
Onward15


Secure integration of cryptographic software. By modeling the variability in cryptography components, we help application developers configure the cryptography tasks they need. Presented at ONWARD! '15 in Pittsburgh.


  1. ONWARD! ’15. Towards Secure Integration of Cryptographic Software. Steven Arzt, Sarah Nadi, Karim Ali, Eric Bodden, Sebastian Erdweg, Mira Mezini
  4. An Application Developer’s World. User accounts, sensitive user documents, payment info. How to securely connect to a server? How to encrypt data? Encryption vs hashing? Encryption mode? Salted hashing?
  8. Problem Definition. Application developers are not cryptographic experts! 83% of 269 examined Common Vulnerabilities & Exposures (CVE) are due to misuse of crypto libraries [Lazar et al., APSys ’14]. Even companies like Amazon & Paypal misuse SSL certificate validation [Georgiev et al., CCS ’12]. 88% of Android apps misuse cryptography APIs in at least one way [Egele et al., CCS ’13].
  10. So what exactly is a misuse? Scope:
  11. Java Cryptography Architecture (JCA)
  13. Example of an API Misuse. Depending on the provider, default mode for AES is Electronic Codebook (ECB) which is insecure.

      ```java
      byte[] key = ...

      Cipher cipher = Cipher.getInstance("AES");

      SecretKey keyObj = new SecretKeySpec(key, "AES");

      cipher.init(Cipher.ENCRYPT_MODE, keyObj);
      byte[] cipherText = cipher.doFinal(input);
      ```

      Figure 1. Example of using an AES cipher

      […]ion must first check the issuer of a certificate before passing his certificate on to the authentication primitive. Such usage protocols can then be translated into static analyses that au-
  17. Goals. Bridge the gap between application developers & cryptography experts. Assist developers in choosing appropriate components & configurations. Support automatic generation of code that uses cryptography securely. Support automatic validation of code that uses cryptography & notify developer of any problems.
  18. Long-term Vision. Crypto Algorithms & correct configurations; Available on the Crypto Store; Configured crypto tasks.
  23. Observations. Lots of variability in cryptography! Different types of cryptography algorithms. Different configurations within one class of algorithms. Tasks combine different algorithms (often with some restrictions).
  24. Proposed Solution: IDE Plugin. Task-based Software Product Line of Cryptography Components
  25. Working Example: Password-based Encryption

      ```java
      import java.security.SecureRandom;
      import javax.crypto.*;
      import javax.crypto.spec.*;

      // pwdChar (char[]) and inputMsg (byte[]) are supplied by the caller

      // Key generation code
      SecureRandom random = new SecureRandom();
      byte[] salt = new byte[32];
      random.nextBytes(salt);
      PBEKeySpec spec = new PBEKeySpec(pwdChar, salt, 1000, 128);
      SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
      // Wrap the derived bytes as an AES key: the PBKDF2 key object reports its own
      // algorithm name, which the SunJCE AES cipher rejects in init()
      SecretKey key = new SecretKeySpec(skf.generateSecret(spec).getEncoded(), "AES");

      // Encryption code
      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
      cipher.init(Cipher.ENCRYPT_MODE, key);
      byte[] cipherText = cipher.doFinal(inputMsg);
      ```

      Figure 3. Example of password-based encryption which requires the composition
  29. Modeling Language. Attribute-based feature models with support for referencing. www.clafer.org
  34. Cryptography Feature Model in Clafer

      ```
       1  abstract Algorithm
       2    name -> string
       3    performance -> integer //Levels 1 - 4 (4 fastest)
       4    [performance >= 1 && performance <= 4]
       5    xor status
       6      secure
       7      insecure
       8
       9  abstract Digest : Algorithm
      10    outputSize -> integer //in bits
      11
      12  abstract KeyDerivationAlgorithm : Algorithm
      13
      14  abstract Cipher : Algorithm
      15    memory -> integer //Levels 1 - 4 (1 lowest)
      16    [memory >= 1 && memory <= 4]
      17
      18  abstract SymmetricCipher : Cipher
      19    keySize -> integer
      20
      21  abstract SymmetricBlockCipher : SymmetricCipher
      22    blockSize -> integer
      23
      24  abstract Task
      25    name -> string
      26
      27  Ciphers
      28    AES128 : SymmetricBlockCipher
      29      [ name = "AES with 128bit key" ]
      30      [ performance = 3 ]
      31      [ secure ]
      32      [ memory = 1 ]
      33      [ keySize = 128 ]
      34      [ blockSize = 128 ]
      35
      36    AES256 : SymmetricBlockCipher
      37      [ name = "AES with 256bit key"]
      38      [ performance = 3 ]
      39      [ secure ]
      40      [ memory = 1 ]
      41      [ keySize = 256 ]
      42      [ blockSize = 128 ]
      43    DES: SymmetricBlockCipher
      44      [ name = "DES"]
      45      [ performance = 2 ]
      46      [ memory = 2 ]
      47      [ secure ]
      48      [ keySize = 56 ]
      49      [ blockSize = 64 ]
      50
      51  DigestAlgorithms
      52    md5: Digest
      53      [name = "MD5"]
      54      [performance = 4]
      55      [insecure]
      56      [outputSize = 128]
      57
      58    sha_1: Digest
      59      [name = "SHA-1"]
      60      [performance = 4]
      61      [insecure]
      62      [outputSize = 160]
      63
      64    sha_256: Digest
      65      [name = "SHA-256"]
      66      [outputSize = 256 ]
      67      [secure]
      68      [performance = 2]
      69
      70  KeyDerivationAlgorithms
      71    pbkdf2 : KeyDerivationAlgorithm
      72      [name = "PBKDF2"]
      73      [performance = 2]
      74      [secure]
      75
      76  PasswordBasedEncryption : Task
      77    [name = "Encrypt data based on a password"]
      78    kda -> KeyDerivationAlgorithm
      79    digest -> Digest
      80    cipher -> SymmetricBlockCipher
      81    [cipher.keySize > 128]
      ```

      Figure 4. Clafer model for sample hash functions ciphers and key derivation algorithms. Model also inclu[…] based encryption task

      […] hash function) is a type of algorithm. It includes all properties from Algorithm, but also adds more specific properties such as outputSize. The outputSize property determines the fixed length of the output produced by this hash function, measured in bits. Generally, the higher the number, the harder it is to conduct a brute force attack against the hash function. Similarly, Line 12 introduces an abstract Clafer called KeyDerivationAlgorithm. In our example, it does not have any additional properties. Lines 14–22 define the different types of ciphers and the additional properties each type might add to Algorithm. Lines 24–25 define an abstract clafer called Task that we use to represent a cryptography-related task (e.g., secure password storage, email transmission, data encryption, etc.).

      […] one instance of a key-derivation algorithm. […] as opposed to regular feature modeling, w[…] actual instances and not just rely on gene[…]ble instances from Digest or Cipher, simpl[…] combinations do not exist. For example, ev[…]pher with a key of 100 bits is a valid insta[…] corresponding algorithm that supports that. A task that developers can later choose t[…]figurator is represented by a concrete clafer […] abstract clafer Task. Line 76 defines a pass[…]cryption task. Such a task needs a key deriv[…] (Line 78), a digest to use with the key deriv[…] (Line 79), and a cipher to perform the ac[…]

  35. Cryptography Feature Model in Clafer

      ```
      PasswordBasedEncryption : Task
        [name = "Encrypt data using a given password"]
        kda -> KeyDerivationAlgorithm
        cipher -> SymmetricBlockCipher
        [cipher.keySize = kda.outputKeySize]
      ```
Lines 15–24 define the different types of ciphers and the additional properties each type might add to Algorithm. Lines 26–27 define an abstract clafer called Task that we use to represent a cryptography- related task (e.g., secure password storage, email transmis- sion, data encryption, etc.). Lines 30–71 define several instances of Cipher and property to 4 and the outputSize to variability for these properties. Simi one instance of a key-derivation alg as opposed to regular feature mode actual instances and not just rely o ble instances from Digest or Ciphe combinations do not exist. For exam pher with a key of 100 bits is a va corresponding algorithm that suppor A task that developers can later c figurator is represented by a concrete abstract clafer Task. Line 80 define cryption task. Such a task needs a k (Line 82), a digest to use with the k (Line 83), and a cipher to perform 1 abstract Algorithm 2 name -> string 3 performance -> integer //Levels 1 - 4 (4 fastest) 4 [performance >=1 && performance <= 4] 5 xor status 6 secure 7 insecure 8 9 abstract Digest : Algorithm 10 outputSize -> integer //in bits 11 } 12 13 abstract KeyDerivationAlgorithm : Algorithm 14 15 abstract Cipher : Algorithm 16 memory -> integer //Levels 1 - 4 (1 lowest) 17 [memory >=1 && memory <= 4] 18 } 19 20 abstract SymmetricCipher : Cipher 21 keySize -> integer 22 23 abstract SymmetricBlockCipher : SymmetricCipher 24 blockSize -> integer 25 26 abstract Task 27 name -> string 28 } 29 30 Ciphers 31 AES128 : SymmetricBlockCipher 46 DES: SymmetricBlockCipher 47 [ name = "DES"] 48 [ performance = 2 ] 49 [ memory = 2 ] 50 [ secure ] 51 [ keySize = 56 ] 52 [ blockSize = 64 ] 53 54 DigestAlgorithms 55 md5: Digest 56 [name = "MD5"] 57 [performance = 4] 58 [insecure] 59 [outputSize = 128] 60 61 sha_1: Digest 62 [name = "SHA-1"] 63 [performance = 4] 64 [insecure] 65 [outputSize = 160] 66 67 sha_256: Digest 68 [name = "SHA-256"] 69 [outputSize = 256 ] 70 [secure] 71 [performance = 2] 72 73 
KeyDerivationAlgorithms 74 pbkdf : KeyDerivationAlgorithm
  36. 36. Cryptography Feature Model in Clafer 25

     1 abstract Algorithm
     2   name -> string
     3   performance -> integer //Levels 1 - 4 (4 fastest)
     4   [performance >= 1 && performance <= 4]
     5   xor status
     6     secure
     7     insecure
     8
     9 abstract Digest : Algorithm
    10   outputSize -> integer //in bits
    11
    12 abstract KeyDerivationAlgorithm : Algorithm
    13
    14 abstract Cipher : Algorithm
    15   memory -> integer //Levels 1 - 4 (1 lowest)
    16   [memory >= 1 && memory <= 4]
    17
    18 abstract SymmetricCipher : Cipher
    19   keySize -> integer
    20
    21 abstract SymmetricBlockCipher : SymmetricCipher
    22   blockSize -> integer
    23
    24 abstract Task
    25   name -> string
    26
    27 Ciphers
    28   AES128 : SymmetricBlockCipher
    29     [ name = "AES with 128bit key" ]
    30     [ performance = 3 ]
    31     [ secure ]
    32     [ memory = 1 ]
    33     [ keySize = 128 ]
    34     [ blockSize = 128 ]
    35
    36   AES256 : SymmetricBlockCipher
    37     [ name = "AES with 256bit key"]
    38     [ performance = 3 ]
    39     [ secure ]
    40     [ memory = 1 ]
    41     [ keySize = 256 ]
    42     [ blockSize = 128 ]
    43   DES: SymmetricBlockCipher
    44     [ name = "DES"]
    45     [ performance = 2 ]
    46     [ memory = 2 ]
    47     [ secure ]
    48     [ keySize = 56 ]
    49     [ blockSize = 64 ]
    50
    51 DigestAlgorithms
    52   md5: Digest
    53     [name = "MD5"]
    54     [performance = 4]
    55     [insecure]
    56     [outputSize = 128]
    57
    58   sha_1: Digest
    59     [name = "SHA-1"]
    60     [performance = 4]
    61     [insecure]
    62     [outputSize = 160]
    63
    64   sha_256: Digest
    65     [name = "SHA-256"]
    66     [outputSize = 256 ]
    67     [secure]
    68     [performance = 2]
    69
    70 KeyDerivationAlgorithms
    71   pbkdf2 : KeyDerivationAlgorithm
    72     [name = "PBKDF2"]
    73     [performance = 2]
    74     [secure]
    75
    76 PasswordBasedEncryption : Task
    77   [name = "Encrypt data based on a password"]
    78   kda -> KeyDerivationAlgorithm
    79   digest -> Digest
    80   cipher -> SymmetricBlockCipher
    81   [cipher.keySize > 128]

Figure 4. Clafer model for sample hash functions, ciphers and key derivation algorithms. Model also includes a password-based encryption task

The slide also overlays a second version of the task:

    83 PasswordBasedEncryption : Task
    84   [name = "Encrypt data using a given password"]
    85   kda -> KeyDerivationAlgorithm
    86   cipher -> SymmetricBlockCipher
    87   [cipher.keySize = kda.outputKeySize]

[…] hash function) is a type of algorithm. It includes all properties from Algorithm, but also adds more specific properties such as outputSize. The outputSize property determines the fixed length of the output produced by this hash function, measured in bits. Generally, the higher the number, the harder it is to conduct a brute force attack against the hash function. Similarly, Line 12 introduces an abstract Clafer called KeyDerivationAlgorithm. In our example, it does not have any additional properties. Lines 14–22 define the different types of ciphers and the additional properties each type might add to Algorithm. Lines 24–25 define an abstract clafer called Task that we use to represent a cryptography-related task (e.g., secure password storage, email transmission, data encryption, etc.).

[…] one instance of a key-derivation algorithm. […] as opposed to regular feature modeling, w[…] actual instances and not just rely on gene[…]ble instances from Digest or Cipher, simpl[…] combinations do not exist. For example, ev[…]pher with a key of 100 bits is a valid insta[…] corresponding algorithm that supports that. A task that developers can later choose t[…]figurator is represented by a concrete clafer […] abstract clafer Task. Line 76 defines a pass[…]cryption task. Such a task needs a key deriv[…] (Line 78), a digest to use with the key deriv[…] (Line 79), and a cipher to perform the ac[…]
  37. 37. 26
  38. 38. 27
  39. 39. Usage Protocol Language 28 • Support method order restrictions • Support parameter restrictions
  40. 40. Usage Protocol Language 28 • Support method order restrictions • Support parameter restrictions TS4J [Bodden, SOAP ’14]
  41. 41. Typestate for Java (TS4J) 29 • Relies on fluent interfaces to build a domain specific language (DSL), in Java • Underlying typestate analysis
  42. 42. Typestate for Java (TS4J) 29 • Relies on fluent interfaces to build a domain specific language (DSL), in Java • Underlying typestate analysis

    String CONS = "<javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>";
    return UsageProtocolAPI
        .atCallTo(CONS)
        // parameter 0 is the transformation string: flag a missing mode or ECB
        .ifParameter(0, p -> !p.contains("/") || p.contains("/ECB"))
        .reportError("Insecure block cipher mode");

Figure 6. TS4J Specification for Checking Block Cip[…]

[…]ert Java developers. Since our goal is to allow crypto-[…]
  43. 43. Mapping to Code & Usage Protocols 30

[Cropped excerpt of the Figure 4 Clafer model]

Code Template

    public class KeyDeriv {
        private String algorithm = "";

        public SecretKey getKey(String pwd) throws ... {
            SecureRandom r = new SecureRandom();
            byte[] salt = new byte[32];
            r.nextBytes(salt);

            PBEKeySpec spec = new PBEKeySpec(pwd.toCharArray(), salt, 1000, 128);
            SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
            return skf.generateSecret(spec);
        }
    }

Figure 7. Generic key derivation code

Usage protocol

    String CONS =
        "<javax.crypto.spec.PBEKeySpec: void <init>(char[],byte[],int,int)>";

    return UsageProtocolAPI
        .atCallTo(CONS)
        // parameter 2 is the iteration count
        .ifParameter(2, p -> p < 500)
        .reportError("Not enough iterations");

Figure 5. TS4J Specification for Checking PBEKey Iteration Count

[…] by view count and score) asked on StackOverflow. W[…] currently preparing a questionnaire to extract more info[…]tion on the concrete problems faced by these developer[…] the causes of requesting help from the community. In […]allel, we are currently conducting an empirical study o[…] uses of cryptography in real-world application code to […]
  44. 44. Mapping to Code & Usage Protocols 30
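The two parameter restrictions shown on the TS4J slides (the `Cipher.getInstance` transformation rule and the `PBEKeySpec` iteration-count rule), applied to Java source text as an added example that is not code from the slides or from TS4J. It is a line-based check that only sees literal arguments, whereas the slides describe a typestate analysis; the class name, method names and the sample source are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (Java 17). A line-based, literal-only approximation of the two
// parameter restrictions; class and method names are hypothetical.
public class ParameterRestrictionLint {

    record Finding(int line, String message) {}

    // Single-argument Cipher.getInstance("...") with a string-literal transformation.
    private static final Pattern CIPHER_CALL =
            Pattern.compile("\\bCipher\\s*\\.\\s*getInstance\\s*\\(\\s*\"([^\"]*)\"\\s*\\)");

    // new PBEKeySpec(<args>); written on one line; group 1 is the argument list.
    private static final Pattern PBE_KEY_SPEC =
            Pattern.compile("new\\s+PBEKeySpec\\s*\\((.*)\\)\\s*;");

    // Split an argument list on commas that are not nested in brackets.
    static List<String> splitArgs(String args) {
        List<String> out = new ArrayList<>();
        int depth = 0, start = 0;
        for (int i = 0; i < args.length(); i++) {
            char c = args.charAt(i);
            if (c == '(' || c == '[' || c == '{') depth++;
            else if (c == ')' || c == ']' || c == '}') depth--;
            else if (c == ',' && depth == 0) {
                out.add(args.substring(start, i).trim());
                start = i + 1;
            }
        }
        out.add(args.substring(start).trim());
        return out;
    }

    static List<Finding> scan(String source) {
        List<Finding> findings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int n = 0; n < lines.length; n++) {
            Matcher cipher = CIPHER_CALL.matcher(lines[n]);
            while (cipher.find()) {
                String p = cipher.group(1);
                // Same predicate as the slide's rule: no mode given, or ECB.
                if (!p.contains("/") || p.contains("/ECB")) {
                    findings.add(new Finding(n + 1, "Insecure block cipher mode: " + p));
                }
            }
            Matcher spec = PBE_KEY_SPEC.matcher(lines[n]);
            if (!spec.find()) continue;
            List<String> args = splitArgs(spec.group(1));
            if (args.size() != 4) continue; // rule targets (char[],byte[],int,int)
            String iterations = args.get(2).replace("_", "");
            if (!iterations.matches("\\d{1,9}")) {
                // A variable or expression: a textual check cannot resolve its value.
                findings.add(new Finding(n + 1, "Iteration count '" + args.get(2)
                        + "' is not a literal; needs data-flow analysis"));
            } else if (Integer.parseInt(iterations) < 500) {
                // Same threshold as the slide's rule.
                findings.add(new Finding(n + 1, "Not enough iterations: " + iterations));
            }
        }
        return findings;
    }

    // Constructed sample input, not taken from any real project.
    static final String SAMPLE = """
            Cipher a = Cipher.getInstance("AES");
            Cipher b = Cipher.getInstance("AES/ECB/PKCS5Padding");
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            PBEKeySpec s1 = new PBEKeySpec(pwd.toCharArray(), salt, 1000, 128);
            PBEKeySpec s2 = new PBEKeySpec(pwd.toCharArray(), salt, 100, 128);
            PBEKeySpec s3 = new PBEKeySpec(pwd.toCharArray(), salt, ITERATIONS, 128);
            """;

    public static void main(String[] args) {
        for (Finding f : scan(SAMPLE)) {
            System.out.println("line " + f.line() + ": " + f.message());
        }
    }
}
```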
  45. 45. Mapping to Code & Usage Protocols 31

Code Template

        public SecretKey getKey(String pwd) throws ... {
            SecureRandom r = new SecureRandom();
            byte[] salt = new byte[32];
            r.nextBytes(salt);

            PBEKeySpec spec = new PBEKeySpec(pwd.toCharArray(), salt, 1000, 128);
            SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
            return skf.generateSecret(spec);
        }
    }

Figure 7. Generic key derivation code

    public class KeyDeriv {
        private String algorithm = "PBKDF2WithHmacSHA1";

        public SecretKey getKey(String pwd) throws ... {
            return original(pwd);
        }
    }

Figure 8. Refining the generic key derivation code in Figure 7 using FeatureHouse to use the PBKDF2 algorithm

[…] challenge to detect such inconsistencies and report them to the developer in an understandable terminology.

No additional usage protocol necessary

    64   sha_256: Digest
    65     [name = "SHA-256"]
    66     [outputSize = 256 ]
    67     [secure]
    68     [performance = 2]
    69
    70 KeyDerivationAlgorithms
    71   pbkdf2 : KeyDerivationAlgorithm
    72     [name = "PBKDF2"]
    73     [performance = 2]
    74     [secure]
    75
    76 PasswordBasedEncryption : Task
    77   [name = "Encrypt data based on a password"]
    78   kda -> KeyDerivationAlgorithm
    79   digest -> Digest
    80   cipher -> SymmetricBlockCipher
    81   [cipher.keySize > 128]

[…]unctions ciphers and key derivation algorithms. Model also includes a pas[…]

[…]cludes all proper-[…] one instance of a key-derivation algorithm. Note he[…]
  46. 46. 32
  47. 47. 32 Boundary between feature model & usage protocol?
  48. 48. 33
  49. 49. Configurator 34
  50. 50. Configurator 35
  51. 51. Configurator 36 PasswordBasedEncryption kda = pbkdf2 cipher = AES with 128bit key
  52. 52. Composer 37

[Diagram labels: Composer, PBKDF2, KeyDerivationAlgorithm]

    public class KeyDeriv {
        private String algorithm = "";

        public SecretKey getKey(String pwd) throws ... {
            SecureRandom r = new SecureRandom();
            byte[] salt = new byte[32];
            r.nextBytes(salt);

            PBEKeySpec spec = new PBEKeySpec(pwd.toCharArray(), salt, 1000, 128);
            SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
            return skf.generateSecret(spec);
        }
    }

Figure 7. Generic key derivation code

    public class KeyDeriv {
        private String algorithm = "PBKDF2WithHmacSHA1";

        public SecretKey getKey(String pwd) throws ... {
            return original(pwd);
        }
    }

Figure 8. Refining the generic key derivation code in Figure 7 using FeatureHouse to use the PBKDF2 algorithm

    public class KeyDeriv {
        private String algorithm = "PBKDF2WithHmacSHA1";

        private SecretKey getKey__wrappee__KeyDerivation(String pwd) throws ... {
            SecureRandom r = new SecureRandom();
            byte[] salt = new byte[32];
            r.nextBytes(salt);

            PBEKeySpec spec = new PBEKeySpec(pwd.toCharArray(), salt, 1000, 128);
            SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
            return skf.generateSecret(spec);
        }

        public SecretKey getKey(String pwd) throws ... {
            return getKey__wrappee__KeyDerivation(pwd);
        }
    }

Figure 9. Resulting composition of Figure 7 and Figure 8

[…] challenge to detect such inconsistencies and report them to the developer in an understandable terminology. In the background, ClaferIG uses a SAT solver to generate the instances that satisfy the given constraints. We are currently developing the configurator as an Eclipse plugin and exploring the tradeoffs between a filtering approach and a step-wise approach.

The filtering approach is currently used in the online Clafer configurator where all valid instances of a given model are generated. Such instances are then filtered based on the constraints enforced by the user selection. The downside to such a solution is that if the configuration space is large, an extremely large number of instances would be generated, which is time-consuming.

In a step-wise approach (which is our current design approach), we present only valid selections to the user at each step during the configuration process. The idea is that only […]

3.4 Composer
Now that the right features (i.e., algorithms) needed to perform the task have been selected by the configurator, we […]

[FeatureIDE, Thüm et al. 2014 & FeatureHouse, Apel et al. 2009] FeatureHouse (Feature-oriented programming + superimposition)
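The filtering and step-wise configurator approaches described above, run over the algorithms and the `[cipher.keySize > 128]` task constraint from the slide's Clafer model. This is an added example, not the project's configurator: brute-force enumeration stands in for the SAT solver, the "only algorithms marked secure" user selection is an assumption, and all class, record and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Added example (Java 17). Brute-force enumeration stands in for the solver;
// class, record and method names are hypothetical.
public class TaskConfigurator {

    // Attributes needed by the constraints (performance and memory omitted).
    record Kda(String name, boolean secure) {}
    record Digest(String name, boolean secure, int outputSize) {}
    record BlockCipher(String name, boolean secure, int keySize, int blockSize) {}
    // One instance of the PasswordBasedEncryption task: kda, digest, cipher.
    record Instance(Kda kda, Digest digest, BlockCipher cipher) {}

    // Concrete algorithms with the attribute values given in the slide's model.
    static final List<Kda> KDAS = List.of(new Kda("PBKDF2", true));
    static final List<Digest> DIGESTS = List.of(
            new Digest("MD5", false, 128),
            new Digest("SHA-1", false, 160),
            new Digest("SHA-256", true, 256));
    static final List<BlockCipher> CIPHERS = List.of(
            new BlockCipher("AES with 128bit key", true, 128, 128),
            new BlockCipher("AES with 256bit key", true, 256, 128),
            new BlockCipher("DES", true, 56, 64)); // status as marked on the slide

    // Task constraint from the model: [cipher.keySize > 128].
    static final Predicate<Instance> TASK = i -> i.cipher().keySize() > 128;

    // Assumed user selection: every chosen algorithm must be marked secure.
    static final Predicate<Instance> SECURE_ONLY =
            i -> i.kda().secure() && i.digest().secure() && i.cipher().secure();

    // Filtering approach, step 1: generate every instance the model allows.
    static List<Instance> generateAll() {
        List<Instance> all = new ArrayList<>();
        for (Kda k : KDAS)
            for (Digest d : DIGESTS)
                for (BlockCipher c : CIPHERS) {
                    Instance i = new Instance(k, d, c);
                    if (TASK.test(i)) all.add(i);
                }
        return all;
    }

    // Filtering approach, step 2: discard instances the user selection rules out.
    static List<Instance> filtering(Predicate<Instance> user) {
        return generateAll().stream().filter(user).toList();
    }

    // Step-wise approach: at each step offer only values that can still be
    // completed to an instance satisfying the task and user constraints.
    static List<Kda> kdaChoices(Predicate<Instance> user) {
        return KDAS.stream()
                .filter(k -> !digestChoices(k, user).isEmpty())
                .toList();
    }

    static List<Digest> digestChoices(Kda k, Predicate<Instance> user) {
        return DIGESTS.stream()
                .filter(d -> !cipherChoices(k, d, user).isEmpty())
                .toList();
    }

    static List<BlockCipher> cipherChoices(Kda k, Digest d, Predicate<Instance> user) {
        return CIPHERS.stream()
                .filter(c -> TASK.and(user).test(new Instance(k, d, c)))
                .toList();
    }

    public static void main(String[] args) {
        List<Instance> generated = generateAll();
        List<Instance> kept = filtering(SECURE_ONLY);
        System.out.println("filtering: generated " + generated.size()
                + " instances, kept " + kept.size());
        kept.forEach(i -> System.out.println("  " + i.kda().name() + " + "
                + i.digest().name() + " + " + i.cipher().name()));

        // Walk the step-wise dialogue, always taking the first offered value.
        List<Kda> kdas = kdaChoices(SECURE_ONLY);
        System.out.println("step 1, kda choices: "
                + kdas.stream().map(Kda::name).toList());
        if (kdas.isEmpty()) return;
        List<Digest> digests = digestChoices(kdas.get(0), SECURE_ONLY);
        System.out.println("step 2, digest choices: "
                + digests.stream().map(Digest::name).toList());
        if (digests.isEmpty()) return;
        List<BlockCipher> ciphers = cipherChoices(kdas.get(0), digests.get(0), SECURE_ONLY);
        System.out.println("step 3, cipher choices: "
                + ciphers.stream().map(BlockCipher::name).toList());
    }
}
```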
  53. 53. 38
  54. 54. 38 Feature interactions during composition?
  55. 55. 39
  56. 56. Challenges/Future Work 40 • Mapping user’s selections to parameters • Finding secure code snippets • Different libraries & library versions • Cryptography & library evolution • More user-friendly specification languages
  57. 57. 41 Towards Secure Integration of Cryptographic Software S. Arzt, S. Nadi, K. Ali, E. Bodden, S. Erdweg, M. Mezini Check out our poster @6pm tonight
