Daniel Hugenroth

Scalable verifiability for supply chain security

Sat, 17 Jan 2026 00:00:00 +0000

This article discusses approaches for making supply chains verifiable and secure. The primary audience are developers working on build pipelines and dev ops engineers. It is cross-posted from the Light Squares blog.

Modern supply chain security needs scalable verifiability

Modern software supply chains are complex. Dependency trees of modern software often contain thousands of packages across multiple ecosystems. This makes it challenging for any developer team to fully understand exactly what code is going into their build.

Android HKDF implementations

Tue, 23 Apr 2024 00:00:00 +0000

This article discusses several open-source implementations of the HKDF scheme for Android. Since HKDF is a relatively simple algorithm, it allows for a good case study of cryptographic code. The primary audience are applied cryptographers and software engineers working on protocols.

Key derivation functions (KDFs) are an important building block for practical protocols. They take as input the input keying material (IKM), an optional salt, and a context string (info). Their output is a pseudorandom key of specified length. For most variants we can assume that the resulting key material is indistinguishable from random which makes it easily usable as input for other cryptographic algorithms. Below is a typical example.

The power of example code

Thu, 15 Feb 2024 00:00:00 +0000

This article argues for the value of example code for software projects. The primary audience are software engineers working on libraries and open-source code.

Executable example code is probably the most valuable artifact one can add to projects ranging from single-purpose libraries to larger frameworks. This applies from the API design phase of a library to maintaining them in the long term. The repositories of the Android libraries that I maintain(ed) typically include dedicated sample apps. For example, the sample app for the Sloth library or the sample app for the Spectrum library.

Secure remote access to Linux via SSH over Tailscale

Sun, 09 Apr 2023 00:00:00 +0000

This article describes how to securely access a local Linux machine remotely via SSH. The primary audience are engineers and researchers working with dedicated hardware behind a NAT, router, or similar.

Researchers often work with dedicated machines that live in the lab or at home. This can be because they need to run experiments which require a lot of compute power or because they need to access hardware that is not available on a cloud server. Since these machines typically do not have public IP addresses, accessing them remotely can seem tricky. When a lab mate asked me, “how can I access my computer at home”, I failed to find a good online resource that describes how to do this in a convenient and secure manner. That’s why I decided to write this quick tutorial.

Creating a .jar executable in an Android Studio project

Mon, 12 Sep 2022 00:00:00 +0000

This article describes how to add a CLI module to an existing Android Studio project that generates an executable .jar archive. The primary audience are software engineers working on Android.

When developing for Android – or other mobile platforms – the change-to-effect latency can be often quite high due to the involved compilation and cross-device communication. The regular unit tests get around this by executing in a VM on the host machine. However, they can be inflexible when it comes to incorporating larger (binary) assets to test against. Also, they do not lend themself to facilitate long fuzzing session or interactive usage.

Stack diving: getting up to speed in a large codebase

Fri, 26 Aug 2022 00:00:00 +0000

This article describes a technique that helps to become productive in a large code base quickly. When mentoring other engineers, I found this to be a very effective and teachable approach. The primary audience are software engineers and engineering managers.

When I joined larger organisations, the on-boarding usually involved some sort of starter task: add a new metric to the dashboard, allow people to add a website URL to their profile, … . They are a great idea, but often new engineers struggle to make progress – paralysed by the complexity of the code base. Most are start working on a small subset (e.g. do front-end changes first) before understanding the big picture. This not only applies to junior engineers, the same is true for software veterans switching to a new company and auditors parachuting into a short-term project.

Using linear programming (GLPK) for scheduling problems

Wed, 23 Mar 2022 00:00:00 +0000

This article is an intermediate-level tutorial on using the GNU Linear Programming Kit (GLPK) to solve a real-world scheduling problem. I wrote it, because I found only few good resources online that show specific solution strategies. This article wants to demystify linear programming and help you to start from a working example.

Let’s first visit the problem. Scheduling outings for a rowing club can be tedious – and sometimes quite hard. Given a list of squad members and their availabilities, we want to create outings with exactly 1 coach, 1 cox, and 4 people for each side of the boat (bow/stroke). Rowing is sometimes duped the “ultimate team sport”, because even one missing person means that the entire crew cannot go out. When faced with this challenge during term break where many people are only available sporadically, I gave up after trying to do so manually and resorted to automating it. In turn, this allowed me to do more “bespoke” scheduling where I could offer everyone to provide fine-grained availability and preferences.

Android support for Elliptic Curves (EC) in KeyPairGenerator

Sat, 10 Jul 2021 00:00:00 +0000

This article discusses the support for elliptic curves on Android. Its primary audience are engineers implementing or maintaining cryptographic protocols on Android. It hopefully also shows up as a helpful result when searching for error messages.

During a recent cryptography project on Android, I found that only few Elliptic Curves are supported by the built-in key pair generator. The typical error messages I got were along the line of java.security.InvalidAlgorithmParameterException: unknown curve name. Neither the official documentation nor any other online resource has a helpful list of the curves that I could use. Therefore, I decided to do a quick inventory and summarize the results here. In many places I link directly to the underlying source code. I hope this post helps next engineer to better understand exceptions like the following one:

Password hashing on Android

Mon, 14 Jun 2021 00:00:00 +0000

This article explains why password hashing is important and how to do it properly on Android. The primary audience are software engineers working with passwords.

Password hashing or password-based key derivation takes a password from the user as input and generates key material as output. This is a helpful thing because many people struggle to memorize 256-bit encryption keys. The standard procedure is to pass the user password through the password hashing function, and then use the derived key for cryptographic operations. These operations can be symmetrical encryption/decryption of files or the generation of login tokens.

Roll-out phantoms - When results look worse than they are

Tue, 12 Jan 2021 00:00:00 +0000

This article explains an often-overlooked effect that can distort metrics during feature roll-out. The primary audience are software engineers and managers working on infrastructure and libraries.

I want to motivate this problem with a fictive scenario: Alex wrote a replacement for an old and inefficient component in their app. It took the team a few weeks to implement and they carefully measured on test devices that it improves all core metrics. It is faster, uses less memory, all the good stuff. Following procedure, Alex’s new code is bundled with the next release and they open it to 1% for an A/B test.

Advanced A/B test concepts

Mon, 11 Jan 2021 00:00:00 +0000

This article explains advanced A/B test concepts. The primary audience are engineers encountering such A/B tests for the first time.

A/B tests allow engineers to validate fixes, test for regressions, and measure improvements. In most situations the standard approach is to create a control and a test group of equal size (e.g. both 5%). Users within the test population (e.g. 10%) are then randomly assigned to one of these. However, sometimes more intricate methods can improve the user experience and make deployment safer and more effective.

Software survivability: maintainable code is not enough

Tue, 24 Nov 2020 00:00:00 +0000

This article discusses how long-term survival rate of internal software projects can be improved. The primary audience are senior software engineers and engineering managers working in medium to large organizations.

When searching for “maintainable software”, many articles ([1], [2], [3]) focus on good coding practices. And certainly, good naming conventions, readable code, continuous integration, unit testing, … are all very important. However, I feel that many discussions implicitly assume a caring person who is motivated and capable to take care of the required maintenance indefinitely. I found that this is often not the case. In a larger organization with considerable churn and regular changes in direction, it quickly happens that projects, which were once a great success, quickly fall between the cracks.

Drawing in Python

Sun, 23 Aug 2020 00:00:00 +0000

This article shares experiences with Python drawing libraries that I was missing when I started. The primary audience are software engineers who are looking for the tool for simple graphics.

In 2020 the pandemic disrupted life. This included the cancellation of the traditional May Bumps rowing race that happens in Cambridge every year. Therefore, a group of rowing enthusiasts got together and organised a decentralized running event called Virtual May Bumps. It’s been a great success in bringing the community together (while being apart) and raising almost £6000 for charity.

Projects and papers

Mon, 01 Jan 0001 00:00:00 +0000

Here I collect recent projects and papers. Most projects stem from work in the industry or were part of my PhD. I enjoy specialised, under-explored, and niche areas while keeping an eye on the final product. Few things get me more excited than tackling challenging technical problems that result in large impact. You find many open-source projects on my [GitHub profile](https://github.com/lambdapioneer/) and full list of academic publications on [Google Scholar](https://scholar.google.com/citations?user=NCrUPQwAAAAJ).

Say hi 👋

Mon, 01 Jan 0001 00:00:00 +0000

You can get in contact with me via the mail below. I can potentially help with short-term consulting engagements related to my research areas: mobile security, protocol design, and applied cryptography. Also, I am always keen to learn about new resarch and opportunities for collaboration.