Project Wycheproof Reveals Bugs In Popular Crypto Libraries
Written by Nikos Vaggalis
Wednesday, 21 December 2016
Google has released Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses. Having developed over 80 test cases more than 40 security bugs have been uncovered.
In order to have good cryptography two ingredients require to be in place. The first is the strength of the cipher primitive itself. This is a property that classifies it as suitable or not to build an application on. For example in the TLS protocol, documented in "SSL and TLS Deployment Best Practices-Use Secure Cipher Suites" not all ciphers are recommended for use. In that list for example, we find some obsolete cryptographic primitives that are not secure and must be avoided:
Anonymous Diffie-Hellman (ADH) suites do not provide authentication
NULL cipher suites provide no encryption
Suites with weak ciphers (typically of 40 and 56 bits) use encryption that can easily be broken
Code auditing is the norm when looking for such bugs, and now Google engineers join the cause with Project Wycheproof in an attempt to address the concerns regarding the (in)security of software libraries, as a direct result of internal code audits of the crypto components that Google uses in its products, that finally found its way to the public as well.
Project Wycheproof is thus a collection of unit tests that check cryptographic software libraries for known weaknesses in RSA, elliptic curve crypto and authenticated encryption.
In the short amount of time that the project is alive, more than 40 bugs were already uncovered through undertaking 80 complete unit tests. The tests available on GitHub cover some of the most widely used algorithms like :
against their implementations in Java Cryptography Architecture providers such as Bouncy Castle, Spongy Castle, and the default providers in OpenJDK.
In order to run those tests, say for Bouncy Castle or OpenJDK, you need to have Bazel installed and then run the test as following:
bazel test BouncyCastleAllTests
bazel test OpenJDKAllTests
One of the most worrisome of the bugs uncovered is the leakage of private keys by Bouncy Castle's ECDHC implementation, since ECDCH will totally replace RSA for key transporting in the forthcoming TLS 1.3 version, as such a library hosting a weak implementation poses a matter of prime importance.
Many things can go wrong when implementing algorithms, and as a matter of fact in the TLS 1.3 draft there is a whole section dedicated to implementation pitfalls that can be potentially encountered when designing a library or application:
What countermeasures do you use to prevent timing attacks?
When verifying RSA signatures, do you accept both NULL and missing parameters? Do you verify that the RSA padding doesn't have additional data after the hash value?
When using Diffie-Hellman key exchange, do you correctly preserve leading zero bytes in the negotiated key ?
Does your TLS client check that the Diffie-Hellman parameters sent by the server are acceptable?
Do you use a strong and, most importantly, properly seeded random number generator when generating Diffie-Hellman private values, the ECDSA "k" parameter, and other security-critical values? It is RECOMMENDED that implementations implement "deterministic ECDSA" as specified in [RFC6979].
Do you zero-pad Diffie-Hellman public key values to the group size?
Do you verify signatures after making them to protect against RSA-CRT key leaks?
As such Project Wycheproof becomes a valuable addition to the pursuit of applying cryptography correctly, as getting it right is much too difficult, therefore the case for rigorous testing or the use of proven secure products such as in the CMS field, Paragonie's open source AirShip CMS in contrast to the known vulnerable ones the likes of Drupal, Joomla or Wordpress.
The first issue of a new open access journal with the title The Art, Science, and Engineering of Programming is now available on arxiv.org. It is published under the auspices of AOSA in conjuncti [ ... ]
Microsoft continues an aggressive campaign to get Windows 10 users to use its default web browser. The latest ploy is popup tips pointing out that Edge is safer and faster than Chrome. This really nee [ ... ]