UPDATED 11:31 EDT / DECEMBER 20 2016


Google’s Project Wycheproof aims to tackle cryptographic vulnerabilities

Most companies don’t have a resident cryptography expert who can assess the encryption in their software projects, so they’re often vulnerable to attacks that seek to exploit poorly implemented code.

Daniel Bleichenbacher and Thai Duong of Google Inc. want to help mitigate the threat with Project Wycheproof. The newly open-sourced toolkit provides a set of pre-configured test procedures for assessing the strength of an application’s encryption. According to a post that the two researchers have published on the search giant’s security blog, their toolkit supports over 80 exploit detection methods on launch, which they claim covers “most” known attacks against cryptographic libraries.

Previously, performing such a broad examination would have required an engineer to pore over hundreds of security white papers and write a proportional amount of custom code. Thanks to Project Wycheproof, they can now simply drop Google’s readymade tests into their workflows. Bleichenbacher and Duong wrote that their procedures are modeled after the so-called unit tests used in the development world, which aim to individually examine how an application’s components behave by placing them under realistic operating conditions.

Project Wycheproof’s tests cover the most widely used cryptographic algorithms, including the ubiquitous RSA, elliptic curve algorithms and authenticated encryption schemes. Google has already used the toolkit to find over 40 vulnerabilities in common cryptographic modules, some of which are still being kept under wraps because a fix is not yet available.

But just as unit tests are not a catch-all for finding bugs, Wycheproof can’t identify every encryption flaw, given the fast-evolving nature of security threats. Google’s researchers openly acknowledged the limitations of the project in their blog post. Bleichenbacher and Duong wrote that they merely want to help companies realize an “achievable goal” for application security.

That’s how they got the idea to name the toolkit after Mount Wycheproof, a granite outcrop in southeastern Australia that ranks as the world’s smallest mountain at a mere 141 feet tall. According to Wikipedia, the area apparently also contains its own unique mineral that is not found anywhere else and has been appropriately named Wycheproofite.

Other security experts applauded the effort. “This is great for developers who have considered security in the first place to make sure that they get encryption right,” Adam Brown, manager of security solutions at the chip design software company Synopsys, said in an email. “In our testing activities in the field where we take a data centric approach, we frequently see weak encryption or no cryptography at all.”

Project Wycheproof is available on GitHub under an Apache v2.0 license. Organizations will presumably deploy the toolkit alongside vulnerability detection tools such as OWASP Dependency-Check, which is used to scan encryption modules and other libraries for publicly known security flaws. 
