Google has officially announced the open sourcing of ‘Paranoid’, a project for identifying well-known weaknesses in cryptographic artifacts.
The library includes support for testing multiple crypto artifacts, such as digital signatures, general pseudorandom numbers, and public keys, to identify issues caused by programming errors, or the use of weak proprietary random number generators.
Paranoid, Google says, can check any artifact, even those generated by systems with unknown implementations – which the company calls ‘black boxes’ – where the source code cannot be inspected.
“An artifact may be generated by a black-box if, for example, it was not generated by one of our own tools (such as Tink), or by a library that we can inspect and test using Wycheproof. Unfortunately, sometimes we end up relying on black-box generated artifacts,” the internet giant notes.
Paranoid contains implementations and optimizations extracted from existing crypto-related literature, which “showed that the generation of these artifacts was flawed in some cases,” Google explains.
Two famous implementation-specific vulnerabilities in random number generators are DUHK (Don’t Use Hardcoded Keys) and ROCA (Return of Coppersmith’s Attack), two SSL/TLS flaws that have been known for half a decade.
A more recent bug is CVE-2022-26320, a crypto-related issue impacting several Canon and Fujifilm printer series, which generate self-signed TLS certificates with vulnerable RSA keys. The issue is related to the use of the Basic Crypto Module of the Safezone library by Rambus.
Google has already used Paranoid to check the crypto artifacts from Certificate Transparency (CT) – which contains over 7 billion issued website certificates – and discovered thousands of entries impacted by critical- and high-severity RSA public key vulnerabilities. Most of these certificates were already expired or revoked, and the rest were reported for revocation.
The Paranoid project contains checks for ECDSA signatures and for RSA and EC public keys, and is actively maintained by the Google Security Team, although it is not considered an officially supported Google product, the internet giant notes.
Google has open sourced the library not only to allow others to use it, but also to increase transparency and to receive contributions from external sources, in the form of new checks and improvements to existing ones.
“Note, the project is intended to be light in its use of computational resources. The checks must be fast enough to run against large numbers of artifacts and must make sense in real world production context,” the company notes.
Related: Aqua Security Ships Open Source Tool for Auditing Software Supply Chain
Related: Meta Releases Open Source Browser Extension for Checking Code Authenticity
Related: GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies