In Crypto, Always Run That Validation Test

In Crypto, Always Run That Validation Test

In fact, do this for all your programs

One thing that is important in teaching cryptography is the point that you always run your validation test, before you get to any sort of evaluation. One slip-up in the conversion of bytes into characters could be costly in terms in the security of the system. So I always turn to the original research paper or the RFC to get a test vector, and check my program against that.

The testing is especially important as we often convert between bytes, strings and hexademical values, and thing might seem to work, but there’s a flaw in these conversions. For example, a hexademical value could be seen as a user string, and appear valid. The conversion between Python 2.7 and 3.8 can also be a tricky process, and where we need to watch our string conversions.

So let’s take an example of HKDF (HMAC Key Derivation Function), and where we take a password, some salt, and a hashing method, and generate an encryption key of a certain length. The great thing is that we can swap in whatever hashing method we need, and it will do the key derivation for us. Typically hashing methods are SHA-1, SHA-256 and SHA-512.

If we take an example:

You see the test is in hexademical values, and with the 0b character (which is 10 decimal — the newline character). So it’s not that easy to enter this as text, so we can just convert to a string and test:

In this case, we convert from a hex string format to a string:

The unhexlify() converts the hex string to a byte array, so we need the decode() method to convert it to a string. Next we can test our code:

And — magically — it should all work:

You would then make sure all the other test cases work, and you can then move onto some proper evaluation.

If you are interested, here’s the code in action with an input string:

So make sure you create test vectors for your programs, and for every version, you run them through, and validate … before you release it!