Strategies for Evaluating Open-Source Cryptography (S11a)
This talk will explore methodologies for evaluating open-source cryptography libraries and applications, drawing on years of cryptography audit experience. Open-source cryptography is widely used across industries, yet its users often lack insight into the correctness and security of the implementations they depend on. The discussion will cover aspects such as adherence to reference papers or RFCs, key management, randomness, protocol flows, and state transitions. An analysis of reported vulnerabilities in open-source cryptography libraries will also be presented. Future concerns, including post-quantum cryptography and the importance of cryptographic agility, will be addressed as well.