cd ..

Distributed Cryptographic Signing Platform

Architecture: Multi-language microservices + Serverless | Role: Systems / Security Engineering | Pattern: Byte-level cryptographic parity across runtimes
Go Node.js Google Cloud Functions Cloud Run Password-Based Key Derivation (PBKDF) AES Symmetric Encryption (CBC) HMAC Payload Signing ECDSA P-256 Docker Cloudflare Workers

Certain security-critical systems require a cryptographic token to authenticate every API request. This token is not a simple JWT — it is a multi-step cryptographic construct that involves key derivation, symmetric encryption, HMAC signing, and device fingerprinting, all assembled in a specific byte-order that must be reproduced exactly.

I implemented this undocumented proprietary authentication protocol to byte-level precision, rebuilding it as a distributed platform of production microservices across Go, Node.js, and Google Cloud Functions — all verified to produce identical output for identical input.

2,000+ Test Vectors Passing
100% Cross-Runtime Parity
3 Runtimes (Go/Node/GCF)
0 External Dependencies (Go)
< 1ms Token Generation Time

The Cryptographic Algorithm

The token construction is a four-stage pipeline. Each stage must be reproduced with byte-exact fidelity — a single misaligned padding byte or wrong truncation length produces an authentication failure with no diagnostic detail from the upstream service.

The pipeline stages are: (1) password-based key derivation — a device-bound secret is transformed into a symmetric key via a multi-round PBKDF; (2) payload integrity signing — an HMAC is computed over the payload and truncated to a compact fixed length as a MAC prefix; (3) symmetric encryption — the payload is encrypted with a random IV in CBC mode with standard block padding; (4) binary serialization — a versioned format prefix, the MAC, the IV, and the ciphertext are concatenated and Base64-encoded for transport.

The most challenging constraint is that the truncated MAC length and the key derivation parameters are not independently configurable — they are fixed by the platform's specification and must be matched exactly. Being "approximately right" produces a silent authentication failure every time.

The Platform Architecture

Rather than a monolith, I built the platform as a cluster of specialized microservices, each independently deployable and verifiable against the same test vector suite.

Token Generator (Go Microservice)

RESTful API implemented in pure Go with zero external dependencies. Docker-containerized with NGINX reverse proxy. Batch endpoint supports up to 100 concurrent token generations. Health check endpoint for orchestration integration.

Serverless Token Function (GCP)

Node.js Cloud Function deployed to Google Cloud Run. Identical algorithm, optimized for serverless cold-start. Handles content-encoding compatibility requirements specific to the upstream API. Supports multiple operational modes for efficiency.

Signing Proxy (Cloudflare Worker)

A stateless Cloudflare Worker that sits between the client and the signing API. Injects the signing API key server-side so the client application never holds it. Supports country normalization for global region routing. Request logging with sensitive field masking.

Device Profile Generator

Companion service generating the device fingerprints fed into token derivation. Covers major global markets and device categories, with per-device cryptographic keypair generation. Deterministic generation via a NIST-compliant DRBG — the same seed always produces the same device.

Cross-Runtime Parity Testing

A single test vector is a known input–output pair. A parity suite is 2,000 of them, run against every implementation simultaneously. If any implementation deviates by even a single byte, it fails the suite. This was the engineering discipline that made the platform reliable.

Pipeline Stage Go Node.js (GCF) Notes
Key Derivation Password-based, device-bound, multi-round
Payload Integrity (MAC) Truncated fixed-length prefix per spec
Symmetric Encryption CBC mode, random IV, standard block padding
Binary Serialization Versioned format prefix + Base64 transport encoding
Content Encoding Compatibility N/A GCF path applies compression header normalization

The API Key Isolation Pattern

A naive implementation of this system would embed the signing API key in the client application — where it can be extracted from memory, network traffic, or decompiled binaries. Instead, I implemented a signing proxy pattern on Cloudflare Workers.

Pattern: The client sends its own application key (X-App-Key header) to identify itself. The Cloudflare Worker validates it, strips it, appends the signing API key from an environment secret, and forwards the request. The client never sees the signing key. Cloudflare's edge network handles TLS termination, so the key is only present in the Worker's encrypted environment variables.

The proxy also implements regional identifier normalization — translating client-supplied locale codes into the format the upstream API expects, abstracting geographic routing conventions from the client entirely.

Authentication Protocol Implementation

Building this platform required a complete analysis of the target protocol across multiple authentication flows. This was accomplished through network traffic analysis and static binary analysis, then cross-referenced against known cryptographic algorithm implementations to validate correctness.

OAuth 2.0 + PKCE Flow

The authentication system uses OAuth 2.0 with PKCE (Proof Key for Code Exchange). I mapped the complete flow — code challenge generation, authorization URL construction, token exchange, and refresh — then built three independent implementations in different languages and verified that all three produce valid authentication sessions.

ECDSA P-256 Request Signing

After authentication, each API request is authenticated using asymmetric digital signatures (ECDSA P-256 / SHA-256). The signing input is canonicalized from request components per the platform's specification. The signing algorithm was mapped from static binary analysis and validated against live traffic captures.

Device Identity & Client Attestation

The platform derives a stable, deterministic client identity from device hardware characteristics using a standardized encoding process. The device generator service produces profiles that satisfy the platform's identity and attestation requirements.

Engineering Takeaways

This project forced precision at a level most application development does not demand. A single off-by-one in a key derivation iteration count, a wrong padding mode, or a missing byte in the output assembly breaks the entire pipeline silently — the error only surfaces as an authentication rejection with no error detail.

Key discipline: Never trust "approximately right." Build the test vector suite first, before writing any implementation. Every ambiguity in the spec — padding mode, encoding variant, byte order — gets a dedicated test case. The test suite is the spec.

The result is a production-deployed, multi-runtime platform where any service can be swapped out and the parity suite immediately verifies correctness. The Go microservice handles bulk throughput; the GCF serverless function handles on-demand requests without idle compute costs; the Cloudflare Worker handles key isolation at zero latency overhead.