Google security engineers Daniel Bleichenbacher and Thai Duong announced the launch of Project Wycheproof on Monday, a set of security tests that look for known weaknesses and check for expected behaviors in cryptographic software. It’s named after the smallest mountain in the world, Mount Wycheproof, because “the smaller the mountain the easier it is to climb it.” Project Wycheproof is available as open source on GitHub to download and use for testing popular cryptographic algorithms, such as AES-EAX and AES-GCM, and related software libraries.
Overall, Project Wycheproof includes more than 80 test cases that have already uncovered more than 40 security bugs. However, a portion of these bugs and tests are not included on GitHub for the moment, as many vendors are still addressing issues reported by Google. The project also includes tools to check Java Cryptography Architecture providers, such as the default providers in OpenJDK and Bouncy Castle.
The project stems from the need to address the mistakes that appear “too often” in open source cryptographic software. Such software is used to encrypt and secure data in transit across local networks, across the internet, and through the air, as well as data at rest. As Monday’s announcement points out, a single mistake in cryptography can have “catastrophic consequences,” and there needs to be a solution in place to fix and prevent cryptographic issues. Providing a batch of unit tests should help address the problem.
“Our first set of tests are written in Java, because Java has a common cryptographic interface,” Monday’s blog states. “This allowed us to test multiple providers with a single test suite. While this interface is somewhat low level, and should not be used directly, we still apply a ‘defense in depth’ argument and expect that the implementations are as robust as possible.”
Cryptographic software relies on a “library,” which is a collection of resources stored alongside the software that includes needed information like documentation, configuration data, values, and more. The tests enable cryptographic software vendors to check these libraries for problems, but passing them doesn’t mean a library is 100-percent secure. Passing results simply mean that the library isn’t vulnerable to the attacks Project Wycheproof targets.
Project Wycheproof will check the most popular cryptographic algorithms and the software libraries supporting those algorithms. The library testing aspect includes checks for invalid curve attacks, all of Bleichenbacher’s attacks, digital signature schemes, and many more.
Ultimately, the goal of Project Wycheproof is to allow developers and vendors to easily check the security of their libraries instead of becoming cryptographers themselves or poring through “hundreds of academic papers” to verify library integrity. Still, Google acknowledges that Project Wycheproof isn’t complete and is a work in progress. Those who want to contribute to the project can read Google’s requirements.
To use the new open-source tests, users will first need to install Google’s Bazel tool for building software. The Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files will need to be installed as well. The GitHub listing provides full instructions to get started.