There’s a tiny hill located in the plains of Australia, dubbed Mount Wycheproof. Though it be little, it is registered as the world’s smallest mountain.
A group of members of the Google Security Team wanted to set a small, easily-achievable goal, so it was fitting to name their newly open-sourced project after the tiny mountain; a mountain that doesn’t take much effort to climb.
The team calls it Project Wycheproof, and its job is to test crypto libraries against known attacks. Although it is named after something small, the project itself helps developers in a pretty big way. The Google Security Team wrote on its GitHub page that Google relies on third-party cryptographic software libraries, and sometimes they can have mistakes that end up causing major pitfalls for teams.
The team understands that implementation guidelines for libraries are hard to come by, which is why they created Project Wycheproof: a collection of unit tests that detect known weaknesses or check for behaviors of cryptographic algorithms.
Google Security Team members found a way to fix cryptographic loopholes, similar to how software engineers fix and prevent bugs with unit tests.
Project Wycheproof is not complete, but right now it is a collection of unit tests that can detect weaknesses and provide tests for most cryptographic algorithms, including “RSA, elliptic curve crypto, and authenticated encryption,” according to the GitHub page.
“Cryptographers are also constantly discovering new attacks. Nevertheless, with Project Wycheproof, developers and users now can check their libraries against a large number of known attacks, without having to spend years reading academic papers or become cryptographers themselves.”
Project Wycheproof detects whether a library is vulnerable to attacks such as invalid curve attacks, biased nonces in digital signature schemes, Bleichenbacher’s attacks, and more. Overall, the cryptographers have 80 test cases, which have uncovered 40 bugs, including the ability to recover the private key of widely used DSA and ECDHC implementations.
The first set of tests is written in Java, and the team is converting more tests into sets of test vectors to “simplify porting the tests to other languages,” according to the GitHub page.
Side note: Although Project Wycheproof was developed by several members of the Google Security Team, it is not an official Google product.