Set of tools for exhaustive implementation testing of existing RSA and ECC implementations and verify that the required security-relevant checks like known invalid inputs tested (EC point not on curve, invalid curve parameters…) are performed. Automatic analysis of library output artifacts (generated keys, side-channel leakage…) is collected and any deviances (even if not directly exploitable) from the common behavior are searched for detected. A black-box analysis is performed, allowing for analysis also on the closed, proprietary devices. The typical use-case scenarios are:
- Automatic testing during development (e.g., Continuous Integration),
- Initial thorough analysis of a specific card or library.
- Generation of behavioral forensic profiles for later comparison of the libraries including the closed, proprietary ones.
For more detailed insights, please see the following:
[1] P. Svenda, M. Nemec, P. Sekan, R. Kvasnovsky, D. Formanek, D. Komarek and V. Matyas, The Million-Key Question – Investigating the Origins of RSA Public Keys, USENIX Security 2016, https://crocs.fi.muni.cz/papers/usenix2016. [2] J. Jancar, P. Svenda, Tests support and behavior of elliptic curve cryptography implementations on JavaCards, https://github.com/crocs-muni/ECTester