Test suites for cryptography
Test suites for cryptography
Posted Jan 20, 2011 12:27 UTC (Thu) by epa (subscriber, #39769)In reply to: Tarsnap advisory provides a few lessons by mjthayer
Parent article: Tarsnap advisory provides a few lessons
You're right, a simple before-and-after test would have caught it.
A parallel approach would be to write a dummy cryptography library which essentially spews out the inputs unchanged - so the encrypt() function, rather than returning encrypted data, gives a string saying 'key = xxx, plaintext = yyy, parameters = zzz'. The dummy random number generator will just return 1, 2, 3 etc. You can then inspect the output by hand, or by an automated tool, to check for logic errors such as the same key being used twice when it should not be. This test would only be as good as the person writing the automated checker, but it might provide another chance to catch certain bugs.