Google has released Project Wycheproof, a set of security tests that developers can use to check for known vulnerabilities in cryptographic software libraries. This will help them find and fix some security bugs more easily. Here’s what you need to know.
The project, named after the world’s smallest mountain (located in Australia), contains a number of tests that can be used to check common crypto algorithms for vulnerabilities like invalid curve attacks, biased nonces in digital signature schemes and all Bleichenbacher’s attacks, named after Daniel Bleichenbacher, security engineer at Google.
There are 80 tests cases available that can identify more than 40 vulnerabilities. Crypto algorithms covered by the tests include:
- AES-EAX
- AES-GCM
- DH
- DHIES
- DSA
- ECDH
- ECDSA
- ECIES
- RSA
At Google, we rely on many third party cryptographic software libraries. Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and we found that libraries fall into such implementation pitfalls much too often and for much too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades’ worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that cryptographic loopholes can be resolved by the same means.
The first set of tests are written in Java, mainly because it has a common cryptographic interface. Even if a library passes all the tests in this project, you should still
If your library passes all Project Wycheproof tests, you shouldn’t consider it secure. The project still has a long way to go so even if your library passes all the tests that doesn’t guarantee that it’s absolutely secure; new vulnerabilities are being discovered everyday. Click on the link below to check out the tests at GitHub.
Comments