Crypto code: the 9 circles of testing presented at troopers 2016

by Jean-Philippe Aumasson,

Summary : Major crypto vulnerabilities would have been detected if we had better testing methodologies and tools. Heartbleed, Gotofail, or FREAK are some the most dramatic examples, but there are many others and many that we haven't discovered yet. To help fix this, and to show how hard it is to test crypto code, this talk will go through the simplest to the most sophisticated methods, from basic test vectors to fuzzing and verification. I'll show code examples, and the limitations of each class of test.