Security experts from Google have developed a test suite that allows developers to find weaknesses in their cryptographic libraries and implementations.
The company’s Project Wycheproof, which was released on GitHub, contains more than 80 test cases for widely used cryptographic algorithms, including RSA, AES-GCM, AES-EAX, Diffie-Hellman, Elliptic Curve Diffie-Hellman (ECDH), and the digital signature algorithm (DSA).
Google’s researchers have developed these tests by implementing some of the most common cryptographic attacks. So far, the tests have helped them uncover more than 40 security bugs in cryptographic libraries, and they have been reported to affected vendors.
“In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long,” Google security engineers Daniel Bleichenbacher and Thai Duong wrote in a blog post. “Good implementation guidelines, however, are hard to come by: Understanding how to implement cryptography securely requires digesting decades’ worth of academic literature.”
The Google researchers hope that by releasing these tests publicly, developers and users alike can test the cryptographic implementations they create or use. Some crypto libraries are popular and are included in many commercial products or are used in enterprise applications.
The tests released so far are written in Java, but the Google researchers are working on converting them to test vectors so they can be ported easily to other programming languages.
Passing the Project Wycheproof tests doesn’t mean that a library is secure and doesn’t have any flaws, but at least it can be used to establish a baseline where the code is protected against the most common attacks.