Abstract
Software developers interact with cryptographic components via APIs provided by a cryptographic library to protect sensitive information such as passwords and files. While cryptographic algorithms have been standardised for over a decade, with variety of crypto libraries that implemented the algorithm, many developers struggle to use the library correctly. This paper evaluates 6 different cryptographic libraries written in 3 different programming languages to find out what factors affect usability. We analyse the usability of surveyed libraries with regards to its API call sequence, number of parameters, exception handling mechanism and documentation. In the end, several recommendations are provided to help developers choose which library to use and more importantly, this paper showcases a few common pitfalls for library designers to prevent common misuses when designing a cryptographic library.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Acar, Y., et al.: Comparing the Usability of Cryptographic APIs. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 154–171. IEEE (2017)
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41
Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 159–176. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_9
Bloch, J.: How to design a good API and why it matters. In: Companion to the 21st ACM SIGPLAN Symposium on Object-Oriented Programming Systems, Languages, and Applications, pp. 506–507 (2006)
Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 73–84 (2013)
Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android SSL (in) security. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 50–61 (2012)
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 38–49 (2012)
Gorski, P.L., et al.: Developers deserve security warnings, too: on the effect of integrated security advice on cryptographic \(\{\)API\(\}\) misuse. In: Fourteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2018), pp. 265–281 (2018)
Green, M., Smith, M.: Developers are not the enemy!: the need for usable security APIs. IEEE Secur. Priv. 14(5), 40–46 (2016)
Krüger, S., et al.: CogniCrypt: supporting developers in using cryptography. In: 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 931–936. IEEE (2017)
Krüger, S., Späth, J., Ali, K., Bodden, E., Mezini, M.: CrySL: an extensible approach to validating the correct usage of cryptographic APIs. IEEE Trans. Softw. Eng. (2019)
Ma, S., Lo, D., Li, T., Deng, R.H.: CDRep: automatic repair of cryptographic misuses in android applications. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 711–722 (2016)
Mindermann, K., Keck, P., Wagner, S.: How usable are rust cryptography APIs? In: 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), pp. 143–154. IEEE (2018)
Nadi, S., Krüger, S., Mezini, M., Bodden, E.: Jumping through hoops: why do java developers struggle with cryptography APIs? In: Proceedings of the 38th International Conference on Software Engineering, pp. 935–946 (2016)
Patnaik, N., Hallett, J., Rashid, A.: Usability smells: an analysis of developers’ struggle with crypto libraries. In: Fifteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2019) (2019)
Standard, N.F.: Announcing the advanced encryption standard (AES). Federal Information Processing Standards Publication 197(1–51), 3–3 (2001)
Zibran, M.F., Eishita, F.Z., Roy, C.K.: Useful, but usable? Factors affecting the usability of APIs. In: 2011 18th Working Conference on Reverse Engineering, pp. 151–155. IEEE (2011)
Zinzindohoué, J.K., Bhargavan, K., Protzenko, J., Beurdouche, B.: HACL*: a verified modern cryptographic library. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1789–1806 (2017)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Luo, J., Yi, X., Han, F., Yang, X. (2021). A Usability Study of Cryptographic API Design. In: Yuan, X., Bao, W., Yi, X., Tran, N.H. (eds) Quality, Reliability, Security and Robustness in Heterogeneous Systems. QShine 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 402. Springer, Cham. https://doi.org/10.1007/978-3-030-91424-0_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-91424-0_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91423-3
Online ISBN: 978-3-030-91424-0
eBook Packages: Computer ScienceComputer Science (R0)