Garfinkel, S.
(2017),
Comparing the Usability of Cryptographic APIs, 38th IEEE Symposium on Security and Privacy, San Jose, CA, [online], https://doi.org/10.1109/SP.2017.52
(Accessed April 18, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Comparing the Usability of Cryptographic APIs
Published
Author(s)
Abstract
Potentially dangerous cryptography errors are well-documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programmer Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic APIs that they claim are more usable; however, none of these APIs have been empirically evaluated for their ability to promote more secure development. This paper examines how the design and resulting usability of different cryptographic APIs affects the security of code written with them. We first provide a review of several Python cryptographic libraries and their documentation. We then report on a controlled experiment in which Python developers recruited from Github attempt tasks involving symmetric and asymmetric cryptography using these different libraries. Our results shed light on the extent to which these libraries, designed for usability, achieve their goals, as well as where they fall short.Proceedings Title
38th IEEE Symposium on Security and Privacy
Conference Dates
May 22-24, 2017
Conference Location
San Jose, CA
Pub Type
Conferences
Download Paper
Keywords
Cryptography, Software Development, Usability
Citation
Created June 26, 2017, Updated November 10, 2018