Slashdot Mirror


Google Releases Tool To Find Common Crypto Bugs (onthewire.io)

Trailrunner7 quotes a report from On the Wire: Google has released a new set of tests it uses to probe cryptographic libraries for vulnerabilities to known attacks. The tests can be used against most kinds of crypto algorithms and the company already has found 40 new weaknesses in existing algorithms. The tests are called Project Wycheproof, and Google's engineers designed them to help developers implement crypto libraries without having to become experts. Cryptographic libraries can be quite difficult to implement and making errors can lead to serious security problems. Attackers often will look for weak crypto implementations as a means of circumventing strong encryption in a target app. Among the issues that Google's engineers found with the Project Wycheproof tests is one in ECDH that allows an attacker to recover the private key in some circumstances. The bug is the result of some libraries not checking the elliptic curve points that they get from outside sources. "In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means," Daniel Bleichenbacher and Thai Duong, security engineers at Google, said in a post announcing the tool release. "Encodings of public keys typically contain the curve for the public key point. If such an encoding is used in the key exchange then it is important to check that the public and secret key used to compute the shared ECDH secret are using the same curve. Some libraries fail to do this check," Google's documentation says.
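The check the summary describes (validate the peer's public point, and its curve, before computing the ECDH secret), as an added example that is not part of the original story or of Project Wycheproof. It generalises slightly to range and infinity checks; the toy curves, test vectors and function names are constructed for illustration, and the curve is far too small for real use.

```python
from collections import namedtuple
# Constructed toy curves y^2 = x^3 + a*x + b over GF(p); illustration only.
Curve = namedtuple("Curve", "name p a b")
TOY17, OTHER = Curve("toy17", 17, 2, 2), Curve("other17", 17, 2, 3)
G = (5, 1)  # generator of TOY17, prime order 19 (cofactor 1)

def add(c, P, Q):
    if P is None or Q is None: return P or Q   # None is the point at infinity
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0: return None  # P + (-P)
    if P == Q: lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p)
    else: lam = (y2 - y1) * pow(x2 - x1, -1, c.p)
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def mul(c, k, P):
    R = None
    while k:
        if k & 1: R = add(c, R, P)
        P, k = add(c, P, P), k >> 1
    return R

def validate(own, peer_curve, pt):
    if peer_curve != own: raise ValueError("curve mismatch")
    if pt is None: raise ValueError("point at infinity")
    x, y = pt
    if not (0 <= x < own.p and 0 <= y < own.p): raise ValueError("out of range")
    if (y * y - (x**3 + own.a * x + own.b)) % own.p: raise ValueError("not on curve")

def ecdh(own, priv, peer_curve, pt, check=True):
    if check: validate(own, peer_curve, pt)  # before any arithmetic on pt
    S = mul(own, priv, pt)  # note: the addition formulas never use c.b
    if S is None: raise ValueError("shared point at infinity")
    return S[0]

VECTORS = [  # constructed vectors: (comment, claimed curve, public point, expected)
    ("valid key", TOY17, mul(TOY17, 7, G), "valid"),
    ("point not on curve", TOY17, (5, 2), "invalid"),
    ("coordinate out of range", TOY17, (22, 1), "invalid"),
    ("key from another curve", OTHER, (2, 7), "invalid"),
    ("point at infinity", TOY17, None, "invalid"),
]

def accepts(priv, curve, pt, check):
    try: ecdh(TOY17, priv, curve, pt, check); return True
    except ValueError: return False

def failures(priv, check):
    """Comments of vectors whose outcome disagrees with the expected result."""
    return [c for c, cv, pt, exp in VECTORS if accepts(priv, cv, pt, check) != (exp == "valid")]
```

Calling `failures(3, True)` returns an empty list, while `failures(3, False)` lists the three invalid keys that the unchecked code path silently accepts, which is the kind of defect a unit-test suite of this style is meant to surface.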

22 comments

  1. That inspires confidence by slew · · Score: 4, Insightful

    Google's engineers designed them to help developers implement crypto libraries without having to become experts.

    I'm not sure if I am supposed to be happy or depressed about this claim...

    1. Re:That inspires confidence by Anonymous Coward · · Score: 0

      Google's engineers designed them to help developers implement crypto libraries without having to become experts.

      I'm not sure if I am supposed to be happy or depressed about this claim...

      I suspect next they'll introduce a tool that allows you to craft an expert system without being an "expert". Oh, wait....that's Microsoft.

    2. Re:That inspires confidence by coolmoe2 · · Score: 2, Insightful
      Well just think about if you had to have a decade's worth of knowledge to implement SSL on your website. I think most normal admins would agree that is a high bar to jump to ensure nobody is snooping on data coming over that connection.

      I get where you're coming from but standards and guidelines are key to making the web what it is today.

      Okay well the modern Internet is a fuckin mess so maybe not the best example but you know what I mean.

    3. Re:That inspires confidence by networkBoy · · Score: 3, Insightful

      I'm going with happy.
      Bugs happen and open unit tests that we can all apply against our software stacks are a good thing indeed!
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    4. Re:That inspires confidence by Anonymous Coward · · Score: 0

      Go with "hopeful". It is a good test suite.

      You still need to be fired if you are trying to implement crypto without being a researcher in that field.

      And you still need to be fired if you are selecting crypto modules without doing due research on where it came from.

    5. Re:That inspires confidence by Anonymous Coward · · Score: 0

      With these tools, your coder can be reasonably confident that the crypto library they are using is reasonably secure. They won't have to rely on what the snake oil sales person tells them.

    6. Re:That inspires confidence by swillden · · Score: 3, Insightful

      Google's engineers designed them to help developers implement crypto libraries without having to become experts.

      I'm not sure if I am supposed to be happy or depressed about this claim...

      Happy. Because developers are not going to become experts.

      Keep in mind that the class of expert we're talking about here includes Daniel Bleichenbacher, a world-class cryptographer and cryptanalyst best known for the "million-message attack", one of the first practical attacks on RSA-based PKI systems and Thai Duong, co-creator of several practical attacks against SSL and older versions of TLS. The worldwide supply of such experts is measured in hundreds. Automated tools that package and deliver (a little of) their expertise in a form that the average developer can use are a good thing.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:That inspires confidence by FatdogHaiku · · Score: 1

      Depending on where you live and work, you might get some medical marijuana and become depressingly happy...
      The happy part is you, the depressing part is for whoever else has to read your code.
      Until it's bots all the way down, then it's just depressing for everyone.
      At which point you qualify for medical marijuana, and Welcome* Aboard!
      *(bring your own cheetos, dammit!)

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    8. Re: That inspires confidence by Anonymous Coward · · Score: 0

      Yeah, except for the fact that management and the incompetent H1-Bs they outsource your job to will claim that because their crappy code passes these automated tests that it's good enough to use.

      Meanwhile, the vulnerabilities that the NSA managed to get left out of the detector tools by whatever means will be exploited for years. Someone will discover one and everybody will act surprised.

    9. Re:That inspires confidence by Big+Hairy+Ian · · Score: 1

      I'm not sure if I am supposed to be happy or depressed about this claim...

      Don't worry it will be just like all the other static analysis tools which gather dust in the IDE's tools menu

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  2. Bug in Wikileaks' Insurance Files Encryption? by maybe111 · · Score: 1

    It would be nice if they found a bug in Wikileaks' insurance files encryption algo...

    1. Re:Bug in Wikileaks' Insurance Files Encryption? by Anonymous Coward · · Score: 0

      The one the Guardian leaked the password to years ago?

    2. Re:Bug in Wikileaks' Insurance Files Encryption? by maybe111 · · Score: 1

      no, the one released today: https://twitter.com/wikileaks/...

  3. heh by Anonymous Coward · · Score: 0

    the first rule of crypto is don't write your own crypto.

  4. 20 years programming security, I don't do crypto by raymorris · · Score: 3, Interesting

    I've been programming security-related systems for 20 years. There's no chance I'd ever roll my own crypto. Tools to crack crypto? Yeah I do those. Write an IPSec / IKE implementation from scratch? I did that last week. You bet your ass it uses standard crypto libraries; I'm not writing those.

  5. They could start by fixing WPA/WPA2 by mmell · · Score: 1

    I don't feel like deploying a RADIUS server at home - it'd be nice if some router came with effective wifi encryption out of the box. Given a reasonable and secure solution, I'm sure M$ and 'NIX types would be happy to write the appropriate drivers to support it.

    1. Re:They could start by fixing WPA/WPA2 by Anonymous Coward · · Score: 0

      It hardly matters any more, now that most (and all actually private) traffic goes over https.

    2. Re:They could start by fixing WPA/WPA2 by Anonymous Coward · · Score: 0

      Oh, it matters.

      How about the classic attack called ARPSpoof, used to mount an SSL Strip.

      And BTW, what is supposed to be the problem with WPA2? AFAIK, the way to crack it is using brute force on the password when used in pre-shared-key mode.

    3. Re:They could start by fixing WPA/WPA2 by MikeBabcock · · Score: 1

      SSL/TLS is not a good security solution in many ways -- it only has a certificate for one side of the connection, its key sizes are frequently restrictive and most importantly, it does nothing to prevent impersonation or bandwidth theft.

      --
      - Michael T. Babcock (Yes, I blog)
  6. Eat your own Dog food by Anonymous Coward · · Score: 0

    The site hosting the article has an expired ssl certificate! Oh the irony =)

  7. E-Mail and Browser addon by jraff2 · · Score: 1

    It might help if Google had an add-on to E-Mail and Google that specifically checked ALL software that entered the system for Crypto Bugs!

  8. Re:20 years programming security, I don't do crypt by swillden · · Score: 1

    I've been programming security-related systems for 20 years. There's no chance I'd ever roll my own crypto. Tools to crack crypto? Yeah I do those. Write an IPSec / IKE implementation from scratch? I did that last week. You bet your ass it uses standard crypto libraries; I'm not writing those.

    These tools are still useful, to detect bugs in the libraries. Daniel and Thai have found a lot of those, and getting the fixes upstreamed is surprisingly hard.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.