Tired of managing certificates? Automate it with ZeroSSL   Learn about ZeroSSL Automation x

KeyCzar, an open source cryptographic toolkit is released

The Google Security Team has developed and released an open source cryptographic toolkit that makes it easier and safer for developers to use cryptography in their applications. It supports authentication and encryption with both symmetric and asymmetric keys as well as

  • A simple API
  • Key rotation and versioning
  • Safe default algorithms, modes, and key lengths
  • Automated generation of initialization vectors and ciphertext signatures
  • Java and Python implementations (C++ coming soon)
  • International support in Java (Python coming soon)

The website gives a simple introduction:

Why Keyczar?

Cryptography is easy to get wrong. Developers can choose improper cipher modes, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple programming interface.

Keyczar is designed to be open, extensible, and cross-platform compatible. It is not intended to replace existing cryptographic libraries like OpenSSL, PyCrypto, or the Java JCE, and in fact is built on these libraries.

An illustrative use case

Suppose an application needs to encrypt a URL parameter value with a symmetric key. Normally, a developer would need to decide which algorithm to use, the key length to use, the mode of operation, how to handle initialization vectors, how to rotate keys, and how to sign ciphertexts. Keyczar simplifies these choices. Using an existing keyset, a Java developer would just need to call the following:

Crypter crypter = new Crypter("/path/to/your/keys");
String ciphertext = crypter.encrypt("Secret message");

Similarly a Python developer would just call the following:

crypter = Crypter.Read("/path/to/your/keys");
ciphertext = crypter.Encrypt("Secret message");


Originally posted on Mon Aug 18, 2008



How is this any better/easier then existing solutions like libssl and OpenPGP options?

More hype/buzzwordery?

Advertisement • Hide