TIL: Asymmetric Cryptography in Go

I’ve been implementing a feature at work that involves asymmetric cryptography. It has been a pretty fun exercise in stitching together Go APIs while reading about best practices.

Here’s a few things I’ve learned over the last couple of days:

  • Go’s cryptography isn’t FIPS compliant.

  • Go has an implementation of ECDSA (Elliptic Curve Digital Signature Algorithm), but it doesn’t have any elliptic curve asymmetric encryption algorithms.

    • The best asymmetric algorithm that Go has is RSA

  • Go has an implementation of PEM (Privacy Enhanced Mail) data encoding which can be used to encode public/private in a familiar format. You’ve probably seen this format with SSH keys:

    -----BEGIN PUBLIC KEY-----
MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----

  • The legacy PEM format has support for plaintext headers like so:

    -----BEGIN PUBLIC KEY-----
Data: Some value I don't mind being plaintext

MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----
    • The newer RFC eplicitly doesn’t support headers, though:

      Unlike legacy PEM encoding RFC1421, OpenPGP ASCII armor, and the OpenSSH key file format, textual encoding does not define or permit headers to be encoded alongside the data.

  • Go’s APIs for encrypting, decrypting, signing, and verifying data are quite pleasant to use!

  • When signing data, Go will first have you run that data through a hash algorithm (e.g. SHA256). This actually makes quite a bit of sense, and it helps me better understand why secure hashing is important for cryptography.

  • OWASP (Open Worldwide Application Security Project) has a great section on encryption algorithms which can help guide those less familiar with the specifics of encryption.

  • There are a few algorithms for signing and encryption data with RSA. Go implements PKCS1v15 and OAEP for encryption, and PKCS1v15 and PSS for signing.

While I’m generally not a huge fan of Go, I do think the standard library has some nice packages, and the encryption library is definitely one of them.

Recent posts from blogs that I like

Is there a built-in way in C++/WinRT to get the string name for a Windows Runtime enum?

No, and maybe you don't want to. The post Is there a built-in way in C++/WinRT to get the string name for a Windows Runtime enum? appeared first on The Old New Thing.

via The Old New Thing

Writing MIME, RSS, and existential suffering

I'm trying to get back into streaming regularly, and I decided to break the anti-streak by doing a good old fashioned blogpost writing stream. I broke down the problem, wrote out all the prose, and then published it.

After remembering that you actually have to push commits for them to be live.

via Xe Iaso

Synergy Greg

Synergy Greg would like to see you in His office, You will know Him when you see Him, Multitudinous is Synergy Greg! His handshake grinds the bones of the world, Beneficent is Synergy Greg! His lungs are mighty bellows, Go Team! Get! Shit! Done! He will wait by the sidelines, Any day now. His minion...

via Ludicity
Live in Seattle? Let's grab coffee!
github rss email