Member

@pavestru pavestru commented May 24, 2019

Description

  • Add encryption and verification to pid serialization to achieve authenticity, integrity and confidentiality
  • Encryption key read env var CODEC_SECRET_KEY

Closes #208

What to look out for

  • do we need confidentiality?
  • the new serialized string is these values concatenated: initialization_vector <> MAC <> ciphertext
  • default value for secret_key is setup in apps/rig/config.exs
  • no script for generating and setting CODEC_SECRET_KEY env var was implemented in this PR apart from setting the default value in config.exs
  • need to implement a microbenchmark to measure impact on performance

@pavestru pavestru requested review from kevinbader and mmacai May 24, 2019 14:58
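
The `initialization_vector <> MAC <> ciphertext` layout from the description, as an added example that is not the PR's or the project's own code. The module name `CodecExample`, the choice of AES-256-CTR with HMAC-SHA256, and the 64-byte key split into an encryption half and a MAC half are assumptions, since the description does not name the primitives.

```elixir
defmodule CodecExample do
  # Added illustration, not RIG's Rig.Connection.Codec.
  # Assumptions: AES-256-CTR + HMAC-SHA256 (encrypt-then-MAC) and a 64-byte
  # key split into an encryption half and a MAC half. Needs OTP 25+.
  @iv_len 16
  @mac_len 32

  def serialize(pid, <<enc_key::binary-size(32), mac_key::binary-size(32)>>) do
    iv = :crypto.strong_rand_bytes(@iv_len)
    ct = :crypto.crypto_one_time(:aes_256_ctr, enc_key, iv, :erlang.term_to_binary(pid), true)
    # The MAC covers the IV as well, so neither part can be swapped out.
    mac = :crypto.mac(:hmac, :sha256, mac_key, iv <> ct)
    Base.url_encode64(iv <> mac <> ct)
  end

  def deserialize(token, <<enc_key::binary-size(32), mac_key::binary-size(32)>>) do
    with {:ok, <<iv::binary-size(@iv_len), mac::binary-size(@mac_len), ct::binary>>} <-
           Base.url_decode64(token),
         # Verify in constant time before decrypting or decoding anything.
         true <- :crypto.hash_equals(mac, :crypto.mac(:hmac, :sha256, mac_key, iv <> ct)) do
      plaintext = :crypto.crypto_one_time(:aes_256_ctr, enc_key, iv, ct, false)
      {:ok, :erlang.binary_to_term(plaintext, [:safe])}
    else
      _ -> {:error, :invalid_token}
    end
  end
end

# Constructed demo: round trip, then flip one bit inside the MAC field.
key = :crypto.strong_rand_bytes(64)
token = CodecExample.serialize(self(), key)
{:ok, pid} = CodecExample.deserialize(token, key)
true = pid == self()

<<head::binary-size(20), byte, rest::binary>> = Base.url_decode64!(token)
tampered = Base.url_encode64(<<head::binary, Bitwise.bxor(byte, 1), rest::binary>>)
{:error, :invalid_token} = CodecExample.deserialize(tampered, key)
IO.puts("round trip ok, tampered token rejected")
```

Because the MAC is checked before decryption and before `binary_to_term`, a modified or truncated token never reaches the decoder.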
@kevinbader
Contributor

> Encryption key read env var CODEC_SECRET_KEY

There is already a secret key shared among nodes:

| Variable | Description | Default |
| --- | --- | --- |
| NODE_COOKIE | Erlang cookie used in distributed mode, so nodes in cluster can communicate between each other. | nil |

What about re-using it here?

@doc "Turn a pid into an url-encoded string."
@spec serialize(pid) :: binary
def serialize(pid) do
key = Confex.fetch_env!(:rig, Rig.Connection.Codec)[:secret_key]
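
Review bot: in `serialize/1`, `Confex.fetch_env!(:rig, Rig.Connection.Codec)[:secret_key]` evaluates to nil when the module config has no `:secret_key` entry, because only the `fetch_env!` part raises; a missing key therefore goes unnoticed until the first call, and the lookup is repeated on every serialization. Fetch the entry with `Keyword.fetch!/2` or validate it once at startup. The `@doc` above it still describes the result only as a url-encoded string; it should say that the output is now encrypted and authenticated.
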
Contributor

@kevinbader kevinbader May 27, 2019

I think I'd prefer `use Rig.Config, [:secret_key]` instead, to be consistent with the other modules and because it ensures that secret_key is set on startup.

Member Author

I've applied the change you suggested, but instead of :secret_key I've used name :codec_secret_key, because secret_key is used elsewhere as alias for jwt_secret_key as far as I understand. I'm using NODE_COOKIE env var.

Contributor

well :secret_key in that context refers to the key used in the configuration for this module, which means there can't be a name clash here. That said, :codec_secret_key is fine, too.

@pavestru pavestru changed the title from "208 Integrity Check Correlation" to "208 Integrity-check for the correlation ID" May 29, 2019
Collaborator

@mmacai mmacai left a comment

I would also mention this change in CHANGELOG.md

@pavestru
Member Author

It is important that NODE_COOKIE is base64 decodable. Right now it is generated in the following way:

export NODE_COOKIE="$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"

Having 32 characters 'a-zA-Z0-9' is base64 decodable, so I think we're fine.

@pavestru
Member Author

> I would also mention this change in CHANGELOG.md

I've done that.

@mmacai mmacai merged commit 420d893 into Accenture:master Jun 17, 2019
Successfully merging this pull request may close these issues.

Integrity-check for the correlation ID