Cryptographic libraries are difficult to use. Various empirical studies have shown that software developers commonly struggle to correctly encrypt, sign or hash data processed within their software. Common APIs of cryptographic libraries are powerful, yet require a lot of configuration. For example, symmetric block ciphers must be configured with block modes, padding schemes, and the algorithm's key length. While the fine-grained crypto APIs allow software developers customized and flexible implementations, slight misconfigurations easily yield insecure and broken code. In other words, the APIs are designed for crypto experts, although their target audience are software developers.
The Eclipse plugin CogniCrypt bridges this gap between crypto experts and software developers. CogniCrypt continuously assists software developers within their IDE, warns as soon as a cryptographic API is used incorrectly and suggests possible fixes. CogniCrypt makes cryptography usable for developers and thereby facilitates secure software implementations.
In this talk we showcase CogniCrypt, give an overview of its features, dive into some technical details, such as the underlying domain-specific language and the static analysis. We further demonstrate how CogniCrypt can be customized to detect misused APIs also in other domains.
Oh and before we forget - CogniCrypt also warns you when you leave your beloved password in your code. So you better change it.