Late Night Thinking

by Thomas L. Kula

Dear Recruiters

Recruiters, contacting me at my job email is wholly unprofessional and I absolutely refuse to engage with any recruiting company that does this. It’s easy enough to find my personal contact information; do try harder. This brought to you by a recruiter whose entire company will now never even make it to my email inbox.

Cilantro Lime Dipping Sauce

Adapted from this recipe.

1 bunch cilantro leaves and stems, roughly chopped
1 cup plain Greek yogurt
4 cloves garlic
2 oz lime juice
2 oz olive oil
1 jalapeno, seeded and minced
Salt and pepper to taste

Blend everything in a food processor until nice and creamy. Chill. Works well with cilantro-lime chicken.

Cilantro Lime Chicken

Adapted from this recipe.

1 bunch cilantro, roughly chopped
4 cloves garlic
2 oz lime juice
1 oz olive oil
1 tbsp salt
1 tsp chili powder
1 tsp ground cumin
1 tsp onion powder
1/2 tsp smoked paprika
1/2 tsp pepper
1/2 tsp cayenne or chili powder

Consul RPC Mechanism

HashiCorp Consul is a distributed, highly available service which provides service discovery with corresponding health checks, a distributed key/value store, and a service mesh solution, and which can run on a variety of platforms and environments. It is designed so that every node which provides services (things to be registered in service discovery, or that participate in the service mesh) runs a Consul agent, which acts as a sort of intermediary: providing an easy interface for registering services, running local health checks for both services and the node upon which it is running, and acting as a control plane for service mesh components running on that local node, amongst other things.

Terrorist Attack on the US Capitol

Make no mistake, this is a terrorist attack on the United States Capitol. There must be no reconciliation, there is no reconciling this. There must be serious consequences to performing, and inciting, a terrorist attack on our seat of government, all the way up to and including the Executive. If we don’t, next time we won’t get the building back.

ATT Business Fiber and IPv6 Prefix Delegation

Earlier this week I had ATT Business fiber installed in the new apartment. This building was gutted and rebuilt in the mid-2010s, so there was already ATT UVerse fiber in the utility closet. Installation was fairly trivial; the technician showed up with a gateway (looks like a BGW210-700). Four Ethernet ports on the back, one port which goes to the PON (the thing already screwed on the wall with the fiber going into it), and power.

HKDF Salt in Key Expansion

This weekend I made another addition to age-pkcs11, to follow best practices for HKDF key expansion from the shared secret at the core of the program. I’d been wanting to do this for a while, after reviewing some stuff I wrote about age and looking at the new V1 API there. If you recall back in June when I went into detail on the X25519 cryptography in Age, near the end Age builds up a salt which, when combined with a label and supplied to the HKDF function, ties the derived key to a specific context.

X25519 Encryption in Age

I’ve been dealing a lot with the age encryption protocol lately, and had a rough idea of how the scheme worked, but I finally wanted to sit down and work it out until it actually made sense. As background, we have two parties. First, we have the sender, someone who wants to encrypt and send a file. We denote that party as U. Second, we have the recipient, who will receive that file and be able to decrypt it.

Age Encryption with PKCS11 tokens update, again

I came across this pull request in rage, the Rust implementation of age. There’s been some discussion of building a plugin system for age, and the rage implementer has started work for using a PIV device to store an age-compatible key. When the plugin system for age is decided, this will likely be the first implementation. Looking at it, parts of it are remarkably similar to what I came up with, which is reassuring to me, as I was at least heading down a similar path.

Age Encryption with PKCS11 tokens update

My code to use age encryption with a PKCS11 token has drastically improved in the past couple days. Fewer things hardcoded, although it still assumes you have a NIST P-256 curve on both sides of the exchange. But it derives a shared secret, passes that through an HKDF to make it a reliable key, and can output an age-formatted private or public key. It’s rapidly approaching rough usability. Some TODO items remain: