TIL: Asymmetric Cryptography in Go

I’ve been implementing a feature at work that involves asymmetric cryptography. It has been a pretty fun exercise in stitching together Go APIs while reading about best practices.

Here’s a few things I’ve learned over the last couple of days:

  • Go’s cryptography isn’t FIPS compliant.

  • Go has an implementation of ECDSA (Elliptic Curve Digital Signature Algorithm), but it doesn’t have any elliptic curve asymmetric encryption algorithms.

    • The best asymmetric algorithm that Go has is RSA

  • Go has an implementation of PEM (Privacy Enhanced Mail) data encoding which can be used to encode public/private in a familiar format. You’ve probably seen this format with SSH keys:

    -----BEGIN PUBLIC KEY-----
MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----

  • The legacy PEM format has support for plaintext headers like so:

    -----BEGIN PUBLIC KEY-----
Data: Some value I don't mind being plaintext

MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----
    • The newer RFC eplicitly doesn’t support headers, though:

      Unlike legacy PEM encoding RFC1421, OpenPGP ASCII armor, and the OpenSSH key file format, textual encoding does not define or permit headers to be encoded alongside the data.

  • Go’s APIs for encrypting, decrypting, signing, and verifying data are quite pleasant to use!

  • When signing data, Go will first have you run that data through a hash algorithm (e.g. SHA256). This actually makes quite a bit of sense, and it helps me better understand why secure hashing is important for cryptography.

  • OWASP (Open Worldwide Application Security Project) has a great section on encryption algorithms which can help guide those less familiar with the specifics of encryption.

  • There are a few algorithms for signing and encryption data with RSA. Go implements PKCS1v15 and OAEP for encryption, and PKCS1v15 and PSS for signing.

While I’m generally not a huge fan of Go, I do think the standard library has some nice packages, and the encryption library is definitely one of them.

Recent posts from blogs that I like

The difference between undefined behavior and ill-formed C++ programs

They are two kinds of undefined-ness, one for runtime and one for compile-time. The post The difference between undefined behavior and ill-formed C++ programs appeared first on The Old New Thing.

via The Old New Thing

This game would be perfect if it wasn't gacha

TL;DR: Zenless Zone Zero is a fantastic game that's ruined by its gacha system. It's a shame that it's a gacha game, because it's so good otherwise. 8/10

via Xe Iaso

Building static binaries with Go on Linux

One of Go's advantages is being able to produce statically-linked binaries [1]. This doesn't mean that Go always produces such binaries by default, however; in some scenarios it requires extra work to make this happen. Specifics here are OS-dependent; here we focus on Unix systems. Basics - hello wo...

via Eli Bendersky
Live in Seattle? Let's grab coffee!
github rss email