Earlier this week I had ATT Business fiber installed in the new apartment. This building was gutted and rebuilt in the mid-2010s, so there was already ATT UVerse fiber in the utility closet. Installation was fairly trivial; the technician showed up with a gateway (looks like a BGW210-700). Four ethernet ports on the back, one port which goes to the PON (the thing already screwed on the wall with the fiber going into it), and power.
This weekend I made another addition to age-pkcs11, to follow best practices for HKDF key expansion from the shared secret at the core of the program. I’d been wanting to do this for a while, after reviewing some stuff I wrote about age and looking at the new V1 API there.
If you recall, back in June I went into detail on the X25519 cryptography in Age; near the end, Age builds up a salt which, when combined with a label and supplied to the HKDF function, ties the derived key to a specific context.
I’ve been dealing a lot with the age encryption protocol lately, and had a rough idea of how the scheme worked, but I finally wanted to sit down and work it out until it actually made sense.
As background, we have two parties. First, we have the sender, someone who wants to encrypt and send a file. We denote that party as U. Second, we have the recipient, who will receive that file and be able to decrypt it.
I came across this pull request in rage, the Rust implementation of age. There’s been some discussion of building a plugin system for age, and the rage implementer has started work for using a PIV device to store an age-compatible key. When the plugin system for age is decided, this will likely be the first implementation.
Looking at it, parts of it are remarkably similar to what I came up with, which is reassuring to me, as I was at least heading down a similar path.
My code to use age encryption with a PKCS11 token has drastically improved in the past couple days. Fewer things hardcoded, although it still assumes you have a NIST P-256 curve on both sides of the exchange. But it derives a shared secret, passes that through an HKDF to make it a reliable key, and can output an age-formatted private or public key. It’s rapidly approaching rough usability.
Some TODO items remain:
I’ve got a handful of the sub-50 Euro USB-based HSM tokens, the Smartcard-HSM 4K and the Nitrokey HSM. I’ve also started using age encryption for file encryption.
I’d like to merge the two. Using a PKCS11 token is something (reluctantly) on the age wishlist, but I got bored this weekend and decided to poke at it.
The stock AGE key, if you’re not deriving it from something like an SSH key or typing in a password, is an X25519 key, which none of my tokens support.
Update https://blacklivesmatter.carrd.co/
There’s a lot of shit going on in the world right now, and everything I have to say about it right now is over on my Twitter, because
Frankly, 280 characters at a time is about all I can deal with right now; and
My voice is not the one that needs amplifying or listening to, seek out Black voices.
For a personal project I really need to write up, I’m using the HashiCorp Vault Agent to auto authenticate to AWS and write out some dynamic creds; for my use case I don’t have any need for the resultant Vault token outside of the Agent.
I quickly ran into an outstanding issue trying to do that, in that you had to do something with the token; either write it out, or have the Agent act as a local cache for Vault queries.
My long weekend project was to finally get around to moving my website from 1997 to something a little more contemporary. I’ve been following Hugo for some time now and finally bit the bullet. I started reading in depth, but got much further when I just picked a theme, made a site and just started trying to add stuff, figuring out things as I went along.
Moving my old pyblosxom content was relatively easy, and the other static content was trivial.
My husband and I just finished watching Into the Night, the Belgian sci-fi series which recently came out on Netflix. I want to say we were rage watching it, although once it finished I realized that it's very similar to 10 Cloverfield Lane in that I loved the story and want to watch it again, but some of the execution left me enraged. I would have completely changed the ending, however.