Secure integration of cryptographic software. By modeling the variability in cryptography components, we help application developers configure the cryptography tasks they need. Presented at ONWARD! '15 in Pittsburgh.

1. ONWARD! ’15
Towards Secure Integration of
Cryptographic Software
Steven
Arzt
Sarah
Nadi
Karim
Ali
Eric
Bodden
Sebastian
Erdweg
Mira
Mezini

2. An Application Developer’s World
2

3. An Application Developer’s World
2
User accounts
Sensitive user
documents
Payment info.

4. An Application Developer’s World
2
User accounts
Sensitive user
documents
Payment info.
How to securely connect
to a server?
How to encrypt data?
Encryption vs
Hashing?
Encryption mode?
Salted hashing?

5. Problem Definition
3
Application developers are not
cryptographic experts!

6. Problem Definition
3
Application developers are not
cryptographic experts!
83% of 269 examined Common Vulnerabilities &
Exposures (CVE) are due to misuse of crypto libraries
[Lazar et al., APSys ’14]

7. Problem Definition
3
Application developers are not
cryptographic experts!
83% of 269 examined Common Vulnerabilities &
Exposures (CVE) are due to misuse of crypto libraries
[Lazar et al., APSys ’14]
Even companies like Amazon & Paypal
misuse SSL certificate validation
[Georgiev et al., CCS ‘12]

8. Problem Definition
3
Application developers are not
cryptographic experts!
83% of 269 examined Common Vulnerabilities &
Exposures (CVE) are due to misuse of crypto libraries
[Lazar et al., APSys ’14]
Even companies like Amazon & Paypal
misuse SSL certificate validation
[Georgiev et al., CCS ‘12] 88% of Android apps misuse
cryptography APIs in at least one way
[Egele et al., CCS ‘13]

9. 4
So what exactly is a misuse?

10. 4
So what exactly is a misuse?
Scope:

11. Java Cryptography Architecture (JCA)
5

12. Example of an API Misuse
6
1 byte[] key = ...
2
3 Cipher cipher = Cipher.getInstance("AES");
4
5 SecretKey keyObj = new SecretKeySpec(key,"AES");
6
7 cipher.init(Cipher.ENCRYPT_MODE, keyObj);
8 byte[] cipherText = cipher.doFinal(input);
Figure 1. Example of using an AES cipher

13. Example of an API Misuse
7
Depending on the provider, default mode
for AES is Electronic Codebook (ECB)
which is insecure
1 byte[] key = ...
2
3 Cipher cipher = Cipher.getInstance("AES");
4
5 SecretKey keyObj = new SecretKeySpec(key,"AES");
6
7 cipher.init(Cipher.ENCRYPT_MODE, keyObj);
8 byte[] cipherText = cipher.doFinal(input);
Figure 1. Example of using an AES cipher
ion must first check the issuer of a certificate before passing
his certificate on to the authentication primitive. Such usage
protocols can then be translated into static analyses that au-

14. Goals
8
Bridge the gap between application
developers & cryptography experts

15. Goals
8
Assist developers in choosing
appropriate components &
configurations
Bridge the gap between application
developers & cryptography experts

16. Goals
8
Assist developers in choosing
appropriate components &
configurations
Support automatic generation of
code that uses cryptography
securely
Bridge the gap between application
developers & cryptography experts

17. Goals
8
Assist developers in choosing
appropriate components &
configurations
Support automatic generation of
code that uses cryptography
securely
Support automatic validation of
code that uses cryptography &
notify developer of any problems
Bridge the gap between application
developers & cryptography experts

18. Long-term Vision
9
Crypto Algorithms &
correct configurations
Available on the
Crypto Store
Configured crypto
tasks

19. Observations
10

20. Observations
11
Different types of cryptography algorithms

21. Different types of cryptography algorithms
Observations
12
Different configurations within one class of algorithms

22. Observations
13
Different types of cryptography algorithms
Different configurations within one class of algorithms
Tasks combine different algorithms
(often with some restrictions)

23. Observations
14
Lots of variability in cryptography!
Tasks combine different algorithms
(often with some restrictions)
Different types of cryptography algorithms
Different configurations within one class of algorithms

24. Proposed Solution: IDE Plugin
15
Task-based
Software Product Line
of
Cryptography Components

25. Working Example: Password-based Encryption
16
1 // Key generation code
2 SecureRandom random = new SecureRandom();
3 byte[] salt = new byte[32];
4 random.nextBytes(salt);
5 PBEKeySpec spec = new PBEKeySpec(pwdChar, salt, 1000, 128);
6 SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
7 SecretKey key = skf.generateSecret(spec);
8
9 // Encryption code
0 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
1 cipher.init(Cipher.ENCRYPT_MODE, key);
2 byte[] cipherText = cipher.doFinal(inputMsg);
Figure 3. Example of password-based encryption which requires the composition
1 abstract Algorithm

26. 17

27. Modeling Language
18

28. Modeling Language
18
Attribute-based feature models with support for referencing

29. Modeling Language
18
Attribute-based feature models with support for referencing
www.clafer.org

30. Cryptography Feature Model in Clafer
19
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13

31. 3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
Cryptography Feature Model in Clafer
20
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]

32. Cryptography Feature Model in Clafer
21
17 [memory >=1 && memory
18 }
19
20 abstract SymmetricCipher : Ci
21 keySize -> integer
22
23 abstract SymmetricBlockCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCiph
32 [ name = "AES with 128b
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
37 [ name = "AES with 256bit key"]
38 [ performance = 3 ]
39 [ secure ]
40 [ memory = 1 ]
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher

33. Cryptography Feature Model in Clafer
22
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
42 [ secure ]
43 [ memory = 1 ]
44 [ keySize = 256 ]
45 [ blockSize = 128 ]
Figure 4. Clafer model for sample hash functions ciph
based encryption task
hash function) is a type of algorithm. It includes all pro
ties from Algorithm, but also adds more specific proper
such as outputSize. The outputSize property determi
orithm
tring
ce -> integer //Levels 1 - 4 (4 fastest)
mance >=1 && performance <= 4]
s
e
est : Algorithm
e -> integer //in bits
DerivationAlgorithm : Algorithm
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
57 [performance = 4]
58 [insecure]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a password"]
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
37 [ name = "AES with 256bit key"]
38 [ performance = 3 ]
39 [ secure ]
40 [ memory = 1 ]
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher

34. Cryptography Feature Model in Clafer
23
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
42 [ secure ]
43 [ memory = 1 ]
44 [ keySize = 256 ]
45 [ blockSize = 128 ]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a pass
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
85 [cipher.keySize > 128]
Figure 4. Clafer model for sample hash functions ciphers and key derivation algorithms. Model als
based encryption task
hash function) is a type of algorithm. It includes all proper-
ties from Algorithm, but also adds more specific properties
such as outputSize. The outputSize property determines
the fixed length of the output produced by this hash func-
tion, measured in bits. Generally, the higher the number, the
harder it is to conduct a brute force attack against the hash
function. Similarly, Line 13 introduces an abstract Clafer
called KeyDerivationAlgorithm. In our example, it does
not have any additional properties. Lines 15–24 define the
different types of ciphers and the additional properties each
type might add to Algorithm. Lines 26–27 define an abstract
clafer called Task that we use to represent a cryptography-
related task (e.g., secure password storage, email transmis-
sion, data encryption, etc.).
Lines 30–71 define several instances of Cipher and
property to 4 and the outputSize to
variability for these properties. Simi
one instance of a key-derivation alg
as opposed to regular feature mode
actual instances and not just rely o
ble instances from Digest or Ciphe
combinations do not exist. For exam
pher with a key of 100 bits is a va
corresponding algorithm that suppor
A task that developers can later c
figurator is represented by a concrete
abstract clafer Task. Line 80 define
cryption task. Such a task needs a k
(Line 82), a digest to use with the k
(Line 83), and a cipher to perform
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
57 [performance = 4]
58 [insecure]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
57 [performance = 4]
58 [insecure]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a password"]
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
37 [ name = "AES with 256bit key"]
38 [ performance = 3 ]
39 [ secure ]
40 [ memory = 1 ]
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher
ipher
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf2 : KeyDerivationAlgorithm
72 [name = "PBKDF2"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task

35. Cryptography Feature Model in Clafer
24
cCipher
67 [insecure]
68 [outputSize = 160]
69
70 sha_256: Digest
71 [name = "SHA-256"]
72 [outputSize = 256 ]
73 [secure]
74 [performance = 2]
75
76 KeyDerivationAlgorithms
77 pbkdf : KeyDerivationAlgorithm
78 [name = "PBKDF"]
79 [performance = 2]
80 [secure]
81 }
82
83 PasswordBasedEncryption : Task
84 [name = "Encrypt data using a given password"]
85 kda -> KeyDerivationAlgorithm
86 cipher -> SymmetricBlockCipher
87 [cipher.keySize = kda.outputKeySize]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
57 [performance = 4]
58 [insecure]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a password"]
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
37 [ name = "AES with 256bit key"]
38 [ performance = 3 ]
39 [ secure ]
40 [ memory = 1 ]
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
37 [ name = "AES with 256bit key"]
38 [ performance = 3 ]
39 [ secure ]
40 [ memory = 1 ]
41 [ keySize = 256 ]
42 [ blockSize = 128 ]
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf2 : KeyDerivationAlgorithm
72 [name = "PBKDF2"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher
81 [cipher.keySize > 128]
Figure 4. Clafer model for sample hash functions ciphers and key derivation algorithms. Model also inclu
based encryption task
hash function) is a type of algorithm. It includes all proper-
ties from Algorithm, but also adds more specific properties
such as outputSize. The outputSize property determines
the fixed length of the output produced by this hash func-
tion, measured in bits. Generally, the higher the number, the
harder it is to conduct a brute force attack against the hash
function. Similarly, Line 12 introduces an abstract Clafer
called KeyDerivationAlgorithm. In our example, it does
not have any additional properties. Lines 14–22 define the
different types of ciphers and the additional properties each
type might add to Algorithm. Lines 24–25 define an abstract
clafer called Task that we use to represent a cryptography-
related task (e.g., secure password storage, email transmis-
one instance of a key-derivation algorithm.
as opposed to regular feature modeling, w
actual instances and not just rely on gene
ble instances from Digest or Cipher, simpl
combinations do not exist. For example, ev
pher with a key of 100 bits is a valid insta
corresponding algorithm that supports that.
A task that developers can later choose t
figurator is represented by a concrete clafer
abstract clafer Task. Line 76 defines a pass
cryption task. Such a task needs a key deriv
(Line 78), a digest to use with the key deriv
(Line 79), and a cipher to perform the ac
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
42 [ secure ]
43 [ memory = 1 ]
44 [ keySize = 256 ]
45 [ blockSize = 128 ]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a pass
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
85 [cipher.keySize > 128]
Figure 4. Clafer model for sample hash functions ciphers and key derivation algorithms. Model als
based encryption task
hash function) is a type of algorithm. It includes all proper-
ties from Algorithm, but also adds more specific properties
such as outputSize. The outputSize property determines
the fixed length of the output produced by this hash func-
tion, measured in bits. Generally, the higher the number, the
harder it is to conduct a brute force attack against the hash
function. Similarly, Line 13 introduces an abstract Clafer
called KeyDerivationAlgorithm. In our example, it does
not have any additional properties. Lines 15–24 define the
different types of ciphers and the additional properties each
type might add to Algorithm. Lines 26–27 define an abstract
clafer called Task that we use to represent a cryptography-
related task (e.g., secure password storage, email transmis-
sion, data encryption, etc.).
Lines 30–71 define several instances of Cipher and
property to 4 and the outputSize to
variability for these properties. Simi
one instance of a key-derivation alg
as opposed to regular feature mode
actual instances and not just rely o
ble instances from Digest or Ciphe
combinations do not exist. For exam
pher with a key of 100 bits is a va
corresponding algorithm that suppor
A task that developers can later c
figurator is represented by a concrete
abstract clafer Task. Line 80 define
cryption task. Such a task needs a k
(Line 82), a digest to use with the k
(Line 83), and a cipher to perform
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
57 [performance = 4]
58 [insecure]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm

36. Cryptography Feature Model in Clafer
25
Cipher
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a password"]
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
85 [cipher.keySize > 128]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
57 [performance = 4]
58 [insecure]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a password"]
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >= 1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11
12 abstract KeyDerivationAlgorithm : Algorithm
13
14 abstract Cipher : Algorithm
15 memory -> integer //Levels 1 - 4 (1 lowest)
16 [memory >= 1 && memory <= 4]
17
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
37 [ name = "AES with 256bit key"]
38 [ performance = 3 ]
39 [ secure ]
40 [ memory = 1 ]
43 DES: SymmetricBlockCipher
44 [ name = "DES"]
45 [ performance = 2 ]
46 [ memory = 2 ]
47 [ secure ]
48 [ keySize = 56 ]
49 [ blockSize = 64 ]
50
51 DigestAlgorithms
52 md5: Digest
53 [name = "MD5"]
54 [performance = 4]
55 [insecure]
56 [outputSize = 128]
57
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf : KeyDerivationAlgorithm
72 [name = "PBKDF"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher
18 abstract SymmetricCipher : Cipher
19 keySize -> integer
20
21 abstract SymmetricBlockCipher : SymmetricCipher
22 blockSize -> integer
23
24 abstract Task
25 name -> string
26
27 Ciphers
28 AES128 : SymmetricBlockCipher
29 [ name = "AES with 128bit key" ]
30 [ performance = 3 ]
31 [ secure ]
32 [ memory = 1 ]
33 [ keySize = 128 ]
34 [ blockSize = 128 ]
35
36 AES256 : SymmetricBlockCipher
37 [ name = "AES with 256bit key"]
38 [ performance = 3 ]
39 [ secure ]
40 [ memory = 1 ]
41 [ keySize = 256 ]
42 [ blockSize = 128 ]
58 sha_1: Digest
59 [name = "SHA-1"]
60 [performance = 4]
61 [insecure]
62 [outputSize = 160]
63
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf2 : KeyDerivationAlgorithm
72 [name = "PBKDF2"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher
81 [cipher.keySize > 128]
Figure 4. Clafer model for sample hash functions ciphers and key derivation algorithms. Model also inclu
based encryption task
hash function) is a type of algorithm. It includes all proper-
ties from Algorithm, but also adds more specific properties
such as outputSize. The outputSize property determines
the fixed length of the output produced by this hash func-
tion, measured in bits. Generally, the higher the number, the
harder it is to conduct a brute force attack against the hash
function. Similarly, Line 12 introduces an abstract Clafer
called KeyDerivationAlgorithm. In our example, it does
not have any additional properties. Lines 14–22 define the
different types of ciphers and the additional properties each
type might add to Algorithm. Lines 24–25 define an abstract
clafer called Task that we use to represent a cryptography-
related task (e.g., secure password storage, email transmis-
one instance of a key-derivation algorithm.
as opposed to regular feature modeling, w
actual instances and not just rely on gene
ble instances from Digest or Cipher, simpl
combinations do not exist. For example, ev
pher with a key of 100 bits is a valid insta
corresponding algorithm that supports that.
A task that developers can later choose t
figurator is represented by a concrete clafer
abstract clafer Task. Line 76 defines a pass
cryption task. Such a task needs a key deriv
(Line 78), a digest to use with the key deriv
(Line 79), and a cipher to perform the ac
cCipher
67 [insecure]
68 [outputSize = 160]
69
70 sha_256: Digest
71 [name = "SHA-256"]
72 [outputSize = 256 ]
73 [secure]
74 [performance = 2]
75
76 KeyDerivationAlgorithms
77 pbkdf : KeyDerivationAlgorithm
78 [name = "PBKDF"]
79 [performance = 2]
80 [secure]
81 }
82
83 PasswordBasedEncryption : Task
84 [name = "Encrypt data using a given password"]
85 kda -> KeyDerivationAlgorithm
86 cipher -> SymmetricBlockCipher
87 [cipher.keySize = kda.outputKeySize]
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
37 [ blockSize = 128 ]
38
39 AES256 : SymmetricBlockCipher
40 [ name = "AES with 256bit key"]
41 [ performance = 3 ]
42 [ secure ]
43 [ memory = 1 ]
44 [ keySize = 256 ]
45 [ blockSize = 128 ]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm
75 [name = "PBKDF"]
76 [performance = 2]
77 [secure]
78 }
79
80 PasswordBasedEncryption : Task
81 [name = "Encrypt data based on a pass
82 kda -> KeyDerivationAlgorithm
83 digest -> Digest
84 cipher -> SymmetricBlockCipher
85 [cipher.keySize > 128]
Figure 4. Clafer model for sample hash functions ciphers and key derivation algorithms. Model als
based encryption task
hash function) is a type of algorithm. It includes all proper-
ties from Algorithm, but also adds more specific properties
such as outputSize. The outputSize property determines
the fixed length of the output produced by this hash func-
tion, measured in bits. Generally, the higher the number, the
harder it is to conduct a brute force attack against the hash
function. Similarly, Line 13 introduces an abstract Clafer
called KeyDerivationAlgorithm. In our example, it does
not have any additional properties. Lines 15–24 define the
different types of ciphers and the additional properties each
type might add to Algorithm. Lines 26–27 define an abstract
clafer called Task that we use to represent a cryptography-
related task (e.g., secure password storage, email transmis-
sion, data encryption, etc.).
Lines 30–71 define several instances of Cipher and
property to 4 and the outputSize to
variability for these properties. Simi
one instance of a key-derivation alg
as opposed to regular feature mode
actual instances and not just rely o
ble instances from Digest or Ciphe
combinations do not exist. For exam
pher with a key of 100 bits is a va
corresponding algorithm that suppor
A task that developers can later c
figurator is represented by a concrete
abstract clafer Task. Line 80 define
cryption task. Such a task needs a k
(Line 82), a digest to use with the k
(Line 83), and a cipher to perform
1 abstract Algorithm
2 name -> string
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
46 DES: SymmetricBlockCipher
47 [ name = "DES"]
48 [ performance = 2 ]
49 [ memory = 2 ]
50 [ secure ]
51 [ keySize = 56 ]
52 [ blockSize = 64 ]
53
54 DigestAlgorithms
55 md5: Digest
56 [name = "MD5"]
57 [performance = 4]
58 [insecure]
59 [outputSize = 128]
60
61 sha_1: Digest
62 [name = "SHA-1"]
63 [performance = 4]
64 [insecure]
65 [outputSize = 160]
66
67 sha_256: Digest
68 [name = "SHA-256"]
69 [outputSize = 256 ]
70 [secure]
71 [performance = 2]
72
73 KeyDerivationAlgorithms
74 pbkdf : KeyDerivationAlgorithm

37. 26

38. 27

39. • Support method order restrictions
• Support parameter restrictions
Usage Protocol Language
28

40. • Support method order restrictions
• Support parameter restrictions
Usage Protocol Language
28
TS4J
[Bodden, SOAP ’14]

41. • Relies on fluent interfaces to build a domain specific
language (DSL), in Java
• Underlying typestate analysis
Typestate for Java (TS4J)
29

42. • Relies on fluent interfaces to build a domain specific
language (DSL), in Java
• Underlying typestate analysis
Typestate for Java (TS4J)
29
String CONS =
"<javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>";
return UsageProtocolAPI
.atCallTo(CONS)
.ifParameter(0, p -> !p.contains("/") || p.contains("/ECB"))
.reportError("Insecure block cipher mode");
Figure 6. TSJ4 Specification for Checking Block Cip
ert Java developers. Since our goal is to allow crypto-

43. Mapping to Code & Usage Protocols
30
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
46 DE
47 [
48 [
49 [
50 [
51 [
52 [
53
54 Digest
55 md5:
56 [n
57 [p
58 [i
59 [o
60
61 sha_
62 [n
63 [p
64 [i
65 [o
66
67 sha_
68 [n
69 [o
70 [s
71 [p
72
73 KeyDer
74 pbkd
75 [n
76 [p
77 [s
78 }
79
1 public class KeyDeriv {
2 private String algorithm = "";
3
4 public SecretKey getKey(String pwd) throws ... {
5 SecureRandom r = new SecureRandom();
6 byte[] salt = new byte[32];
7 r.nextBytes(salt);
8
9 PBEKeySpec spec = new
PBEKeySpec(pwd.toCharArray(), salt, 1000,
128);
10 SecretKeyFactory skf =
SecretKeyFactory.getInstance(algorithm);
11 return skf.generateSecret(spec);
12 }
13 }
Figure 7. Generic key derivation code
1 public class KeyDeriv {
2 private String algorithm = "PBKDF2WithHmacSHA1";
1 String CONS =
2 "<javax.crypto.spec.PBEKEYSpec: void
<init>(char[],byte[],int,int)>";
3
4 return UsageProtocolAPI
5 .atCallTo(CONS)
6 .ifParameter(2, p -> p < 500)
7 .reportError("Not enough iterations");
Figure 5. TSJ4 Specification for Checking PBEKey
Iteration Count
by view count and score) asked on StackOverflow. W
currently preparing a questionnaire to extract more info
tion on the concrete problems faced by these developer
the causes of requesting help from the community. In
allel, we are currently conducting an empirical study o
uses of cryptography in real-world application code to
Code Template
Usage protocol

44. Mapping to Code & Usage Protocols
30
3 performance -> integer //Levels 1 - 4 (4 fastest)
4 [performance >=1 && performance <= 4]
5 xor status
6 secure
7 insecure
8
9 abstract Digest : Algorithm
10 outputSize -> integer //in bits
11 }
12
13 abstract KeyDerivationAlgorithm : Algorithm
14
15 abstract Cipher : Algorithm
16 memory -> integer //Levels 1 - 4 (1 lowest)
17 [memory >=1 && memory <= 4]
18 }
19
20 abstract SymmetricCipher : Cipher
21 keySize -> integer
22
23 abstract SymmetricBlockCipher : SymmetricCipher
24 blockSize -> integer
25
26 abstract Task
27 name -> string
28 }
29
30 Ciphers
31 AES128 : SymmetricBlockCipher
32 [ name = "AES with 128bit key" ]
33 [ performance = 3 ]
34 [ secure ]
35 [ memory = 1 ]
36 [ keySize = 128 ]
46 DE
47 [
48 [
49 [
50 [
51 [
52 [
53
54 Digest
55 md5:
56 [n
57 [p
58 [i
59 [o
60
61 sha_
62 [n
63 [p
64 [i
65 [o
66
67 sha_
68 [n
69 [o
70 [s
71 [p
72
73 KeyDer
74 pbkd
75 [n
76 [p
77 [s
78 }
79
1 public class KeyDeriv {
2 private String algorithm = "";
3
4 public SecretKey getKey(String pwd) throws ... {
5 SecureRandom r = new SecureRandom();
6 byte[] salt = new byte[32];
7 r.nextBytes(salt);
8
9 PBEKeySpec spec = new
PBEKeySpec(pwd.toCharArray(), salt, 1000,
128);
10 SecretKeyFactory skf =
SecretKeyFactory.getInstance(algorithm);
11 return skf.generateSecret(spec);
12 }
13 }
Figure 7. Generic key derivation code
1 public class KeyDeriv {
2 private String algorithm = "PBKDF2WithHmacSHA1";
1 String CONS =
2 "<javax.crypto.spec.PBEKEYSpec: void
<init>(char[],byte[],int,int)>";
3
4 return UsageProtocolAPI
5 .atCallTo(CONS)
6 .ifParameter(2, p -> p < 500)
7 .reportError("Not enough iterations");
Figure 5. TSJ4 Specification for Checking PBEKey
Iteration Count
by view count and score) asked on StackOverflow. W
currently preparing a questionnaire to extract more info
tion on the concrete problems faced by these developer
the causes of requesting help from the community. In
allel, we are currently conducting an empirical study o
uses of cryptography in real-world application code to
Code Template
Usage protocol

45. Mapping to Code & Usage Protocols
31
3
4 public SecretKey getKey(String pwd) throws ... {
5 SecureRandom r = new SecureRandom();
6 byte[] salt = new byte[32];
7 r.nextBytes(salt);
8
9 PBEKeySpec spec = new
PBEKeySpec(pwd.toCharArray(), salt, 1000,
128);
10 SecretKeyFactory skf =
SecretKeyFactory.getInstance(algorithm);
11 return skf.generateSecret(spec);
12 }
13 }
Figure 7. Generic key derivation code
1 public class KeyDeriv {
2 private String algorithm = "PBKDF2WithHmacSHA1";
3
4 public SecretKey getKey(String pwd) throws ... {
5 return original(pwd);
6 }
7 }
Figure 8. Refining the generic key derivation code in Fig-
ure 7 using FeatureHouse to use the PBKDF2 algorithm
challenge to detect such inconsistencies and report them to
the developer in an understandable terminology.
Code Template
No additional usage
protocol necessary
64 sha_256: Digest
65 [name = "SHA-256"]
66 [outputSize = 256 ]
67 [secure]
68 [performance = 2]
69
70 KeyDerivationAlgorithms
71 pbkdf2 : KeyDerivationAlgorithm
72 [name = "PBKDF2"]
73 [performance = 2]
74 [secure]
75
76 PasswordBasedEncryption : Task
77 [name = "Encrypt data based on a password"]
78 kda -> KeyDerivationAlgorithm
79 digest -> Digest
80 cipher -> SymmetricBlockCipher
81 [cipher.keySize > 128]
unctions ciphers and key derivation algorithms. Model also includes a pas
cludes all proper- one instance of a key-derivation algorithm. Note he

46. 32

47. 32
Boundary between feature model
& usage protocol?

48. 33

49. Configurator
34

50. Configurator
35

51. Configurator
36
PasswordBasedEncryption
kda = pbkdf2
cipher = AES with 128bit key

52. Composer
37
Composer
PBKDF2
1 public class KeyDeriv {
2 private String algorithm = "";
3
4 public SecretKey getKey(String pwd) throws ... {
5 SecureRandom r = new SecureRandom();
6 byte[] salt = new byte[32];
7 r.nextBytes(salt);
8
9 PBEKeySpec spec = new
PBEKeySpec(pwd.toCharArray(), salt, 1000,
128);
10 SecretKeyFactory skf =
SecretKeyFactory.getInstance(algorithm);
11 return skf.generateSecret(spec);
12 }
13 }
Figure 7. Generic key derivation code
1 public class KeyDeriv {
2 private String algorithm = "PBKDF2WithHmacSHA1";
3
4 public SecretKey getKey(String pwd) throws ... {
5 return original(pwd);
6 }
7 }
Figure 8. Refining the generic key derivation code in Fig-
ure 7 using FeatureHouse to use the PBKDF2 algorithm
challenge to detect such inconsistencies and report them to
the developer in an understandable terminology.
In the background, ClaferIG uses a SAT solver to gener-
ate the instances that satisfy the given constraints7
. We are
currently developing the configurator as an Eclipse plugin
and exploring the tradeoffs between a filtering approach and
KeyDerivationAlgorithm
applied
om be-
ery call
omplex
rameter
ementa-
ensions
urrently
e TS4J
ily ex-
crypto-
thms to
domain
e proto-
he tasks
Clafer
ces that
ces are
straints.
oncrete
shown
xample
es that
s to as-
n other
devel-
laferIG
ble key
n task.
specify
ad a re-
greater
nt from
Line 85
stances
ES_128
not sat-
genera-
on [38].
1 public class KeyDeriv {
2 private String algorithm = "";
3
4 public SecretKey getKey(String pwd) throws ... {
5 SecureRandom r = new SecureRandom();
6 byte[] salt = new byte[32];
7 r.nextBytes(salt);
8
9 PBEKeySpec spec = new
PBEKeySpec(pwd.toCharArray(), salt, 1000,
128);
10 SecretKeyFactory skf =
SecretKeyFactory.getInstance(algorithm);
11 return skf.generateSecret(spec);
12 }
13 }
Figure 7. Generic key derivation code
1 public class KeyDeriv {
2 private String algorithm = "PBKDF2WithHmacSHA1";
3
4 public SecretKey getKey(String pwd) throws ... {
5 return original(pwd);
6 }
7 }
Figure 8. Refining the generic key derivation code in Fig-
ure 7 using FeatureHouse to use the PBKDF2 algorithm
challenge to detect such inconsistencies and report them to
the developer in an understandable terminology.
In the background, ClaferIG uses a SAT solver to gener-
ate the instances that satisfy the given constraints7
. We are
currently developing the configurator as an Eclipse plugin
and exploring the tradeoffs between a filtering approach and
a step-wise approach.
The filtering approach is currently used in the online
Clafer configurator8
where all valid instances of a given
model are generated. Such instances are then filtered based
on the constraints enforced by the user selection. The down-
side to such a solution is that if the configuration space is
large, an extremely large number of instances would be gen-
erated, which is time-consuming.
In a step-wise approach (which is our current design ap-
proach), we present only valid selections to the user at each
step during the configuration process. The idea is that only
1 public class KeyDeriv {
2 private String algorithm = "PBKDF2WithHmacSHA1";
3
4 private SecretKey
getKey__wrappee__KeyDerivation(String pwd)
throws ... {
5 SecureRandom r = new SecureRandom();
6 byte[] salt = new byte[32];
7 r.nextBytes(salt);
8
9 PBEKeySpec spec = new
PBEKeySpec(pwd.toCharArray(), salt, 1000,
128);
10 SecretKeyFactory skf =
SecretKeyFactory.getInstance(algorithm);
11 return skf.generateSecret(spec);
12 }
13
14 public SecretKey getKey(String pwd) throws ... {
15 return getKey__wrappee__KeyDerivation(pwd);
16 }
17 }
Figure 9. Resulting composition of Figure 7 and Figure 8
3.4 Composer
Now that the right features (i.e., algorithms) needed to per
form the task have been selected by the configurator, we
[FeatureIDE, Thüm et al. 2014 & FeatureHouse, Apel et al. 2009]
FeatureHouse
(Feature-oriented programming
+ superimposition)

53. 38

54. 38
Feature interactions
during composition?

55. 39

56. Challenges/Future Work
40
Mapping user’s selections
to parameters
Finding secure
code snippets
Different libraries
& library versions
Cryptography & library
evolution
More user-friendly
specification languages

57. 41
Towards Secure Integration of
Cryptographic Software
S. Arzt, S. Nadi, K. Ali, E. Bodden, S. Erdweg, M. Mezini
Check out our poster
@6pm tonight