Project Wycheproof tests crypto libraries against known attacks.
https://github.com/c2sp/wycheproof
Project Wycheproof is named after
Mount Wycheproof, the smallest
mountain in the world. The main motivation for the project is to have a goal
that is achievable. The smaller the mountain the more likely it is to be able to
climb it.
[!NOTE]
Hello RWC 2024 attendees and others! Wycheproof recently moved to community
maintenance thanks to the shared efforts of Google and C2SP.
We are still working to update the README and documentation,
but we welcome your feedback and look forward to your contributions!
Project Wycheproof tests crypto libraries against known attacks.
Unfortunately, in cryptography, subtle mistakes can have catastrophic
consequences, and we found that libraries fall into such implementation
pitfalls much too often and for much too long. Good implementation guidelines,
however, are hard to come by: understanding how to implement cryptography
securely requires digesting decades’ worth of academic literature. We recognize
that software engineers fix and prevent bugs with unit testing, and we found
that cryptographic loopholes can be resolved by the same means.
These observations have prompted us to develop Project Wycheproof, a collection
of unit tests that detect known weaknesses or check for expected behaviors of
some cryptographic algorithm. Project Wycheproof provides tests for most
cryptographic algorithms, including RSA, elliptic curve crypto and
authenticated encryption. Our cryptographers have systematically surveyed the
literature and implemented most known attacks. We have over 80 test cases which
have uncovered more than 40 bugs. For
example, we found that we could recover the private key of widely-used DSA and
ECDHC implementations.
While we are committed to develop as many attacks as possible, Project
Wycheproof is by no means complete. Passing the tests does not imply that the
library is secure, it just means that it is not vulnerable to the attacks that
Project Wycheproof tests for. Cryptographers are also constantly discovering
new attacks. Nevertheless, with Project Wycheproof developers and users now can
check their libraries against a large number of known attacks, without having
to spend years reading academic papers or become cryptographers themselves.
For more information on the goals and strategies of Project Wycheproof, please
check out our documentation.
Project Wycheproof has tests for the most popular crypto algorithms, including
The tests detect whether a library is vulnerable to many attacks, including
Our first set of tests are written in Java, because Java has a common
cryptographic interface. This allowed us to test multiple providers with a
single test suite. While this interface is somewhat low level, and should not
be used directly, we still apply a “defense in depth” argument and expect that
the implementations are as robust as possible. For example, we consider weak
default values to be a significant security flaw. We are converting as many
tests into sets of test vectors to simplify porting the tests to other
languages. We provide ready-to-use test runners for Java Cryptography
Architecture providers such as Bouncy Castle,
Spongy Castle, the
Amazon Corretto Crypto Provider
and the default
providers in OpenJDK.
Install Bazel.
Install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy Files. This enables tests with large key
sizes. Otherwise you’ll see a lot of “illegal key size” exceptions.
Clone the repository:
git clone https://github.com/google/wycheproof.git
bazel test BouncyCastleAllTests
bazel test BouncyCastleAllTests_1_52
bazel test BouncyCastleAllTests_*
WYCHEPROOF_BOUNCYCASTLE_JAR environment$ WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/bouncycastle
$ bazel test BouncyCastleTestLocal
$ bazel test BouncyCastleAllTestsLocal
Note: Bazel does not currently invalidate the build on environment changes. If
you change the WYCHEPROOF_BOUNCYCASTLE_JAR environment variable, run bazel clean to force a rebuild:
$ WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/bouncycastle
$ bazel test BouncyCastleTestLocal
$ WYCHEPROOF_BOUNCYCASTLE_JAR=/path/to/other/jar
$ bazel clean
$ bazel test BouncyCastleTestLocal
BouncyCastle with SpongyCastle in your commands, for example:bazel test SpongyCastleAllTests
BouncyCastle with Accp in your commands, for example:bazel test AccpAllTests
WYCHEPROOF_ACCP_JAR environment variable:$ WYCHEPROOF_ACCP_JAR=/path/to/accp
$ bazel test AccpTestLocal
$ bazel test AccpAllTestsLocal
Note: bazel does not currently invalidate the build on environment changes. If
you change the WYCHEPROOF_ACCP_JAR environment variable, run bazel clean to force a rebuild:
$ WYCHEPROOF_ACCP_JAR=/path/to/accp
$ bazel test AccpTestLocal
$ WYCHEPROOF_ACCP_JAR=/path/to/other/jar
$ bazel clean
$ bazel test AccpTestLocal
bazel test OpenJDKAllTests
Note that OpenJDKAllTests expects that OpenJDK is your default JDK, so it might
refuse to run or its results might be incorrect if you are using some other JDK.
If you downloaded your JDK from Oracle or https://java.com, you’re probably
using Oracle JDK, which should be compatible with OpenJDK, thus the tests should
run correctly.
Some tests take a very long time to finish. If you want to exclude them, use
BouncyCastleTest, SpongyCastleTest or OpenJDKTest – these targets exclude
all slow tests (which are annotated with @SlowTest).
Most test targets are failing, and each failure might be a security issue. To
learn more about what a failed test means, you might want to check out our
documentation or the comments on top of the corresponding test
function and test class.
Here are some of the notable vulnerabilities that are uncovered by
Project Wycheproof:
OpenJDK’s SHA1withDSA leaks private keys > 1024 bits
Bouncy Castle’s ECDHC leaks private keys
Project Wycheproof has been maintained by:
If you want to contribute, please read CONTRIBUTING and send
us pull requests. You can also report bugs or request new tests.
If you’d like to talk to our developers or get notified about major new
tests, you may want to subscribe to our
mailing list. To
join, simply send an empty mail to [email protected].