Master Thesis MSTR-2020-59

BibliographyTeis, Lisa-Marie: Java Interface for Secure Crypto Config.
University of Stuttgart, Faculty of Computer Science, Electrical Engineering, and Information Technology, Master Thesis No. 59 (2020).
87 pages, english.
Abstract

Context: Cryptography is mainly considered in the field of information security for the protection of digital data. But the right selection of a secure set of cryptographic algorithms and parameters can be difficult. Another problem is that provided cryptographic Application Programming Interface (API)s cannot change their default configurations, meaning that they get insecure over time. Aim: The general aim is to create a cryptographic library that allows developers to easily use secure default configurations. Such a library should realize all security-relevant details internally by safe default configurations, which are adapting to changing security standards. To achieve this goal the Secure Crypto Config (SCC) can be used which ensures security, usability, maintainability and up- /downward compatibility. Method: First, a draft for a future standardized Request for comments (RFC) was created. In addition, a sample implementation for the corresponding API in Java was developed. This implementation was evaluated by conducting a study that consists of live programming tasks and online questionnaires. The study should compare the Secure Crypto Config Interface (SCCI) with the standard cryptographic libraries of the Java Development Kit (JDK) and Google Tink. Result: The evaluation has shown that the SCCI is more usable than JDK and Google Tink. By considering the number of security bugs the SCCI is also more secure than JDK. Unfortunately, there was no significant result by comparing the security of the SCCI and Google Tink. Furthermore, no significant difference in the maintainability between the SCCI and the other libraries could be shown. In terms of security and maintainability the SCCI was not significantly better according to statistical tests, nevertheless there are fewer security bugs with the usage of the SCCI. Conclusion: The SCCI is a future-proof alternative to other cryptographic libraries as it has proven to be both more usable and more secure than other implementations. In the next steps, it is now necessary to drive the standardization process forward. Furthermore, implementations in other languages must follow.

Department(s)University of Stuttgart, Institute of Software Technology, Empirical Software Engineering
Superviser(s)Wagner, Prof. Stefan; Mindermann, Kai
Entry dateMarch 3, 2021
   Publ. Computer Science