Potentially dangerous cryptography errors are well-documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programmer Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic APIs that they claim are more usable; however, none of these APIs have been empirically evaluated for their ability to promote more secure development. This paper examines how the design and resulting usability of different cryptographic APIs affects the security of code written with them. We first provide a review of several Python cryptographic libraries and their documentation. We then report on a controlled experiment in which Python developers recruited from Github attempt tasks involving symmetric and asymmetric cryptography using these different libraries. Our results shed light on the extent to which these libraries, designed for usability, achieve their goals, as well as where they fall short.
Comparing the Usability of Cryptographic APIs, 38th IEEE Symposium on Security and Privacy, San Jose, CA, [online], https://doi.org/10.1109/SP.2017.52
(Accessed February 21, 2024)