Pierluigi Paganini December 21, 2016

Google released the Project Wycheproof, an open source tool designed to test most popular cryptographic software libraries against known attacks.

Google presented the Project Wycheproof, an open source Crypto Library Testing Tool that was launched to allow development teams to discover security vulnerabilities in popular cryptographic software libraries.

“Project Wycheproof tests crypto libraries against known attacks. It is developed and maintained by members of Google Security Team, but it is not an official Google product.” states the description of the project.

“At Google, we rely on many third party cryptographic software libraries. Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and we found that libraries fall into such implementation pitfalls much too often and for much too long.”

The Project Wycheproof is completely developed in Java and implements tests for the most popular cryptographic libraries, including AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES and RSA. The more than 80 test cases developed by Google experts have led to the discovery of over 40 bugs in RSA, DSA.

In a single platform, researchers at Google included more than 80 test cases that cover known attacks scenarios against the crypto libraries. Google wants to share its experience to improve the security in development processes.

“Project Wycheproof is named after Mount Wycheproof, the smallest mountain in the world. The main motivation for the project is to have a goal that is achievable. The smaller the mountain the more likely it is to be able to climb it.” states Google.

The researchers who developed the platform explained that Project Wycheproof help them to discover the bugs present in the third party cryptographic software libraries they use for their projects. The testing tool allowed them to uncover more than 40 bugs.

“We have over 80 test cases which have uncovered more than 40 bugs. For example, we found that we could recover the private key of widely-used DSA and ECDHC implementations.” continues Google.

The Project Wycheproof is maintained by members of the Google Security Team, but it is not an official Google product. It is an open project, this means that everyone could share its experience to add another testing cases.

The maintainers will include them only after the development teams behind vulnerable libraries will patch them.

The bug discovered by the security experts that will be submitted to the Google Team qualify for a reward if the maintainers of the affected library cover it with a bug bounty program.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Project Wycheproof, encryption)