DOI: 10.1145/3579375.3579388
Research article

A Comparative Study on Design and Usability of Cryptographic Libraries

Published: 13 March 2023

Abstract

Cryptographic misuse, such as incorrect use of ciphers, keys, and other security-related parameters in software products, can lead to devastating consequences. While for many developers the lack of prior experience in applied cryptography could be the cause of crypto misuse, the complexity of a crypto library, bad API design, and the lack of proper documentation and assistant tools are factors that lead to misuse. In this paper, we conduct a comparative study of cryptographic libraries with regard to their design and usability. We choose nine libraries written in three programming languages as candidates for the usability study. We focus on the design and usability of symmetric encryption APIs, using a series of tasks designed to evaluate potential causes of crypto misuse. The experimental results give us new insights into what improvements can be made to mitigate crypto misuse, and our results serve as a roadmap for library designers to avoid common pitfalls when designing a crypto library in the future.



Published In

ACSW '23: Proceedings of the 2023 Australasian Computer Science Week
January 2023
272 pages
ISBN: 9798400700057
DOI: 10.1145/3579375

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. API design
2. Crypto APIs
3. Cryptographic Library
4. Usability Analysis

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• Development of Cryptographic Library and Support System

Conference

ACSW 2023
ACSW 2023: 2023 Australasian Computer Science Week
January 30 - February 3, 2023
VIC, Melbourne, Australia

Acceptance Rates

Overall Acceptance Rate 61 of 141 submissions, 43%
