Interview Study:
Cryptographic API Design
How are cryptographic APIs developed?

We are looking for participants for this interview study on the design and implementation of cryptographic library APIs!

People who

  • have been involved in the design or implementation of an API of a cryptographic library
  • are 18 years of age or older
  • are comfortable with participating in an interview on this topic in English

Participants will

  • fill in a short preparatory questionnaire
  • book a time slot for an interview of about 60 minutes
  • answer questions on their experiences and opinions during the interview
  • be offered a compensation of $60 for their time

Sign up for our study here!

About this study

In this interview study, we investigate the processes and stakeholders in the design and development of cryptographic APIs, aiming to shed light on how design and implementation decisions are made, and to derive recommendations for the future.

Motivation

Cryptographic libraries provide software developers with interfaces to cryptographic primitives, algorithms and protocols to secure their applications. Previous work on the security and usability of cryptographic libraries found that developers often struggle to use them correctly and securely, introducing vulnerabilities through incorrect use. The programming interfaces of different cryptographic libraries vary widely, ranging from low-level access to cryptographic algorithms, key sizes, and initialization vectors to use-case-driven, high-level access such as file encryption or transport layer security. As a result, the flexibility and usability of libraries differ considerably. Until now, it has been largely unknown how such design and implementation decisions for cryptographic libraries are made and which stakeholders are involved.

Research questions

  • RQ1: How are design and implementation decisions for cryptographic libraries made?
  • RQ2: What guidelines, policies, and standards are available to cryptographic library designers and implementers?
  • RQ3: How can cryptographic library designers and implementers be better supported to improve the security and usability of their products?

Study procedure and participation

We value and appreciate your contribution to our study. As briefly described above, participation includes a small sign-up questionnaire of 5-10 minutes, at the end of which you can freely choose an interview time from our available slots. Participation in an interview will take about 60 minutes. During the interview, we are interested in your experiences and opinions on the design and implementation process of cryptographic library APIs.

We are committed to maintaining your privacy and the confidentiality of all data you provide. We will only use short quotes from the interviews in our publication with your approval, and make sure that you cannot be identified from our reporting. After the interview, we offer a compensation of $60 for your time and effort.

Sign up for our study here!

Who we are

We are a research team from the state-funded CISPA Helmholtz Center for Information Security in Germany. Our group studies the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

You can find our publications here.

Researchers

Juliane Schmüser | Researcher & PhD Student (CISPA)
Contact: juliane.schmueser@cispa.de

Philip Klostermeyer | Researcher & PhD Student (CISPA)
Prof. Dr. Sascha Fahl | Principal Investigator, Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover)

Institutions

Leibniz University Hannover

CISPA Helmholtz-Center for Information Security