Software often handles delicate and private information, requiring some level of encryption to help protect information from attacks. Unfortunately, no matter how good cryptography is, new vulnerabilities are found almost daily, requiring constant patching. Project Wycheproof hopes to make it easier for software engineers to find bugs by letting them test their software libraries against previously identified vulnerabilities and then fix them before they might be exploited…
Amazon Kindle Paperwhite
Project Wycheproof, announced this morning, so far has over 80 different test cases which have identified, fixed, or are in the process of patching over 40 different bugs.
Google explains why Project Wycheproof is vital for cryptography:
In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades’ worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.
The project is named after Mount Wycheproof which is the smallest mountain in the world. Google says they named it this because “the main motivation for the project is to have an achievable goal … the smaller the mountain the easier it is to climb it!”
Project Wycheproof currently has tests which work with some of the most popular crypto algorithms including AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES, and RSA. These tests also determine if any of the software libraries are vulnerable to invalid curve attacks, biased nonces in digital signature schemes, all of the different Bleichenbacher’s attacks, and much more.
As mentioned by Google, having your software library pass their tests does not mean that it is fully secure. There are new vulnerabilities being found every day which means that Project Wycheproof will continue to grow with the help of contributors.
Find out more about Project Wycheproof on Github.