Skip to main content

A Usability Study of Cryptographic API Design

  • Conference paper
  • First Online:
Quality, Reliability, Security and Robustness in Heterogeneous Systems (QShine 2021)

Abstract

Software developers interact with cryptographic components via APIs provided by a cryptographic library to protect sensitive information such as passwords and files. While cryptographic algorithms have been standardised for over a decade, with variety of crypto libraries that implemented the algorithm, many developers struggle to use the library correctly. This paper evaluates 6 different cryptographic libraries written in 3 different programming languages to find out what factors affect usability. We analyse the usability of surveyed libraries with regards to its API call sequence, number of parameters, exception handling mechanism and documentation. In the end, several recommendations are provided to help developers choose which library to use and more importantly, this paper showcases a few common pitfalls for library designers to prevent common misuses when designing a cryptographic library.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Acar, Y., et al.: Comparing the Usability of Cryptographic APIs. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 154–171. IEEE (2017)

    Google Scholar 

  2. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

    Chapter  Google Scholar 

  3. Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 159–176. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_9

    Chapter  Google Scholar 

  4. Bloch, J.: How to design a good API and why it matters. In: Companion to the 21st ACM SIGPLAN Symposium on Object-Oriented Programming Systems, Languages, and Applications, pp. 506–507 (2006)

    Google Scholar 

  5. Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 73–84 (2013)

    Google Scholar 

  6. Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android SSL (in) security. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 50–61 (2012)

    Google Scholar 

  7. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 38–49 (2012)

    Google Scholar 

  8. Gorski, P.L., et al.: Developers deserve security warnings, too: on the effect of integrated security advice on cryptographic \(\{\)API\(\}\) misuse. In: Fourteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2018), pp. 265–281 (2018)

    Google Scholar 

  9. Green, M., Smith, M.: Developers are not the enemy!: the need for usable security APIs. IEEE Secur. Priv. 14(5), 40–46 (2016)

    Google Scholar 

  10. Krüger, S., et al.: CogniCrypt: supporting developers in using cryptography. In: 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 931–936. IEEE (2017)

    Google Scholar 

  11. Krüger, S., Späth, J., Ali, K., Bodden, E., Mezini, M.: CrySL: an extensible approach to validating the correct usage of cryptographic APIs. IEEE Trans. Softw. Eng. (2019)

    Google Scholar 

  12. Ma, S., Lo, D., Li, T., Deng, R.H.: CDRep: automatic repair of cryptographic misuses in android applications. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 711–722 (2016)

    Google Scholar 

  13. Mindermann, K., Keck, P., Wagner, S.: How usable are rust cryptography APIs? In: 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), pp. 143–154. IEEE (2018)

    Google Scholar 

  14. Nadi, S., Krüger, S., Mezini, M., Bodden, E.: Jumping through hoops: why do java developers struggle with cryptography APIs? In: Proceedings of the 38th International Conference on Software Engineering, pp. 935–946 (2016)

    Google Scholar 

  15. Patnaik, N., Hallett, J., Rashid, A.: Usability smells: an analysis of developers’ struggle with crypto libraries. In: Fifteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2019) (2019)

    Google Scholar 

  16. Standard, N.F.: Announcing the advanced encryption standard (AES). Federal Information Processing Standards Publication 197(1–51), 3–3 (2001)

    Google Scholar 

  17. Zibran, M.F., Eishita, F.Z., Roy, C.K.: Useful, but usable? Factors affecting the usability of APIs. In: 2011 18th Working Conference on Reverse Engineering, pp. 151–155. IEEE (2011)

    Google Scholar 

  18. Zinzindohoué, J.K., Bhargavan, K., Protzenko, J., Beurdouche, B.: HACL*: a verified modern cryptographic library. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1789–1806 (2017)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Junwei Luo .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Luo, J., Yi, X., Han, F., Yang, X. (2021). A Usability Study of Cryptographic API Design. In: Yuan, X., Bao, W., Yi, X., Tran, N.H. (eds) Quality, Reliability, Security and Robustness in Heterogeneous Systems. QShine 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 402. Springer, Cham. https://doi.org/10.1007/978-3-030-91424-0_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-91424-0_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91423-3

  • Online ISBN: 978-3-030-91424-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics