Google makes cryptography more secure with open-sourced Project Wycheproof

top tech stories 05 12 2017 google logo hq headquarters sign name
Google security engineers Daniel Bleichenbacher and Thai Duong announced the launch of Project Wycheproof on Monday, a set of security tests that look for known weaknesses and check for expected behaviors in cryptographic software. It’s named after the smallest mountain in the world, Mount Wycheproof, because “the smaller the mountain the easier it is to climb it.” Project Wycheproof is provided on GitHub via open source to download and use for testing popular cryptographic algorithms such as AES-EAX and AES-GCM, and related software libraries.

Overall, Project Wycheproof includes more than 80 test cases that have already uncovered more than 40 security bugs. However, a portion of these bugs and tests are not included on GitHub for the moment, as many vendors are still addressing issues reported by Google. The project also includes tools to check Java Cryptography Architecture providers, such as the default providers in OpenJDK and Bouncy Castle.

The project stems from the need to address the mistakes that appear “too often” in open source cryptographic solutions. This is what is used to encrypt/secure the transmission of data across local networks, across the internet, through the air, and when data is in an idle state. As Monday’s announcement points out, a single mistake in cryptography can have “catastrophic consequences,” and there needs to be a solution in place to fix and prevent cryptographic issues. Providing a batch of unit tests should help the overall issue.

“Our first set of tests are written in Java, because Java has a common cryptographic interface,” Monday’s blog states. “This allowed us to test multiple providers with a single test suite. While this interface is somewhat low level, and should not be used directly, we still apply a ‘defense in depth’ argument and expect that the implementations are as robust as possible.”

Cryptographic software relies on a “library,” which is a collection of resources stored alongside the software that includes needed information like documentation, configuration data, values, and more. The tests enable cryptographic software vendors to check these libraries for problems, but the results won’t mean the libraries will be 100-percent secure. The positive results simply mean that the libraries aren’t vulnerable to attacks Project Wycheproof is targeting.

Project Wycheproof will check the most popular cryptographic algorithms, and software libraries supporting those algorithms. The library testing aspect includes checking for invalid curve attacks, all Bleichenbacher’s attacks, digital signature schemes, and many more.

Ultimately, the goal of Project Wycheproof is to allow developers and vendors to easily check the security of their libraries as a substitute for of becoming cryptographers themselves, or for pouring through “hundreds of academic papers” to verify library integrity. Still, Google acknowledges that Project Wycheproof isn’t complete, and is a work in progress. Those who want to contribute to the project can head here and read Google’s requirements.

To use the new open-source tests, users will first need to install Google’s Bazel tool for building software. The Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files will need to be installed as well. The GitHub listing provides full instructions to get started.

Emerging Tech

Awesome Tech You Can’t Buy Yet: Robo sidekicks, AC for your bed, and more

Check out our roundup of the best new crowdfunding projects and product announcements that hit the Web this week. You can't buy this stuff yet, but it sure is fun to gawk!

Google working on quick charging fix for Pixel after Android 9.0 Pie update

Google's Pixel smartphone may be running the latest software, but it still has its fair share of issues. We've rounded up some of the more common Google Pixel problems, along with a few solutions for addressing them.
Emerging Tech

Don’t get burned! How to back crowdfunding projects the smart way

In the world of crowdfunding, there’s no such thing as a sure thing. There's a million reasons why a project might fail. But with this handy guide, you'll be able to spot the signs of a sketchy project and decrease your chances of getting…
Home Theater

Firmware update brings Alexa to Bose’s QuietComfort 35 II wireless headphones

Google Assistant is no longer the only voice-powered virtual assistant integrated directly into the Bose QuietComfort 35 II headphones, as a recent software update brings Amazon's Alexa assistant to the party.

Intel serves up ‘Bean Canyon’ NUCs revved with ‘Coffee Lake’ CPUs

Looking for a super-compact PC for streaming media that doesn’t break the bank? Intel updated its NUC family with its new “Bean Canyon” kits. Currently, there are five with a starting price of $300 packing eighth-generation Intel Core…

Save hundreds with the best MacBook deals for August 2018

If you’re in the market for a new Apple laptop, let us make your work a little easier: We hunted down the best up-to-date MacBook deals available online right now from various retailers.

Asus claims ‘world’s thinnest’ title with its new Zephyrus S gaming laptop

The Republic of Gamers arm at Asus is claiming “world’s thinnest” with the introduction of its new Zephyrus S gaming laptop measuring just 0.58 inches at its thinnest point. The company also revealed the Strix SCAR II.

Lost without 'Print Screen'? Here's how to take a screenshot on a Chromebook

Chrome OS has a number of built-in screenshot options, and can also be used with Chrome screenshot extensions for added flexibility. You have a lot of options, but learning how to take a screenshot on a Chromebook is easy.

Gaming on a laptop has never been better. These are your best options

Gaming desktops are powerful, but they tie you down to your desk. For those of us who prefer a more mobile experience, here are the best gaming laptops on the market, ranging from budget machines to maxed-out, wallet-emptying PCs.

A dead pixel doesn't mean a dead display. Here's how to repair it

Dead pixel got you down? We don't blame you. Check out our guide on how to fix a dead pixel and save yourself that costly screen replacement, or an unwanted trip to your local repair shop.

Intel teases new dedicated graphics card slated for 2020 release

Intel has confirmed plans to launch a dedicated graphics card in 2020. Although precious few details exist for the card at this time, it was silhouetted in a recent Intel video showcased at Siggraph 2018.

AMD Threadripper 2990WX hits 6GHz under liquid nitrogen overclock

AMD's Threadripper 2990WX was already powerful when it debuted with 32 cores and 64 threads, but one overclocker has used liquid nitrogen to push a single core up to 6GHz for a new world record.

Arm’s future CPU designs may finally catch up with Intel in laptops by 2020

Arm publicly revealed its CPU road map for the first time, covering designs to be released through 2020. Typically disclosed under an NDA, Arm revealed its plans to show how its CPU designs will advance the always-on laptop.

Color grading pushes Pinnacle Studio 22 toward more pro video editing features

Designed for videographers that aren't pros but aren't basic users either, Pinnacle Studio 22 expands its advanced tools with color grading and four-point editing. The updates bring more advanced tools to the platform.