Google has officially announced the open sourcing of ‘Paranoid’, a project for identifying well-known weaknesses in cryptographic artifacts.
The library includes support for testing multiple crypto artifacts, such as digital signatures, general pseudorandom numbers, and public keys, to identify issues caused by programming errors, or the use of weak proprietary random number generators.
Paranoid, Google says, can check any artifact, even those generated by systems with unknown implementations – which the company calls ‘black boxes’ – where the source code cannot be inspected.
“An artifact may be generated by a black-box if, for example, it was not generated by one of our own tools (such as Tink), or by a library that we can inspect and test using Wycheproof. Unfortunately, sometimes we end up relying on black-box generated artifacts,” the internet giant notes.
Paranoid contains implementations and optimizations extracted from existing crypto-related literature, which “showed that the generation of these artifacts was flawed in some cases,” Google explains.
Two famous implementation-specific vulnerabilities in random number generators are DUHK (Don’t Use Hardcoded Keys) and ROCA (Return of Coppersmith’s Attack), two SSL/TLS flaws that have been known for half a decade.
A more recent bug is CVE-2022-26320, a crypto-related issue impacting several Canon and Fujifilm printer series, which generate self-signed TLS certificates with vulnerable RSA keys. The issue is related to the use of the Basic Crypto Module of the Safezone library by Rambus.
Google has already used Paranoid to check the crypto artifacts from Certificate Transparency (CT) – which contains over 7 billion issued website certificates – and discovered thousands of entries impacted by critical- and high-severity RSA public key vulnerabilities. Most of these certificates were already expired or revoked, and the rest were reported for revocation.
The Paranoid project contains checks for ECDSA signatures and for RSA and EC public keys, and is actively maintained by the Google Security Team, although it is not considered an officially supported Google product, the internet giant notes.
Google has open sourced the library not only to allow others to use it, but also to increase transparency and to receive contributions from external sources, in the form of new checks and improvements to existing ones.
“Note, the project is intended to be light in its use of computational resources. The checks must be fast enough to run against large numbers of artifacts and must make sense in real world production context,” the company notes.
Related: Aqua Security Ships Open Source Tool for Auditing Software Supply Chain
Related: Meta Releases Open Source Browser Extension for Checking Code Authenticity
Related: GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies
More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
