Interview Study:
Cryptographic Standard Experiences
Studying the experiences with implementing cryptographic standards in the open source community.
We conduct an interview study with open source developers of cryptographic software. If you have any insights that you can share, we would love to interview you. If you want to participate, please shoot us an email at huaman@sec.uni-hannover.de or directly schedule an interview via Calendly.
- Who: We are looking to interview open source developers with experience in implementing cryptographic standards (e.g. RFCs).
- We: We are a group of usable security and cryptography researchers from the Leibniz University Hannover, the Paderborn University, and the CISPA Helmholtz-Center for Information Security.
- How: Interviews will be virtual and take about 60 minutes. We plan to offer a compensation for participating in our research.
- When: We aim to conduct the interviews from June until August 2023. Interview slots can be flexibly scheduled.
About
Open source cryptography is crucial for the security of the modern digital society. Therefore, cryptographic standards need to be verifiable, open, correct, and easy-to-implement.
Motivation
We aim to investigate the experiences open source software developers have when implementing cryptographic standards, common implementation failures, and other pitfalls. Therefore, we interview open source developers who implemented cryptographic standards in the past. Based on the interview findings, we hope to provide recommendations for improving cryptographic standards and their secure implementation.
Who we are
Interviews
We conduct interviews with open source developers experienced in implementing cryptographic standards. The interviews include questions about software projects, questions related to how standards are used, and questions about experiences with cryptography.
We are particularly interested in your experiences with and opinions on cryptographic standards, challenges, and obstacles you stumbled over in the past. Furthermore, we want to know about the things you would like to see addressed in future standards to make the implementation process easier and less error-prone.
A few examples of questions we might ask:
- S1Q2.1 Projects: What projects did you work on recently?
- S2Q1 Considered Resources: Which resources do you consider when you are implementing crypto standards?
- S4Q4.2 Formats: Can you describe the Ideal Format of a standard?
- S5Q2 Selection: What non-functional requirement do standards have to fulfill to end up in your projects?
- S6Q3 Trust: How much do you trust your implementations? Please elaborate how you come to that conclusion.
Informed Consent
The purpose of this study is to gain insights into the challenges of implementing cryptographic standards and to publish a scientific paper using anonymized data from the information you provide, including anonymized quotes from the interview.
Eligibility is open to individuals (1.) over the age of 18 (2.) who work in any capacity with the realization or implementation of cryptographic standards in open source software.
Method: You will be interviewed in a semi-structured interview. The goal is to collect data about your experiences and opinions on working with cryptographic standards in open source software.
The duration of the interview is around 60 minutes.
Data collection and processing: The interview will be recorded and transcribed (converted to text) for analysis purposes by a GDPR-compliant external service (Amberscript). The results of this survey will be stored by a GDPR-compliant external service (Qualtrics).
Personal or project-related information (e.g., your name, company name, project name) will be removed from the transcription and survey (anonymized). We may only publish aggregated data or short quotes in our subsequent publication, without any traceability to you.
Storage location: Potential threats to the confidentiality of this study are minimized by securing all data on your device and storing it in a secure cloud storage system. Only authorized researchers will have access to this data.
Your name and personal identification information will be stored only for the purpose of enabling your participation and to document your consent. This data will not be kept together with your study data and will be deleted immediately after your participation.
Results from this study may be presented at conferences or published in scientific journals. As data is anonymous, it is not possible to draw any conclusions about your identity.
Storage duration: Anonymized data and study documents are kept for a period of 10 years.
Your Rights:
- You have the right to information, correction, deletion, restriction of processing, data portability, as well as a right of appeal to a supervisory authority of your choice.
- Your participation is voluntary. If you decide to participate, you can cancel your participation at any time and revoke this declaration of consent with effect for the future. In this case, we will also delete all data collected from you until then. Please note that after completion of the study, all data will be anonymized and therefore deletion of your data is no longer possible from this point on.
- If you decide to end your participation, if you have any questions, concerns, or complaints, or if you wish to report a violation related to the study, please contact the person(s) responsible for this study.
- This study was reviewed in accordance with Saarland University ERB guidelines for research involving human subjects.
The risks to your participation in this online study are those associated with basic computer tasks, including boredom, fatigue, mild stress, or breach of confidentiality. The benefits to you are a monetary compensation and the learning experience from participating in a research study. The benefit to society is the contribution to scientific knowledge.
Compensation: All participants who complete the interview will receive a compensation in the form of $60 donated to an open source project of your choice within our guidelines and possibilities, for example via GitHub Donations.
Your participation is voluntary. You can withdraw from the study at any time by informing the interviewer. If you choose to do so, your data will not be used in the study. You will not be compensated should you decide to do so. You may at any point during or after the study request for your data to be removed from the dataset. Note that anonymized and aggregated data cannot be removed after publication.
For any questions about this research, you may contact:
- Nicolas Huaman (Project Lead, PhD student, huaman@sec.uni-hannover.de)
- Prof. Dr. Sascha Fahl (Supervising Professor, fahl@cispa.de)
- General contact: contact@teamusec.de
- Responsible for Data Processing: CISPA – Helmholtz Center for Information Security gGmbH - Stuhlsatzenhaus 5 - 66123 Saarbrücken - Germany - front-office@cispa.de
- Data Protection Officer: dsb@cispa.de
By giving your consent, you confirm that:
- You are at least 18 years old.
- You have read or have been read this declaration of consent and information on data protection.
- Your questions on this have been answered to your satisfaction.
- You are voluntarily participating in this survey.