Hello,

I am a computer security researcher and software engineer living in Cambridge, UK. My academic interests revolve around cryptographic protocols, anonymity, usable security, and mobile devices. At the moment, I am doing a post-doc at the University of Cambridge. In my previous job I worked on image processing and formats.

Android HKDF implementations

This article discusses several open-source implementations of the HKDF scheme for Android. Since HKDF is a relatively simple algorithm, it allows for a good case study of cryptographic code. The primary audience are applied cryptographers and software engineers working on protocols. Key derivation functions (KDFs) are an important building block for practical protocols. They take as input the input keying material (IKM), an optional salt, and a context string (info). Their output is a pseudorandom key of specified length....

2024-04-23 · 12 min · Daniel

The power of example code

This article argues for the value of example code for software projects. The primary audience are software engineers working on libraries and open-source code. Executable example code is probably the most valuable artifact one can add to projects ranging from single-purpose libraries to larger frameworks. This applies from the API design phase of a library to maintaining them in the long term. The repositories of the Android libraries that I maintain(ed) typically include dedicated sample apps....

2024-02-15 · 5 min · Daniel

Secure remote access to Linux via SSH over Tailscale

This article describes how to securely access a local Linux machine remotely via SSH. The primary audience are engineers and researchers working with dedicated hardware behind a NAT, router, or similar. Researchers often work with dedicated machines that live in the lab or at home. This can be because they need to run experiments which require a lot of compute power or because they need to access hardware that is not available on a cloud server....

2023-04-09 · 6 min · Daniel

Creating a .jar executable in an Android Studio project

This article describes how to add a CLI module to an existing Android Studio project that generates an executable .jar archive. The primary audience are software engineers working on Android. When developing for Android – or other mobile platforms – the change-to-effect latency can be often quite high due to the involved compilation and cross-device communication. The regular unit tests get around this by executing in a VM on the host machine....

2022-09-12 · 3 min · Daniel

Stack diving: getting up to speed in a large codebase

This article describes a technique that helps to become productive in a large code base quickly. When mentoring other engineers, I found this to be a very effective and teachable approach. The primary audience are software engineers and engineering managers. When I joined larger organisations, the on-boarding usually involved some sort of starter task: add a new metric to the dashboard, allow people to add a website URL to their profile, … ....

2022-08-26 · 4 min · Daniel

Using linear programming (GLPK) for scheduling problems

This article is an intermediate-level tutorial on using the GNU Linear Programming Kit (GLPK) to solve a real-world scheduling problem. I wrote it, because I found only few good resources online that show specific solution strategies. This article wants to demystify linear programming and help you to start from a working example. Let’s first visit the problem. Scheduling outings for a rowing club can be tedious – and sometimes quite hard....

2022-03-23 · 7 min · Daniel

Android support for Elliptic Curves (EC) in KeyPairGenerator

This article discusses the support for elliptic curves on Android. Its primary audience are engineers implementing or maintaining cryptographic protocols on Android. It hopefully also shows up as a helpful result when searching for error messages. During a recent cryptography project on Android, I found that only few Elliptic Curves are supported by the built-in key pair generator. The typical error messages I got were along the line of java.security.InvalidAlgorithmParameterException: unknown curve name....

2021-07-10 · 6 min · Daniel

Password hashing on Android

This article explains why password hashing is important and how to do it properly on Android. The primary audience are software engineers working with passwords. Password hashing or password-based key derivation takes a password from the user as input and generates key material as output. This is a helpful thing because many people struggle to memorize 256-bit encryption keys. The standard procedure is to pass the user password through the password hashing function, and then use the derived key for cryptographic operations....

2021-06-14 · 6 min · Daniel

Roll-out phantoms - When results look worse than they are

This article explains an often-overlooked effect that can distort metrics during feature roll-out. The primary audience are software engineers and managers working on infrastructure and libraries. I want to motivate this problem with a fictive scenario: Alex wrote a replacement for an old and inefficient component in their app. It took the team a few weeks to implement and they carefully measured on test devices that it improves all core metrics....

2021-01-12 · 4 min · Daniel

Advanced A/B test concepts

This article explains advanced A/B test concepts. The primary audience are engineers encountering such A/B tests for the first time. A/B tests allow engineers to validate fixes, test for regressions, and measure improvements. In most situations the standard approach is to create a control and a test group of equal size (e.g. both 5%). Users within the test population (e.g. 10%) are then randomly assigned to one of these. However, sometimes more intricate methods can improve the user experience and make deployment safer and more effective....

2021-01-11 · 6 min · Daniel