Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Open Sources ‘Paranoid’ Crypto Testing Library

Google has officially announced the open sourcing of ‘Paranoid’, a project for identifying well-known weaknesses in cryptographic artifacts.

Google has officially announced the open sourcing of ‘Paranoid’, a project for identifying well-known weaknesses in cryptographic artifacts.

The library includes support for testing multiple crypto artifacts, such as digital signatures, general pseudorandom numbers, and public keys, to identify issues caused by programming errors, or the use of weak proprietary random number generators.

Paranoid, Google says, can check any artifact, even those generated by systems with unknown implementations – which the company calls ‘black boxes’ – where the source code cannot be inspected.

“An artifact may be generated by a black-box if, for example, it was not generated by one of our own tools (such as Tink), or by a library that we can inspect and test using Wycheproof. Unfortunately, sometimes we end up relying on black-box generated artifacts,” the internet giant notes.

Paranoid contains implementations and optimizations extracted from existing crypto-related literature, which “showed that the generation of these artifacts was flawed in some cases,” Google explains.

Two famous implementation-specific vulnerabilities in random number generators are DUHK (Don’t Use Hardcoded Keys) and ROCA (Return of Coppersmith’s Attack), two SSL/TLS flaws that have been known for half a decade.

A more recent bug is CVE-2022-26320, a crypto-related issue impacting several Canon and Fujifilm printer series, which generate self-signed TLS certificates with vulnerable RSA keys. The issue is related to the use of the Basic Crypto Module of the Safezone library by Rambus.

Google has already used Paranoid to check the crypto artifacts from Certificate Transparency (CT) – which contains over 7 billion issued website certificates – and discovered thousands of entries impacted by critical- and high-severity RSA public key vulnerabilities. Most of these certificates were already expired or revoked, and the rest were reported for revocation.

Advertisement. Scroll to continue reading.

The Paranoid project contains checks for ECDSA signatures and for RSA and EC public keys, and is actively maintained by the Google Security Team, although it is not considered an officially supported Google product, the internet giant notes.

Google has open sourced the library not only to allow others to use it, but also to increase transparency and to receive contributions from external sources, in the form of new checks and improvements to existing ones.

“Note, the project is intended to be light in its use of computational resources. The checks must be fast enough to run against large numbers of artifacts and must make sense in real world production context,” the company notes.

Related: Aqua Security Ships Open Source Tool for Auditing Software Supply Chain

Related: Meta Releases Open Source Browser Extension for Checking Code Authenticity

Related: GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.