Refactor crypto, tests, and workflows for security & perf

Updated GitVersion workflow to streamline releases and added conditional checks for version changes. Bumped `next-version` to 3.0.0.

Refactored `KeyDerivation` to use HKDF (RFC 5869) with optional salt, improving cryptographic practices and memory safety. Updated `KeyDerivationTests` to align with the new implementation.

Enhanced `AesGcmStreamCipher` with `IDisposable`, memory limits, and stronger integrity checks using associated data (AAD). Improved encryption/decryption pipelines.

Refactored reliability tests for better scoping, exception handling, and maintainability. Updated performance benchmarks to reflect encryption optimizations.

Added XML documentation to `IMediator` for clarity. Updated binary performance analysis files to reflect new results.

Author: bvdcode

.github/workflows/publish-release.yml

@@ -24,6 +24,7 @@ jobs:
       uses: gittools/actions/gitversion/setup@v3.1.11
       with:
         versionSpec: 5.x
+        
     - name: Determine Version
       uses: gittools/actions/gitversion/execute@v3.1.11
       id: gitversion # step id used as reference for output values
@@ -67,15 +68,6 @@ jobs:
         dotnet nuget push *.nupkg --skip-duplicate --api-key ${{ secrets.DEPLOY_GITHUB_TOKEN }} --source "github"
         dotnet nuget push *.nupkg --skip-duplicate --api-key ${{ secrets.NUGET_KEY }} --source https://api.nuget.org/v3/index.json
     
-    #Create release
-    - name: Create Release
-      if: 1 == 0 #needs.build.outputs.CommitsSinceVersionSource > 0 #Only release if there has been a commit/version change
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }} 
-      with:
-        tag_name: ${{ needs.build.outputs.Version }}
-        release_name: Release ${{ needs.build.outputs.Version }}
     - name: Create Release
       if: needs.build.outputs.CommitsSinceVersionSource > 0 #Only release if there has been a commit/version change
       uses: ncipollo/release-action@v1

GitVersion.yml

@@ -1 +1 @@
-next-version: 2.0.0
+next-version: 3.0.0

Sources/EasyExtensions.Crypto.Tests.Charts/advanced_performance_analysis.png

@@ -1,144 +1,94 @@
- Decrypt_ThreadSweep_ChunkSweep
-   Source: PerformanceTests.cs line 88
-   Duration: 15.1 sec
+ Encrypt_ThreadSweep_ChunkSweep
+   Source: PerformanceTests.cs line 55
+   Duration: 6.2 sec
 
   Standard Output: 
-=== DECRYPTION THREAD/CHUNK SWEEP ===
+=== ENCRYPTION THREAD/CHUNK SWEEP ===
 Data size: 1000 MB
 Threads: 1, 2, 4, 8, 16
-Chunk sizes: 0.0MB, 0.0MB, 0.0MB, 0.0MB, 0.0MB, 0.0MB, 0.1MB, 0.1MB, 0.5MB, 1.0MB, 4.0MB, 8.0MB, 16.0MB
+Chunk sizes: 0.1MB, 0.1MB, 0.5MB, 1.0MB, 4.0MB, 8.0MB, 16.0MB
 Threads | ChunkMB | Avg MB/s
-      1 |   0.001 |    7474.8
-      1 |   0.002 |    7408.4
-      1 |   0.004 |    7564.8
-      1 |   0.008 |    7402.4
-      1 |   0.016 |    7592.4
-      1 |   0.031 |    7881.8
-      1 |   0.062 |    7760.4
-      1 |   0.125 |    7844.9
-      1 |   0.500 |    7933.8
-      1 |   1.000 |    7691.4
-      1 |   4.000 |    7997.9
-      1 |   8.000 |    7800.5
-      1 |  16.000 |    7570.1
-      2 |   0.001 |    9380.8
-      2 |   0.002 |    9190.2
-      2 |   0.004 |    9427.7
-      2 |   0.008 |    9688.8
-      2 |   0.016 |    9945.4
-      2 |   0.031 |    9692.3
-      2 |   0.062 |    9666.8
-      2 |   0.125 |    9637.3
-      2 |   0.500 |    9609.4
-      2 |   1.000 |    9518.5
-      2 |   4.000 |    9563.1
-      2 |   8.000 |    9574.3
-      2 |  16.000 |    9734.5
-      4 |   0.001 |    9353.5
-      4 |   0.002 |    9249.1
-      4 |   0.004 |    9235.2
-      4 |   0.008 |    9382.8
-      4 |   0.016 |    9374.9
-      4 |   0.031 |    9455.9
-      4 |   0.062 |    9293.3
-      4 |   0.125 |    9536.8
-      4 |   0.500 |    8914.2
-      4 |   1.000 |    9412.5
-      4 |   4.000 |    9607.3
-      4 |   8.000 |    9530.0
-      4 |  16.000 |    9204.4
-      8 |   0.001 |    9539.0
-      8 |   0.002 |    9602.0
-      8 |   0.004 |    9087.6
-      8 |   0.008 |    9350.7
-      8 |   0.016 |    9154.3
-      8 |   0.031 |    9248.2
-      8 |   0.062 |    9436.3
-      8 |   0.125 |    9255.7
-      8 |   0.500 |    8906.6
-      8 |   1.000 |    9391.8
-      8 |   4.000 |    9402.3
-      8 |   8.000 |    9552.3
-      8 |  16.000 |    9451.9
-     16 |   0.001 |    9413.0
-     16 |   0.002 |    9679.7
-     16 |   0.004 |    9658.1
-     16 |   0.008 |    9413.8
-     16 |   0.016 |    9385.4
-     16 |   0.031 |    9477.2
-     16 |   0.062 |    9623.6
-     16 |   0.125 |    8805.0
-     16 |   0.500 |    8691.3
-     16 |   1.000 |    8571.9
-     16 |   4.000 |    9108.3
-     16 |   8.000 |    9360.3
-     16 |  16.000 |    9416.8
+      1 |   0.062 |    9518.9
+      1 |   0.125 |   11383.9
+      1 |   0.500 |   12712.2
+      1 |   1.000 |   12431.7
+      1 |   4.000 |    9790.9
+      1 |   8.000 |    8820.4
+      1 |  16.000 |    7354.2
+      2 |   0.062 |   14578.4
+      2 |   0.125 |   15069.9
+      2 |   0.500 |   15962.9
+      2 |   1.000 |   14960.1
+      2 |   4.000 |   11781.2
+      2 |   8.000 |   10775.6
+      2 |  16.000 |    9166.5
+      4 |   0.062 |   13555.8
+      4 |   0.125 |   14117.3
+      4 |   0.500 |   14702.3
+      4 |   1.000 |   14299.6
+      4 |   4.000 |   11945.5
+      4 |   8.000 |   10768.6
+      4 |  16.000 |    8431.8
+      8 |   0.062 |   10921.1
+      8 |   0.125 |   13173.2
+      8 |   0.500 |   13962.2
+      8 |   1.000 |   13168.2
+      8 |   4.000 |   11042.9
+      8 |   8.000 |    9701.7
+      8 |  16.000 |    9387.7
+     16 |   0.062 |    8194.4
+     16 |   0.125 |   10708.4
+     16 |   0.500 |   14302.7
+     16 |   1.000 |   13576.2
+     16 |   4.000 |   11187.2
+     16 |   8.000 |    9916.9
+     16 |  16.000 |    9275.1
 
 
 
- Encrypt_ThreadSweep_ChunkSweep
-   Source: PerformanceTests.cs line 43
-   Duration: 16 sec
+ Decrypt_ThreadSweep_ChunkSweep
+   Source: PerformanceTests.cs line 100
+   Duration: 6.5 sec
 
   Standard Output: 
-=== ENCRYPTION THREAD/CHUNK SWEEP ===
+=== DECRYPTION THREAD/CHUNK SWEEP ===
 Data size: 1000 MB
 Threads: 1, 2, 4, 8, 16
-Chunk sizes: 0.0MB, 0.0MB, 0.0MB, 0.0MB, 0.1MB, 0.1MB, 0.5MB, 1.0MB, 4.0MB, 8.0MB, 16.0MB
+Chunk sizes: 0.1MB, 0.1MB, 0.5MB, 1.0MB, 4.0MB, 8.0MB, 16.0MB
 Threads | ChunkMB | Avg MB/s
-      1 |   0.004 |    2887.2
-      1 |   0.008 |    4974.3
-      1 |   0.016 |    7226.3
-      1 |   0.031 |    9415.9
-      1 |   0.062 |   11265.3
-      1 |   0.125 |   12084.1
-      1 |   0.500 |   12569.8
-      1 |   1.000 |   12163.6
-      1 |   4.000 |   10085.4
-      1 |   8.000 |    9354.9
-      1 |  16.000 |    7881.5
-      2 |   0.004 |    4272.8
-      2 |   0.008 |    7117.3
-      2 |   0.016 |   10355.5
-      2 |   0.031 |   12858.0
-      2 |   0.062 |   13823.1
-      2 |   0.125 |   15474.5
-      2 |   0.500 |   15252.4
-      2 |   1.000 |   13803.9
-      2 |   4.000 |   12313.6
-      2 |   8.000 |   10621.5
-      2 |  16.000 |    9413.4
-      4 |   0.004 |    3022.9
-      4 |   0.008 |    5417.8
-      4 |   0.016 |    7913.9
-      4 |   0.031 |   12175.1
-      4 |   0.062 |   14190.0
-      4 |   0.125 |   15301.6
-      4 |   0.500 |   14930.2
-      4 |   1.000 |   13461.7
-      4 |   4.000 |   12259.3
-      4 |   8.000 |   11456.5
-      4 |  16.000 |    9260.8
-      8 |   0.004 |    1961.7
-      8 |   0.008 |    3626.4
-      8 |   0.016 |    6746.5
-      8 |   0.031 |   10925.9
-      8 |   0.062 |   13287.6
-      8 |   0.125 |   14806.6
-      8 |   0.500 |   15225.5
-      8 |   1.000 |   15100.1
-      8 |   4.000 |   10884.0
-      8 |   8.000 |   10909.6
-      8 |  16.000 |    9042.3
-     16 |   0.004 |    1112.1
-     16 |   0.008 |    1897.4
-     16 |   0.016 |    3112.1
-     16 |   0.031 |    4809.1
-     16 |   0.062 |    7532.8
-     16 |   0.125 |   13798.6
-     16 |   0.500 |   15279.9
-     16 |   1.000 |   15090.4
-     16 |   4.000 |   12667.9
-     16 |   8.000 |   11849.1
-     16 |  16.000 |    9927.1
+      1 |   0.062 |   10084.2
+      1 |   0.125 |   10595.1
+      1 |   0.500 |   10137.6
+      1 |   1.000 |   10591.1
+      1 |   4.000 |   11068.6
+      1 |   8.000 |   10761.2
+      1 |  16.000 |   11065.3
+      2 |   0.062 |   15031.0
+      2 |   0.125 |   14879.9
+      2 |   0.500 |   14992.7
+      2 |   1.000 |   15025.4
+      2 |   4.000 |   14977.7
+      2 |   8.000 |   13735.5
+      2 |  16.000 |   14784.0
+      4 |   0.062 |   14776.7
+      4 |   0.125 |   14420.2
+      4 |   0.500 |   14424.2
+      4 |   1.000 |   14175.5
+      4 |   4.000 |   14824.2
+      4 |   8.000 |   14960.0
+      4 |  16.000 |   14551.7
+      8 |   0.062 |   14780.2
+      8 |   0.125 |   14725.3
+      8 |   0.500 |   14713.9
+      8 |   1.000 |   14693.7
+      8 |   4.000 |   14694.7
+      8 |   8.000 |   14763.9
+      8 |  16.000 |   14890.1
+     16 |   0.062 |   13035.8
+     16 |   0.125 |   13864.2
+     16 |   0.500 |   13645.4
+     16 |   1.000 |   13345.7
+     16 |   4.000 |   14402.7
+     16 |   8.000 |   14745.1
+     16 |  16.000 |   14301.3
 

Sources/EasyExtensions.Crypto.Tests.Charts/input.txt

@@ -15,9 +15,9 @@ public class KeyDerivationTests
     [Test]
     public void DeriveSubkey_Returns_Requested_Length([Values(0, 1, 16, 32, 48, 64, 100)] int len)
     {
-        var bytes = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, len);
+        var bytes = KeyDerivation.DeriveSubkey(Master1, PurposeA, len);
         Assert.That(bytes, Is.Not.Null);
-        Assert.That(bytes.Length, Is.EqualTo(len));
+        Assert.That(bytes, Has.Length.EqualTo(len));
         if (len > 0)
         {
             // Not all zeros
@@ -28,53 +28,53 @@ public void DeriveSubkey_Returns_Requested_Length([Values(0, 1, 16, 32, 48, 64,
     [Test]
     public void Deterministic_For_Same_Inputs()
     {
-        var a1 = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
-        var a2 = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
+        var a1 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
+        var a2 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
         Assert.That(a1, Is.EqualTo(a2));
     }
 
     [Test]
     public void Different_Master_Produces_Different_Key()
     {
-        var a = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
-        var b = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master2, PurposeA, 48);
+        var a = KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
+        var b = KeyDerivation.DeriveSubkey(Master2, PurposeA, 48);
         Assert.That(a, Is.Not.EqualTo(b));
     }
 
     [Test]
     public void Different_Purpose_Produces_Different_Key()
     {
-        var a = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
-        var b = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeB, 48);
+        var a = KeyDerivation.DeriveSubkey(Master1, PurposeA, 48);
+        var b = KeyDerivation.DeriveSubkey(Master1, PurposeB, 48);
         Assert.That(a, Is.Not.EqualTo(b));
     }
 
     [Test]
     public void Base64_Matches_Raw_Encoding()
     {
-        var bytes = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 32);
+        var bytes = KeyDerivation.DeriveSubkey(Master1, PurposeA, 32);
         var b64A = EasyExtensions.Crypto.KeyDerivation.DeriveSubkeyBase64(Master1, PurposeA, 32);
         var b64B = Convert.ToBase64String(bytes);
         Assert.That(b64A, Is.EqualTo(b64B));
     }
 
     [Test]
-    public void Length32_Vs_Length64_Prefixes_Differ_By_Design()
+    public void Length32_Vs_Length64_Prefixes_NotDiffer_By_Design()
     {
         // length 32 uses HMAC(purpose) directly
-        var l32 = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 32);
+        var l32 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 32);
         // length 64 uses HMAC(purpose||1) + HMAC(purpose||2)
-        var l64 = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 64);
-        Assert.That(l32, Is.Not.EqualTo(l64.Take(32).ToArray()));
+        var l64 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 64);
+        Assert.That(l32, Is.EqualTo(l64.Take(32).ToArray()));
     }
 
     [Test]
     public void Longer_Length_Extends_With_Deterministic_Blocks()
     {
         // For lengths > 32, result is concatenation of counter-based blocks starting at 1,
         // so prefix of 64 should match prefix of 96.
-        var l64 = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 64);
-        var l96 = EasyExtensions.Crypto.KeyDerivation.DeriveSubkey(Master1, PurposeA, 96);
+        var l64 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 64);
+        var l96 = KeyDerivation.DeriveSubkey(Master1, PurposeA, 96);
         Assert.That(l96.Take(64).ToArray(), Is.EqualTo(l64));
     }
 }