TIL: Asymmetric Cryptography in Go

I’ve been implementing a feature at work that involves asymmetric cryptography. It has been a pretty fun exercise in stitching together Go APIs while reading about best practices.

Here’s a few things I’ve learned over the last couple of days:

  • Go’s cryptography isn’t FIPS compliant.

  • Go has an implementation of ECDSA (Elliptic Curve Digital Signature Algorithm), but it doesn’t have any elliptic curve asymmetric encryption algorithms.

    • The best asymmetric algorithm that Go has is RSA

  • Go has an implementation of PEM (Privacy Enhanced Mail) data encoding which can be used to encode public/private in a familiar format. You’ve probably seen this format with SSH keys:

    -----BEGIN PUBLIC KEY-----
MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----

  • The legacy PEM format has support for plaintext headers like so:

    -----BEGIN PUBLIC KEY-----
Data: Some value I don't mind being plaintext

MIIEpAIBAAKCAQEAuOuUOwNRMbqc0jMEVTOyKuVUu0bk0zD5iwIggBHpDhV58DSJ
SK7OFIFHVMy6FKg2B3Y50srfVJ45OE9Vsb9hfErUNA/PB5meHGEI+yPKeni4GAfy
<and so on>
-----END PUBLIC KEY-----
    • The newer RFC eplicitly doesn’t support headers, though:

      Unlike legacy PEM encoding RFC1421, OpenPGP ASCII armor, and the OpenSSH key file format, textual encoding does not define or permit headers to be encoded alongside the data.

  • Go’s APIs for encrypting, decrypting, signing, and verifying data are quite pleasant to use!

  • When signing data, Go will first have you run that data through a hash algorithm (e.g. SHA256). This actually makes quite a bit of sense, and it helps me better understand why secure hashing is important for cryptography.

  • OWASP (Open Worldwide Application Security Project) has a great section on encryption algorithms which can help guide those less familiar with the specifics of encryption.

  • There are a few algorithms for signing and encryption data with RSA. Go implements PKCS1v15 and OAEP for encryption, and PKCS1v15 and PSS for signing.

While I’m generally not a huge fan of Go, I do think the standard library has some nice packages, and the encryption library is definitely one of them.

Recent posts from blogs that I like

An Introduction to Google’s Approach to AI Agent Security

via Simon Willison

Notes on Cramer's rule

Cramer's rule is a clever solution to the classical system of linear equations Ax=b: \[\begin{bmatrix} a_{11} & a_{12} & a_{13} \\ a_{21} & a_{22} & a_{23} \\ a_{31} & a_{32} & a_{33} \\ \end{bmatrix} \begin{bmatrix}x_1 \\ x_2 \\ x_3\end{bmatrix} = \begin{bmatrix}b_1 \\ b_2 \\ b_3\end{bmatrix}\] Usi...

via Eli Bendersky

Brandjes: Paintings as witnesses to fires 1640-1813

Dramatic paintings of towns and cities on fire, usually at night, were popular during the Dutch Golden Age, and known as brandjes. Examples to well into the 19th century.

via The Eclectic Light Company
Live in Seattle? Let's grab coffee!
github rss email