New Google test auto-checks encryption
When it comes to encryption, the underlying math is very rarely compromised. Successful crypto hacks typically take advantage of implementation flaws in the software, which uses algorithms to secure data or communications.
Now, Google is out with a new open-source software package designed to run automated checks on crypto implementations, scanning software libraries for known vulnerabilities and flawed implementations.
In a blog post Monday, Google security engineers Daniel Bleichenbacher and Thai Duong introduced Project Wycheproof, “a collection of unit tests that detect known weaknesses or check for expected behaviors of some cryptographic algorithms.”
The initial tests are written in Java, because that language “has a common cryptographic interface. This allowed us to test multiple providers with a single test suite.”
“We are converting as many tests into sets of test vectors to simplify porting the tests to other languages,” they add.
They caution that Project Wycheproof “is by no means complete. Passing the tests does not imply that the library is secure, it just means that it is not vulnerable to the attacks that Project Wycheproof tries to detect.”
Nonetheless, they conclude “developers and users now can check their libraries against a large number of known attacks without having to sift through hundreds of academic papers or become cryptographers themselves.”
The project is named after Australia’s Mount Wycheproof, which, at 141 feet high, is the smallest mountain in the world. The developers said it was because they wanted “an achievable goal … The smaller the mountain, the easier it is to climb it!”