Return home.


Security and cryptography are notoriously hard, and I am not claiming to be an expert on these. But on several projects I have used my software engineering experience, a basic understanding of the appropriate maths, and the ability to engage others and work towards a consensus, to adapt security-related software for particular uses.

The most complete case involved extending OpenSSH to work with X509 certificates and Spyrus hardware - keys (and certificates) are stored on a USB dongle and the user does not need to enter a password.


OpenSSH includes support for OpenSSL engines (I can’t find a good link to describe these; they are dynamic modules with a standard API that can be used to delegate cryptographic operations, like signing, to a hardware device). I extended an incomplete Spyrus engine to inter-operate with OpenSSH, both alone and using the X509 patch.


On the server side, an OpenSSH developer was kind enough to provide a patch that allowed access to the HostKey (server key) via PKCS11. I then:


I combined multiple components into a single, functional, solution. This required merging conflicting patches, extending functionality at the level of OpenSSL key methods, and adapting libraries to standard interfaces.

Working on crypto-related code I am always aware of my limitations, try to follow standards at as high a level as possible, check my assumptions, and “report upwards” the need for further validation.