Skip to main content

Google’s Project Wycheproof is a set of security tests for identifying cryptographic vulnerabilities

Software often handles delicate and private information, requiring some level of encryption to help protect information from attacks. Unfortunately, no matter how good cryptography is, new vulnerabilities are found almost daily, requiring constant patching. Project Wycheproof hopes to make it easier for software engineers to find bugs by letting them test their software libraries against previously identified vulnerabilities and then fix them before they might be exploited…

Project Wycheproof, announced this morning, so far has over 80 different test cases which have identified, fixed, or are in the process of patching over 40 different bugs.

Google explains why Project Wycheproof is vital for cryptography:

In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades’ worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.

The project is named after Mount Wycheproof which is the smallest mountain in the world. Google says they named it this because “the main motivation for the project is to have an achievable goal … the smaller the mountain the easier it is to climb it!”

Project Wycheproof currently has tests which work with some of the most popular crypto algorithms including AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES, and RSA. These tests also determine if any of the software libraries are vulnerable to invalid curve attacks, biased nonces in digital signature schemes, all of the different Bleichenbacher’s attacks, and much more.

As mentioned by Google, having your software library pass their tests does not mean that it is fully secure. There are new vulnerabilities being found every day which means that Project Wycheproof will continue to grow with the help of contributors.

Find out more about Project Wycheproof on Github.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Justin Duino Justin Duino

I’m a writer for 9to5Google with a background in IT and Android development. Follow me on Twitter to read my ramblings about tech and email me at justin@jaduino.com. Tips are always welcome.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications