Project Wycheproof Reveals Bugs In Popular Crypto Libraries
Written by Nikos Vaggalis
Wednesday, 21 December 2016
Google has released Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses. Having developed over 80 test cases more than 40 security bugs have been uncovered.
In order to have good cryptography two ingredients require to be in place. The first is the strength of the cipher primitive itself. This is a property that classifies it as suitable or not to build an application on. For example in the TLS protocol, documented in "SSL and TLS Deployment Best Practices-Use Secure Cipher Suites" not all ciphers are recommended for use. In that list for example, we find some obsolete cryptographic primitives that are not secure and must be avoided:
Anonymous Diffie-Hellman (ADH) suites do not provide authentication
NULL cipher suites provide no encryption
Suites with weak ciphers (typically of 40 and 56 bits) use encryption that can easily be broken
Code auditing is the norm when looking for such bugs, and now Google engineers join the cause with Project Wycheproof in an attempt to address the concerns regarding the (in)security of software libraries, as a direct result of internal code audits of the crypto components that Google uses in its products, that finally found its way to the public as well.
Project Wycheproof is thus a collection of unit tests that check cryptographic software libraries for known weaknesses in RSA, elliptic curve crypto and authenticated encryption.
In the short amount of time that the project is alive, more than 40 bugs were already uncovered through undertaking 80 complete unit tests. The tests available on GitHub cover some of the most widely used algorithms like :
against their implementations in Java Cryptography Architecture providers such as Bouncy Castle, Spongy Castle, and the default providers in OpenJDK.
In order to run those tests, say for Bouncy Castle or OpenJDK, you need to have Bazel installed and then run the test as following:
bazel test BouncyCastleAllTests
bazel test OpenJDKAllTests
One of the most worrisome of the bugs uncovered is the leakage of private keys by Bouncy Castle's ECDHC implementation, since ECDCH will totally replace RSA for key transporting in the forthcoming TLS 1.3 version, as such a library hosting a weak implementation poses a matter of prime importance.
Many things can go wrong when implementing algorithms, and as a matter of fact in the TLS 1.3 draft there is a whole section dedicated to implementation pitfalls that can be potentially encountered when designing a library or application:
What countermeasures do you use to prevent timing attacks?
When verifying RSA signatures, do you accept both NULL and missing parameters? Do you verify that the RSA padding doesn't have additional data after the hash value?
When using Diffie-Hellman key exchange, do you correctly preserve leading zero bytes in the negotiated key ?
Does your TLS client check that the Diffie-Hellman parameters sent by the server are acceptable?
Do you use a strong and, most importantly, properly seeded random number generator when generating Diffie-Hellman private values, the ECDSA "k" parameter, and other security-critical values? It is RECOMMENDED that implementations implement "deterministic ECDSA" as specified in [RFC6979].
Do you zero-pad Diffie-Hellman public key values to the group size?
Do you verify signatures after making them to protect against RSA-CRT key leaks?
As such Project Wycheproof becomes a valuable addition to the pursuit of applying cryptography correctly, as getting it right is much too difficult, therefore the case for rigorous testing or the use of proven secure products such as in the CMS field, Paragonie's open source AirShip CMS in contrast to the known vulnerable ones the likes of Drupal, Joomla or Wordpress.
Today we celebrate the birth on December 26th, 1791 of Charles Babbage, the man who invented calculating machines that, although they were never realised in his lifetime, are rightly seen as the [ ... ]
New Year, new projects and a time of flux. Have you ever calculated the cost of losing a senior developer and needing a replacement? Specialist recruitment agency Devskiller has, and this infographic [ ... ]