I am working as a freelance developer, consultant and trainer. Further information here.
krypt is my contribution in order to provide the next level of Ruby cryptography by providing a platform- and library-independent framework similar to Java’s JCE. It is designed as an all-purpose cryptography framework with a modular approach that allows plugging in various implementations of low-level cryptographic primitives in order to provide maximum efficiency, interoperability and security on all major Ruby platforms.
I am a member of the core development team of the Ruby language (“ruby-core”) and I’m the maintainer of the OpenSSL extension which is a part of the Ruby standard library.
Project lead for Electronic Signature Service Infrastructure (ESSI) at Dokumenta of a team of five.
We developed the authentication component of the platform and analyzed requirements and conducted case studies regarding the design of the production platform architecture. Furthermore, we developed the complete redesign of the platform as a SOA architecture exposing REST interfaces that can be consumed by application clients and browsers alike.
Development of an application for managing the European “List of Trusted Lists”.
To optimize communication between client and team, we used Kanban, which increased our efficiency notably. All communication, verbal or written (including technical specification and analysis), was held in English.
Principal security consultant for Electronic Signature Service Infrastructure (ESSI), the European Commission’s service for creation, extension and validation of electronic document signatures complying with the ETSI standards CAdES, XAdES and PAdES.
Among others, my responsibilities were the analysis and selection of the platform’s core components, design of the architecture of the production platform, development of its authentication component as well as a complete redesign of the platform as a SOA architecture exposing REST interfaces to be consumed by application clients and browsers alike.
I was responsible for consulting Commission-internal clients in order to provide them with seamless integration of ESSI into their products.
Lead developer and security/cryptography consultant for several (web) applications dealing with document encryption/signatures, certificate validation and PKI in general as well as low-level interfaces such as PKCS#11, smart cards and HSMs.
Co-inventor of the standard for digitally signing PNG images (dSIG).
Expert for actuarial mathematics and cryptography in PenCom, a web-based actuarial application. I also developed various extensions for the Java EE-based backend and the web frontend.
I won one of the first two Ruby Association Grants for my project krypt, which aims at providing library- and platform-independent cryptography for Ruby.
During the grant period, I developed a DSL for parsing and generating ASN.1 data structures using a modern pull parser technique to provide streaming support with superior performance. krypt runs on CRuby, JRuby and Rubinius; native Java and C parts were developed in parallel.
An extensive RSpec test suite, code coverage and Valgrind integration completed my work.
Developed the import/export workflow for PenCom, a web-based actuarial application.
Activities included creation and validation of XML-based data structures, thread-based scheduling and storing, updating and retrieving data and results in an Oracle database using an in-house ORM layer based on EJB. The final product was integrated into the main application as a Java EE Application Client, interfacing with various external subsystems such as the client mail system, external databases and web services.
I was a freelancer at ITWM during my time at the university. I majored in financial mathematics, and my job was to develop a GUI application for the analysis of stochastic processes simulating financial scenarios for pricing stocks and options.
I also developed and maintained the department’s web site, adding dynamic HTML content scripted with JavaScript, and I helped design the CSS to provide a consistent look and feel.
I am a member of the OASIS DSS-X TC.
I was a mentor for JRuby GSoC 2013 for my project krypt.
Together with Jean-Philippe Aumasson and Daniel J. Bernstein, we developed proof of concepts for an algorithmic complexity attack on general-purpose hash functions; this was published as CVE-2012-5370, CVE-2012-5371, CVE-2012-5372 and CVE-2012-5373. I also provided the SipHash C implementation which was used to patch CRuby.
I was a mentor for JRuby GSoC 2012 for my project krypt.
I developed proof of concepts in C, Java and Ruby for SipHash, a family of pseudo-random functions (PRF) optimized for short inputs.
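The SipHash PRF referred to above is the countermeasure that CRuby adopted against the hash flooding attack mentioned in the entries on this page. The following is an added example in pure Ruby and is not the author's C, Java or Ruby proof of concept: it implements SipHash-2-4 (two compression rounds, four finalization rounds) straight from the published specification and checks it against the reference test vector from the SipHash paper (key 00..0f, message 00..0e, output a129ca6149be45e5). The `keyed_bucket` helper is a hypothetical illustration of how a hash table would use the keyed output so that bucket placement depends on a secret key and is not predictable from the input alone.

```ruby
# SipHash-2-4 in pure Ruby: a 64-bit keyed PRF for short inputs.
# Added example, written from the SipHash specification; not krypt or CRuby code.
MASK64 = 0xFFFF_FFFF_FFFF_FFFF

def rotl64(x, b)
  ((x << b) | (x >> (64 - b))) & MASK64
end

# One SipRound on the four 64-bit state words.
def sipround(v)
  v0, v1, v2, v3 = v
  v0 = (v0 + v1) & MASK64; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32)
  v2 = (v2 + v3) & MASK64; v3 = rotl64(v3, 16); v3 ^= v2
  v0 = (v0 + v3) & MASK64; v3 = rotl64(v3, 21); v3 ^= v0
  v2 = (v2 + v1) & MASK64; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32)
  [v0, v1, v2, v3]
end

# key: 16-byte binary string, msg: arbitrary binary string. Returns a 64-bit Integer.
def siphash24(key, msg, c_rounds: 2, d_rounds: 4)
  raise ArgumentError, "key must be 16 bytes" unless key.bytesize == 16
  k0, k1 = key.unpack("Q<Q<")
  # State initialisation with the constants "somepseudorandomlygeneratedbytes".
  v = [k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
       k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573]
  bytes = msg.bytes
  full = (bytes.length / 8) * 8
  # Absorb each complete 8-byte little-endian word.
  (0...full).step(8) do |i|
    m = bytes[i, 8].pack("C*").unpack1("Q<")
    v[3] ^= m
    c_rounds.times { v = sipround(v) }
    v[0] ^= m
  end
  # Last word: remaining bytes, with the message length mod 256 in the top byte.
  last = (bytes.length & 0xff) << 56
  bytes[full..-1].each_with_index { |b, i| last |= b << (8 * i) }
  v[3] ^= last
  c_rounds.times { v = sipround(v) }
  v[0] ^= last
  # Finalisation.
  v[2] ^= 0xff
  d_rounds.times { v = sipround(v) }
  v[0] ^ v[1] ^ v[2] ^ v[3]
end

def siphash24_hex(key, msg)
  format("%016x", siphash24(key, msg))
end

# Hypothetical hash-table helper: bucket index derived from the keyed PRF, so an
# input's bucket cannot be predicted without the per-process secret key.
def keyed_bucket(key, str, nbuckets)
  siphash24(key, str) % nbuckets
end

if __FILE__ == $PROGRAM_NAME
  key = (0..15).to_a.pack("C*")           # reference key 00 01 .. 0f
  puts siphash24_hex(key, (0..14).to_a.pack("C*"))  # a129ca6149be45e5
  puts siphash24_hex(key, "")                       # 726fdb47dd0e0e31
  other_key = (16..31).to_a.pack("C*")    # constructed second key
  puts keyed_bucket(key, "some-input", 1024)
  puts keyed_bucket(other_key, "some-input", 1024)
end
```

Because the key enters the state before any message byte is absorbed, the same input maps to different buckets under different keys; that property, not merely a randomized seed on a weak hash, is what the hash flooding entries on this page describe as the missing ingredient of the 2011 countermeasure.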
Two-day workshop for applied cryptography with examples using Ruby and Ruby OpenSSL.
How browser cryptography could and hopefully will make an impact in the future.
Presentation of krypt and its underlying provider principle.
Presentation of the current state of affairs regarding cryptography and JavaScript.
Presentation illustrating how to use krypt with JRuby.
Presentation of the current state of affairs regarding cryptography and JavaScript.
Presentation of krypt and its underlying provider principle.
Presentation of krypt and its underlying provider principle.
Co-presentation with Jean-Philippe Aumasson and Daniel J. Bernstein of a hash flooding attack that exploits the algorithmic complexity of the underlying hash function even if the hash function’s seed has been randomized (the officially accepted countermeasure to 2011’s original “hashDoS” attack).
Co-presentation with Jean-Philippe Aumasson of a hash flooding attack that exploits the algorithmic complexity of the underlying hash function even if the hash function’s seed has been randomized (the officially accepted countermeasure to 2011’s original “hashDoS” attack).
Presentation of krypt and FuzzBert (random testing/fuzzing in Ruby). First details about the “HashDoS” exploit that would be presented later at AppSec-Forum ‘12 in Switzerland.
Presentation of krypt and its subprojects binyo (fast binary IO in Ruby) and FuzzBert (random testing/fuzzing in Ruby).
A lightning talk at Railsberry 2012 about krypt, the platform- and library-independent cryptography framework for Ruby, JRuby and Rubinius.
A talk at RubyConf 2011 in New Orleans about my work on the OpenSSL extension and where it would be headed in the future.
If you are interested in the details of my project experience, I’m happy to send you an updated version of my CV including a complete list of all relevant projects that I’ve worked on so far.