Go Assembly Mutation Testing
Test coverage of delicate Go cryptographic assembly through a new mutation testing framework.
Encrypting files with passkeys, using the WebAuthn prf extension and the TypeScript age implementation.
Maybe you, yes you, should run a Certificate Transparency log. It's cheaper, easier, and more important than ever.
RSA key generation is conceptually simple, but extremely tricky. Even benchmarking involves math: we generated a stable but representative "average case" instead of using the ordinary statistical approach.
My NAS is just one big initramfs containing a whole Alpine Linux system. It's delightful. Here's why and how.
Accumulated test vectors make it possible to run large sets of random known-answer tests without checking in large assets.
The FIPS compliance of HKDF is a somewhat confusing and controversial topic, partially because the normative reference is split over at least four separate documents, but in practice it's approved for almost any purpose.
ML-KEM private key seeds are vastly preferable to expanded decapsulation keys as a storage format. A plea to standardize on them.
The age plugin system allows integrating third-party recipient types at the CLI level. A new framework makes it easy to implement plugins.
Announcing Geomys, a small firm of professional maintainers with a portfolio of critical Go projects.
XAES-256-GCM is a new AEAD extended-nonce algorithm designed for high-level APIs and FIPS 140 compliance.
A short document describing how I maintain open source projects. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations.
Hardware secure elements make it possible to use low-entropy secrets like PINs for encryption.
filippo.io/mlkem768 is a pure-Go implementation of the post-quantum key exchange mechanism ML-KEM-768 optimized for correctness and readability.
How much linear algebra and polynomials do you need to know to implement Kyber? Turns out, very little!
Elliptic curves are standardized, instead of being generated like Diffie-Hellman parameters. There are good reasons!
Announcing a $12,288 bounty (tripled to charity) for cracking the five seeds selected by the NSA in the '90s for the NIST elliptic curve standard.
I want the extended-nonce 256-bit reduced-rounds XAES-256-GCM/11 AEAD. It has infinitely randomizable nonces, a comfortable margin of multi-user security, and nearly the same performance as AES-128-GCM. Only issue is that it doesn't exist.
A recent issue in scalar multiplication makes for a good case study of how unsafe interfaces, undocumented assumptions, and time lead to vulnerabilities.
Go 1.20 was a big release. Go 1.21 has some exciting API work on crypto/tls, and some follow-up work including crypto/rsa performance.
Protocols that use randomness should make it a deterministic function that takes a fixed-size string of random bytes, so it can be tested.
It works! I am now a full-time independent open-source maintainer. I'm announcing my first cohort of six clients, and sharing some details of how the model works.
I updated the whoami.filippo.io dataset! I explain how it works, and how I fetched the new data.
A lot of new cryptography is landing in Go 1.20, including the new crypto/ecdh package and math/big-less RSA and ECDSA backends!
A description of my password management solution based on passage, a fork of pass that uses age, and YubiKeys. Its main feature is resisting post-compromise exfiltration.
Go 1.20 is adding an interning cache for reused certificates. The entries are reference-counted with the help of the garbage collector and finalizers.
We look at how fuzzing should have caught the OpenSSL Punycode vulnerability, and why that code was even necessary in the first place.
Having a direct line to the maintainers of Open Source projects is reciprocally valuable, and made possible by high-touch contractual relationships.
age currently only provides confidentiality. We look at how a couple of small tweaks can introduce authentication, when you'd need it, and how it is different from signing.
My plans for Go 1.20 include landing the crypto/ecdh package, making progress on moving math/big out of the security perimeter, and a batch of crypto/tls work.
We look into a neat trick that allowed replacing the last bit of unreadable edwards25519 code, and learn about the structure and lineage of ECC implementations.
NIST selected a post-quantum cryptographic KEM. We look at how it works and how we can use it for file encryption with age.
To successfully fund Open Source projects, companies should: pay the maintainers; pay them real money; pay for maintenance; and keep paying them.
Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source maintainer has failed to mature from a hobby into a proper profession.
This edition critiques cryptographic registries, advocating for fixed primitives in protocol design.
A common task in Go API design is returning a byte slice. In this post I will explore some old techniques and a new one. In particular, we'll see how the mid-stack inliner interacts with escape analysis to make it possible for the most natural API to be also the fastest.
@Benjojo12 and I are building an encryption tool that will support SSH keys as recipients. For Ed25519 keys that requires converting points between different elliptic curves. Let's see why and how.
Cryptography code could be understandable if only we commented it. This Poly1305 implementation is an attempt to prove it. It should be readable with just an idea of what MACs are for, a beginner level of Go, and high school math.