Developers' crypto design choices from Richard L. Barnes on 2013-11-14 (public-webcrypto@w3.org from November 2013)

From: Richard L. Barnes <rbarnes@bbn.com>
Date: Thu, 14 Nov 2013 01:28:04 -0800
To: "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>
Message-ID: <EA0DA55CEB8243B3B40642A6F2381FF6@bbn.com>

At CCS last week, an interesting paper was presented looking at crypto choices made by Android developers across a sample of around 12,000 apps.   
<http://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf>

Of those apps, 88% made bad crypto design decisions from the following list (selected by the authors):  

1. Using ECB (because it’s the BouncyCastle default)
2. Using a constant symmetric key
3. Using ECB (by choice)  
4. Using a constant IV
5. Using <1000 iterations for PBKDF
6. Seeding PRNG with a static value
7. Using static salt for PBKDF

It seems worth observing that providing safe parameters by default (IVs, salt, iterations) and providing recommended default algorithms (not ECB) would have prevented literally thousands of apps from having vulnerabilities in their use of cryptography.

I’m seriously not trying to re-open the issue of auto-generation (beyond ISSUE-44).  But it does seem like these results sort of undermine the claim that this API will only be used by “experienced cryptographers”.

—Richard

Received on Thursday, 14 November 2013 09:28:32 UTC