Filippo Valsorda


Go Assembly Mutation Testing

Test coverage of delicate Go cryptographic assembly through a new mutation testing framework.

Encrypting Files with Passkeys and age

Encrypting files with passkeys, using the WebAuthn prf extension and the TypeScript age implementation.

You Should Run a Certificate Transparency Log

Maybe you, yes you, should run a Certificate Transparency log. It’s cheaper, easier, and more important than ever.

Benchmarking RSA Key Generation

RSA key generation is conceptually simple, but extremely tricky. Even benchmarking involves math: we generated a stable but representative "average case" instead of using the ordinary statistical approach.

frood, an Alpine initramfs NAS

My NAS is just one big initramfs containing a whole Alpine Linux system. It’s delightful. Here's why and how.

Accumulated Test Vectors

Accumulated test vectors make it possible to run large sets of random known-answer tests without checking in large assets.

The FIPS Compliance of HKDF

The FIPS compliance of HKDF is a somewhat confusing and controversial topic, partially because the normative reference is split over at least four separate documents, but in practice it’s approved for almost any purpose.

Let’s All Agree to Use Seeds as ML-KEM Keys

ML-KEM private key seeds are vastly preferable to expanded decapsulation keys as a storage format. A plea to standardize on them.

age Plugins

The age plugin system allows integrating third-party recipient types at the CLI level. A new framework makes it easy to implement plugins.

Geomys, a blueprint for a sustainable open source maintenance firm

Announcing Geomys, a small firm of professional maintainers with a portfolio of critical Go projects.

XAES-256-GCM

XAES-256-GCM is a new AEAD extended-nonce algorithm designed for high-level APIs and FIPS 140 compliance.

My Maintenance Policy

A short document describing how I maintain open source projects. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations.

PINs for Cryptography with Hardware Secure Elements

Hardware secure elements make it possible to use low-entropy secrets like PINs for encryption.

Post-quantum Cryptography for the Go Ecosystem

filippo.io/mlkem768 is a pure-Go implementation of the post-quantum key exchange mechanism ML-KEM-768 optimized for correctness and readability.

Enough Polynomials and Linear Algebra to Implement Kyber

How much linear algebra and polynomials do you need to know to implement Kyber? Turns out, very little!

Why We Don’t Generate Elliptic Curves Every Day

Elliptic curves are standardized, instead of being generated like Diffie-Hellman parameters. There are good reasons!

Announcing the $12k NIST Elliptic Curves Seeds Bounty

Announcing a $12,288 bounty (tripled to charity) for cracking the five seeds selected by the NSA in the '90s for the NIST elliptic curve standard.

I want XAES-256-GCM/11

I want the extended-nonce 256-bit reduced-rounds XAES-256-GCM/11 AEAD. It has infinitely randomizable nonces, a comfortable margin of multi-user security, and nearly the same performance as AES-128-GCM. Only issue is that it doesn’t exist.

A Cryptographic Near Miss

A recent issue in scalar multiplication makes for a good case study of how unsafe interfaces, undocumented assumptions, and time lead to vulnerabilities.

Planning Go 1.21 Cryptography Work

Go 1.20 was a big release. Go 1.21 has some exciting API work on crypto/tls, and some follow-up work including crypto/rsa performance.

Avoid The Randomness From The Sky

Protocols that use randomness should make it a deterministic function that takes a fixed-size string of random bytes, so it can be tested.

I’m Now a Full-Time Professional Open Source Maintainer

It works! I am now a full-time independent open-source maintainer. I'm announcing my first cohort of six clients, and sharing some details of how the model works.

ssh whoami.filippo.io

I updated the whoami.filippo.io dataset! I explain how it works, and how I fetched the new data.

Go 1.20 Cryptography

A lot of new cryptography is landing in Go 1.20, including the new crypto/ecdh package and math/big-less RSA and ECDSA backends!

My age+YubiKeys Password Management Solution

A description of my password management solution based on passage, a fork of pass that uses age, and YubiKeys. Its main feature is resisting post-compromise exfiltration.

A GC-Friendly Go Interning Cache

Go 1.20 is adding an interning cache for reused certificates. The entries are reference-counted with the help of the garbage collector and finalizers.

Why Did the OpenSSL Punycode Vulnerability Happen

We look at how fuzzing should have caught the OpenSSL Punycode vulnerability, and why that code was even necessary in the first place.

The Reciprocal Value of Access to Maintainers

Having a direct line to the maintainers of an Open Source project is reciprocally valuable, and made possible by high-touch contractual relationships.

age and Authenticated Encryption

age currently only provides confidentiality. We look at how a couple of small tweaks can introduce authentication, when you'd need it, and how it is different from signing.

Planning Go 1.20 Cryptography Work

My plans for Go 1.20 include landing the crypto/ecdh package, making progress on moving math/big out of the security perimeter, and a batch of crypto/tls work.

A Wide Reduction Trick

We look into a neat trick that allowed replacing the last bit of unreadable edwards25519 code, and learn about the structure and lineage of ECC implementations.

KEMs and Post-Quantum age

NIST selected a post-quantum cryptographic KEM. We look at how it works and how we can use it for file encryption with age.

How to pay professional maintainers

To successfully fund Open Source projects, companies should: pay the maintainers; pay them real money; pay for maintenance; and keep paying them.

Professional maintainers: a wake-up call

Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source maintainer has failed to mature from a hobby into a proper profession.

From the Go Blog: Automatic Cipher Suite Ordering in crypto/tls

The Most Backdoor-Looking Bug I’ve Ever Seen

Re-Deriving the edwards25519 Decoding Formulas

Reconstruct Instead of Validating

NaCl Is Not a High-Level API

Registries Considered Harmful

This edition critiques cryptographic registries, advocating for fixed primitives in protocol design.

Replace PGP With an HTTPS Form

DSA Is Past Its Prime

Is X25519 Associative? Sometimes!

OpenSSH 8.2 Just Works with U2F/FIDO2 Security Keys

Hacking together a USB-C charger for a cheap Chromebook

Install Go tools from modules with brew-gomod

New Crypto in Go 1.14

The Linux CSPRNG Is Now Good!

Efficient Go APIs with the mid-stack inliner

A common task in Go API design is returning a byte slice. In this post I will explore some old techniques and a new one. In particular, we'll see how the mid-stack inliner interacts with escape analysis to make it possible for the most natural API to be also the fastest.

Hello World, and OpenPGP Is Broken

Using Ed25519 signing keys for encryption

@Benjojo12 and I are building an encryption tool that will support SSH keys as recipients. For Ed25519 keys that requires converting points between different elliptic curves. Let's see why and how.

A Go implementation of Poly1305 that makes sense

Cryptography code could be understandable if only we commented it. This Poly1305 implementation is an attempt to prove it. It should be readable with just an idea of what MACs are for, a beginner level of Go, and high school math.

mkcert: valid HTTPS certificates for localhost

Touch-to-operate password-store with YubiKey 4

Making a Gmail bot with Apps Script and TypeScript

Easy Windows and Linux cross-compilers for macOS

Live streaming Cryptopals

The scrypt parameters

We need to talk about Session Tickets

A secure captive portal browser with automatic DNS detection

Playing with kernel TLS in Linux 4.13 and Go

restic cryptography

rustgo: calling Rust from Go with near-zero overhead

Cleaning up my GOPATH with Homebrew

Reproducing Go binaries byte-by-byte

Setting a custom FileVault (macOS FDE) passphrase

Finding Ticketbleed

Go Time #32 - Hellogopher, whosthere?

TLS 1.3 at 33c3

How to protect yourself from the WebEx extension

So you want to expose Go on the Internet

I'm giving up on PGP

TLS nonce-nse

An overview of TLS 1.3

So I lost my OpenBSD FDE password

The complete guide to Go net/http timeouts

Securing a travel iPhone

Analyzing Go Vendoring with BigQuery

git fixup: --amend for older commits

Stale GOROOT and gorebuild

Untrusting an intermediate CA on OS X

Self-host analytics for better privacy and accuracy

vendorcheck: the simplest Go static analysis tool

"LuckyMinus20": Yet Another Padding Oracle in OpenSSL CBC Cipher Suites

Shrink your Go binaries with this one weird trick

Understanding Metrics in the Age of the TSDB

Technical notes: mixing speaker and slides recording with FFmpeg

Coverage for end-to-end tests of Go programs

Bleichenbacher'06 signature forgery in python-rsa

Most Go tools now work with GO15VENDOREXPERIMENT

SSLv2 redux: patching Go crypto/tls to work with IE6

"Automated Testing with go-fuzz" @ GothamGo

Creative foot-shooting with Go RWMutex

Building Python modules with Go 1.5

DNS parser, meet Go fuzzer

A deep look at CVE-2015-5477

ssh whoami.filippo.io

Quick and dirty annotations for Go stack traces

Technical notes: convert a partition image to a bootable disk image

Setting Go variables at compile time

Go has a debugger—and it's awesome!

How Plex is doing HTTPS for all its users

Logjam explained

The unofficial Chrome SHA1 deprecation FAQ

The sad state of SMTP encryption

Komodia/Superfish SSL Validation is broken

Make your own Superfish infected VM

So I lost my NAS password

scrypt all the things!

PSA: enable automatic updates. Please.

"The Heartbleed Test" @ OWASP / NYU Poly

Salt & Pepper, please: a note on password storage

On Keybase.io and encrypted private key uploading

Why Go is elegant and makes my code elegant

My remote shell session setup

Native scrolling and iTerm2

How the new Gmail image proxy works and what this means for you

The ECB Penguin