Google has released Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses that can be used in attacks. The project is named after the smallest mountain in the world, Mount Wycheproof, and it is now available for free on GitHub.
“The main motivation for the project is to have an achievable goal. That’s why we’ve named it after the Mount Wycheproof, the smallest mountain in the world. The smaller the mountain the easier it is to climb it!”
Project Wycheproof includes 80 test cases, and Google states that they have already uncovered more than 40 security bugs. You can check the list of bugs here; however, the company has stated that not all bugs are listed at the moment and some are still being fixed by the vendors. The same applies to the tests, which the company will release once the affected cryptographic libraries have been patched.
The company states,
“We’re excited to announce the release of Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses. We’ve developed over 80 test cases which have uncovered more than 40 security bugs.”
The tests cover the most popular crypto algorithms, including AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES, and RSA. They also check for invalid curve attacks, biased nonces in digital signature schemes, and all of Bleichenbacher’s attacks when determining whether a library is vulnerable. In simple words, Project Wycheproof allows developers as well as users to check libraries against a large number of known attacks without having to “sift through hundreds of academic papers or become cryptographers themselves.”
The company states,
“In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.”
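The unit-testing approach described above, applied to the invalid curve check mentioned earlier, as an added example that is not Project Wycheproof's own code. The vectors are constructed for illustration, and the function names (`validate_strict`, `validate_range_only`, `run_vectors`) are hypothetical; only the NIST P-256 domain parameters are standard public constants.

```python
# Added example: test vectors for ECDH public-key validation on NIST P-256.
# A validator that skips the curve equation accepts points an invalid curve
# attack relies on; a small vector suite catches that as a unit-test failure.

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def validate_strict(x, y):
    """Accept only in-range points satisfying y^2 = x^3 + ax + b (mod p)."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_range_only(x, y):
    """Deliberately weak validator: range check only, no curve equation."""
    return 0 <= x < P and 0 <= y < P


# Constructed vectors (not taken from the Wycheproof repository).
VECTORS = [
    {"id": 1, "comment": "base point G", "x": GX, "y": GY, "result": "valid"},
    {"id": 2, "comment": "point not on curve", "x": GX, "y": GY + 1, "result": "invalid"},
    {"id": 3, "comment": "x coordinate >= p", "x": GX + P, "y": GY, "result": "invalid"},
    {"id": 4, "comment": "(0, 0) is not on P-256", "x": 0, "y": 0, "result": "invalid"},
]


def run_vectors(validator, vectors=VECTORS):
    """Return ids of vectors where the validator disagrees with the expectation."""
    failures = []
    for v in vectors:
        accepted = validator(v["x"], v["y"])
        if accepted != (v["result"] == "valid"):
            failures.append(v["id"])
    return failures


if __name__ == "__main__":
    for name, fn in [("strict", validate_strict), ("range-only", validate_range_only)]:
        print(name, "failed vectors:", run_vectors(fn))
```
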
Google wants to develop as many tests as possible and therefore encourages external contributions. To read the contributing documents, check here.