Software developers are failing to implement crypto correctly, data reveals by Lucian Constantin.
From the post:
Despite a big push over the past few years to use encryption to combat security breaches, lack of expertise among developers and overly complex libraries have led to widespread implementation failures in business applications.
The scale of the problem is significant. Cryptographic issues are the second most common type of flaws affecting applications across all industries, according to a report this week by application security firm Veracode.
It is a deeply amusing post, with cryptography folks urging better education of programmers and programmers whining cryptography should be easier than it is.
Too many programmers think that they can just link to a crypto library and they’re done, but cryptography is hard to implement robustly if you don’t understand the finer aspects of it, like checking certificates properly, protecting the encryption keys, using appropriate key sizes or using strong pseudo-random number generators.
“All this ultimately comes down to better education of programmers to understand all the pitfalls when implementing strong crypto,” Eiram said.
But it’s not only the developers’ fault. Matthew Green, a professor of cryptography engineering at Johns Hopkins University in Baltimore, thinks that many crypto libraries are “downright bad” from a usability perspective because they’ve been designed by and for cryptographers.
“Forcing developers to use them is like expecting someone to fly an airplane when all they have is a driver’s license,” he said via email.
Green believes that making cryptographic software easier to use — ideally invisible so that people don’t even have to think about it — would be a much more efficient approach than training developers to be cryptographers.
While I like the flying an airplane on a driver’s license line, any cryptography that doesn’t require people to think about it is likely deeply flawed.
The lesson to draw from Lucian’s post is claims of encryption are valueless. Testing encryption is not a task for the same developers who wrote the encryption. Tested encryption is of value up to the extent of its testing but only that far.
Someday cryptography libraries will improve and developers will become better educated but until then, don’t accept software using encryption without testing. (That means never.)