‘Paranoid’, Google’s Crypto Testing Library, is now open source

Google recently announced that it has open sourced ‘Paranoid’, a Google project that identifies common weaknesses in cryptographic artifacts.

The Paranoid library supports testing multiple crypto artifacts, including digital signatures, general pseudorandom numbers, and public keys. The tests identify issues caused by programming errors or by the use of weak proprietary random number generators.

According to Google, Paranoid can check any artifact, even ones generated by systems with unknown implementations. Such systems, whose source code cannot be inspected, are called “black boxes”.

Google also mentioned that an artifact may be generated by a black box if, for example, it was not generated by one of Google’s own tools, like Tink, or by a library that Google can inspect and test using Wycheproof. The tech giant added that, unfortunately, it sometimes ends up relying on black-box generated artifacts.

Google said that Paranoid features implementations and optimizations that were extracted from existing crypto-related literature, implying that the generation of these artifacts was flawed in some cases.

DUHK (Don’t Use Hardcoded Keys) and ROCA (Return of Coppersmith’s Attack) are two famous implementation-specific vulnerabilities in random number generators. These two SSL/TLS flaws have been known for a decade. 

Google has already used Paranoid to check the crypto artifacts from Certificate Transparency (CT), which contains over 7 billion issued website certificates. It discovered thousands of entries that were impacted by critical and high-severity RSA public key vulnerabilities.
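
An added illustration, not from the original article and not Paranoid's own code or API: a black-box check over a set of RSA moduli that flags two weaknesses a poor random number generator can cause, primes shared between keys and primes chosen too close together. The function names, finding labels and toy moduli are constructed for this example.

```python
from math import gcd, isqrt

def close_primes(n, max_steps=1000):
    """Fermat-style check: True if odd n splits as (a-b)*(a+b) within
    max_steps of sqrt(n), i.e. its two factors are too close together."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b > 1  # ignore the trivial split 1 * n
        a += 1
    return False

def audit_moduli(moduli, max_steps=1000):
    """Return {index: [finding, ...]} for weak moduli only. Factors are
    deliberately not returned; the report says which keys to replace."""
    findings = {i: set() for i in range(len(moduli))}
    for i, n in enumerate(moduli):
        if n % 2 == 0:
            findings[i].add("even_modulus")
        elif close_primes(n, max_steps):
            findings[i].add("close_primes")
        for j in range(i + 1, len(moduli)):
            if n == moduli[j]:
                hit = "duplicate_modulus"
            elif gcd(n, moduli[j]) > 1:
                hit = "shared_prime"
            else:
                continue
            findings[i].add(hit)
            findings[j].add(hit)
    return {i: sorted(f) for i, f in findings.items() if f}

# Constructed toy moduli (far smaller than real RSA keys), built from known primes.
M31, M61, M89, M107, M127 = (2**k - 1 for k in (31, 61, 89, 107, 127))
SAMPLE = [
    M61 * M89,          # shares M61 with the next key (same RNG state reused)
    M61 * M107,
    M31 * M127,         # no finding expected
    1000003 * 1000033,  # factors only 30 apart
]

if __name__ == "__main__":
    for idx, problems in audit_moduli(SAMPLE).items():
        print(f"key {idx}: {', '.join(problems)}")
```

The pairwise comparison is quadratic in the number of keys, so it suits a small inventory rather than a corpus the size of CT.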

 



