Google has released a multi-language, cross-platform cryptographic library called Tink. The idea is that it has cryptographic APIs that are secure, easy to use correctly, and harder to misuse.

Tink is open source, and is built on top of existing libraries such as BoringSSL and Java Cryptography Architecture. However, the developers have improved on the algorithms to overcome problems that were discovered by Google developers working on Project Wycheproof. Wycheproof is used to test crypto libraries against known attacks. It is developed and maintained by members of Google Security Team, but isn't an official Google product. Wycheproof provides tests for most cryptographic algorithms, including RSA, elliptic curve crypto and authenticated encryption.

The developers have set out to have Tink help programmers using it avoid potential security problems in their code. One example given is where the underlying encryption mode requires nonces and nonce reuse makes it insecure. In this case, Tink stops the user passing nonces.

Another way Tink works is by isolating APIs for potentially dangerous operations such as loading cleartext keys from disk), making it possible for developers to discover and restrict the dangerous usage.

Tink supports the following primitives:

• AEAD (Authenticated Encryption with Associated Date)
• MAC (Message Authentication Codes)
• Digital Signatures
• Hybrid Encryption

A primitive is an interface that specifies what operations are offered by the primitive. It can have multiple implementations, and the user chooses which implementation will be used by specifying a key of corresponding type. The key structure is a protocol buffer that contains all the material and parameters needed to make the primitive work.

Alongside the cryptographic features, Tink can be used for key management, and supports remote key management systems (KMS). The current version supports Google Cloud KMS, Amazon KMS, and Android Keystore. Supprt for Apple iOS KeyChain is planned for a future version. In terms of language support, Tink can be used with Java, C++, and Objective-C. Support for C#, Go, and JavaScript/Node is planned for the next version.

More Information

Tink on Github

Related Articles

Chaff Bugs Make Your Code More Secure

Project Wycheproof Reveals Bugs In Popular Crypto Libraries

Airship, a truly secure PHP CMS

Open Source Homomorphic Cryptography

Public Key Cryptography Set To Fail In Five Years

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info