The Google Security Team has a new set of security tests to check cryptographic software libraries for known weaknesses. The company has already used Project Wycheproof to create more than 80 test cases that have so far uncovered more than 40 security bugs.
The project is developed and maintained by members of the Google Security Team, but isn’t an official Google product. It’s named after Mount Wycheproof, the smallest mountain in the world.
“The main motivation for the project is to have a goal that is achievable,” Google security engineers Daniel Bleichenbacher and Thai Duong wrote in the company’s security blog. “The smaller the mountain the more likely it is to be able to climb it!”
Security holes already uncovered using Project Wycheproof include ones that allow recovery of the private key of widely used DSA and ECDHC implementations. As part of the project, the team provides “ready-to-use” tools to check Java Cryptography Architecture providers such as Bouncy Castle and the default providers in OpenJDK.