CRSE Aug 16, 2021

FluentCrypto: Cryptography in Easy Mode

arXiv:2108.07211v1, 13 citations
Originality: Incremental advance
AI Analysis

The paper addresses the problem of secure cryptography adoption for mainstream developers in Node.js, but it is incremental because it builds on existing API design principles.

The paper tackles two problems: developers find cryptography concepts hard to understand, and they find cryptography APIs challenging to use securely. Its answer is FluentCrypto, a fluent API for Node.js that hides low-level complexities and uses expert-specified rules to choose secure configurations. The reported result is an API that is hard to misuse, easier to use, and enables faster development of secure solutions than the standard API.

Research has shown that cryptography concepts are hard to understand for developers, and secure use of cryptography APIs is challenging for mainstream developers. We have developed a fluent API named FluentCrypto to ease the secure and correct adoption of cryptography in the Node.js JavaScript runtime environment. It provides a task-based solution, i.e., it hides the low-level complexities that involve using the native Node.js cryptography API, and it relies on the rules that crypto experts specify to determine a secure configuration of the API. We conducted an initial study and found that FluentCrypto is hard to misuse even for developers who lack cryptography knowledge, and compared to the standard Node.js crypto API, it is easier to use for developers and helps them to develop secure solutions in a shorter time.
