Keyczar: another open source security tool from Google

Google has done it again: just over a month since the open source release of RatProxy comes a cryptographic toolkit called Keyczar.

On the third of July, I discussed Google's Web vulnerability scanner, RatProxy -- and the fact that Google released it under an open source license. Now, Google's at it again. A post to the Google Online Security Blog yesterday announced that Keyczar has been released under an open source license.

The Keyczar Website describes it as:

an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications

The license terms for Keyczar are those of the Apache 2.0 license, the same Copyfree, Free Software, and Open Source license used for RatProxy.

Keyczar offers simple Java and Python APIs, and a C++ API is promised. Usage code examples in both Java and Python are extremely simple, living up to the promise of "a simple API".

As the Keyczar homepage puts it:

Cryptography is easy to get wrong. Developers can choose improper cipher modes, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple programming interface.

Keyczar is designed to be open, extensible, and cross-platform compatible. It is not intended to replace existing cryptographic libraries like OpenSSL, PyCrypto, or the Java JCE, and in fact is built on these libraries.
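To make the "tagging outputs with key version information" point concrete, here is a small illustration I wrote for this article; it is not code from Keyczar and does not reproduce Keyczar's on-the-wire format. It assumes a simplified keyset of HMAC-SHA256 keys in which every signature carries a constructed 5-byte header naming the key version, so a rotated keyset can still verify older tags while the primary key moves on, and retired versions are refused.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

# Constructed 5-byte tag header (1 format byte + 4-byte key version): it shows the
# idea of tagging output with key-version info and is not Keyczar's own layout.
FORMAT_VERSION = 1
HEADER = struct.Struct(">BI")
DIGEST = hashlib.sha256

class VersionedSigner:
    """Keyset of HMAC-SHA256 keys: sign() uses the primary key, verify() picks the
    key named in the tag header, so rotating keys does not break older tags."""

    def __init__(self) -> None:
        self._keys: Dict[int, bytes] = {}
        self._primary: Optional[int] = None

    def add_key(self, key: Optional[bytes] = None) -> int:
        """Add a key (random if none given) and make it the primary: rotation."""
        version = max(self._keys, default=0) + 1
        self._keys[version] = key if key is not None else secrets.token_bytes(32)
        self._primary = version
        return version

    def retire(self, version: int) -> None:
        """Drop an old key; tags made with it stop verifying."""
        if version == self._primary:
            raise ValueError("rotate before retiring the primary key")
        del self._keys[version]

    def sign(self, message: bytes) -> bytes:
        if self._primary is None:
            raise ValueError("keyset has no primary key")
        header = HEADER.pack(FORMAT_VERSION, self._primary)
        # The header is covered by the MAC, so a tag cannot be re-pointed at another key.
        return header + hmac.new(self._keys[self._primary], header + message, DIGEST).digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        if len(tag) != HEADER.size + DIGEST().digest_size:
            return False
        fmt, version = HEADER.unpack_from(tag)
        key = self._keys.get(version)
        if fmt != FORMAT_VERSION or key is None:
            return False  # unknown format, or a retired/unknown key version
        expected = hmac.new(key, tag[:HEADER.size] + message, DIGEST).digest()
        return hmac.compare_digest(expected, tag[HEADER.size:])
```

The version in the header is also what lets an operator see, from logs alone, which tags are still being produced under an old key before that key is retired.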

In short, Google is doing things right with regard to security software development. In my 22 May article, "Not Invented Here has no place in open source development," I briefly discussed how isolated development leads to flawed security software. Needless reinvention is an all too common way for people to create security vulnerabilities where none existed before.

I'm increasingly encouraged by evidence of Google's commitment to improving the selection of security tools available, and I look forward to more from the Google Security Team.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

4 comments
BALTHOR

And the telephone rings with telemarketing when I log on to your site---

apotheon

Do you have a use for Keyczar, or expect to have one soon? What do you think of the Google Security Team's recent open source releases of security tools?

boxfiddler

Ever thought about doing stand-up? I suspect you'd do fairly well at it. ;)

rkuhn040172

Google should spend some more time trying to keep their servers on-line and keeping their vendors from leaking private data. Oh yeah, and maybe spend less time infringing on my privacy all the time.