TIL: Asymmetric Cryptography in Go

I’ve been implementing a feature at work that involves asymmetric cryptography. It has been a pretty fun exercise in stitching together Go APIs while reading about best practices.

Here’s a few things I’ve learned over the last couple of days:

  • Go’s cryptography isn’t FIPS compliant.

  • Go has an implementation of ECDSA (Elliptic Curve Digital Signature Algorithm), but it doesn’t have any elliptic curve asymmetric encryption algorithms.

    • The best asymmetric algorithm that Go has is RSA
  • Go has an implementation of PEM (Privacy Enhanced Mail) data encoding which can be used to encode public/private in a familiar format. You’ve probably seen this format with SSH keys:

    -----BEGIN PUBLIC KEY-----
    MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
    SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
    <and so on>
    -----END PUBLIC KEY-----
    
  • The legacy PEM format has support for plaintext headers like so:

    -----BEGIN PUBLIC KEY-----
    Data: Some value I don't mind being plaintext
    
    MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
    SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
    <and so on>
    -----END PUBLIC KEY-----
    
    • The newer RFC eplicitly doesn’t support headers, though:

      Unlike legacy PEM encoding RFC1421, OpenPGP ASCII armor, and the OpenSSH key file format, textual encoding does not define or permit headers to be encoded alongside the data.

  • Go’s APIs for encrypting, decrypting, signing, and verifying data are quite pleasant to use!

  • When signing data, Go will first have you run that data through a hash algorithm (e.g. SHA256). This actually makes quite a bit of sense, and it helps me better understand why secure hashing is important for cryptography.

  • OWASP (Open Worldwide Application Security Project) has a great section on encryption algorithms which can help guide those less familiar with the specifics of encryption.

  • There are a few algorithms for signing and encryption data with RSA. Go implements PKCS1v15 and OAEP for encryption, and PKCS1v15 and PSS for signing.

While I’m generally not a huge fan of Go, I do think the standard library has some nice packages, and the encryption library is definitely one of them.

Recent posts from blogs that I like

How do I produce a Windows Runtime asynchronous activity from C++/WinRT?

Somebody that deals with them natively. The post How do I produce a Windows Runtime asynchronous activity from C++/WinRT? appeared first on The Old New Thing.

via The Old New Thing

On Burnout, Mental Health, And Not Being Okay

This blog did so many hits last week that the host platform experienced timeouts. I've been invited onto podcasts, and offered both small technical projects and journalism work, of all things. It was a crazy time. But the internet moves on, as it always does, and I am left, as we all always are, to ...

via Ludicity

"No way to prevent this" say users of only language where this regularly happens

In the hours following the release of CVE-2024-6387 for the project OpenSSH, site reliability workers and systems administrators scrambled to desperately rebuild and patch all their systems to fix a combination of memory unsafety and glibc's creative decisions in signal handler implementation logic...

via Xe Iaso