"You have to read 50 different RFCs that contradict each other": An Interview Study on the Experiences of Implementing Cryptographic Standards

Authors: 

Nicolas Huaman and Jacques Suray, Leibniz University Hannover; Jan H. Klemmer, CISPA Helmholtz Center for Information Security; Marcel Fourné, Paderborn University; Sabrina Amft, CISPA Helmholtz Center for Information Security; Ivana Trummová, Czech Technical University in Prague; Yasemin Acar, Paderborn University & The George Washington University; Sascha Fahl, CISPA Helmholtz Center for Information Security

Abstract: 

Implementing cryptographic standards is a critical process for the cryptographic ecosystem. Cryptographic standards aim to support developers and engineers in implementing cryptographic primitives and protocols. However, past security incidents suggest that implementing cryptographic standards can be challenging and might jeopardize software and hardware security. We need to understand and mitigate the pain points of those implementing cryptographic standards to support them better.

To shed light on the challenges and obstacles of implementing cryptographic standards, we conducted 20 semi-structured interviews with experienced cryptographers and cryptographic software engineers. We identify common practices when implementing standards, including the criticality of reference and third-party implementations, test vectors to verify implementations, and the open standard community as central support for questions and reviews of implementations.

Based on our findings, we recommend transparent standardization processes, strong (ideally formal) verification, improved support for comparing implementations, and covering updates and error handling in the standardization process.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299846,
author = {Nicolas Huaman and Jacques Suray and Jan H. Klemmer and Marcel Fourn{\'e} and Sabrina Amft and Ivana Trummov{\'a} and Yasemin Acar and Sascha Fahl},
title = {"You have to read 50 different {RFCs} that contradict each other": An Interview Study on the Experiences of Implementing Cryptographic Standards},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {7249--7266},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/huaman},
publisher = {USENIX Association},
month = aug
}