Public Report – VPN by Google One Security Assessment

During the summer of 2022, Google engaged NCC Group to conduct a security assessment of VPN by Google One. VPN by Google One is a service that increases connection security and privacy for end users. Google provides several clients covering the most widely used operating systems; these VPN clients provide both encrypted transit and IP …

Public Report – Confidential Space Security Review

During the summer of 2022, Google engaged NCC Group to conduct a security assessment of the Confidential Space product. The system provides a confidential computing environment that allows cloud customers to run workloads in the cloud that can be attested to run a specific payload with high assurances that the workload was not and cannot …

Public Report – IOV Labs powHSM Security Assessment

In June 2022, IOV Labs engaged NCC Group to perform a review of powHSM. Per the project documentation: "Its main role is to safekeep and prevent the unauthorized usage of each of the powPeg's members' private keys. powHSM is implemented as a pair of applications for the Ledger Nano S, namely a UI and a Signer, …

Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review

During the summer of 2022, Penumbra Labs, Inc. engaged NCC Group to conduct a cryptographic security assessment of two items: (i) the specification and two implementations of the decaf377 group, and (ii) a methodology and implementation of parameter generation for the Poseidon hash function. Decaf377 is a prime-order group obtained by applying the Decaf construction …

Public Report – Threshold ECDSA Cryptography Review

In March 2022, DFINITY engaged NCC Group to conduct a security and cryptography review of a threshold ECDSA implementation, which follows a novel approach described in the reference paper entitled "Design and analysis of a distributed ECDSA signing service" and available on the IACR ePrint archive at https://eprint.iacr.org/2022/506. The threshold ECDSA protocol will be deployed into …

Public Report – Lantern and Replica Security Assessment

Editor's Note: This security assessment was conducted by a team of our consultants, one of whom, Victor Hora, tragically and unexpectedly passed away a few weeks ago. As we publish this report, we miss our dear colleague immensely and celebrate Victor's life and his wonderful influence on the world. He was a talented security consultant, …

Public Report – go-cose Security Assessment

In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft's contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of …

Public Report – Google Enterprise API Security Assessment

During the autumn of 2021, Google engaged NCC Group to perform a review of the Android 12 Enterprise API to evaluate its compliance with the Security Technical Implementation Guides (STIG) matrix provided by Google. This assessment was also performed with reference to the Common Criteria Protection Profile for Mobile Device Fundamentals (PPMDF), from which the …

Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review

During October 2021, O(1) Labs engaged NCC Group's Cryptography Services team to conduct a cryptography and implementation review of selected components within the main source code repository for the Mina project. Mina implements a cryptocurrency with a lightweight and constant-sized blockchain, where the code is primarily written in OCaml. The selected components involved the client …

Public Report – WhatsApp opaque-ke Cryptographic Implementation Review

In June 2021, WhatsApp engaged NCC Group to conduct a security assessment of the 'opaque-ke' library, an open source Rust implementation of the OPAQUE password authenticated key exchange protocol. The protocol is designed to allow password-based authentication in such a way that a server does not actually learn the plaintext value of the client's password, …