Archived view for libreserver.org › blog › cryptography-matters.gmi, captured on 2021-12-03 at 14:04:38.
Epicyon [1] now uses the python3-cryptography [2] library for its HTTP and JSON-LD signatures. I did a side-by-side test of httpsig.py using either *pycryptodome* or *python3-cryptography*, and the latter turned out to be about 18 times faster. This made the switch-over an easy decision, and it will help with running the system on low-power single-board computers, since the signature checks are the most computationally demanding aspect. Every time a post arrives in your inbox its signature gets checked to verify that it was really sent by its claimed author, so if you are following a few people and that is happening regularly then this adds up to a lot of cryptographic operations.
Why is there such a speed difference? In *pycryptodome* the RSA algorithm [5] is implemented largely in Python. In *python3-cryptography* those operations are really just a thin wrapper around OpenSSL [6], which is written in C and assembly. The lower-level languages are closer to the metal and tend to be a lot faster because there are fewer layers of abstraction, and the big-number arithmetic that dominates an RSA signature check is exactly the part OpenSSL has spent years hand-optimising.
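As an added example, not Epicyon's own httpsig.py, here is the check the post describes, written against python3-cryptography. The sender builds the signing string from the covered headers and signs it with RSA-SHA256 (RSASSA-PKCS1-v1_5 with SHA-256, which is what the rsa-sha256 HTTP Signatures scheme means), and the receiving inbox first checks the Digest header against the body it actually received and then verifies the signature under the sender's public key. The actor key, header set and sample inbox request are constructed for the demo; in a real inbox the public key is fetched from the actor document named by keyId rather than passed in directly.

```python
"""HTTP Signatures (draft-cavage style) over RSA-SHA256 with python3-cryptography.

Added example, not Epicyon's httpsig.py. The key, header set and sample
inbox request below are constructed for the demo.
"""
import base64
import hashlib
import hmac

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Headers a receiving inbox should insist are covered by the signature.
REQUIRED_HEADERS = {"(request-target)", "host", "date", "digest"}


def body_digest(body: bytes) -> str:
    """Value for the Digest header: binds the JSON body to the signed headers."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, headers: dict, names: list) -> bytes:
    """Concatenate the covered headers in the order the sender listed them."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines).encode()


def sign_request(private_key, key_id: str, method: str, path: str,
                 headers: dict, names: list) -> str:
    """Produce the Signature header value for an outgoing request."""
    sig = private_key.sign(signing_string(method, path, headers, names),
                           padding.PKCS1v15(), hashes.SHA256())
    return (f'keyId="{key_id}",algorithm="rsa-sha256",'
            f'headers="{" ".join(names)}",'
            f'signature="{base64.b64encode(sig).decode()}"')


def parse_signature(value: str) -> dict:
    """Parse key="value" pairs; none of the values used here contain commas."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params


def verify_request(public_key_pem: bytes, method: str, path: str,
                   headers: dict, body: bytes) -> bool:
    """Check an incoming inbox POST: Digest matches the body, the required
    headers are covered, and the RSA-SHA256 signature verifies."""
    # Digest is only a header, so the signature protects the body solely
    # because we recompute it over the bytes we actually received.
    if not hmac.compare_digest(headers.get("digest", ""), body_digest(body)):
        return False
    params = parse_signature(headers.get("signature", ""))
    if params.get("algorithm") != "rsa-sha256":
        return False
    names = params.get("headers", "").split()
    if not REQUIRED_HEADERS.issubset(names):
        return False
    if any(n != "(request-target)" and n not in headers for n in names):
        return False
    public_key = serialization.load_pem_public_key(public_key_pem)
    try:
        # One RSA public-key operation: the part OpenSSL does in C/assembly.
        public_key.verify(base64.b64decode(params.get("signature", "")),
                          signing_string(method, path, headers, names),
                          padding.PKCS1v15(), hashes.SHA256())
    except (InvalidSignature, ValueError):
        return False
    return True


def run_demo():
    """Sign a constructed inbox delivery, then verify it intact and tampered.
    Returns (intact_ok, body_tampered_ok, header_tampered_ok)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    # Constructed sample request (hypothetical actor and inbox URLs).
    body = b'{"type":"Create","actor":"https://alice.example/users/alice"}'
    headers = {
        "host": "bob.example",
        "date": "Fri, 03 Dec 2021 14:04:38 GMT",
        "digest": body_digest(body),
        "content-type": "application/activity+json",
    }
    covered = ["(request-target)", "host", "date", "digest", "content-type"]
    headers["signature"] = sign_request(
        private_key, "https://alice.example/users/alice#main-key",
        "POST", "/users/bob/inbox", headers, covered)

    intact = verify_request(public_pem, "POST", "/users/bob/inbox", headers, body)
    # Swapped activity type: the Digest no longer matches, so it is rejected.
    body_tampered = verify_request(public_pem, "POST", "/users/bob/inbox",
                                   headers, body.replace(b"Create", b"Delete"))
    # Replayed with a changed Date: a covered header changed, so RSA rejects it.
    replayed = dict(headers, date="Sat, 04 Dec 2021 00:00:00 GMT")
    header_tampered = verify_request(public_pem, "POST", "/users/bob/inbox",
                                     replayed, body)
    return intact, body_tampered, header_tampered


if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: `verify()` signals failure by raising `InvalidSignature`, so the inbox code has to catch it and turn it into a rejection rather than letting it propagate; and the signature alone says nothing about the body, so the Digest header must be recomputed over the received bytes and the receiver must require that Digest (along with Date and Host) is among the covered headers, otherwise a valid signature can be replayed over a different payload.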
There is also the added benefit that this reduces overall complexity and attack surface [7]. Most web servers already link against OpenSSL anyway, so dropping *pycryptodome* means one less cryptographic implementation to carry and keep patched. OpenSSL is also so critical to the overall functioning of the internet that if bugs are found they are likely to get fixed fairly quickly. There was the Heartbleed incident [8] in 2014, but since then the project has received more support and a lot of former problems have been cleaned up. One caveat: this argument holds when *python3-cryptography* is the distribution package linked against the system OpenSSL. The wheels that pip installs bundle their own statically linked copy of OpenSSL, which only gets updated when the wheel itself does.
So if you are already running an instance of Epicyon then make sure that you have *python3-cryptography* installed before doing an upgrade. On Freedombone [9] that is all handled automatically.