  • SSDTutor: A feedback-driven...
    Newar, Dip Kiran Pradhan; Zhao, Rui; Siy, Harvey; Soh, Leen-Kiat; Song, Myoungkyu

    Science of Computer Programming, April 2023, Volume 227
    Journal Article

    Application Programming Interfaces (APIs) in cryptography typically impose concealed usage constraints. Violating these usage constraints can lead to software crashes or security vulnerabilities. Several professional tools can detect violations of these constraints (API misuses) in cryptography; however, educational programs have placed less focus on helping students implement an application without cryptographic API misuses, which are caused either by a lack of cryptographic knowledge or by programming mistakes. To address the problem, we present SSDTutor, an intelligent tutoring approach for educating Secure Software Development. Our tutoring approach helps students or developers repair cryptographic API misuse defects by leveraging an automated program repair technique based on the usage patterns of cryptographic APIs. We studied the best practices of cryptographic implementations and encoded eight cryptographic API usage patterns. For quality feedback, we leverage a clone detection technique to recommend related feedback that helps students understand why their programs are incorrect, rather than blindly accepting repairs. We evaluated SSDTutor on 456 open source subject projects implemented with cryptographic APIs. SSDTutor successfully detected 1,553 out of 1,573 misuse defects with 98.9% accuracy and repaired 1,551 out of 1,573 misuse defects with 99.3% accuracy. In a user study involving 22 students, the participants reported that SSDTutor's interactive feedback recommendation could be valuable for novice students learning the correct usage of cryptography APIs.

    Highlights:
      • An intelligent tutoring approach for educating secure software development.
      • An automated repair approach for cryptographic API misuse defects.
      • Eight cryptographic API usage patterns for the best practices of cryptographic implementations.
      • Quality feedback to understand why programs are incorrect, rather than blindly accepting repairs.