Cendyne.dev Posts

A New Year, A New Website - 2021-04-11

Green Grass

It's a new year, the grass is finally growing, and I finally have some energy to set things up. Although it is near mid April, it feels like 2020 is finally being left behind. In the last week, I visited my employer's office to retrieve any belongings I forgot in April 2020 when I last visited. The calendar where I worked has yet to be turned from the very moment life became work from home.

March 2020

It's a bit sobering to consider how much time has passed with this new lifestyle, how my relationships have changed, and how I have adapted to a significantly less social life.

Learning Cryptography

During Summer 2020, I made a goal to learn cryptography, so I could make competent decisions in how I contribute to my employer's system. At the time, I did not comprehend Key Encryption Keys vs Content Encryption Keys. A mistake I made was using RSA PKCS1 v1.5 encryption of content requiring encryption at rest. Some data did not fit, so I simply used a bigger RSA key, 4096 bit.

Since then I have replaced that implementation with Google Tink, where its keychain is rotated each year, and its underlying keychain is decrypted through AWS KMS. But why not use KMS for all encryption? Because it is expensive.
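The Key Encryption Key / Content Encryption Key split, as an added example that is not the author's or Tink's code. It uses the Python `cryptography` library; the local RSA key standing in for AWS KMS, the per-record CEK, and all function names are assumptions made for the illustration.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: a local RSA key plays the key encryption key (KEK).
# In the setup the post describes, that role belongs to AWS KMS.
KEK = rsa.generate_private_key(public_exponent=65537, key_size=2048)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def rsa_direct_fits(plaintext: bytes) -> bool:
    """Try to encrypt content directly with RSA PKCS#1 v1.5."""
    try:
        KEK.public_key().encrypt(plaintext, padding.PKCS1v15())
        return True
    except ValueError:
        # Plaintext is capped at the modulus size minus 11 bytes of padding,
        # which is why "some data did not fit".
        return False


def envelope_encrypt(plaintext: bytes, context: bytes) -> dict:
    """Encrypt content under a fresh CEK, then wrap the CEK under the KEK."""
    cek = AESGCM.generate_key(bit_length=256)  # content encryption key
    nonce = os.urandom(12)
    # `context` is bound as associated data: authenticated, not encrypted.
    ciphertext = AESGCM(cek).encrypt(nonce, plaintext, context)
    return {
        "wrapped_cek": KEK.public_key().encrypt(cek, OAEP),
        "nonce": nonce,
        "ciphertext": ciphertext,
    }


def envelope_decrypt(record: dict, context: bytes) -> bytes:
    """Unwrap the CEK with the KEK, then authenticate and decrypt the content."""
    cek = KEK.decrypt(record["wrapped_cek"], OAEP)
    return AESGCM(cek).decrypt(record["nonce"], record["ciphertext"], context)


if __name__ == "__main__":
    document = b"x" * 4096  # constructed sample content
    print("fits in one RSA block:", rsa_direct_fits(document))
    record = envelope_encrypt(document, b"record-1")
    print("round trip ok:", envelope_decrypt(record, b"record-1") == document)
```

The KEK only ever touches 32 bytes per record, so the expensive or remote operation stays constant in size no matter how large the content grows.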

Since then I've learned what Google Tink is doing by reading through 80% of A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup.

I had read other books, such as the Manga Guide to Cryptography and a few online that I no longer remember. However, I was displeased with the content in nearly all accessible cryptography literature. Much of it glorified DES and RSA. Too much of it was focused on how it works rather than how to use it effectively.

Manga Guide to Cryptography
3DES Glorification

It isn't my job to reimplement AES, or RSA with naive implementation timing attacks in place. It is my job to securely process information and permit access under controlled sound circumstances. I have yet to find a book out there that actually teaches this.

So began my journey with reading the WIP book A Graduate Course in Applied Cryptography. I did not, however, go through the proof exercises, though I often gave some cursory thought to them. Once I deemed the material outside of practical scope, such as post-quantum / quantum-resistant lattice-based cryptography, I began to practice with implementations that didn't hide everything behind nice interfaces. Initially I tinkered with OpenSSL, but then moved to Mbed TLS due to its focus on accessible primitive APIs. Though, Mbed TLS is going to move to obscuring more things in the next major version.

When I wanted to verify my experiments were correct with Mbed TLS, I reimplemented portions in the Python Cryptography library, which provides a nice interface on top of an OpenSSL wrapper, for example when experimenting with the cipher modes in symmetric encryption.

When I was able to correctly make JSON Web Tokens for HMAC, RSA, and ECDSA keys, it felt like I reached a big milestone in understanding the protocols, decisions, etc. that go into secure exchange of data.

That said, many people on the internet will shout "booooo" at JWT and point to alternatives such as PASETO, Branca, and Macaroons. The arguments usually come down to creating protocols and APIs that are misuse resistant, while JWT appears to be an extensible (but now abandoned for future development) standard. New development on similar extensible protocols goes with CBOR (a kind and beautiful binary format, unlike ASN.1), such as RFC 8392 CBOR Web Token (CWT) by the Authentication and Authorization for Constrained Environments (ace) working group.

So, what to expect this year?

Well, my professional life is quite different now. This year I was promoted to being a people manager, technical team lead, and I'm no longer in a position where I can contribute much code. For the last two months, much of my time and unfortunately stress has been analyzing requirements, determining capabilities that my employer lacks, then estimating timelines and inter-project dependencies. On top of all that, I've also been interviewing and hiring. A few of my referrals have come through, so I'm glad to be working with and alongside them.

In the last month, some of my time has gone towards mentoring newly hired developers; in a few weeks I expect to be guiding one junior and two mid-level software engineers through learning Java, AWS (where it matters), Spring Boot, Docker / Containerization, and serverless practices.

When I do get a moment to contribute alongside my team members, I anticipate that I'll be directly involved when it comes to anything in regards to authentication and authorization. An upcoming requirement appears to involve hosting access control for a partner's employees in the field on a web portal that we will be running.

As for my personal time, I'll probably tinker with GraalVM native image, tinker with C some more, figure out how to run things in a FreeBSD jail, and dissect obscure things like PGP's ASCII Armor format, SSH key formats, etc.; it would be nice if I could reimplement age for fun. Though in the long term, if I could make an OAuth implementation using mutual TLS, I'd be ecstatic.

Future posts will likely contain bits and pieces around key formats and software projects or theories I'm pondering.