---

---

11.08.2025 14:15

How agile is your crypto? Interview study explores the opportunities and challenges of cryptographic update processes

Eva Michely Unternehmenskommunikation
CISPA Helmholtz Center for Information Security

If you think of software as a building, you might say it’s made up of code blocks. Many of these building blocks are custom-built for a specific application. Others are standard components and used in many buildings—cryptographic algorithms and functions are a prime example of this. In a qualitative interview study with 21 international participants, CISPA researcher Alexander Krause explored the challenges faced by experienced software developers when they want to renew existing crypto implementations—or even create better cryptographic building blocks from scratch. The CISPA study will be presented on August 14, 2025, at the Usenix Security Symposium in Seattle, USA.

Crypto Agility—or: Why does crypto become outdated?

Cryptographic algorithms are fundamental building blocks in the development of new applications. They ensure that data and information can be communicated in encrypted form, reliably protected from the prying eyes of unauthorized third parties. Unlike most other code sequences, certain cryptographic implementations lose their effectiveness over time: As other technological fields advance, for example if computers significantly gain processing power, asymmetric encryption can potentially become vulnerable. Quantum computing is a textbook example of this, as CISPA researcher Alexander Krause explains: “If connections are encrypted with TLS, those data streams can’t be decrypted yet—but it’s very likely that this will be possible in the future. Quantum computers will be able to compute far more efficiently, because they’re not just using the binary states 0 and 1, but the three states 0, 1, and 01 simultaneously.” Computing with three possible states enables quantum machines to solve mathematical problems much faster, and to use new, more efficient algorithms that aren’t available on “conventional” computers.

Updating cryptographic implementations is thus a recurring task—and one with far-reaching implications for software users. If crypto updates go awry, the consequences for overall software security can be severe. In this context, Krause refers to the concept of “crypto agility”: “This recurring update process for cryptographic implementations ideally begins with something called ‘crypto agility.’ It means that when developers are designing a software, they already keep in mind that they may need to replace or update the cryptographic implementation at some point in the future.” Thinking ahead in this way is meant to facilitate updating the software later on with state-of-the-art cryptographic methods. However, executing crypto updates requires highly specialized knowledge that many software developers do not possess.

Crypto libraries require maintenance

Cryptographic implementations tend to come from publicly accessible, free crypto libraries that are maintained by specialized developer communities. These open-source projects, which benefit developers around the world, are usually supported by just a handful of individuals who contribute their time on a volunteer basis. “It’s a fundamental principle of software development that developers reuse existing components unless they need a customized solution”, says Krause. “This also means that I don’t write a new implementation for a cryptographic standard from scratch each time—I import a library in the programming language I’m using that already provides the required function.” While reusing existing algorithms and functions makes for efficient programming, it also introduces unique security risks where cryptography is concerned. If crypto libraries are not properly maintained and bugs go unfixed, those vulnerabilities can proliferate across a wide range of applications. In the context of the “supply chain”—that is, a kind of dependency of software projects from other resources—this creates what’s known as a “single point of failure.” If a crypto library is not reliably maintained, it can jeopardize the functionality of all products that rely on it within the supply chain.

How do you recruit expert populations for a study? With hard work

Conducting a qualitative interview study with 21 participants, Alexander Krause and his CISPA colleagues have explored the challenges that software developers, who usually aren’t crypto experts themselves, face when updating cryptographic implementations. Their goal was to find answers to four narrowly defined research questions: How do developers learn about a recommended crypto update? What goals do they pursue with the update? What processes do they follow when planning and executing a crypto update? And finally, what experiences did they gain when carrying out those updates? “There’s already a lot of research on updating software projects in general”, says Krause. “But here, we wanted to explore whether expert populations with highly specialized knowledge have unique requirements, too.”

Recruiting participants for the study was a major challenge. “It was tough to gather those 21 developers—it took a lot of effort”, Krause explains. “We only included experienced developers, and we assessed their experience based on the contributions they already made to software projects.” In addition to reaching out through their professional network, the researchers posted their call for participants on Upwork and contacted many other potential candidates via email. The email recruitment was especially time-consuming, as it required extensive online research to find publicly available contact information for suitable participants. Krause estimates the response rate for the email campaign was only about 1 percent. “People took part in the study for different reasons”, he summarizes. “Some were intrinsically motivated because they saw the research as important and wanted to support it. Others felt personally acknowledged—they said: ‘Oh, you looked at my GitHub code and my project. It’s great that you took notice of my work.’”

Heterogeneous results: Crypto updates are context-dependent

One of the key findings of the interview study is that the information flow around recommended crypto updates is inconsistent and sometimes incomplete. Updates were primarily triggered by information that developers received through sources like blogs, social media, and GitHub. However, depending on their institutional affiliation, some developer groups are more likely to receive information about updates than their colleagues. “If you work for a large company, there are often agreements. They often receive advance notice of vulnerabilities and can be the first to patch them—for example as part of a disclosure process. This information is passed on through private mailing lists that only a few people have access to”, Krause summarizes. “A big takeaway for us was how hard it is to get into these communities. Someone who wants to get started now, how do they get connected? How do they get onto one of these lists?”

The interview study also revealed that there rarely are established, structured processes to manage crypto updates in companies or projects. Prioritization of such updates sometimes depended on available resources such as team size. Decision-making processes and responsibilities around crypto updates were also at times unclear. “That was a negative surprise for us”, Krause says. “Who decides who’s responsible for a crypto update? This varied a lot. Sometimes there actually were leaders assigned to it. In other cases, it was, ‘You just discovered yourself that there is this vulnerability, so it’s your job to fix it.’” As one of their key research contributions, the researchers have outlined such an update process, consolidating the heterogeneous statements that the participants had made. Their multi-step process assigns the three different stakeholder groups (internal, external, and end users) to six phases: trigger, goals, planning, execution, quality assurance, and rollout.

Other study results turned out to be both more positive and predictable for the research team, such as for example the motivations behind implementing cryptographic updates. “We were positively surprised overall that many developers are intrinsically motivated to ensure their software is future-proof”, Krause explains. In addition, preventive updates were performed to gain a security edge over future threats. Feedback was also fairly consistent regarding the perception that crypto updates are onerous and complex. Krause summarizes: “All our participants had very individual backgrounds and very individual projects, but overall, what makes updating crypto difficult is that you need the knowledge to do it—and at the end of the day many don’t have that. We expected this, since it’s the case in many areas of IT security, not just in the area of cryptographic implementations.”

Networking is key: A gap between research and practice

The question of how this knowledge gap could be closed in the interest of IT security continues to occupy Alexander Krause. “Crypto updates will remain a challenge going forward. But we see that people often lack the necessary education to manage them. The biggest challenge that we see—and this extends beyond our paper to crypto research more broadly—is translating new research findings into a format that actually reaches developers.” While gaining access to the relevant mailing lists is often difficult, the responses from the interview study have shown that software developers rarely use academic publication databases to stay informed about new developments. “In our study, those with a higher academic degree—a master’s or PhD—had an advantage here, because they bring the necessary skillset”, Krause explains. Ultimately, obtaining relevant information still largely depends on the personal initiative of individual developers. In this respect, there is a clear gap between research and practice that needs to be bridged—as there is very little overlap between the conferences important for scientific discourse and the trade fairs relevant to developer communities. The CISPA researchers have already made their findings available to all developers who participated in the interview study. They will also present their study to the scientific community on August 14, 2025, at the USENIX Security Symposium in Seattle, USA.

---

Originalpublikation:

Alexander Krause, Harjot Kaur, Jan Klemmer, Oliver Wiese, and Sascha Fahl. 2025. “That’s my perspective from 30 years of doing this”: An Interview Study on Practices, Experiences, and Challenges of Updating Cryptographic Code.
https://doi.org/10.60882/cispa.29581451.v1

---

<
CISPA interview study on cryptographic update processes

Copyright: CISPA

---

Merkmale dieser Pressemitteilung:
Journalisten, Studierende, Wissenschaftler
Informationstechnik
überregional
Forschungsergebnisse
Englisch

---