Google Introduces Open Source Cross-Platform Crypto Library
5.9.2018 securityweek Crypto
Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.
Under development for the past two years, the cryptographic library has been available on GitHub since its early days and has already attracted a few external contributors.
Now at version 1.2.0 and with support for cloud, Android, iOS, and more, the library is already being used to secure data of Google products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, and others.
Built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, Tink also includes a series of countermeasures that aim at mitigating weaknesses that Google’s Project Wycheproof discovered in those libraries.
Tink can simplify many common cryptographic operations. Data encryption, digital signatures, and more would only require a few lines of code, the Internet giant claims.
The library provides cryptographic APIs that Google says are secure, easy to use correctly, and harder to misuse.
“Tink aims to eliminate as many potential misuses as possible. For example, if the underlying encryption mode requires nonces and nonce reuse makes it insecure, then Tink does not allow the user to pass nonces,” Google explains.
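The nonce rule in that quote, as an added Go example (not Tink's code or API): the hypothetical `SafeAEAD` wrapper over standard-library AES-GCM picks the nonce itself, while `ReusedNonceXOR` calls the raw primitive with a repeated caller-chosen nonce to show what the restriction prevents. The key and messages are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SafeAEAD is a hypothetical wrapper (not Tink's API): no method accepts a nonce.
type SafeAEAD struct{ gcm cipher.AEAD }
func NewSafeAEAD(key []byte) (*SafeAEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &SafeAEAD{gcm}, err
}

// Encrypt draws a fresh random nonce per call and returns nonce || ciphertext || tag.
func (s *SafeAEAD) Encrypt(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, s.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt splits off the stored nonce; Open verifies the tag and associated data.
func (s *SafeAEAD) Decrypt(ct, aad []byte) ([]byte, error) {
	if n := s.gcm.NonceSize(); len(ct) >= n {
		return s.gcm.Open(nil, ct[:n], ct[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// ReusedNonceXOR seals two equal-length messages under one nonce: the result is p1 XOR p2.
func (s *SafeAEAD) ReusedNonceXOR(nonce, p1, p2 []byte) []byte {
	c1, c2 := s.gcm.Seal(nil, nonce, p1, nil), s.gcm.Seal(nil, nonce, p2, nil)
	for i := range p1 {
		c1[i] ^= c2[i] // identical keystream bytes cancel out
	}
	return c1[:len(p1)]
}

func main() {
	a, _ := NewSafeAEAD(make([]byte, 32)) // constructed all-zero demo key
	fmt.Printf("%x\n", a.ReusedNonceXOR(make([]byte, 12), []byte("attack at dawn"), []byte("retreat at ten")))
}
```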
The goal when building the library was to make it easy to improve product security. Thus, Tink shows the claimed security properties right in the interfaces, so that both security auditors and automated tools can quickly find instances where the security guarantees don’t match the security requirements.
Furthermore, the library isolates APIs for potentially dangerous operations, thus enabling the discovery, restriction, monitoring, and logging of these APIs’ usage.
The library also supports key management, including key rotation and phasing out deprecated ciphers, Google says.
Also designed to be extensible, Tink simplifies the addition of custom cryptographic schemes or in-house key management systems. All of Tink’s components are easy to replace or remove, and all “are composable, and can be selected and assembled in various combinations,” Google says.
This means that anyone who only needs digital signatures, for example, can simply exclude symmetric key encryption components from the library, thus minimizing code size in their application.