Footguns and factorisation: how to make users of your cryptographic library successful
Yuma Theatre | Sun 16 Jan 3:45 p.m.–4:30 p.m.
Presented by
-
Lindsay Holmwood
@auxesis
https://fractio.nl
Lindsay Holmwood is a product and engineering leader based in Australia. He currently works at CipherStash as Chief Product Officer. Previously, he served as the Head of Technology at the Australian federal government's Digital Transformation Agency, as an Engineering Manager at Envato, and Director of Product at Section.
Since bringing DevOps to Australia by running the second ever DevOpsDays conference in 2010, he runs the the longest running DevOps meetup in the world in Sydney. He regularly speaks on technology culture, DevOps, digital transformation, and building high performing teams. He also won third place at the 1996 Sydney Royal Easter Show LEGO building competition.
Lindsay Holmwood
@auxesis
https://fractio.nl
Abstract
Cryptography forms the backbone of how we securely use information online, but most developers don’t have more than a surface level understanding of cryptography.
Shannon's maxim states that “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them”. Open source makes this feasible for cryptography, with open source cryptographic libraries handling a huge proportion of information on the internet in flight and at rest.
Developers place a lot of trust in the authors of these libraries to get the cryptography engineering right.
But when basic usability issues result in developers using the libraries incorrectly, that trust and painstaking cryptography engineering can be for naught. Worse still, developers often believe they have used the libraries to build something that is secure. But that belief is often mistaken — their use of these libraries is actually insecure.
In this talk, attendees will learn:
1. What research says about how the usability of cryptographic libraries impacts the ability of users to deliver code that handles data securely
2. What common usability traps open source cryptography projects fall into
3. How authors, maintainers, and communities around open source cryptographic library can make their users successful
Cryptography forms the backbone of how we securely use information online, but most developers don’t have more than a surface level understanding of cryptography. Shannon's maxim states that “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them”. Open source makes this feasible for cryptography, with open source cryptographic libraries handling a huge proportion of information on the internet in flight and at rest. Developers place a lot of trust in the authors of these libraries to get the cryptography engineering right. But when basic usability issues result in developers using the libraries incorrectly, that trust and painstaking cryptography engineering can be for naught. Worse still, developers often believe they have used the libraries to build something that is secure. But that belief is often mistaken — their use of these libraries is actually insecure. In this talk, attendees will learn: 1. What research says about how the usability of cryptographic libraries impacts the ability of users to deliver code that handles data securely 2. What common usability traps open source cryptography projects fall into 3. How authors, maintainers, and communities around open source cryptographic library can make their users successful