Google today released Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses, i.e. implementation flaws with published attacks against them. The project, named after Mount Wycheproof, the smallest mountain in the world, is available for free on GitHub.
Project Wycheproof includes over 80 test cases, and Google says they have already uncovered more than 40 security bugs. The list of bugs is available here, though Google notes not all are currently listed as some are still being fixed by vendors. The same goes for some of the tests — they will be released once the affected cryptographic libraries have been patched.
The tests cover the most widely used crypto algorithms, including AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES, and RSA. They detect whether a library is vulnerable to a range of known attacks, including invalid curve attacks (feeding an ECDH implementation a point that is not on the intended curve), biased nonces in digital signature schemes, and all of Bleichenbacher's attacks. In short, Project Wycheproof lets developers and users check libraries against a large number of known attacks without having to "sift through hundreds of academic papers or become cryptographers themselves."
Google explains its motivation for Project Wycheproof:
In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades’ worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.
Google wants to develop as many tests as possible and encourages external contributions. You’ll want to read the Contributing document before sending a pull request.
If your library passes every Project Wycheproof test, that does not make it secure. The project is by no means complete, and even if it were, new weaknesses in cryptographic protocols and implementations are constantly being discovered; passing the suite only rules out the specific known attacks it encodes.