Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Google Open Sources ‘Paranoid’ Crypto Testing Library

Google has officially announced the open sourcing of ‘Paranoid’, a project for identifying well-known weaknesses in cryptographic artifacts.

Google has officially announced the open sourcing of ‘Paranoid’, a project for identifying well-known weaknesses in cryptographic artifacts.

The library includes support for testing multiple crypto artifacts, such as digital signatures, general pseudorandom numbers, and public keys, to identify issues caused by programming errors, or the use of weak proprietary random number generators.

Paranoid, Google says, can check any artifact, even those generated by systems with unknown implementations – which the company calls ‘black boxes’ – where the source code cannot be inspected.

“An artifact may be generated by a black-box if, for example, it was not generated by one of our own tools (such as Tink), or by a library that we can inspect and test using Wycheproof. Unfortunately, sometimes we end up relying on black-box generated artifacts,” the internet giant notes.

Paranoid contains implementations and optimizations extracted from existing crypto-related literature, which “showed that the generation of these artifacts was flawed in some cases,” Google explains.

Two famous implementation-specific vulnerabilities in random number generators are DUHK (Don’t Use Hardcoded Keys) and ROCA (Return of Coppersmith’s Attack), two SSL/TLS flaws that have been known for half a decade.

A more recent bug is CVE-2022-26320, a crypto-related issue impacting several Canon and Fujifilm printer series, which generate self-signed TLS certificates with vulnerable RSA keys. The issue is related to the use of the Basic Crypto Module of the Safezone library by Rambus.

Google has already used Paranoid to check the crypto artifacts from Certificate Transparency (CT) – which contains over 7 billion issued website certificates – and discovered thousands of entries impacted by critical- and high-severity RSA public key vulnerabilities. Most of these certificates were already expired or revoked, and the rest were reported for revocation.

The Paranoid project contains checks for ECDSA signatures and for RSA and EC public keys, and is actively maintained by the Google Security Team, although it is not considered an officially supported Google product, the internet giant notes.

Google has open sourced the library not only to allow others to use it, but also to increase transparency and to receive contributions from external sources, in the form of new checks and improvements to existing ones.

“Note, the project is intended to be light in its use of computational resources. The checks must be fast enough to run against large numbers of artifacts and must make sense in real world production context,” the company notes.

Related: Aqua Security Ships Open Source Tool for Auditing Software Supply Chain

Related: Meta Releases Open Source Browser Extension for Checking Code Authenticity

Related: GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...