Ethan Henderson

ethan@gnu.foo San Jose, CA

Experience

Principal Security Architect

Kyndex

Multi-tenant zero-knowledge KYC platform for FinTech, healthcare, and enterprise SaaS customers (HIPAA, SOC 2, ISO 27001) and the end users they verify. Plaintext exists only inside attested enclaves; control plane has no path to it.

  • Zero-knowledge authentication via OPAQUE; end-to-end AEAD on AES-256-GCM with an authored canonicalized AAD envelope (RFC 8785 JCS), per-ciphertext DEKs for key commitment, and an authored hybrid-PQ primitives layer (ML-KEM-768 + X25519, ML-DSA + Ed25519) against HNDL.
  • Runtime split across edge compute (Cloudflare Workers), stateful coordination (Durable Objects), attested TEE (AWS Nitro Enclaves); purpose-bound key hierarchy rooted in OPAQUE-derived user keys, released by KMS only against enclave attestation (kms:RecipientAttestation) — P99 80ms at 500 RPS synthetic load.
  • Access layer as a single-writer state machine — grants bound to AAD with TTL and claim-count ceilings; blind-index HMAC for controlled ciphertext search; HMAC-chained audit log, all under an 18-key purpose-bound tree.

Security & Infrastructure Architect

Confidential Healthcare Technology Company

Sole owner of the security function at a 100+ person clinical organization. Inherited no SIEM, no IAM, no compliance artifacts, and no documented controls.

  • Identity-aware access across ~150 endpoints — fingerprint → AD logon (Keycloak-brokered) → full SSO → Kerberos ticket revoked at shift end or biometric clock-out.
  • Telemetry pipeline on Sysmon + custom endpoint collectors feeding ELK (logs) and Prometheus / Grafana (metrics); system, network, and kernel events including ImageLoad (loaded drivers) and device-arrival detection at LAN-traversal latency (firewall failover ≈ 1 ms).
  • Authored the HIPAA Security Rule controls (45 CFR §164.308–312) and ran the org's first §164.308(a)(1) risk analysis under NIST SP 800-66 — 30–40 remediations closed in 12 months.
  • Built the compute fabric on a 3-node Hyper-V failover cluster: VMs for IAM and ZTNA control planes, Docker for logging / telemetry services.
  • Designed the network layer: VLAN segmentation across clinical / admin / guest / medical-device zones, 802.1X NAC cert-based via AD, multi-SSID wireless, firewall east-west inspection, and ZTNA for remote clinicians.

Publications & Specifications

AEAD additional authenticated data canonicalization specification
Deterministic byte representation of authenticated metadata before encryption — ensures cross-implementation interoperability with conformance test vectors.
AEAD encryption envelope wire format specification
Binary wire format for encrypted payloads covering key rotation, algorithm negotiation with downgrade prevention, and envelope encryption for key commitment.
Technical Writing
Technical publications covering applied cryptography, security architecture, and a 70-part vendor-agnostic networking curriculum based on CCNA objectives.

Technical Focus

Cryptographic Engineering
Protocol design, authenticated encryption, formal specification authoring, hybrid post-quantum cryptography, key-hierarchy design
Platform & Runtime Security
Attested-TEE architecture, zero-knowledge systems, secure multi-tenancy, enclave / edge trust models
Network Security
Segmentation, NAC, firewall inspection, ZTNA, identity-aware access
Infrastructure & Observability
Windows Server + Linux, failover clustering, containerization, endpoint and runtime telemetry
Governance & Compliance
HIPAA, SOC 2, ISO 27001, NIST 800-66 — risk analysis, controls authoring, remediation execution

Projects

httprift
HTTP desync research platform. Compiles nginx and Apache today, with more servers landing. Differential engine for parsing-discrepancy detection.
canaad
Reference implementation of the AAD canonicalization spec. Ships as a core library, CLI tool, and browser-ready WebAssembly package.
parlov
HTTP oracle detection tool — systematic probing for RFC-compliant information leakage.
gtfo.dev
Public 4-stage kill chain deployed on Cloudflare edge — stages chain cryptographic oracle attacks, ORM injection, timing-based information disclosure, and authentication bypass into a full compromise sequence.