Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rust-crypto which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.
%0 Conference Paper
%1 mindermann2018usable
%A Mindermann, Kai
%A Keck, Philipp
%A Wagner, Stefan
%B Proceedings of the 18th International Conference on Software Quality, Reliability, and Security
%D 2018
%I IEEE
%K iste-se myown
%P 143-154
%R 10.1109/QRS.2018.00028
%T How Usable are Rust Cryptography APIs?
%U https://arxiv.org/abs/1806.04929
%X Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rust-crypto which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.
%@ 978-1-5386-7757-5
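% Conference paper on the usability of Rust cryptography APIs; the url field
% points to the arXiv copy (described below as the post-print, author version).
@inproceedings{mindermann2018usable,
  author      = {Mindermann, Kai and Keck, Philipp and Wagner, Stefan},
  title       = {How Usable are {Rust} Cryptography {APIs}?},
  booktitle   = {Proceedings of the 18th International Conference on Software Quality, Reliability, and Security},
  venue       = {Lisbon, Portugal},
  publisher   = {IEEE},
  month       = jul,
  year        = 2018,
  pages       = {143--154},
  doi         = {10.1109/QRS.2018.00028},
  isbn        = {978-1-5386-7757-5},
  url         = {https://arxiv.org/abs/1806.04929},
  description = {post-print, author version},
  keywords    = {iste-se myown},
  abstract    = {Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rust-crypto which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.},
  added-at    = {2018-06-14T09:45:35.000+0200},
  timestamp   = {2018-08-16T14:54:14.000+0200},
  biburl      = {https://puma.ub.uni-stuttgart.de/bibtex/2f1f986ad665a6cfae746c44afa2f56c6/kaimindermann},
  interhash   = {297999fd0396c59b44b42c2d2ff0bf24},
  intrahash   = {f1f986ad665a6cfae746c44afa2f56c6}
}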