Whilst slightly updating the WebServer Help page I noticed Andreas' comment that MD5 authentication was 'pathetic'. Certainly the simple version in WebUtils might be (I couldn't honestly judge it) but we do have a fairly serious crypto package these days. Has anybody ever made WebServer/Client use the presumably much faster MD5 in that package?
tim -- tim Rowledge; tim@rowledge.org; http://www.rowledge.org/tim There are only two really difficult problems in programming: -Naming -Cache invalidation -Off-by-one errors
Hi Tim,
On 2023. 04. 10. 3:14, tim Rowledge wrote:
Whilst slightly updating the WebServer Help page I noticed Andreas' comment that MD5 authentication was 'pathetic'. Certainly the simple version in WebUtils might be (I couldn't honestly judge it) but we do have a fairly serious crypto package these days. Has anybody ever made WebServer/Client use the presumably much faster MD5 in that package?
WebClient's MD5 implementation uses primitiveMD5Transform of CroquetPlugin, so it's reasonably fast.
The implementation in the Cryptography package is 2-6.5x faster depending on the input size.
On my machine, WebClient's throughput is ~43MB/s for an 8MB input, while the cryptography package reaches 283MB/s using CryptographyHashing-ul.26 [1].
For comparison, OpenSSL's (hand-tuned assembly) implementation reaches 600MB/s on my machine on 16kB inputs (that's the largest you can benchmark). Cryptography package gives 267MB/s for that size, so if you need the best performance available, perhaps an FFI call is the way to go.
Levente
[1] I just fixed a performance issue with the hash functions, so make sure you use the latest version of CryptographyHashing if you want to give that a try.
On 2023-04-10, at 2:18 PM, leves leves@caesar.elte.hu wrote:
...
WebClient's MD5 implementation uses primitiveMD5Transform of CroquetPlugin, so it's reasonably fast.
So it does; hadn't dug that far.
Looking at it I don't see any reason we couldn't do a tweak a bit like you use in the PG3ConnectionArguments>>#md5Hasher code *except* that it is a small puzzle why the WebUtils code seems to provide a result reversed from the MD5 code. Both senders of WebUtils class>>#md5HashStream: reverse the results, which seems a bit odd and a bit time-wasting.
If we were to change

    ^(ByteArray new: 16)
        unsignedLongAt: 1 put: (hash at: 4) bigEndian: true;
        unsignedLongAt: 5 put: (hash at: 3) bigEndian: true;
        unsignedLongAt: 9 put: (hash at: 2) bigEndian: true;
        unsignedLongAt: 13 put: (hash at: 1) bigEndian: true;
        yourself

to

    ^(ByteArray new: 16)
        unsignedLongAt: 1 put: (hash at: 1) bigEndian: false;
        unsignedLongAt: 5 put: (hash at: 2) bigEndian: false;
        unsignedLongAt: 9 put: (hash at: 3) bigEndian: false;
        unsignedLongAt: 13 put: (hash at: 4) bigEndian: false;
        yourself

... it would simplify a little and make it easier to swap in the faster MD5 class. We get rid of two #reversed sends.
The other difference seems to be whether the hex chars should be upper or lower case - it is a little bad that #hex uses uppercase for everything but the ByteArray implementation but it looks like all the web related usages require that?
tim -- tim Rowledge; tim@rowledge.org; http://www.rowledge.org/tim Useful Latin Phrases:- Utinam logica falsa tuam philosophiam totam suffodiant! = May faulty logic undermine your entire philosophy!
Hi Tim,
Cleartext is faster than MD5, and only barely less-secure.
If security is a priority, you might prefer SHA2 in the external cryptography package.
- Chris
On Sun, Apr 9, 2023 at 8:15 PM tim Rowledge tim@rowledge.org wrote:
Whilst slightly updating the WebServer Help page I noticed Andreas' comment that MD5 authentication was 'pathetic'. Certainly the simple version in WebUtils might be (I couldn't honestly judge it) but we do have a fairly serious crypto package these days. Has anybody ever made WebServer/Client use the presumably much faster MD5 in that package?
On 2023-04-11, at 3:32 PM, Chris Muller asqueaker@gmail.com wrote:
Hi Tim,
Cleartext is faster than MD5, and only barely less-secure.
If security is a priority, you might prefer SHA2 in the external cryptography package.
In this particular case the only bit I was interested in was Andreas' comment and whether we could do better now - and thus remove the comment. I suspect there is some interesting work that could be done to use these newer encryptions in the Web* classes.
tim -- tim Rowledge; tim@rowledge.org; http://www.rowledge.org/tim Strange OpCodes: SEXI: Sign EXtend Integer
squeak-dev@lists.squeakfoundation.org