The Complete Magazine on Open Source

Project Wycheproof by Google examines flaws in cryptographic libraries


Google has developed Project Wycheproof to make it easy to identify security flaws in cryptographic libraries. The open source offering consists of over 80 test cases that can discover a total of 40 security bugs at the initial stage.

With the aim of helping developers find subtle mistakes in open source cryptographic libraries, Project Wycheproof includes tests for different types of attacks against cryptographic algorithms. Google cryptographers are said to have surveyed various cryptographic libraries and material while designing Wycheproof.

“We recognise that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means. These observations have prompted us to develop Project Wycheproof,” Google’s security engineers Daniel Bleichenbacher and Thai Duong write in a blog post.

Project Wycheproof is named after Mount Wycheproof, which is the smallest mountain in the world. The idea behind the name is to have an achievable goal. In cryptography, subtle mistakes can have long-term consequences, and small mistakes in open source cryptographic libraries are repeated too often and remain undiscovered for long.

The test cases in Project Wycheproof are meant to help developers test certain cryptographic libraries, including algorithms like RSA. During the initial tests conducted using Wycheproof, Google discovered about 40 severe security flaws in cryptographic algorithms such as the Digital Signature Algorithm (DSA) and Elliptic Curve Diffie-Hellman Cryptography (ECDHC).

The first set of tests in Wycheproof is written in Java. The wide adoption of Java helped Google run tests against multiple providers using a single test suite.

Project Wycheproof is Google’s second test service for open source software. The search giant wants to help developers find critical issues using these test suites. It also clarified that the project is not yet complete.

Simply passing the tests does not guarantee the security level of the library. Google will continue to update the test suite as cryptographers discover new weaknesses in the library protocols.

The Project Wycheproof code is available on GitHub. The repository also includes the bugs that are yet to be fixed by vendors.