Google has introduced a test suite Wycheproof

Yesterday, Google’s official information security blog presented a new project called Wycheproof.

We are pleased to announce the launch of the Wycheproof project - a set of security tests that check cryptographic software libraries for known vulnerabilities. We have developed more than 80 tests for different cases, thanks to which we discovered more than 40 security errors. For example, we found that we could restore the private-key DSA and ECDHC . We also added ready-to-use tools to test the Java Cryptography Architectire, which is offered, for example, by Bouncy Castle or OpenJDK .

The blog notes that the name of the project was chosen for a reason. Wycheproof is the smallest mountain in the world, which symbolizes the realism and attainability of the task set by the developers, which they successfully coped with.
')
To the development of the project, the authors were prompted by the observation that open source libraries often have cryptographic vulnerabilities that may not be detected for years. However, they pose a serious security threat. As a result, a product was created that tests most of the algorithms, such as RSA, AES and ACC.

At the same time, the authors of the project point out that: “passing tests does not mean that the library is safe. It simply means that it is not vulnerable to attacks that Wycheproof tests for. Cryptographers are constantly finding new weaknesses in encryption protocols. ”

The development of Google engineers will allow their colleagues around the world to check their libraries automatically. This is relevant and not only for reasons of convenience: for a clear understanding of the principles of encryption with the help of various algorithms requires a huge academic base and years to study and practice it. In fact, a vulnerability in encryption, not previously noticed, but dangerous, can be detected only by highly qualified specialists in this narrow area.

Based on the announcement in the Google blog, Wycheproof will continue its development. New vulnerabilities are constantly found and tests for their search will be added to the toolkit. Also, the project is placed in free access on Github.

Wycheproof project on Github