Extend and harden our current Java simulation for the Bio-Hybrid TESLA flow (key chain derivation, delayed disclosure, MAC verification, time windows, key commitment, and revocation handling).
Biometric binding:
Define how iris features/quality metrics bind to TESLA key schedules without leaking PII/templates; design privacy-preserving verification artifacts.
IoT integration:
Package the protocol for edge devices (e.g., mini-PC/industrial controller) interfacing with an iris scanner (e.g., CMITech EF-45 or similar) and site networks.
Secure storage & key management:
Keystore/TPM/HSM use on server/edge; nonce handling, replay protection, and secure audit logs.
Define secure APIs between React/Django back end, Java services, and MS SQL Server; ensure encrypted transit & at-rest data with clear key rotation plans.
Threat modeling & tests:
STRIDE-style analysis, unit/property tests for cryptographic invariants, and red-team scripts for tamper/fuzz testing.
Documentation:
Developer-ready specs, message diagrams, and ops runbooks for deployment at construction sites.
Required qualifications
6+ years in security engineering or applied cryptography for production systems.
Strong Java (security, concurrency, performance) and experience with at least one of: Kotlin, Python, C/C++ for edge utilities.
Hands-on with TESLA-like broadcast authentication or time-based key disclosure schemes; comfort with HKDF, HMAC-SHA-256, AES-GCM/ChaCha20-Poly1305, and rolling key chains.
IoT/edge security: device onboarding, attestation basics, secure boot, firmware signing, and field update strategies.