One of the most important aspects of writing a software product which handles sensitive personal or bank information is security. And the widely popular way used for protecting info obtained through the service is encryption. This also enables the developer to protect their data from intrusion by hackers. But how does one exactly know if their encryption methods are up to the mark?
Thus, a couple of Google security researchers Daniel Bleichenbacher and Thai Duong have today shared the details for ‘Project Wycheproof.’ It is a set of security tools which enables developers to check cryptographic software libraries using a collection of unit tests — a prominent method used by software engineers to fix and prevent bugs. It will enable them to detect known vulnerabilities or unexpected behaviors and fix them before they’re exploited by attackers.
While working with Google, the duo discovered that third-party cryptographic software libraries are highly unreliable and can often lead to some major undetected security loopholes in your applications. This is their motivation for developing Project Wycheproof, which has been named after Mount Wycheproof, the smallest mountain in the world.
Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and we found that libraries fall into such implementation pitfalls much too often and for much too long.
Project Wycheproof has been released with over 80 different test cases for crypto algorithms which have been used to uncover as much as 40 bugs. It provides tests for most cryptographic algorithms, including RSA, elliptic curve crypto, Bleichenbacher’s attacks, biased nonces in digital signature schemes, and authenticated encryption, among others.
While the security tools developed by Google researchers enable developers to check their libraries against a large number of known attacks, without having to spend scouring for the correct procedure and bug. The database of test cases for checking the libraries is not yet complete and the researchers are now adding more test cases to help you detect even more vulnerabilities in your apps.
While we are committed to develop as many attacks as possible, Project Wycheproof is by no means complete. Passing the tests does not imply that the library is secure, it just means that it is not vulnerable to the attacks that Project Wycheproof tests for. Cryptographers are also constantly discovering new attacks.
The project is now available on GitHub.
