Alexander Wiesmaier

Julian Hohm, Andreas Heinemann, Alexander Wiesmaier

This work proposes the Crypto-Agility Maturity Model (CAMM for short), a maturity model for determining the state of crypto-agility of a given software or IT landscape. CAMM consists of five levels, for each level a set of requirements have been formulated based on literature review. Initial feedback from field experts confirms that CAMM has a well-designed structure and is easy to comprehend. Based on our model, the crytographic agility of an IT landscape can be systematically measured and improved step by step. We expect that this will enable companies and to respond better and faster to threats resulting from broken cryptographic schemes. This work serves to promote CAMM and encourage others to apply it in practice and develop it jointly.

Alexander Wiesmaier, Nouri Alnahawi, Tobias Grasmeyer et al.

Besides the development of PQC algorithms, the actual migration of IT systems to such new schemes has to be considered, best by utilizing or establishing crypto-agility. Much work in this respect is currently conducted all over the world, making it hard to keep track of the many individual challenges and respective solutions that have been identified. In consequence, it is difficult to judge for both individual application scenarios and on a global scale, whether all (known) challenges have been addressed respectively or what their current state is. We provide a literature survey and a snapshot of the discovered challenges and solutions categorized in different areas. We use this as starting point for a community project to keep track of the ongoing efforts and the state of the art in this field. Thereby we offer a single entry-point into the subject reflecting the current state in a timely manner.

Alexander Zeier, Alexander Wiesmaier, Andreas Heinemann

Currently, PQC algorithms are being standardized to address the emerging threat to conventional asymmetric algorithms from quantum computing. These new algorithms must then be integrated into existing protocols, applications and infrastructures. Integration problems are to be expected, due to incompatibilities with existing standards and implementations on the one hand, but also due to a lack of knowledge among software developers about how to handle PQC algorithms. To illustrate incompatibilities, we integrate two different PQC algorithms into two different existing software products (the InboxPager email client for the Android OS and the TLS implementation of the Bouncy Castle crypto library). Here, we rely on the highly-abstract crypto library eUCRITE, which hides technical details about the correct usage of classical and PCQ algorithms and thus prevents some potential implementation errors.

Rolf Huesmann, Alexander Zeier, Andreas Heinemann et al.

A good documentation is essential for a good usability of (security) APIs, i.e. especially for the correct use of the APIs. Requirements for good documentation of APIs have been described in several papers, but there is no technical implementation (hereinafter referred to as a documentation system) that implements these requirements. The requirements can be divided into requirements for the documentation system and requirements for the documentation content. Out of 13 identified requirements for a documentation system itself, 9 were implemented in a prototype and evaluated in a user study with 22 test persons using a cryptographic API. It turned out that the implementation of the requirement 'Enable quick use of the API' depends on the one hand on the quality of the content entered, but on the other hand also includes 5 other requirements or their implementation. The two other implemented requirements ('classic reference' and 'question and answer function') were hardly or not at all used by the test persons. Their usefulness and relevance should be investigated in a long-term study.