A Comparative Study on Design and Usability of Cryptographic Libraries

ACSW(2023)

Abstract
Cryptographic misuse, such as incorrect use of ciphers, keys, and other security-related parameters in software products, can lead to devastating consequences. While for many developers, the lack of prior experience in applied cryptography could be the cause of crypto misuses, the complexity of a crypto library, bad API design, and the lack of proper documentation and assistant tools are the factors that lead to misuses. In this paper, we conduct a comparative study on cryptographic libraries with regard to their design and usability. We choose nine libraries written in three programming languages as the candidates for the usability study. We pay attention to the design and usability of symmetric encryption APIs with the help of a series of tasks designed to evaluate potential causes of crypto misuses. The experimental results grant us new insights as to what improvements can be made to mitigate crypto misuses, and our results serve as a roadmap for library designers to avoid common pitfalls when designing a crypto library in the future.
Keywords
Cryptographic Library, Crypto APIs, Usability Analysis, API design