NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Comparing the Usability of Cryptographic APIs

Published

Author(s)

Yasemin Acar, Michael Backes, Sascha Fahl, Simson L. Garfinkel, Doowon Kim, Michelle L. Mazurek, Christian Stransky

Abstract

Potentially dangerous cryptography errors are well-documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programmer Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic APIs that they claim are more usable; however, none of these APIs have been empirically evaluated for their ability to promote more secure development. This paper examines how the design and resulting usability of different cryptographic APIs affects the security of code written with them. We first provide a review of several Python cryptographic libraries and their documentation. We then report on a controlled experiment in which Python developers recruited from Github attempt tasks involving symmetric and asymmetric cryptography using these different libraries. Our results shed light on the extent to which these libraries, designed for usability, achieve their goals, as well as where they fall short.
Proceedings Title
38th IEEE Symposium on Security and Privacy
Conference Dates
May 22-24, 2017
Conference Location
San Jose, CA, US
Pub Type
Conferences

Download Paper

DOI Link

Keywords

Cryptography, Software Development, Usability
Cybersecurity and privacy

Citation

Acar, Y. , Backes, M. , Fahl, S. , Garfinkel, S. , Kim, D. , Mazurek, M. and Stransky, C. (2017), Comparing the Usability of Cryptographic APIs, 38th IEEE Symposium on Security and Privacy, San Jose, CA, US, [online], https://doi.org/10.1109/sp.2017.52 (Accessed October 9, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created May 1, 2017, Updated November 18, 2024
Was this page helpful?