Google launches tests to detect crypto vulnerabilities
Google has launched a project called ‘Wycheproof’. This consists of a number of tests that allow developers to detect vulnerabilities in cryptographic libraries. For example, there are tests for rsa and aes encryption.
Google security officers write in their announcement that small mistakes when applying encryption can often have major consequences. Google, like other developers, uses third-party cryptographic libraries, often without implementation guidelines. That’s why they created the project, which actually consists of a collection of about 80 unit tests. These tests allow developers to identify known vulnerabilities in crypto implementations.
By conducting the tests itself, Google’s security team was able to detect 40 bugs. Not all of these have been made public yet, as some of them have yet to be fixed by the respective developers. An example of a bug found is that the private key could be retrieved in common implementations of dsa and ecdhc. The Google employees warn that passing the tests does not mean that an implementation is safe. The tests should help developers who don’t know much about cryptography to fend off known attacks.
The Google team’s first tests are written in Java, as the language has a common cryptographic interface. The team is working on facilitating porting the tests to other languages. There are now tests for providers within the JCA framework, such as Bouncy Castle, and the standard capabilities in OpenJDK.
The project is named after the smallest mountain in the world, Wycheproof, which is 43 meters high. The reason behind that is that the project must have an achievable goal, ‘just like climbing a small mountain’.