1 # Project Wycheproof 2 https://github.com/google/wycheproof 3 4 *Project Wycheproof is named after 5 [Mount Wycheproof](https://en.wikipedia.org/wiki/Mount_Wycheproof), the smallest 6 mountain in the world. The main motivation for the project is to have a goal 7 that is achievable. The smaller the mountain the more likely it is to be able to 8 climb it.* 9 10 [TOC] 11 12 ## Introduction 13 14 Project Wycheproof tests crypto libraries against known attacks. It is developed 15 and maintained by members of Google Security Team, but it is not an official 16 Google product. 17 18 At Google, we rely on many third party cryptographic software libraries. 19 Unfortunately, in cryptography, subtle mistakes can have catastrophic 20 consequences, and we found that libraries fall into such implementation 21 pitfalls much too often and for much too long. Good implementation guidelines, 22 however, are hard to come by: understanding how to implement cryptography 23 securely requires digesting decades' worth of academic literature. We recognize 24 that software engineers fix and prevent bugs with unit testing, and we found 25 that cryptographic loopholes can be resolved by the same means. 26 27 These observations have prompted us to develop Project Wycheproof, a collection 28 of unit tests that detect known weaknesses or check for expected behaviors of 29 some cryptographic algorithm. Project Wycheproof provides tests for most 30 cryptographic algorithms, including RSA, elliptic curve crypto and 31 authenticated encryption. Our cryptographers have systematically surveyed the 32 literature and implemented most known attacks. We have over 80 test cases which 33 have uncovered more than [40 bugs](doc/bugs.md). For 34 example, we found that we could recover the private key of widely-used DSA and 35 ECDHC implementations. 36 37 While we are committed to develop as many attacks as possible, Project 38 Wycheproof is by no means complete. Passing the tests does not imply that the 39 library is secure, it just means that it is not vulnerable to the attacks that 40 Project Wycheproof tests for. Cryptographers are also constantly discovering 41 new attacks. Nevertheless, with Project Wycheproof developers and users now can 42 check their libraries against a large number of known attacks, without having 43 to spend years reading academic papers or become cryptographers themselves. 44 45 For more information on the goals and strategies of Project Wycheproof, please 46 check out our [doc](doc/). 47 48 ### Coverage 49 50 Project Wycheproof has tests for the most popular crypto algorithms, including 51 52 - AES-EAX 53 - AES-GCM 54 - [DH](doc/dh.md) 55 - DHIES 56 - [DSA](doc/dsa.md) 57 - [ECDH](doc/ecdh.md) 58 - ECDSA 59 - ECIES 60 - [RSA](doc/rsa.md) 61 62 The tests detect whether a library is vulnerable to many attacks, including 63 64 - Invalid curve attacks 65 - Biased nonces in digital signature schemes 66 - Of course, all Bleichenbachers attacks 67 - And many more -- we have over 80 test cases 68 69 Our first set of tests are written in Java, because Java has a common 70 cryptographic interface. This allowed us to test multiple providers with a 71 single test suite. While this interface is somewhat low level, and should not 72 be used directly, we still apply a "defense in depth" argument and expect that 73 the implementations are as robust as possible. For example, we consider weak 74 default values to be a significant security flaw. We are converting as many 75 tests into sets of test vectors to simplify porting the tests to other 76 languages. We provide ready-to-use test runners for Java Cryptography 77 Architecture providers such as [Bouncy Castle](http://bouncycastle.org), 78 [Spongy Castle](https://rtyley.github.io/spongycastle/), and the default 79 providers in [OpenJDK](http://openjdk.java.net/). 80 81 ### Usage 82 83 - Install [Bazel](https://bazel.build/). 84 85 - Install [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction 86 Policy 87 Files](http://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters): 88 this enables tests with large key sizes. Otherwise you'll see a lot of 89 "illegal key size" exceptions. 90 91 - Check out the tests 92 93 ``` 94 git clone https://github.com/google/wycheproof.git 95 ``` 96 97 - To test latest stable version of Bouncy Castle: 98 99 ``` 100 bazel test BouncyCastleAllTests 101 ``` 102 103 - To test other versions, e.g., v1.52: 104 105 ``` 106 bazel test BouncyCastleAllTests_1_52 107 ``` 108 109 - To test all known versions (warning, will take a long time): 110 111 ``` 112 bazel test BouncyCastleAllTests_* 113 ``` 114 115 - To test a local jar, set the `WYCHEPROOF_BOUNCYCASTLE_JAR` environment 116 variable: 117 118 ```shell 119 $ WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/bouncycastle 120 $ bazel test BouncyCastleTestLocal 121 $ bazel test BouncyCastleAllTestsLocal 122 ``` 123 124 Note: bazel does not currently invalidate the build on environment changes. If 125 you change the `WYCHEPROOF_BOUNCYCASTLE_JAR` environment variable, run `bazel 126 clean` to force a rebuild: 127 128 ```shell 129 $ WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/bouncycastle 130 $ bazel test BouncyCastleTestLocal 131 $ WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/other/jar 132 $ bazel clean 133 $ bazel test BouncyCastleTestLocal 134 ``` 135 136 - To test [Spongy Castle](https://rtyley.github.io/spongycastle/), replace 137 BouncyCastle with SpongyCastle in your commands, for example 138 139 ``` 140 bazel test SpongyCastleAllTests 141 ``` 142 143 - To test your current installation of 144 [OpenJDK](http://openjdk.java.net/): 145 146 ``` 147 bazel test OpenJDKAllTests 148 ``` 149 150 Note that OpenJDKAllTests expects that OpenJDK is your default JDK, so it might 151 refuse to run or its results might be incorrect if you are using some other JDK. 152 If you downloaded your JDK from Oracle or https://java.com, you're probably 153 using Oracle JDK, which should be compatible with OpenJDK, thus the tests should 154 run correctly. 155 156 Some tests take a very long time to finish. If you want to exclude them, use 157 BouncyCastleTest, SpongyCastleTest or OpenJDKTest -- these targets exclude all 158 slow tests (which are annotated with @SlowTest). 159 160 Most test targets are failing, and each failure might be a security issue. To 161 learn more about what a failed test means, you might want to check out [our 162 documentation](doc/bugs.md) or the comments on top of the corresponding test 163 function and test class. 164 165 ### Hall of Bugs 166 167 Here are some of the notable vulnerabilities that are uncovered by 168 Project Wycheproof: 169 170 - OpenJDK's SHA1withDSA leaks private keys > 1024 bits 171 - Test: testBiasSha1WithDSA in 172 [DsaTest](https://github.com/google/wycheproof/blob/master/java/com/google/security/wycheproof/testcases/DsaTest.java). 173 - This bug is the same as 174 [CVE-2003-0971 - GnuPG generated ElGamal signatures that leaked the private key] 175 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0971). 176 177 - Bouncy Castle's ECDHC leaks private keys 178 - Test: testModifiedPublic and testWrongOrderEcdhc in 179 [EcdhTest](https://github.com/google/wycheproof/blob/master/java/com/google/security/wycheproof/testcases/EcdhTest.java). 180 181 ### Maintainers 182 183 Project Wycheproof is maintained by: 184 185 - Daniel Bleichenbacher 186 - Thai Duong 187 - Emilia Kasper 188 - Quan Nguyen 189 190 ### Contact and mailing list 191 192 If you want to contribute, please read [CONTRIBUTING](CONTRIBUTING.md) and send 193 us pull requests. You can also report bugs or request new tests. 194 195 If you'd like to talk to our developers or get notified about major new 196 tests, you may want to subscribe to our 197 [mailing list](https://groups.google.com/forum/#!forum/wycheproof-users). To 198 join, simply send an empty mail to wycheproof-users+subscribe (a] googlegroups.com. 199
