GOOGLE Security Team published Open library paranoid designed to identify unreliable cryptographic artifacts, such as open keys and digital signatures created in vulnerable hardware (HSM) and software systems. The code is written in Python and is distributed under the license Apache 2.0.
The project may be useful for an indirect assessment of the use of algorithms and libraries, in which there are well -known gaps and vulnerabilities that affect the reliability of the formed keys and digital signatures, if the tested artifacts are generated inaccessible to checking hardware or closed components, which are a black box. The library is also can analyze sets of pseudo -liable numbers for the reliability of their generator, and in a large collection of artifacts To identify previously unknown problems that arise due to errors in the programming or use of unreliable generators of pseudo-random numbers.
When checking by the proposed library of the contents of the public log CT (Certificate Transparency), which includes information about more than 7 billion certificates, no problem -based open keys based on elliptical curves ( EC ) and digital signatures based on the algorithm ecdsa , but problematic open keys based on the RSA algorithm were found. In particular, 3586 unreliable keys generated by code with incorporate vulnerability CVE-2008-0166 in the OpenSSL package for Debian, 2533 keys associated with the vulnerability of the CVE-2017-15361 in the Infineon library, and 1860 keys to the greatest possible General divider (GCD). Information about the problematic certificates remaining in the everyday life is sent to certifying centers to recall them.
