SlideShare a Scribd company logo
1 of 61
Download to read offline
“Jumping Through Hoops”
Why do Java Developers Struggle With
Cryptography APIs?
Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden
sarahnadi.org@sarahnadi
ICSE ’16 — May 20th, 2016
Sarah Nadi
An Application Developer’s World
2
Application
Sarah Nadi
User accounts
Payment info.
An Application Developer’s World
2
Application
Sensitive user
documents
Sarah Nadi
User accounts
Payment info.
How to encrypt data?
Encryption vs
Hashing?
Encryption mode?
Salted hashing?
How to securely connect
to a server?
An Application Developer’s World
2
Application
Sensitive user
documents
Sarah Nadi
Application Developers in The Wild
3
83% of 269 Vulnerabilities are due to misuse of crypto libraries
[Lazar et al., APSys ’14]
Even Amazon & Paypal misuse SSL certificate validation
[Georgiev et al., CCS ‘12]
88% of ~12,000 Android apps misuse crypto APIs
[Egele et al., CCS ‘13]
Sarah Nadi 4
So what exactly is a misuse?
Sarah Nadi
Example of an API Misuse
5
Sarah Nadi
Example of an API Misuse
5
SecretKey secretKey = …
Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
cipher.doFinal(inputMsg);
Sarah Nadi
Sarah Nadi
Example of an API Misuse
5
SecretKey secretKey = …
Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
cipher.doFinal(inputMsg);
Example of an API Misuse
6
“Algorithm/Mode/Padding”
Sarah Nadi
Sarah Nadi
Example of an API Misuse
5
SecretKey secretKey = …
Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
cipher.doFinal(inputMsg);
Example of an API Misuse
6
“Algorithm/Mode/Padding”
In some API implementations,
default mode for AES is
Electronic Codebook (ECB) —
which is insecure
Sarah Nadi
Sarah Nadi
Example of an API Misuse
5
SecretKey secretKey = …
Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
cipher.doFinal(inputMsg);
[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
Example of an API Misuse
6
“Algorithm/Mode/Padding”
In some API implementations,
default mode for AES is
Electronic Codebook (ECB) —
which is insecure
Sarah Nadi 7
Why do Developers Struggle
With Cryptography APIs?
Sarah Nadi 7
Why do Developers Struggle
With Cryptography APIs?
What obstacles do
developers face?
Sarah Nadi 7
Why do Developers Struggle
With Cryptography APIs?
What are the common
cryptography tasks
developers perform?
What obstacles do
developers face?
Sarah Nadi 7
Why do Developers Struggle
With Cryptography APIs?
What are the common
cryptography tasks
developers perform?
What tools/methods would help
developers use cryptography
more effectively?
What obstacles do
developers face?
Sarah Nadi
Empirical Investigation
Study 1 Study 2
Study 4Study 3
8
Sarah Nadi
Study 1 (S1) Design
9
…
<java> <cryptography>
(Sorted by view count & score)
Goal: Find obstacles
Sarah Nadi
Study 1 (S1) Design
9
…
<java> <cryptography>
top
100
(Sorted by view count & score)
Goal: Find obstacles
Sarah Nadi
Study 1 (S1) Design
9
…
<java> <cryptography>
top
100
Question topic?
Likely obstacle?
(Sorted by view count & score)
Goal: Find obstacles
Sarah Nadi
Study 2 (S2) Design
10
javax.crypto
Goal: Find tasks
Sarah Nadi
Study 2 (S2) Design
10
random
100
repos
javax.crypto
Goal: Find tasks
Sarah Nadi
Study 2 (S2) Design
10
random
100
repos
What crypto task
is performed?
javax.crypto
Goal: Find tasks
Sarah Nadi
Study 3 (S3) & Study 4 (S4) Survey Design
11
Goal: Find obstacles, tasks, & suggestions
Sarah Nadi
Study 3 (S3) & Study 4 (S4) Survey Design
11
Background
Goal: Find obstacles, tasks, & suggestions
Sarah Nadi
Study 3 (S3) & Study 4 (S4) Survey Design
11
Background
Frequency of Cryptography Use
Never Rarely
…
Occasionally
…
Frequently
…
Goal: Find obstacles, tasks, & suggestions
Sarah Nadi
Study 3 (S3) & Study 4 (S4) Survey Design
11
Background
Frequency of Cryptography Use
Never Rarely
…
Occasionally
…
Frequently
…
Cryptography Tasks Used/Needed
Goal: Find obstacles, tasks, & suggestions
Sarah Nadi
Study 3 (S3) & Study 4 (S4) Survey Design
11
Background
Frequency of Cryptography Use
Never Rarely
…
Occasionally
…
Frequently
…
Cryptography Tasks Used/Needed
Frequently-used Crypto
APIs/libraries & ease of use
Goal: Find obstacles, tasks, & suggestions
Sarah Nadi
Study 3 (S3) & Study 4 (S4) Survey Design
11
Background
Frequency of Cryptography Use
Never Rarely
…
Occasionally
…
Frequently
…
Cryptography Tasks Used/Needed
Frequently-used Crypto
APIs/libraries & ease of use
Obstacles (free-text +
rated)
Goal: Find obstacles, tasks, & suggestions
Sarah Nadi
Study 3 (S3) & Study 4 (S4) Survey Design
11
Background
Frequency of Cryptography Use
Never Rarely
…
Occasionally
…
Frequently
…
Cryptography Tasks Used/Needed
Frequently-used Crypto
APIs/libraries & ease of use
Obstacles (free-text +
rated)
Goal: Find obstacles, tasks, & suggestions
Sarah Nadi
Survey Process & Participant Recruitment
12
Study 4
Study 3
Sarah Nadi
Emailed
<java><cryptography> posters
Survey Process & Participant Recruitment
12
Study 4
Study 3
Sarah Nadi
Emailed
<java><cryptography> posters
Survey Process & Participant Recruitment
12
Study 4
11 participants
Study 3
Sarah Nadi
Emailed
<java><cryptography> posters
Survey Process & Participant Recruitment
12
Study 4
11 participants
Study 3
Refine
Sarah Nadi
Emailed
<java><cryptography> posters
Survey Process & Participant Recruitment
12
Snowball
sampling
Emailed
related
committers
+
Study 4
11 participants
Study 3
Refine
Sarah Nadi
Emailed
<java><cryptography> posters
Survey Process & Participant Recruitment
12
Snowball
sampling
Emailed
related
committers
37 participants+
Study 4
11 participants
Study 3
Refine
Sarah Nadi
Findings
13
TASKS
OBSTACLES
DESIRED
SUPPORT
Sarah Nadi
What Obstacles do Developers Face?
14
Sarah Nadi
What Obstacles do Developers Face?
15
Obstacle % Posts
API use 57%
Domain knowledge 15%
Provider & Setup 15%
Library Identification 7%
Domain knowledge + API use 6%
Sarah Nadi
What Obstacles do Developers Face?
15
S3 participants mention:
poor documentation, bad API design,and missing cryptography knowledge
Obstacle % Posts
API use 57%
Domain knowledge 15%
Provider & Setup 15%
Library Identification 7%
Domain knowledge + API use 6%
Sarah Nadi
What Obstacles do Developers Face?
15
S3 participants mention:
poor documentation, bad API design,and missing cryptography knowledge
65% of S4 Participants find the
APIs hard to use
Obstacle % Posts
API use 57%
Domain knowledge 15%
Provider & Setup 15%
Library Identification 7%
Domain knowledge + API use 6%
Sarah Nadi
Obstacle Category 1: Domain Knowledge
16
11%
24%
38%
27%
Frequently Occasionally Rarely Never Don't know
Identify correct cryptography algorithm
14%
41% 43%
3%
Frequently Occasionally Rarely Never Don't know
Identify relevant cryptography concepts
Sarah Nadi
Obstacle Category 1: Domain Knowledge
17
11%
24%
38%
27%
Frequently Occasionally Rarely Never Don't know
Identify correct cryptography algorithm
14%
41% 43%
3%
Frequently Occasionally Rarely Never Don't know
Identify relevant cryptography concepts
Developers may not always know the correct
cryptography algorithm to use
Sarah Nadi
Obstacle Category 2: Setting Up
18
27% 32% 27%
11% 3%
Frequently Occasionally Rarely Never Don't know
Identify relevant Java API
22%
41%
30%
5% 3%
Frequently Occasionally Rarely Never Don't know
Select provider
22% 27% 32%
16%
3%
Frequently Occasionally Rarely Never Don't know
Setup environment
Sarah Nadi
Obstacle Category 2: Setting Up
19
27% 32% 27%
11% 3%
Frequently Occasionally Rarely Never Don't know
Identify relevant Java API
22%
41%
30%
5% 3%
Frequently Occasionally Rarely Never Don't know
Select provider
22% 27% 32%
16%
3%
Frequently Occasionally Rarely Never Don't know
Setup environment
Finding the right API/library to use & setting it
up is often an obstacle in itself
Sarah Nadi
19%
54%
22%
5%
Frequently Occasionally Rarely Never Don't know
32%
43%
19%
5%
Frequently Occasionally Rarely Never Don't know
35%
46%
11% 8%
Frequently Occasionally Rarely Never Don't know
Obstacle Category 3: API Use
20
Identify sequence of method calls
Identify parameters
Understand API error messages
Sarah Nadi
19%
54%
22%
5%
Frequently Occasionally Rarely Never Don't know
32%
43%
19%
5%
Frequently Occasionally Rarely Never Don't know
35%
46%
11% 8%
Frequently Occasionally Rarely Never Don't know
Obstacle Category 3: API Use
21
Identify sequence of method calls
Identify parameters
Understand API error messages
The most frequently faced obstacle is
identifying the sequence of API method calls
Sarah Nadi
Common Cryptography Tasks
22
Sarah Nadi
Common Cryptography Tasks
23
10% of analyzed GitHub repos
Top task by 64% of S3 participants
Avg. Rank of 3.95 by 28 S4 participants
6% of analyzed GitHub repos
Top task by 34% of S3 participants
Avg. Rank 2.22, 35 S4 participants
64% of analyzed GitHub repos
37% of analyzed StackOverflow posts
Avg. rank 5.03, 25 S4 participants
User Authentication
Secure Communication
Symmetric Encryption
Sarah Nadi
What do Developers Want?
24
Sarah Nadi
What do Developers Want?
25
Better Documentation
“Better documentation with examples
and deeper layers of documentations
with theoretical knowledge” (S4-P23)
“better examples” (S4-P2)
“More/better example code, access to API source code and
high quality JavaDoc with cross references” (S4-P12)
“A real documentation would be very helpful. Some kind of best
practice methodology for a crypto API usage could also help” (S4-P18)
Sarah Nadi
What do Developers Want?
26
Higher Abstraction Level
“Make [the] API simpler, e.g., have a class with
the name AES or RSA[;] getInstance(‘whatever’) is
bad API design” (S4-P36)
“[I want something that] just takes input
[…]. Short and sweet” (S3-P3)
“Higher level task oriented APIs for things like
public key crypto, key exchanges, ..” (S4-P27)
“High level APIs [that] can't be used
incorrectly..” (S4-P8)
“A library providing simple API calls (one
or two methods and simple parameters)
for different use cases.” (S4-P7)
“Standardized task-based API” (S4-P1)
“…Providing higher-level APIs, .. would go
along way to making sure developers don't
do something dumb.” (S4-P27)
Sarah Nadi
What do Developers Want?
27
“Test tooling that understands encryption and
verifies if encryption is used where it should be.
Source scanners that identify configuration
mistakes, weak algorithms etc.” (S4-P17)
Tool Assistance
“Some kind of testing tool…” (S4-P13)
“Special CryptoDebugger” (S4-P11)
“Templates for common used patterns” (S4-P7)
“IDE Plugin generating code pattern
for specific use cases” (S4-P6)
Sarah Nadi 28
Better Documentation
Higher Abstraction Level
Tool Assistance
Sarah Nadi 29
Better Documentation
Higher Abstraction Level
Tool Assistance
How Can We Move Forward?
Sarah Nadi
The Ideal Tool Assistance
30
COMMON
TASKS
TO
SUPPORT
STEPS
TO
SUPPORT
Sarah Nadi
The Ideal Tool Assistance
30
COMMON
TASKS
TO
SUPPORT
STEPS
TO
SUPPORT
Sarah Nadi
The Ideal Tool Assistance
30
COMMON
TASKS
TO
SUPPORT
STEPS
TO
SUPPORT
Sarah Nadi
The Ideal Tool Assistance
30
BlockCipher
AES
keySize (128, 192, 256)
mode (ECB, CBC, …)
padding (PKCS5Padding, NoPadding)
DES
COMMON
TASKS
TO
SUPPORT
STEPS
TO
SUPPORT
Sarah Nadi
The Ideal Tool Assistance
30
BlockCipher
AES
keySize (128, 192, 256)
mode (ECB, CBC, …)
padding (PKCS5Padding, NoPadding)
DES
COMMON
TASKS
TO
SUPPORT
STEPS
TO
SUPPORT
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256);
SecretKey secretKey = keyGen.generateKey();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
cipher.doFinal(inputMsg);
Sarah Nadi
The Ideal Tool Assistance
30
BlockCipher
AES
keySize (128, 192, 256)
mode (ECB, CBC, …)
padding (PKCS5Padding, NoPadding)
DES
COMMON
TASKS
TO
SUPPORT
STEPS
TO
SUPPORT
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256);
SecretKey secretKey = keyGen.generateKey();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
cipher.doFinal(inputMsg);
Sarah Nadi
“The ability to just perform some
simple cryptographic tasks in Java
without jumping through hoops
would be brilliant…” (S4-P10)
31
“Jumping Through Hoops”
Why do Java Developers Struggle With
Cryptography APIs?
Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden
sarahnadi.org@sarahnadi

More Related Content

Viewers also liked

топ10 (підсумковий проект)
топ10 (підсумковий проект)топ10 (підсумковий проект)
топ10 (підсумковий проект)Наталія Горя
 
вставка фігур в презентацію
вставка фігур в презентаціювставка фігур в презентацію
вставка фігур в презентаціюНаталія Горя
 
Polar Express Power Point
Polar Express Power PointPolar Express Power Point
Polar Express Power PointCarol Tonhauser
 
подорож з кімнатними рослинами
подорож з кімнатними рослинамиподорож з кімнатними рослинами
подорож з кімнатними рослинамиЮрій Сиротюк
 
designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...Billy Choi
 
BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight Billy Choi
 

Viewers also liked (9)

топ10 (підсумковий проект)
топ10 (підсумковий проект)топ10 (підсумковий проект)
топ10 (підсумковий проект)
 
Intro to Jeroo Python
Intro to Jeroo PythonIntro to Jeroo Python
Intro to Jeroo Python
 
вставка фігур в презентацію
вставка фігур в презентаціювставка фігур в презентацію
вставка фігур в презентацію
 
Polar Express Power Point
Polar Express Power PointPolar Express Power Point
Polar Express Power Point
 
Natural place
Natural placeNatural place
Natural place
 
подорож з кімнатними рослинами
подорож з кімнатними рослинамиподорож з кімнатними рослинами
подорож з кімнатними рослинами
 
designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...
 
Virtual memory ppt
Virtual memory pptVirtual memory ppt
Virtual memory ppt
 
BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight
 

Similar to Why Java Developers Struggle With Cryptography APIs?

Raya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityRaya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityAbdel Hady Muhammad
 
Web 3.0 Summit.pdf
Web 3.0 Summit.pdfWeb 3.0 Summit.pdf
Web 3.0 Summit.pdfTejasMane18
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Software design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksSoftware design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksTheavuth NHEL
 
Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Mark Stimson
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
ICSME2014
ICSME2014ICSME2014
ICSME2014swy351
 
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveAppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveRobert Grupe, CSSLP CISSP PE PMP
 
Software Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksSoftware Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksPhill Sparks
 
sec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdfsec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdfJasonCravens
 
The Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave HaeffnerThe Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave HaeffnerSauce Labs
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Chamila Wijayarathna
 
Understanding Log Lines using Development Knowledge
Understanding Log Lines using Development KnowledgeUnderstanding Log Lines using Development Knowledge
Understanding Log Lines using Development KnowledgeSAIL_QU
 
Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Carl Brown
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...apidays
 

Similar to Why Java Developers Struggle With Cryptography APIs? (20)

Raya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityRaya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readability
 
To Mock or Not To Mock
To Mock or Not To MockTo Mock or Not To Mock
To Mock or Not To Mock
 
Web 3.0 Summit.pdf
Web 3.0 Summit.pdfWeb 3.0 Summit.pdf
Web 3.0 Summit.pdf
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Software design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksSoftware design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparks
 
Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018
 
My life as a cyborg
My life as a cyborg My life as a cyborg
My life as a cyborg
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
ICSME2014
ICSME2014ICSME2014
ICSME2014
 
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveAppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
 
Software Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksSoftware Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill Sparks
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
 
sec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdfsec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdf
 
The Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave HaeffnerThe Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave Haeffner
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
 
Understanding Log Lines using Development Knowledge
Understanding Log Lines using Development KnowledgeUnderstanding Log Lines using Development Knowledge
Understanding Log Lines using Development Knowledge
 
Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
 

Recently uploaded

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistandanishmna97
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 

Recently uploaded (20)

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 

Why Java Developers Struggle With Cryptography APIs?

  • 1. “Jumping Through Hoops” Why do Java Developers Struggle With Cryptography APIs? Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden sarahnadi.org@sarahnadi ICSE ’16 — May 20th, 2016
  • 2. Sarah Nadi An Application Developer’s World 2 Application
  • 3. Sarah Nadi User accounts Payment info. An Application Developer’s World 2 Application Sensitive user documents
  • 4. Sarah Nadi User accounts Payment info. How to encrypt data? Encryption vs Hashing? Encryption mode? Salted hashing? How to securely connect to a server? An Application Developer’s World 2 Application Sensitive user documents
  • 5. Sarah Nadi Application Developers in The Wild 3 83% of 269 Vulnerabilities are due to misuse of crypto libraries [Lazar et al., APSys ’14] Even Amazon & Paypal misuse SSL certificate validation [Georgiev et al., CCS ‘12] 88% of ~12,000 Android apps misuse crypto APIs [Egele et al., CCS ‘13]
  • 6. Sarah Nadi 4 So what exactly is a misuse?
  • 7. Sarah Nadi Example of an API Misuse 5 Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
  • 8. Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); Example of an API Misuse 6 “Algorithm/Mode/Padding”
  • 9. Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); Example of an API Misuse 6 “Algorithm/Mode/Padding” In some API implementations, default mode for AES is Electronic Codebook (ECB) — which is insecure
  • 10. Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Example of an API Misuse 6 “Algorithm/Mode/Padding” In some API implementations, default mode for AES is Electronic Codebook (ECB) — which is insecure
  • 11. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs?
  • 12. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What obstacles do developers face?
  • 13. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What are the common cryptography tasks developers perform? What obstacles do developers face?
  • 14. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What are the common cryptography tasks developers perform? What tools/methods would help developers use cryptography more effectively? What obstacles do developers face?
  • 15. Sarah Nadi Empirical Investigation Study 1 Study 2 Study 4Study 3 8
  • 16. Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> (Sorted by view count & score) Goal: Find obstacles
  • 17. Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> top 100 (Sorted by view count & score) Goal: Find obstacles
  • 18. Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> top 100 Question topic? Likely obstacle? (Sorted by view count & score) Goal: Find obstacles
  • 19. Sarah Nadi Study 2 (S2) Design 10 javax.crypto Goal: Find tasks
  • 20. Sarah Nadi Study 2 (S2) Design 10 random 100 repos javax.crypto Goal: Find tasks
  • 21. Sarah Nadi Study 2 (S2) Design 10 random 100 repos What crypto task is performed? javax.crypto Goal: Find tasks
  • 22. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Goal: Find obstacles, tasks, & suggestions
  • 23. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Goal: Find obstacles, tasks, & suggestions
  • 24. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Goal: Find obstacles, tasks, & suggestions
  • 25. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Goal: Find obstacles, tasks, & suggestions
  • 26. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Goal: Find obstacles, tasks, & suggestions
  • 27. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Obstacles (free-text + rated) Goal: Find obstacles, tasks, & suggestions
  • 28. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Obstacles (free-text + rated) Goal: Find obstacles, tasks, & suggestions
  • 29. Sarah Nadi Survey Process & Participant Recruitment 12 Study 4 Study 3
  • 30. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 Study 3
  • 31. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 11 participants Study 3
  • 32. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 11 participants Study 3 Refine
  • 33. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Snowball sampling Emailed related committers + Study 4 11 participants Study 3 Refine
  • 34. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Snowball sampling Emailed related committers 37 participants+ Study 4 11 participants Study 3 Refine
  • 36. Sarah Nadi What Obstacles do Developers Face? 14
  • 37. Sarah Nadi What Obstacles do Developers Face? 15 Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
  • 38. Sarah Nadi What Obstacles do Developers Face? 15 S3 participants mention: poor documentation, bad API design,and missing cryptography knowledge Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
  • 39. Sarah Nadi What Obstacles do Developers Face? 15 S3 participants mention: poor documentation, bad API design,and missing cryptography knowledge 65% of S4 Participants find the APIs hard to use Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
  • 40. Sarah Nadi Obstacle Category 1: Domain Knowledge 16 11% 24% 38% 27% Frequently Occasionally Rarely Never Don't know Identify correct cryptography algorithm 14% 41% 43% 3% Frequently Occasionally Rarely Never Don't know Identify relevant cryptography concepts
  • 41. Sarah Nadi Obstacle Category 1: Domain Knowledge 17 11% 24% 38% 27% Frequently Occasionally Rarely Never Don't know Identify correct cryptography algorithm 14% 41% 43% 3% Frequently Occasionally Rarely Never Don't know Identify relevant cryptography concepts Developers may not always know the correct cryptography algorithm to use
  • 42. Sarah Nadi Obstacle Category 2: Setting Up 18 27% 32% 27% 11% 3% Frequently Occasionally Rarely Never Don't know Identify relevant Java API 22% 41% 30% 5% 3% Frequently Occasionally Rarely Never Don't know Select provider 22% 27% 32% 16% 3% Frequently Occasionally Rarely Never Don't know Setup environment
  • 43. Sarah Nadi Obstacle Category 2: Setting Up 19 27% 32% 27% 11% 3% Frequently Occasionally Rarely Never Don't know Identify relevant Java API 22% 41% 30% 5% 3% Frequently Occasionally Rarely Never Don't know Select provider 22% 27% 32% 16% 3% Frequently Occasionally Rarely Never Don't know Setup environment Finding the right API/library to use & setting it up is often an obstacle in itself
  • 44. Sarah Nadi 19% 54% 22% 5% Frequently Occasionally Rarely Never Don't know 32% 43% 19% 5% Frequently Occasionally Rarely Never Don't know 35% 46% 11% 8% Frequently Occasionally Rarely Never Don't know Obstacle Category 3: API Use 20 Identify sequence of method calls Identify parameters Understand API error messages
  • 45. Sarah Nadi 19% 54% 22% 5% Frequently Occasionally Rarely Never Don't know 32% 43% 19% 5% Frequently Occasionally Rarely Never Don't know 35% 46% 11% 8% Frequently Occasionally Rarely Never Don't know Obstacle Category 3: API Use 21 Identify sequence of method calls Identify parameters Understand API error messages The most frequently faced obstacle is identifying the sequence of API method calls
  • 47. Sarah Nadi Common Cryptography Tasks 23 10% of analyzed GitHub repos Top task by 64% of S3 participants Avg. Rank of 3.95 by 28 S4 participants 6% of analyzed GitHub repos Top task by 34% of S3 participants Avg. Rank 2.22, 35 S4 participants 64% of analyzed GitHub repos 37% of analyzed StackOverflow posts Avg. rank 5.03, 25 S4 participants User Authentication Secure Communication Symmetric Encryption
  • 48. Sarah Nadi What do Developers Want? 24
  • 49. Sarah Nadi What do Developers Want? 25 Better Documentation “Better documentation with examples and deeper layers of documentations with theoretical knowledge” (S4-P23) “better examples” (S4-P2) “More/better example code, access to API source code and high quality JavaDoc with cross references” (S4-P12) “A real documentation would be very helpful. Some kind of best practice methodology for a crypto API usage could also help” (S4-P18)
  • 50. Sarah Nadi What do Developers Want? 26 Higher Abstraction Level “Make [the] API simpler, e.g., have a class with the name AES or RSA[;] getInstance(‘whatever’) is bad API design” (S4-P36) “[I want something that] just takes input […]. Short and sweet” (S3-P3) “Higher level task oriented APIs for things like public key crypto, key exchanges, ..” (S4-P27) “High level APIs [that] can't be used incorrectly..” (S4-P8) “A library providing simple API calls (one or two methods and simple parameters) for different use cases.” (S4-P7) “Standardized task-based API” (S4-P1) “…Providing higher-level APIs, .. would go along way to making sure developers don't do something dumb.” (S4-P27)
  • 51. Sarah Nadi What do Developers Want? 27 “Test tooling that understands encryption and verifies if encryption is used where it should be. Source scanners that identify configuration mistakes, weak algorithms etc.” (S4-P17) Tool Assistance “Some kind of testing tool…” (S4-P13) “Special CryptoDebugger” (S4-P11) “Templates for common used patterns” (S4-P7) “IDE Plugin generating code pattern for specific use cases” (S4-P6)
  • 52. Sarah Nadi 28 Better Documentation Higher Abstraction Level Tool Assistance
  • 53. Sarah Nadi 29 Better Documentation Higher Abstraction Level Tool Assistance How Can We Move Forward?
  • 54. Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 55. Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 56. Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 57. Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 58. Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey secretKey = keyGen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
  • 59. Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey secretKey = keyGen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
  • 60. Sarah Nadi “The ability to just perform some simple cryptographic tasks in Java without jumping through hoops would be brilliant…” (S4-P10) 31
  • 61. “Jumping Through Hoops” Why do Java Developers Struggle With Cryptography APIs? Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden sarahnadi.org@sarahnadi