Implementing cryptographic standards is a critical process for the cryptographic ecosystem. Cryptographic standards aim to support developers and engineers in implementing cryptographic primitives and protocols. However, past security incidents suggest that implementing cryptographic standards can be challenging and might jeopardize software and hardware security. We need to understand and mitigate the pain points of those implementing cryptographic standards to support them better.
To shed light on the challenges and obstacles of implementing cryptographic standards, we conducted 20 semi-structured interviews with experienced cryptographers and cryptographic software engineers. We identify common practices when implementing standards, including the criticality of reference and third-party implementations, test vectors to verify implementations, and the open standard community as central support for questions and reviews of implementations.
Based on our findings, we recommend transparent standardization processes, strong (ideally formal) verification, improved support for comparing implementations, and covering updates and error handling in the standardization process.
History
Editor
Balzarotti D ; Xu W
Primary Research Area
Empirical and Behavioral Security
Name of Conference
Usenix Security Symposium (USENIX-Security)
Journal
USENIX Security Symposium
Publisher
USENIX Association
BibTeX
@conference{Huaman:Suray:Klemmer:Fourné:Amft:Trummová:Acar:Fahl:2024,
title = {"You have to read 50 different RFCs that contradict each other": An Interview Study on the Experiences of Implementing Cryptographic Standards.},
author = "Huaman, Nicolas" AND "Suray, Jacques" AND "Klemmer, Jan H" AND "Fourné, Marcel" AND "Amft, Sabrina" AND "Trummová, Ivana" AND "Acar, Yasemin" AND "Fahl, Sascha",
editor = "Balzarotti, Davide" AND "Xu, Wenyuan",
year = 2024,
month = 8,
journal = "USENIX Security Symposium",
publisher = "USENIX Association"
}