Presentation: Abstractions to Help Developers Write Good Crypto

Track: Modern CS in the Real World

Location: Pacific DEKJ

Level: Advanced

Persona: Developer, General Software

What You’ll Learn

  • Find out some of the mistakes people make when using cryptography.
  • Hear why googling for a cryptography answer to a problem may lead to the wrong solution.
  • Learn from code samples the correct way to use certain Android cryptography libraries.

Abstract

More developers are writing cryptographic code, especially in regulated sectors like health care and financial services, but the code suffers from a combination of poor programming interfaces and a lack of developer training. In one study, 83% of cryptographic flaws (CVEs) were due to programmer misuse of otherwise correct libraries. While solutions like Let's Encrypt have made HTTPS cheaper, encryption of data in transit only covers a small part of the problem space. End-to-end crypto is an important approach, and is becoming more widespread, but can programmers implement it securely?

In this talk, we will discuss the impact of programming abstractions on the correctness of cryptographic code, and show why some cryptographic libraries succeed in helping the programmers Do The Right Thing, and why some fail.

Question: 

Tell us about what you are doing.

Answer: 

Tozny is a cryptography company that builds software tools for computer programmers. Just as cryptography is difficult for end users, cryptography software tools for developers are quite challenging too. Our focus is to make those tools easier to use for developers.

Question: 

What is the motivation for your talk?

Answer: 

We did some research to understand what mistakes people make in implementing cryptography. This came about because I asked a developer to implement something for me using a basic cipher, and the implementation they came back with was incorrect. To fix it, I tried to find an example of a correct implementation on Stack Overflow, but I could not actually find one that was correct! I had to do a significant amount of research myself in making sure that I was using the Java/Android libraries for cryptography correctly, and eventually we actually built an open source library that's very popular. It's used by Fortune 500 companies, and big or small open source projects. It does one thing and it does it well: it encrypts strings using the Android / Java cryptographic libraries correctly. So, the motivation for this talk is helping people understand what's hard and what's easy about cryptography, and the fact that solving problems in cryptography is not exactly the same as a lot of other areas. Googling for answers or finding them on Stack Overflow is not going to work well for cryptography problems.

Question: 

What is the structure of the talk?

Answer: 

First, I’ll set the context of the problem by reviewing some of the research that academics have done, that commercial industry has done, and a little bit of what we did ourselves to validate the problem. There is good academic research out there showing that 80% of cryptography CVEs are misuse of libraries. That’s programmers using otherwise correct cryptographic libraries incorrectly. I’ll illustrate this with a few Java examples since the QCon audience is mostly very familiar with Java; these examples will resonate very well with them. These include some clear examples of what you would find if you tried to solve a simple problem, for example how to encrypt strings in Android. You can try to solve that problem using the typical approach of just Googling for the answer or finding code that seems to work. Then I will dive into some specific code problems. It's like 10 lines of code but there are five errors in it. I go into each of those errors and help people understand why it's a problem, and what security property you've now lost because you used this code. And then we'll take a deep dive into a couple of those to give people some intuition for the statistics of why key generation works in one way versus another way, and that would be fairly visual.

We'll use our library as an example of how to do things more correctly. It's open source, it is all free. We won't be marketing it, but we used the open source library to validate that this was a big problem, then we built a whole product that's cross-platform to address it in a more robust way. This is something anyone can try out for free of course.

In the end, we want everyone to come away with some new knowledge of common pitfalls and a few nice reasoning and technical tools they can apply to the problem of securing private information.

Speaker: Isaac Potoczny-Jones

Founder @Tozny & Authentication and Privacy Specialist

Isaac is the founder and CEO of Tozny, LLC, a privacy and security company specializing in easy-to-use cryptographic toolkits for developers. Isaac’s work in cybersecurity spans open source, the public sector, and commercial companies. His projects have included end-to-end encryption for privacy in human subject research, secure cross-domain collaboration, identity management, anonymous authorization, mobile password-free authentication, anti-forgery in hardware devices, and privacy-preserving authentication. He has worked with agencies including DARPA, the Navy, Air Force Research Laboratory, the Department of Homeland Security, the National Institute of Standards and Technology, and other elements of the DoD and intelligence communities. Isaac is an active open source developer in the areas of cryptography and programming languages. Education: B.S. in computer science, M.S. in Cybersecurity.
