Maintainers of Last Resort
Geomys sometimes acts as a maintainer of last resort for critical Go projects. Recently, we took over the bluemonday HTML sanitizer, and built upgrade paths for the gorilla/csrf library.
Cross-Site Request Forgery
Cross-Site Request Forgery countermeasures can be greatly simplified using request metadata provided by modern browsers.
Go Assembly Mutation Testing
Test coverage of delicate Go cryptographic assembly through a new mutation testing framework.
Encrypting Files with Passkeys and age
Encrypting files with passkeys, using the WebAuthn prf extension and the TypeScript age implementation.
You Should Run a Certificate Transparency Log
Maybe you, yes you, should run a Certificate Transparency log. Itās cheaper, easier, and more important than ever.
Benchmarking RSA Key Generation
RSA key generation is conceptually simple, but extremely tricky. Even benchmarking involves math: we generated a stable but representative āaverage caseā instead of using the ordinary statistical approach.
frood, an Alpine initramfs NAS
My NAS is just one big initramfs containing a whole Alpine Linux system. Itās delightful. Here's why and how.
Accumulated Test Vectors
Accumulated test vectors make it possible to run large sets of random known-answer tests without checking in large assets.
The FIPS Compliance of HKDF
The FIPS compliance of HKDF is a somewhat confusing and controversial topic, partially because the normative reference is split over at least four separate documents, but in practice itās approved for almost any purpose.
Letās All Agree to Use Seeds as ML-KEM Keys
ML-KEM private key seeds are vastly preferable to expanded decapsulation keys as a storage format. A plea to standardize on them.
age Plugins
The age plugin system allows integrating third-party recipient types at the CLI level. A new framework makes it easy to implement plugins.
Geomys, a blueprint for a sustainable open source maintenance firm
Announcing Geomys, a small firm of professional maintainers with a portfolio of critical Go projects.
XAES-256-GCM
XAES-256-GCM is a new AEAD extended-nonce algorithm designed for high-level APIs and FIPS 140 compliance.
My Maintenance Policy
A short document describing how I maintain open source projects. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations.
PINs for Cryptography with Hardware Secure Elements
Hardware secure elements make it possible to use low-entropy secrets like PINs for encryption.
Post-quantum Cryptography for the Go Ecosystem
filippo.io/mlkem768 is a pure-Go implementation of the post-quantum key exchange mechanism ML-KEM-768 optimized for correctness and readability.
Enough Polynomials and Linear Algebra to Implement Kyber
How much linear algebra and polynomials do you need to know to implement Kyber? Turns out, very little!
Why We Donāt Generate Elliptic Curves Every Day
Elliptic curves are standardized, instead of being generated like Diffie-Hellman parameters. There's good reasons!
Announcing the $12k NIST Elliptic Curves Seeds Bounty
Announcing a $12,288 bounty (tripled to charity) for cracking the five seeds selected by the NSA in the '90s for the NIST elliptic curve standard.
I want XAES-256-GCM/11
I want the extended-nonce 256-bit reduced-rounds XAES-256-GCM/11 AEAD. It has infinitely randomizable nonces, a comfortable margin of multi-user security, and nearly the same performance as AES-128-GCM. Only issue is that it doesnāt exist.
A Cryptographic Near Miss
A recent issue in scalar multiplication makes for a good case study of how unsafe interfaces, undocumented assumptions, and time lead to vulnerabilities.
Planning Go 1.21 Cryptography Work
Go 1.20 was a big release. Go 1.21 has some exciting API work on crypto/tls, and some follow-up work including crypto/rsa performance.
Avoid The Randomness From The Sky
Protocols that use randomness should make it a deterministic function that takes a fixed-size string of random bytes, so it can be tested.
Iām Now a Full-Time Professional Open Source Maintainer
It works! I am now a full-time independent open-source maintainer. I'm announcing my first cohort of six clients, and sharing some details of how the model works.
ssh whoami.filippo.io
I updated the whoami.filippo.io dataset! I explain how it works, and how I fetched the new data.
Go 1.20 Cryptography
A lot of new cryptography is landing in Go 1.20, including the new crypto/ecdh package and math/big-less RSA and ECDSA backends!
My age+YubiKeys Password Management Solution
A description of my password management solution based on passage, a fork of pass that uses age, and YubiKeys. Its main feature is resisting post-compromise exfiltration.
A GC-Friendly Go Interning Cache
Go 1.20 is adding an interning cache for reused certificates. The entries are reference-counted with the help of the garbage collector and finalizers.
Why Did the OpenSSL Punycode Vulnerability Happen
We look at how fuzzing should have caught the OpenSSL Punycode vulnerability, and why that code was even necessary in the first place.
The Reciprocal Value of Access to Maintainers
Having a direct line to the maintainers of Open Source project is reciprocally valuable, and made possible by high-touch contractual relationships.
age and Authenticated Encryption
age currently only provides confidentiality. We look at how a couple small tweaks can introduce authentication, when you'd need it, and how it is different from signing.
Planning Go 1.20 Cryptography Work
My plans for Go 1.20 include landing the crypto/ecdh package, making progress on moving math/big out of the security perimeter, and a batch of crypto/tls work.
A Wide Reduction Trick
We look into a neat trick that allowed replacing the last bit of unreadable edwards25519 code, and learn about the structure and lineage of ECC implementations.
KEMs and Post-Quantum age
NIST selected a post-quantum cryptographic KEM. We look at how it works and how we can use it for file encryption with age.
How to pay professional maintainers
To successfully fund Open Source projects, companies should: pay the maintainers; pay them real money; pay for maintenance; and keep paying them.
Professional maintainers: a wake-up call
Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source maintainer has failed to mature from a hobby into a proper profession.
From the Go Blog: Automatic Cipher Suite Ordering in crypto/tls
The Most Backdoor-Looking Bug Iāve Ever Seen
Re-Deriving the edwards25519 Decoding Formulas
Reconstruct Instead of Validating
NaCl Is Not a High-Level API
Registries Considered Harmful
This edition critiques cryptographic registries, advocating for fixed primitives in protocol design.
Replace PGP With an HTTPS Form
DSA Is Past Its Prime
Is X25519 Associative? Sometimes!
OpenSSH 8.2 Just Works with U2F/FIDO2 Security Keys
Hacking together a USB-C charger for a cheap Chromebook
Install Go tools from modules with brew-gomod
New Crypto in Go 1.14
The Linux CSPRNG Is Now Good!
Efficient Go APIs with the mid-stack inliner
A common task in Go API design is returning a byte slice. In this post I will explore some old techniques and a new one. In particular, we'll see how the mid-stack inliner interacts with escape analysis to make it possible for the most natural API to be also the fastest.
Hello World, and OpenPGP Is Broken
Using Ed25519 signing keys for encryption
@Benjojo12 and I are building an encryption tool that will support SSH keys as recipients. For Ed25519 keys that requires converting points between different elliptic curves. Let's see why and how.
A Go implementation of Poly1305 that makes sense
Cryptography code could be understandable if only we commented it. This Poly1305 implementation is an attempt to prove it. It should be readable with just an idea of what MACs are for, a beginner level of Go, and high school math.