Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Comparing the Usability of Cryptographic APIs

Published

Author(s)

Simson L. Garfinkel

Abstract

Potentially dangerous cryptography errors are well-documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programmer Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic APIs that they claim are more usable; however, none of these APIs have been empirically evaluated for their ability to promote more secure development. This paper examines how the design and resulting usability of different cryptographic APIs affects the security of code written with them. We first provide a review of several Python cryptographic libraries and their documentation. We then report on a controlled experiment in which Python developers recruited from Github attempt tasks involving symmetric and asymmetric cryptography using these different libraries. Our results shed light on the extent to which these libraries, designed for usability, achieve their goals, as well as where they fall short.
Proceedings Title
38th IEEE Symposium on Security and Privacy
Conference Dates
May 22-24, 2017
Conference Location
San Jose, CA

Keywords

Cryptography, Software Development, Usability

Citation

Garfinkel, S. (2017), Comparing the Usability of Cryptographic APIs, 38th IEEE Symposium on Security and Privacy, San Jose, CA, [online], https://doi.org/10.1109/SP.2017.52 (Accessed November 21, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created June 26, 2017, Updated November 10, 2018