Why does cryptographic software fail?

David Lazar, Haogang Chen, Xi Wang, Nickolai Zeldovich
2014 Proceedings of 5th Asia-Pacific Workshop on Systems - APSys '14  
Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.
doi:10.1145/2637166.2637237 dblp:conf/apsys/LazarCWZ14 fatcat:upwjoelmfbhxnketl7jjazgiwe