Google Releases an Open Source Cryptography Toolkit

by Sam Dean - Aug. 12, 2008

Google has just released an open source cryptographic toolkit: Keyczar. The company is aiming to make inherently complex cryptography easier and safer for developers to implement. In addition to the Google Code page where you can get the toolkit, there is this information page, and a link to a discussion group. Keyczar is released under an Apache 2.0 license. What does it offer?

Keyczar is built on OpenSSL, PyCrypto, and the Java JCE libraries, and is "not intended to replace existing cryptographic libraries," according to Google Code. It works with both symmetric and asymmetric keys, and there is this introduction on the Google Code page:

"Cryptography is easy to get wrong. Developers can often choose the wrong cipher mode, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple interface."

I've talked to many leading people in the field of cryptography, and "easy to get wrong" is an understatement. One of the reasons we don't see more of our content encrypted--from e-mail messaging to encrypted storage archives--is the sheer complexity of cryptography. I was amused to see that Google has provided a "non-goals" page for Keyczar, where it clarifies that it is not intended for tasks such as encrypting very "short blobs of data."

If you want to take a gander at some example uses of Keyczar, see the "illustrative use" cases on this page. There, you'll find actual code that, say, a Python developer might use to encrypt a URL parameter value with a symmetric key.

Keyczar was developed within the Google Security Team. Steve Weis of Google and Arkajit Dey of MIT were among the lead developers.
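To make the quoted point about "tagging outputs with key version information" and key rotation concrete, here is an added sketch that is not Keyczar's code, API or wire format. The `VersionedSigner` class, the 4-byte version header and the HMAC-SHA256 choice are assumptions made for illustration, using only the Python standard library.

```python
import base64
import hashlib
import hmac
import os
import struct


class VersionedSigner:
    """Illustrative keyset (not Keyczar's format): each tag names its key version."""

    def __init__(self):
        self._keys = {}     # version number -> 32-byte HMAC key
        self.primary = 0    # version used for new signatures
        self.rotate()

    def rotate(self):
        """Add a fresh primary key; older versions remain for verification only."""
        self.primary += 1
        self._keys[self.primary] = os.urandom(32)
        return self.primary

    def revoke(self, version):
        """Delete an old key so tokens signed under it stop verifying."""
        if version == self.primary:
            raise ValueError("rotate before revoking the primary key")
        self._keys.pop(version, None)

    def sign(self, message: bytes) -> str:
        tag = struct.pack(">I", self.primary)   # 4-byte version header
        mac = hmac.new(self._keys[self.primary], tag + message, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(tag + mac).decode()

    def verify(self, message: bytes, token: str) -> bool:
        try:
            raw = base64.urlsafe_b64decode(token)
        except ValueError:
            return False
        if len(raw) != 36:   # 4-byte version + 32-byte HMAC-SHA256
            return False
        key = self._keys.get(struct.unpack(">I", raw[:4])[0])
        if key is None:      # unknown or revoked version
            return False
        # The version header is covered by the MAC, so it cannot be swapped.
        expected = hmac.new(key, raw[:4] + message, hashlib.sha256).digest()
        return hmac.compare_digest(raw[4:], expected)
```

A token signed before `rotate()` still verifies afterwards because its header selects the old key, and it stops verifying once that version is revoked.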

 






5 Comments
 

Google is just doing a tremendous job of capturing developer-mindshare. Still not clear on how moves such as these are going to benefit Google (in $) over the long-term or is it purely a brand building exercise?

0 Votes

To the above comment, perhaps they are just trying to help developers create more secure applications?

0 Votes

more secure apps = more ebiz = more net advertising = google $$

0 Votes

I don't think that this is a Google project, it is hosted there but I didn't see any indication that it is actually developed or supported by the company.

0 Votes

Is this guy for real? You don't even know what Google Code is and you are writing about software development :). Good luck with that! Just because it is hosted on a Google server (Google Code) doesn't mean Google has anything to do with it :) except for hosting it.

0 Votes