badlocklogo2100652000orig
Security

Google researchers help developers test cryptographic implementations

Security experts from Google have developed a test suite that allows developers to find weaknesses in their cryptographic libraries and implementations.

The company's Project Wycheproof, which was released on GitHub, contains more than 80 test cases for widely used cryptographic algorithms, including RSA, AES-GCM, AES-EAX, Diffie-Hellman, Elliptic Curve Diffie-Hellman (ECDH), and the digital signature algorithm (DSA).

Google's researchers have developed these tests by implementing some of the most common cryptographic attacks. So far, the tests have helped them uncover more than 40 security bugs in cryptographic libraries, and they have been reported to affected vendors.

"In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long," Google security engineers Daniel Bleichenbacher and Thai Duong wrote in a blog post. "Good implementation guidelines, however, are hard to come by: Understanding how to implement cryptography securely requires digesting decades' worth of academic literature."

The Google researchers hope that by releasing these tests publicly, developers and users alike can test the cryptographic implementations they create or use. Some crypto libraries are popular and are included in many commercial products or are used in enterprise applications.

The tests released so far are written in Java, but the Google researchers are working on converting them to test vectors so they can be ported easily to other programming languages.

Passing the Project Wycheproof tests doesn't mean that a library is secure and doesn't have any flaws, but at least it can be used to establish a baseline where the code is protected against the most common attacks.

IDG Insider

PREVIOUS ARTICLE

« Cutting the cord: GM tests wireless car chargers for EVs, self-driving cars

NEXT ARTICLE

Why every CIO needs to be a hands-on leader to succeed »
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

Tech Cynic: VR, the never-popular technology

Tech Cynic – IT without the rose-tinted spectacles

Five months on, GDPR doubts remain for this lawyer

Martin Veitch's inside track on today’s tech trends

How can smart solutions help address Southeast Asia's urban challenges?

Keri Allan looks at the latest trends and technologies

Poll

Is your organization fully GDPR compliant?