Not logged in » Login
Dec 30 2016

Google: “Project Wycheproof” Checks Crypto Security

Allegedly named after the world's smallest mountain, Google's latest software-related initiative has nonetheless set high goals for itself: the idea is to scan the world's most popular cryptographic libraries for known weaknesses in order to help IT departments and CISOs set up secure implementations.

Like it or not, man-made software is rarely bulletproof. This rule applies in all areas of the development process, regardless of whether we're talking about applications, operating systems or even crucial building blocks such as software libraries. To make matters worse, flaws not only exist in regular software products, but also in those deemed essential for a company's or individual's security – for instance, in APIs, frameworks, protocols and algorithms designed to enable robust encryption. Vulnerabilities in these products and components have cost organizations and individual users billions of dollars over the years. 

Against this backdrop, it's not much of a surprise that software vendors as well as IT service providers have often sought to iron out existing bugs. However, performing such checks can be complicated and time-consuming, especially if you assess each problem on an individual basis. A simpler and more convenient way of doing this would be to apply a set of standardized tests that scan the aforementioned crypto components for known weaknesses and check whether the programs behave as expected or not. That's where Google's Project Wycheproof comes into play: company experts have developed a total of 80 unit tests that help to detect some 40 security bugs in widely used cryptography products and standard implementations. As a result of those tests, the researchers were able to "recover" (i.e. compromise) private keys generated and distributed via key agreement processes using the ECDH protocol. Likewise, they found recurring bugs in various areas of the popular RSA public key cryptosystem. So far, most tests are written in Java; but that may change as the project expands.

Project Wycheproof is led by security engineers Daniel Bleichenbacher and Thai Duong and currently has a rather limited number of participants. More contributors will be welcome to develop and improves as many tests as possible. The project's homepage can be found on GitHub.


Comments on this article

No comments yet.

Please Login to leave a comment.


Please login

Please log in with your Fujitsu Partner Account.


» Forgot password

Register now

If you do not have a Fujitsu Partner Account, please register for a new account.

» Register now