Google recently announced the open sourcing availability of ‘Paranoid’, a Google project that identifies common weaknesses in cryptographic artifacts.
The Paranoid library houses support for testing multiple crypto artifacts. This includes digital signatures, general pseudorandom numbers, and public keys that can identify programming error issues or the use of weak proprietary random number generators.
According to Google, Paranoid can check any artifact. Even the ones generated by systems with unknown implementation doesn’t go unidentified by Paranoid. This type of artifacts are called “black boxes”. The source code cannot be inspected in black boxes.
Google also mentioned that an artifact may be generated by a black-box if, in a scenario, it was not generated by one of Google’s own tools like Tink. This would also happen if it was generated by a library that Google can inspect and test with the use of Wycheproof. The tech giant also asserted that unfortunately they end up relying on black-box generated artifacts.
Google expressed that Paranoid features implementations and optimizations that was extracted from existing crypto-related literature, implying that the generation of these artifacts was flawed in some cases.
DUHK (Don’t Use Hardcoded Keys) and ROCA (Return of Coppersmith’s Attack) are two famous implementation-specific vulnerabilities in random number generators. These two SSL/TLS flaws have been known for a decade.
Google has already made use of Paranoid to check the crypto artifacts from Certificate Transparency (CT). CT contains over 7 billion issued website certificates. Additionally it also discovered thousands of entries that were impacted by critical and high-severity RSA public key vulnerabilities.
