Welcome to the latest edition of Illuminated Security news. In this month’s newsletter, we’re going to take a look at JWK Sets, an apparently simple specification for publishing public keys that has some surprisingly subtle gotchas.

Before we get into that, an update on the company. Illuminated Security now has a website with some snazzy branding from the design geniuses at Level. Check out the logotype and brand mark below. I’m busy preparing our first offering, the definitive guide to JSON Web Tokens (and alternatives), which will launch soon. In the meantime, I am also now looking to take on new consulting/advisory gigs, so if you’re looking for an OAuth/OIDC/JWT/AppSec/cryptography expert then give me a shout!

This newsletter's topic is around authentication factors and multi-factor authentication (MFA), and whether these are still relevant concepts to think about in 2023. On the way, I discuss newer technologies like passkeys and how they are pushing even further against these terminological boundaries.

Authentication Factors and MFA

Most developers at some point will have come across the three "factors" used for authentication:

• Something you forgot so you wrote it down on a sticky note (and then lost).

• Something you left at the office.

• Something that's covered in glue/jam/sweat/gloves/sunglasses.

Hello! Welcome to another Illuminated Security newsletter. This week I'm going to tell you a bit about secure random number generation with some benchmarks and pretty graphs.

Cryptography essentially relies on random values. Cryptographic keys must be generated with sufficient entropy to make them hard to guess. But it doesn't end there, because secure encryption and signature algorithms often require the injection of per-message randomness in the form of nonces (numbers-used-once). In this newsletter I'll talk a little bit about how this is done, look at NIST's recommendations in particular, and examine the performance of these compared to alternatives.

PRNGs

A lot can and has been written about how to generate these random values, but in many cases the right answer is to read them from a cryptographically-secure pseudorandom number generator (CSPRNG). On Linux this typically means reading from /dev/urandom or /dev/random or using the getrandom(2) system call.

Welcome to the inaugural Illuminated Security newsletter. I intend to publish this newsletter once or twice a month. Each email will have an in-depth discussion of a single topic in application security or applied cryptography, together with links to stories and articles from the wider community.

Introducing Illuminated Security

I guess as this is the first newsletter, I should say a little about who we are! Illuminated Security is a startup developing online and in-person training courses around application security and modern applied cryptography. We hope to launch our first courses in the next few months. In the meantime, please subscribe to the newsletter to keep informed with our plans.

Using passwords for encryption