Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Google Introduces Open Source Cross-Platform Crypto Library

Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.

Under development for the past two years, the cryptographic library has been available on GitHub since its early days and has already attracted a few external contributors. 

Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.

Under development for the past two years, the cryptographic library has been available on GitHub since its early days and has already attracted a few external contributors. 

Now at version 1.2.0 and with support for cloud, Android, iOS, and more, the library is already being used to secure data of Google products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, and others. 

Built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, Tink also includes a series of countermeasures that aim at mitigating weaknesses that Google’s Project Wycheproof discovered in those libraries. 

Tink can simplify many common cryptographic operations. Data encryption, digital signatures, and more would only require a few lines of code, the Internet giant claims.

The library is providing cryptographic APIs that Google says are secure, as well as easy to use correctly, but harder to misuse. 

“Tink aims to eliminate as many potential misuses as possible. For example, if the underlying encryption mode requires nonces and nonce reuse makes it insecure, then Tink does not allow the user to pass nonces,” Google explains. 

The goal when building the library was to make it easy to improve product security. Thus, Tink shows the claimed security properties right in the interfaces, so that both security auditors and automated tools can quickly find instances where the security guarantees don’t match the security requirements. 

Furthermore, the library isolates APIs for potentially dangerous operations, thus enabling the discovery, restriction, monitoring, and logging of these APIs’ usage. 

Support for key management was also included in the library, including key rotation and phasing out deprecated ciphers, Google says. 

Also designed to be extensible, Tink simplifies the addition of custom cryptographic schemes or in-house key management systems. All of Tink’s components are easy to replace or remove, all “are composable, and can be selected and assembled in various combinations,” Google says. 

This means that anyone who only needs digital signatures, for example, can simply exclude symmetric key encryption components from the library, thus minimizing code size in their application. 

Related: Google Announces New Security Tools for Cloud Customers

Related: Google Shares Details of Its Security Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...