Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Bug Google Security Software The Internet

Google Releases Tool To Find Common Crypto Bugs (onthewire.io) 22

Trailrunner7 quotes a report from On the Wire: Google has released a new set of tests it uses to probe cryptographic libraries for vulnerabilities to known attacks. The tests can be used against most kinds of crypto algorithms and the company already has found 40 new weaknesses in existing algorithms. The tests are called Project Wycheproof, and Google's engineers designed them to help developers implement crypto libraries without having to become experts. Cryptographic libraries can be quite difficult to implement and making errors can lead to serious security problems. Attackers often will look for weak crypto implementations as a means of circumventing strong encryption in a target app. Among the issues that Google's engineers found with the Project Wycheproof tests is one in ECDH that allows an attacker to recover the private key in some circumstances. The bug is the result of some libraries not checking the elliptic curve points that they get from outside sources. "In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means," Daniel Bleichenbacher and Thai Duong, security engineers at Google, said in a post announcing the tool release. "Encodings of public keys typically contain the curve for the public key point. If such an encoding is used in the key exchange then it is important to check that the public and secret key used to compute the shared ECDH secret are using the same curve. Some libraries fail to do this check," Google's documentation says.
This discussion has been archived. No new comments can be posted.

Google Releases Tool To Find Common Crypto Bugs

Comments Filter:
  • by slew ( 2918 ) on Monday December 19, 2016 @05:56PM (#53517435)

    Google's engineers designed them to help developers implement crypto libraries without having to become experts .

    I'm not sure if I am supposed to be happy or depressed about this claim...

    • Re: (Score:3, Insightful)

      by coolmoe2 ( 3414211 )
      Well just think about if you had to have a decades worth of knowledge to implement SSL on your website. I think most normal admins would agree that is a high bar to jump to ensure nobody is snooping on data coming over that connection.

      I get where your coming from but standards and guidelines are key to making the web what it is today.

      Okay well the modern Internet is a fuckin mess so maybe not the best example but you know that I mean.

    • by networkBoy ( 774728 ) on Monday December 19, 2016 @06:16PM (#53517587) Journal

      I'm going with happy.
      Bugs happen and open unit tests that we can all apply against our software stacks is a good thing indeed!
      -nB

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Monday December 19, 2016 @09:12PM (#53519033) Journal

      Google's engineers designed them to help developers implement crypto libraries without having to become experts .

      I'm not sure if I am supposed to be happy or depressed about this claim...

      Happy. Because developers are not going to become experts.

      Keep in mind that the class of expert we're talking about here includes Daniel Bleichenbacher, a world-class cryptographer and cryptanalyst best known for the "million-message attack", one of the first practical attacks on RSA-based PKI systems and Thai Duong, co-creator of several practical attacks against SSL and older versions of TLS. The worldwide supply of such experts is measured in hundreds. Automated tools that package and deliver (a little of) their expertise in a form that the average developer can use are a good thing.

    • Depending on where you live and work, you might get some medical marijuana and become depressingly happy...
      The happy part is you, the depressing part is for whoever else has to read your code.
      Until it's bots all the way down, then it's just depressing for everyone.
      At which point you qualify for medical marijuana, and Welcome* Aboard!
      *(bring your own cheetos, dammit!)
    • I'm not sure if I am supposed to be happy or depressed about this claim...

      Don't worry it will be just like all the other static analysis tools which gather dust in the IDE's tools menu

  • It would be nice if they found a bug in Wikileaks' insurance files encryption algo...
  • Comment removed based on user account deletion
  • It might help if Google had an add-on to E-Mail and Google that specifically checked ALL software that entered the system for Crypto Bugs!

Fast, cheap, good: pick two.

Working...