In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries are repeated too often and remain undiscovered for too long. To address this, Google announced a new project, Wycheproof, on Monday.
Project Wycheproof is a set of security tests that check cryptographic software libraries for known weaknesses. It consists of more than 80 test cases, which have uncovered over 40 different bugs that have been identified and either fixed or are in the process of being patched.
Mount Wycheproof is the smallest mountain in the world. Google says they chose the name because “the main motivation for the project is to have an achievable goal. The smaller the mountain the easier it is to climb it!”
The team surveyed the literature and implemented most known attacks. As a result, Project Wycheproof provides tests for most cryptographic algorithms, including RSA, elliptic curve crypto, and authenticated encryption.
Currently, the team is working with some of the most popular crypto algorithms, for example AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES, and RSA.
Daniel Bleichenbacher and Thai Duong said, “A collection of unit tests that detect known weaknesses or check for expected behaviors of some cryptographic algorithm.”
The first set of tests is written in Java, because Java has a common cryptographic interface. This allowed the team to test multiple providers with a single test suite. The tests also detect whether a library is vulnerable to attacks, including invalid curve attacks, biased nonces in digital signature schemes, and Bleichenbacher’s attacks.
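The idea of one test body running against every installed provider through Java's common interface can be sketched as follows. This is an added example, not code from Project Wycheproof; the class name `GcmTagCheck`, the method `rejectsModifiedTag`, and the all-zero key and nonce are constructed for illustration, and the check shown (AES-GCM must reject a ciphertext whose tag was altered) is one expected-behaviour test chosen for the sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmTagCheck {
    /** Returns true if the provider refuses a ciphertext whose tag was altered. */
    static boolean rejectsModifiedTag(Provider p) throws GeneralSecurityException {
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // constructed test key
        GCMParameterSpec spec = new GCMParameterSpec(128, new byte[12]); // constructed nonce

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding", p);
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        byte[] ct = enc.doFinal("constructed sample message".getBytes(StandardCharsets.UTF_8));

        ct[ct.length - 1] ^= 0x01; // flip one bit in the authentication tag

        // A fresh instance is used so the decrypt path is tested independently.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding", p);
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        try {
            dec.doFinal(ct);
            return false; // plaintext released despite a bad tag: check fails
        } catch (BadPaddingException expected) {
            // AEADBadTagException is a subclass of BadPaddingException.
            return true;
        }
    }

    public static void main(String[] args) {
        // Same test body, every installed provider.
        for (Provider p : Security.getProviders()) {
            try {
                String verdict = rejectsModifiedTag(p) ? "PASS" : "FAIL";
                System.out.println(p.getName() + ": " + verdict);
            } catch (GeneralSecurityException | RuntimeException e) {
                // Provider does not offer AES-GCM with these parameters: nothing to test.
                System.out.println(p.getName() + ": skipped (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

A provider reported as FAIL would be returning unauthenticated plaintext; providers that do not implement AES-GCM are reported as skipped.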
With Project Wycheproof, developers and users can now check their libraries against a large number of known attacks without having to sift through hundreds of academic papers or become cryptographers themselves.
A software library passing these tests does not mean that it is fully secure. It only means that it is not vulnerable to the attacks that Project Wycheproof tests for.