ABSTRACT
Lack of usability of security Application Programming Interfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in software applications they develop. Especially, APIs that provide cryptographic functionalities such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs to make them easy to learn and use, it is important to identify the usability issues exist on those APIs that make those harder to learn and use. In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API to identify usability issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution using Bouncycastle API. From data we collected, we identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. Results of our study provided useful insights about how security/cryptographic APIs should be designed, developed and improved to provide a better experience for programmers who use them. Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.
- Yasemin Acar, Michael Backes, Sascha Fahl, Simson Garfinkel, Doowon Kim, Michelle L Mazurek, and Christian Stransky. 2017. Comparing the usability of cryptographic apis. In Security and Privacy (SP), 2017 IEEE Symposium on. IEEE, 154--171.Google ScholarCross Ref
- Yasemin Acar, Christian Stransky, Dominik Wermke, Michelle Mazurek, and Sascha Fahl. 2017. Security Developer Studies with GitHub Users: Exploring a Convenience Sample. In Symposium on Usable Privacy and Security (SOUPS). Google ScholarDigital Library
- Tehmina Basit. 2003. Manual or electronic? The role of coding in qualitative data analysis. Educational research 45, 2 (2003), 143--154.Google Scholar
- Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, and Sascha Fahl. 2017. Stack overflow considered harmful? the impact of copy&paste on android application security. In Security and Privacy (SP), 2017 IEEE Symposium on. IEEE, 121--136.Google ScholarCross Ref
- Peter Leo Gorski and Luigi Lo Iacono. 2016. Towards the Usability Evaluation of Security APIs.. In HAISA. 252--265.Google Scholar
- Matthew Green and Matthew Smith. 2016. Developers are not the enemy!: The need for usable security apis. IEEE Security & Privacy 14, 5 (2016), 40--46. Google ScholarDigital Library
- Mohit Kumar. 2017. Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online. https://thehackernews.com/2017/12/data-breach-password-list.html. (2017). Accessed: 2018-03-26.Google Scholar
- Kai Mindermann. 2016. Are easily usable security libraries possible and how should experts work together to create them?. In Proceedings of the 9th international workshop on cooperative and human aspects of software engineering. ACM, 62--63. Google ScholarDigital Library
- Samantha Murphy. 2012. LinkedIn Confirms, Apologizes for Stolen Password Breach. https://mashable.com/2012/06/06/linkedin- passwords-hacked- confirmation/#Gs9W57eXuuqr. (2012). Accessed: 2018-03-26.Google Scholar
- Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, Marco Herzog, Sergej Dechand, and Matthew Smith. 2017. Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 311--328. Google ScholarDigital Library
- Colin Percival and Simon Josefsson. 2016. The scrypt password-based key derivation function. Technical Report.Google Scholar
- Thomas Scheller and Eva Kühn. 2015. Automated measurement of API usability: The API concepts framework. Information and Software Technology 61 (2015), 145--162. Google ScholarDigital Library
- MW Van Someren, YF Barnard, and JAC Sandberg. 1994. The think aloud method: a practical approach to modelling cognitive. (1994).Google Scholar
- Chamila Wijayarathna, Nalin AG Arachchilage, and Jill Slay. 2017. A Generic Cognitive Dimensions Questionnaire to Evaluate the Usability of Security APIs. In International Conference on Human Aspects of Information Security, Privacy, and Trust. Springer, 160--173.Google ScholarDigital Library
- Glenn Wurster and Paul C van Oorschot. 2009. The developer is the enemy. In Proceedings of the 2008 New Security Paradigms Workshop. ACM, 89--97. Google ScholarDigital Library
Recommendations
Why Johnny can't encrypt: a usability evaluation of PGP 5.0
SSYM'99: Proceedings of the 8th conference on USENIX Security Symposium - Volume 8User errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent. Is this simply due to a failure to apply standard user interface design techniques to security? ...
Users' Perceptions of Recognition-Based Graphical Passwords: A Qualitative Study on Culturally Familiar Graphical Passwords
SIN '14: Proceedings of the 7th International Conference on Security of Information and NetworksIn user authentication, alphanumeric passwords suffer from several weaknesses. They are hard to remember if they have been created from a random mix of letters and numbers. Recognition-based graphical passwords were proposed to increase memorability and ...
Comments