1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
I strive to develop reliable and maintainable software,
with an eye toward improving the tools of our craft.
* Experience
** 2014 – present: software engineer at Airbus CyberSecurity
*** Research
I took part in the [[https://paclido.fr][PACLIDO project]], a French government-funded project
gathering industrial and academic partners in order to design and
implement *lightweight authenticated encryption algorithms* and
protocols.
During the course of this project,
- I implemented the reference version of Lilliput-AE, our submission
to the [[https://csrc.nist.gov/projects/lightweight-cryptography][NIST Lightweight Cryptography Standardization Process]].
- I described this implementation in [[https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/LILLIPUT-AE-spec.pdf][the algorithm's specification
document]], comparing its performance to that of Ascon and ACORN, the
lightweight winners of the [[https://competitions.cr.yp.to/caesar-submissions.html][CAESAR competition]].
- I extended the [[https://www.cryptolux.org/index.php/FELICS][FELICS]] benchmarking framework to support AEAD
algorithms; we [[https://gitlab.inria.fr/minier/felics-ae/][published this fork]] and presented these improvements
at the [[https://csrc.nist.gov/CSRC/media/Presentations/felics-ae-a-framework-to-benchmark-lightweight/images-media/session3-huynh-felics-ae.pdf][NIST LWC Workshop 2019]].
- I developed optimized software implementations for Lilliput-AE on
the 16-bit MSP430 platform.
*** Industrial development
For four years, I helped develop a network monitoring appliance. My
main role was *maintaining the codebase* for an in-house rule-matching
engine: designing and implementing features, fixing bugs… Over the
course of the project, I took part in many other activities:
- I helped our project transition from manual software packaging to
full-blown continuous integration,
- I contributed extensively to our integration test suite,
- I studied some mechanisms to improve the system's security (Secure
Boot, TPMs) and helped implement others (LXC containers).
- I reviewed all uses of cryptography in the system as part of our
security certification process; this allowed me to get a good grasp
of how filesystem encryption, VPNs, webservers, and repository
authentication are configured in a free software distribution.
- I supported our license team in assessing our use of free and open
source software.
** 2014 (6 months): internship at Airbus CyberSecurity
I extended an *Intrusion Detection System to authenticate and decrypt
its ruleset using a Hardware Security Module*. This was a very
informative foray into the world of cryptographic APIs, such as:
- the [[https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html][PKCS#11]] standard to communicate with hardware tokens,
- the [[https://tools.ietf.org/html/rfc2315][PKCS#7]] format, and its successor [[https://tools.ietf.org/html/rfc5652][CMS]], to serialize encrypted and
authenticated messages,
- the [[https://tools.ietf.org/html/rfc5280][X.509]] standard to understand how PKIs work and how to process
certificates,
- the [[http://luca.ntop.org/Teaching/Appunti/asn1.html][ASN.1]] format to reverse-engineer cryptic HSM errors, such as
ECDSA signatures lacking the [[https://www.cryptsoft.com/pkcs11doc/v220/group__SEC__12__3__1__EC__SIGNATURES.html][zero-padding expected in PKCS#11]],
- [[https://www.openssl.org/][OpenSSL]], to setup PKIs, [[https://stackoverflow.com/a/23422301/1503371][encrypt and sign rulesets, and generate CSRs
for keys stored securely on a hardware token]].
** 2013 (4 months): internship at LIRIS laboratory
I studied two protocols for anonymous communication:
- [[https://dedis.cs.yale.edu/dissent/][Dissent]] :: "accountable anonymous group communication",
- [[https://hal.inria.fr/hal-00945795][RAC]] :: "freerider-resilent, scalable, anonymous communication"
([[https://web.archive.org/web/20131018000154/http://www.temple.edu/cis/icdcs2013/data/5000a520.pdf][paper]]).
The goal was to instrument Dissent's implementation to assess its
performance, then to implement and benchmark RAC in order to validate
the theoretical results presented in its specification.
While four months proved too short for me to obtain comparable figures
for both protocols, I appreciated the opportunity to dive into the
guts of secure communication protocols.
|
