[CryptoAPI] ArdoCrypto on Slow Extensions

Forge Component
Published on 2015-11-29 by Ricardo Silva
9 votes
I have the ArdoCrypto extension installed (v1.0) and it is constantly on my slow extensions report. I am running platform version

So I have a couple questions:

1) I see this component is called 'CryptoAPI' - is this just the new name for this extension or is it a new component altogether? See the screenshot below for what extension/version I have. If this is the same I will update and check my slow extensions afterward.

2) Does anyone else have issues with this extension taking a while to compute a Mac hash? That is the method that is always on my slow extensions report taking at least half a second. See the second screenshot below of the report.

Hello Brian,

You are facing the same "issue" as Tim describes in the documentation page.

The actions in CryptoAPI that take a password, derive the password. This is the step that takes a few milliseconds. This is by design and a security property.

If you're repeatedly using the same password, you can derive it once and keep the key to use with the K-prefixed actions. These don't do any key derivation and should be quick.

Finally, yes. CryptoAPI is ardoCrypto renamed, so you can install it.

Okay, that sounds logical, thanks.

The way we are using the ComputeMac action right now is on every page there is a piece of JavaScript that takes this ComputeMac output and sends over to a third party service. This is wrong we are realizing...

Few follow-up questions:

1) Would the best way to use these actions be:

a. Call DeriveKey once given the password currently being passed into ComputeMac to get the key
b. Use the KComputeMac in this Javascript given the DeriveKey output and the input previously passed to ComputeMac to quickly get a Mac to hand off to the third party

(Thus removing the usage of ComputeMac)

2) Is there any way to compute a hexadecimal mac rather than a base-64 encoded mac?

I see this extension here:

Which has HMAC actions that do what we need. Any way to get this with the ArdoCrypto extension?

3) I went to upgrade the component and I get the 'You already have modules installed with that key...' error message. I've upgraded other extensions no problem and they just overwrite. Anything I'm missing here? I want to make sure it updates and carries over between environments on deployments correctly.

Thanks so much!
Hello Brian,

1) From what I gather, yes. That's what you would want to do. I'm not sure what you mean by "use KComputeMac in a Javascript" as there is currently no CryptoAPI implementation in Javascript. Do you mean to say to use this in an Ajax Submit action?

2) Yes, I can add that functionality to CryptoAPI. It'll take me a few days to do this, as I'm on vacation without access to my work computer. I'll probably post a new version of Crypto API on Tuesday.

3) I'd guess this is some kind of protection from the Forge integration. You should be able to download the application package and install it in your dev environment and then move it along through your other environments in LifeTime.

I can check exactly what's going on here, but would probably only be able to do it in the middle of next week.

Thanks for the quick reply. 

Regarding the JavaScript I was referring to a piece of JavaScript we have on a page that uses the output of the ComputeMac action which is slowing down pages since it takes a little bit to come back with a value. I've already replaced this as mentioned above and all is well.

No worries on getting that added before then, enjoy your vacation! Thanks for your quick turnaround here though, much appreciated!

I'm going to try upgrading Monday again and see what happens. Thanks!
Hi Brian,

I just published version 1.4.0 of CryptoAPI which adds a hex output to [K]ComputeMac.

Best regards,
Ricardo Silva
Awesome! Thank you! 

We will try implementing this as soon as possible and will report any issues if found.
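
Added example, not part of the thread and not CryptoAPI's own code: a Python illustration of the pattern discussed above, where the key is derived from the password once and later MACs are computed from the key alone, with hex or base64 output. PBKDF2-HMAC-SHA256, the iteration count, the salt handling and every function name here are assumptions; the thread does not state what CryptoAPI uses internally.

```python
import base64
import hashlib
import hmac
import time

# Assumed parameters: the thread does not say which KDF or settings CryptoAPI uses.
ITERATIONS = 200_000
KEY_LEN = 32

def derive_key(password: str, salt: bytes) -> bytes:
    """Deliberately slow step: stretch a password into a MAC key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)

def encode_tag(tag: bytes, encoding: str) -> str:
    if encoding == "hex":
        return tag.hex()
    if encoding == "base64":
        return base64.b64encode(tag).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")

def k_compute_mac(key: bytes, message: bytes, encoding: str = "base64") -> str:
    """Fast path: HMAC-SHA256 with an already derived key, no key derivation."""
    return encode_tag(hmac.new(key, message, hashlib.sha256).digest(), encoding)

def compute_mac(password: str, salt: bytes, message: bytes, encoding: str = "base64") -> str:
    """Password path: pays the key-derivation cost on every call."""
    return k_compute_mac(derive_key(password, salt), message, encoding)

def verify_mac(key: bytes, message: bytes, tag_hex: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    try:
        received = bytes.fromhex(tag_hex)
    except ValueError:
        return False
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)

if __name__ == "__main__":
    salt = bytes(range(16))            # constructed sample salt
    password = "example-password"      # constructed sample secret
    pages = [f"page-{i}".encode() for i in range(20)]  # constructed messages
    t0 = time.perf_counter()
    slow = [compute_mac(password, salt, p, "hex") for p in pages]
    t1 = time.perf_counter()
    key = derive_key(password, salt)   # derive once, keep the key server-side
    fast = [k_compute_mac(key, p, "hex") for p in pages]
    t2 = time.perf_counter()
    print(f"derive per call: {t1 - t0:.3f}s, derive once: {t2 - t1:.3f}s")
    print("same tags:", slow == fast, "| verifies:", verify_mac(key, pages[0], fast[0]))
```

The derived key is as sensitive as the password it came from, so it belongs in server-side storage and not in page markup or client-side script.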