Google Releases an Open Source Cryptography Toolkit

by Ostatic Staff - Aug. 12, 2008

Google has just released an open source cryptographic toolkit: Keyczar. The company is aiming to make inherently complex cryptography easier and safer for developers to implement. In addition to the Google Code page where you can get the toolkit, there is this information page, and a link to a discussion group. Keyczar is released under an Apache 2.0 license. What does it offer?

Keyczar is built on OpenSSL, PyCrypto, and the Java JCE libraries, and is "not intended to replace existing cryptographic libraries," according to Google Code. It works with both symmetric and asymmetric keys, and there is this introduction on the Google Code page:

"Cryptography is easy to get wrong. Developers can often choose the wrong cipher mode, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple interface."

I've talked to many leading people in the field of cryptography, and "easy to get wrong" is an understatement. One of the reasons we don't see more of our content encrypted--from e-mail messaging to encrypted storage archives--is the sheer complexity of cryptography. I was amused to see that Google has provided a "non-goals" page for Keyczar, where it clarifies that it is not intended for tasks such as encrypting very "short blobs of data."

If you want to take a gander at some example uses of Keyczar, see the "illustrative use" cases on this page. There, you'll find actual code that, say, a Python developer might use to encrypt a URL parameter value with a symmetric key.
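To make the "tagging outputs with key version information" and key rotation points from the Google Code introduction concrete, here is an added example; it is not Keyczar code and not from the original article. It signs a URL parameter value with HMAC from the Python standard library instead of encrypting it with Keyczar, and the `Keyset` class, its method names and the `<version>.<value>.<mac>` token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Keyset:
    """Hypothetical versioned keyset: the primary key signs, every held key verifies."""

    def __init__(self):
        self._keys = {}      # version number -> secret key bytes
        self.primary = None  # version used for new tokens

    def rotate(self, key: bytes) -> int:
        """Add a new key version and make it primary; older versions still verify."""
        self.primary = max(self._keys, default=0) + 1
        self._keys[self.primary] = key
        return self.primary

    def _mac(self, version: int, body: str) -> str:
        return _b64(hmac.new(self._keys[version], body.encode(), hashlib.sha256).digest())

    def sign(self, value: str) -> str:
        """Return '<version>.<value>.<mac>'; the MAC covers the version tag too."""
        body = f"{self.primary}.{_b64(value.encode())}"
        return f"{body}.{self._mac(self.primary, body)}"

    def verify(self, token: str):
        """Return the signed value, or None for an unknown version or a bad MAC."""
        try:
            tag, payload, mac = token.split(".")
            expected = self._mac(int(tag), f"{tag}.{payload}")
            if not hmac.compare_digest(mac.encode(), expected.encode()):
                return None
            return _unb64(payload).decode()
        except (ValueError, KeyError):
            return None

def demo():
    """Sign before and after a rotation (keys are constructed sample values)."""
    ks = Keyset()
    ks.rotate(b"constructed-sample-key-one")
    old = ks.sign("user=alice")
    ks.rotate(b"constructed-sample-key-two")
    return ks, old, ks.sign("user=alice")
```

Because the version tag travels with the token and is covered by the MAC, a token issued before the rotation still verifies afterwards, and rewriting the tag to point at another key fails verification.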

Keyczar was developed within the Google Security Team. Steve Weis of Google and Arkajit Dey of MIT were among the lead developers.