
Google has announced the open sourcing of Paranoid, a project for identifying well-known weaknesses in cryptographic artifacts.
The library includes support for testing multiple crypto artifacts, such as digital signatures, general pseudorandom numbers, and public keys, to identify issues caused by programming errors or the use of weak proprietary random number generators.
Paranoid can check any artifact generated by systems with unknown implementations, known as ‘black boxes’, where the source code cannot be inspected.
Two famous implementation-specific vulnerabilities in random number generators are DUHK (Don’t Use Hardcoded Keys) and ROCA (Return of Coppersmith’s Attack), two SSL/TLS flaws that have been known for half a decade.
For instance, a bug tracked as CVE-2022-26320 is a crypto-related issue impacting several Canon and Fujifilm printer series, which generate self-signed TLS certificates with vulnerable RSA keys. The issue is related to the use of the Basic Crypto Module of the Safezone library by Rambus.
Google has already used Paranoid to check the crypto artifacts from Certificate Transparency, which contains over 7 billion issued website certificates – and discovered thousands of entries impacted by critical- and high-severity RSA public key vulnerabilities. Most of these certificates were already expired or revoked, and the rest were reported for revocation.
The Paranoid project contains checks for ECDSA signatures and for RSA and EC public keys, and is actively maintained by the Google Security Team.
The library has been open sourced so that others can use it, to increase transparency, and to receive contributions from external sources in the form of new checks and improvements to existing ones.