
API Usability of Stateful Signature Schemes

Conference paper. In: Advances in Information and Computer Security (IWSEC 2019)

Abstract

The rise of quantum computers poses a threat to asymmetric cryptographic schemes. With their continuing development, schemes such as DSA or ECDSA are likely to be broken in a few years’ time. We therefore must begin to consider the use of different algorithms that would be able to withstand powerful quantum computers. Among the considered algorithms are hash-based signature schemes, some of which, including XMSS, are stateful: the private key changes with every signature, and a signature index must never be used twice. In comparison to stateless algorithms, these stateful schemes pose additional implementation challenges for developers regarding error-free usage and integration into IT systems. As the correct use of cryptographic algorithms is the foundation of a secure IT system, mastering these challenges is essential.

This work proposes an easy-to-use API design for stateful signature schemes, using XMSS and its multi-tree variant XMSS^MT as examples. Our design is based on findings from the literature as well as on a series of interviews with software developers. It has been prototypically implemented and evaluated in small-scale user studies. Our results show that the API can manage the stateful keys in a way that is transparent to the user. Furthermore, a preliminary online study has shown that the API’s documentation and applicability are comprehensible. However, because of the transparent state management, many of the study’s participants were unaware that they were using a stateful scheme, which can become a problem in practice (for instance when keys are backed up or copied). Our current API design will serve as the basis for a larger user study that will review these preliminary findings.
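As an added worked example (not code from the paper, nor from the EasySigner-API it describes), the following Python toy shows the property that makes transparent state management security-critical: each Lamport one-time-signature leaf of a Merkle tree may be used once, so the signer must persist the advanced leaf index before it releases a signature, and a state that is rolled back (here by copying an old state file over the current one) lets anyone holding the two resulting signatures forge a third message. The seed, the messages, the file-based state and the 16-bit digest are constructed assumptions for this demonstration; the scheme is not XMSS and has no real security.

```python
"""Toy stateful hash-based signatures with persisted state.  Added illustration:
not the paper's EasySigner-API and not XMSS.  Lamport one-time signatures (OTS)
are the leaves of a Merkle tree; a leaf may sign ONCE, so the signer persists the
next-unused index BEFORE releasing a signature.  No real security: N_BITS is cut
to 16 so the leaf-reuse forgery below runs in under a second (real schemes: 256)."""
import hashlib
import json
import os
import tempfile

N_BITS = 16  # toy digest width

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def _msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]

def _ots_secret(seed, leaf, bit, val):
    # all per-leaf secrets derive from the seed, so the key is (seed, height, state file)
    return H(seed, leaf.to_bytes(4, "big"), bit.to_bytes(2, "big"), bytes([val]))

def ots_public(seed, leaf):
    return [[H(_ots_secret(seed, leaf, b, v)) for v in (0, 1)] for b in range(N_BITS)]

def leaf_hash(pk):
    return H(*[x for pair in pk for x in pair])

class StatefulKey:
    def __init__(self, seed, height, state_path):
        self.seed, self.height, self.state_path = seed, height, state_path
        layer = [leaf_hash(ots_public(seed, i)) for i in range(1 << height)]
        self.layers = [layer]
        while len(layer) > 1:
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            self.layers.append(layer)
        self.root = layer[0]  # the public key
        if not os.path.exists(state_path):
            self._store_next(0)

    def _store_next(self, n):
        # write, fsync, atomic rename: a crash cannot leave a stale, reusable index behind
        with open(self.state_path + ".tmp", "w") as f:
            json.dump({"next": n}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(self.state_path + ".tmp", self.state_path)

    def sign(self, msg):
        with open(self.state_path) as f:
            idx = json.load(f)["next"]
        if idx >= (1 << self.height):
            raise RuntimeError("key exhausted: no unused leaf left")
        self._store_next(idx + 1)  # reserve the leaf before the signature exists
        auth = [layer[(idx >> d) ^ 1] for d, layer in enumerate(self.layers[:-1])]
        ots = [_ots_secret(self.seed, idx, b, bit) for b, bit in enumerate(_msg_bits(msg))]
        return {"idx": idx, "ots": ots, "pk": ots_public(self.seed, idx), "auth": auth}

def verify(root, msg, sig):
    bits = _msg_bits(msg)
    if not all(H(s) == sig["pk"][b][bits[b]] for b, s in enumerate(sig["ots"])):
        return False
    node = leaf_hash(sig["pk"])
    for d, sib in enumerate(sig["auth"]):
        node = H(sib, node) if (sig["idx"] >> d) & 1 else H(node, sib)
    return node == root

def forge_after_reuse(sig_a, msg_a, sig_b, msg_b, tries=200000):
    """Two signatures from the SAME leaf reveal both OTS secrets wherever the digests
    differ; search for a target message whose digest needs only revealed secrets."""
    ba, bb = _msg_bits(msg_a), _msg_bits(msg_b)
    for n in range(tries):
        target = b"forged-%d" % n
        pick = [sig_a["ots"][b] if bit == ba[b] else sig_b["ots"][b] if bit == bb[b] else None
                for b, bit in enumerate(_msg_bits(target))]
        if None not in pick:
            return target, dict(sig_a, ots=pick)
    return None

def demo():
    """Sign, copy an old state file back over the new one ('restore from backup'),
    sign again: both signatures use leaf 0 and their holder forges a third message."""
    path = os.path.join(tempfile.mkdtemp(), "key.state")
    key = StatefulKey(b"constructed-demo-seed", height=2, state_path=path)
    m1, m2 = b"pay alice 10", b"pay bob 10"
    sig1 = key.sign(m1)
    with open(path, "w") as f:
        json.dump({"next": 0}, f)  # the operational mistake
    sig2 = key.sign(m2)
    forged = forge_after_reuse(sig1, m1, sig2, m2)
    exhausted = False
    try:
        for _ in range(4):  # leaves 1..3 remain, so the fourth call must fail
            key.sign(b"other")
    except RuntimeError:
        exhausted = True
    return {"sig1_valid": verify(key.root, m1, sig1), "same_leaf": sig1["idx"] == sig2["idx"],
            "forgery_verifies": forged is not None and verify(key.root, *forged),
            "exhaustion_enforced": exhausted}
```

Calling `demo()` returns a dict in which every entry is True: the honest signature verifies, the rolled-back state reuses leaf 0, the forgery assembled from the two reused signatures verifies against the same root, and signing after all 2^h leaves are used up raises. The reserve-then-sign order and the fsync-before-rename write are what a library can enforce on its own; what it cannot see is a second copy of the state (a VM snapshot, a restored backup, a replicated signer), which is the kind of obstacle the abstract has in mind when it notes that users were unaware of the scheme's statefulness.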


Notes

  1. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography (2019-02-12).
  2. https://eugdpr.org (2019-06-07).
  3. https://cve.mitre.org (2019-03-09).
  4. https://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/pqc/jcajce/provider/xmss/package-frame.html (2019-02-21).
  5. https://github.com/joostrijneveld/xmss-reference (2019-03-09).
  6. https://www.bouncycastle.org (2019-03-09).
  7. https://docs.oracle.com/javase/8/docs/api/java/security/Provider.html (2019-03-09).
  8. https://stackoverflow.com (2019-03-09).
  9. https://github.com/google/tink (2019-03-09).
  10. https://github.com/google/keyczar (2019-03-17).
  11. They were invited by e-mail, using addresses that had previously been extracted from git commits.
  12. https://docs.microsoft.com/en-us/windows/desktop/seccng (2019-02-27).
  13. https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html (2019-02-21).
  14. https://www.oracle.com/technetwork/java/javase/downloads/jdk11-downloads-5066655.html (2019-02-21).
  15. Source code available at https://github.com/azeier-ucs/EasySigner-API.
  16. It was the most popular programming language in the StackOverflow developer survey 2018: https://insights.stackoverflow.com/survey/2018/ (2019-03-07).
  17. They are referred to as predefined values within the API’s documentation, since the term profiles proved to be confusing in the first iteration of our usability tests.
  18. https://docs.oracle.com/javase/tutorial/essential/concurrency/syncmeth.html (2019-03-13).
  19. Developer Observatory, including a setup guide, is available for download at https://github.com/developer-observatory/developer-observatory (2019-03-09).
  20. http://jupyter.org (2019-03-09).
  21. https://github.com/scijava/scijava-jupyter-kernel (2019-03-09).


Acknowledgements

This project (HA proj. no. 633/18-56) is financed with funds of LOEWE – Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz, Förderlinie 3 (State Offensive for the Development of Scientific and Economic Excellence). We thank our reviewers and the shepherd for their valuable feedback.

Corresponding author: Alexander Zeier


Appendix. API Usability Score of the Online Study

Table 2. API usability score of the online study.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Zeier, A., Wiesmaier, A., Heinemann, A. (2019). API Usability of Stateful Signature Schemes. In: Attrapadung, N., Yagi, T. (eds) Advances in Information and Computer Security. IWSEC 2019. Lecture Notes in Computer Science, vol 11689. Springer, Cham. https://doi.org/10.1007/978-3-030-26834-3_13


  • DOI: https://doi.org/10.1007/978-3-030-26834-3_13
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-26833-6
  • Online ISBN: 978-3-030-26834-3
