Google Releases Crypto Test Suite

Google has released Project Wycheproof -- a test suite designed to test cryptographic libraries against a series of known attacks. From a blog post:

In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.

The tool has already found over 40 security bugs in cryptographic libraries, which are (all? mostly?) currently being fixed.

News article. Slashdot thread.

Posted on December 20, 2016 at 6:12 AM • 11 Comments


BillB • December 20, 2016 6:30 AM

Looks very promising. I have to say when designing a new protocol, API, or writing a program that uses encryption in any way, the challenges are quite daunting. I took the Stanford online crypto course (recommended) and it's still tricky to use crypto safely. Certainly I use existing well regarded libraries whenever possible, but finding resources on improving security has been an ongoing challenge.

ab praeceptis • December 20, 2016 6:43 AM

"... to probe cryptographic libraries for vulnerabilities to known attacks. The tests can be used against most kinds of crypto algorithms and the company already has found 40 new weaknesses in existing algorithms."

I consider that nice but largely meaningless.

But in case it's very user-friendly (read: idiot proof and comfy) it might be of some use.

Also note the downside: Quite some dark hats will translate that as "hurray! Those are the crypto vulnerabilities google considers important and rather frequent. Let's use that and hack servers!"

Steve B. • December 20, 2016 8:20 AM

Ironically, On The Wire is using an expired certificate on its site. That was at 9:06 Eastern on 9/20.

CallMeLateForSupper • December 20, 2016 8:59 AM

@Steve B.
Oh yeah. My browser hit the brakes so hard it left skid marks.

Let's Encrypt. Sorta. Well, for a while, at least.

panax • December 20, 2016 12:50 PM

ECDH: "Some libraries do not check if the elliptic curve points received from another party are points on the curve."

It may also be useful to check to see if the resultant shared secret lies on the curve to ensure that the entire computation completed successfully. If trying to prevent side channel leakage in a physical environment using the standard Montgomery ladder, then it may be necessary to perform this check after each double and add operation during the multiplication to prevent leakage from glitch attacks. Otherwise the attacker can determine each secret bit by glitching during one of the point additions and observing whether or not the output was affected and iterating. This does add quite a fair amount of overhead though. There is another multiplication algorithm though which does not leak information when glitching point addition and so does not require this checking and still operates in constant time.

hawk • December 21, 2016 7:16 AM

Once again, all anyone is doing is testing the implementation. And this is made to sound the same as testing the security itself. They're two different things. And Google's comment about decades of research publications is posturing, nothing more. Google's intention is to bundle crypto then stick it way up on the top shelf where it is hard to reach, except for them. And cut out the academic crap.

ljones • December 21, 2016 6:14 PM

I just have two quick thoughts on this. Firstly, what if Google's project in itself contains some sort of bug or vulnerability? Won't this then give incorrect or false results? Secondly - does this project report everything back to Google, and if so what becomes of that?

Drone • December 21, 2016 10:55 PM

"Project Wycheproof is named after Mount Wycheproof, the smallest mountain in the world. The main motivation for the project is to have a goal that is achievable. The smaller the mountain the more likely it is to be able to climb it."

Gee, with such lofty ambition I'm sure Project Wycheproof will save mankind!

[Everyone gets a trophy, even if they lose...]

Clive Robinson • December 21, 2016 11:48 PM

@ Drone,

Mount Wycheproof, the smallest mountain in the world.

Technically it's not a mountain at all as it's 486ft high, less than half the 1000ft ASL height required to be considered a mountain.

Another much closer contender is Leith Hill near Dorking in Surrey, England. At one time it was thought to be a mountain but surveying technology in the 1600's showed it was too small. Thus in the 1700's Richard Hull built Prospect[1] House to take it clear of 1000ft.

It overlooks the village of Coldharbour where I lived for a while, and I used to run up the hill most mornings.

You will find many other places with a much closer claim on being the world's smallest --true-- mountain, and people get upset about changes in surveying techniques that might rob them of their mountain. There is a Richard Grant movie, "The Englishman that went up a hill but came down a mountain", that is loosely based on one such event.

[1] It was called "Prospect House" because what we would now call a "spyglass" was called a "prospect glass" in the 1700s.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.