During the summer of 2022, Google engaged NCC Group to conduct a security assessment of VPN by Google One. VPN by Google One is a service that increases connection security and privacy to end users. Google provides several clients covering the most widely used operating systems; these VPN clients provide both encrypted transit and IP … Continue reading Public Report – VPN by Google One Security Assessment
Category: Public Report
Public Report – Confidential Space Security Review
During the summer of 2022, Google engaged NCC Group to conduct a security assessment of the Confidential Space product. The system provides a confidential computing environment that allows cloud customers to run workloads in the cloud that can be attested to run a specific payload with high assurances that the workload was not and cannot … Continue reading Public Report – Confidential Space Security Review
Public Report – IOV Labs powHSM Security Assessment
In June 2022, IOV Labs engaged NCC Group to perform a review of powHSM. Per the project documentation: "Its main role is to safekeep and prevent the unauthorized usage of each of the powPeg's members' private keys. powHSM is implemented as a pair of applications for the Ledger Nano S, namely a UI and a Signer, … Continue reading Public Report – IOV Labs powHSM Security Assessment
Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
During the summer of 2022, Penumbra Labs, Inc. engaged NCC Group to conduct a cryptographic security assessment of two items: (i) the specification and two implementations of the decaf377 group, and (ii) a methodology and implementation of parameter generation for the Poseidon hash function. Decaf377 is a prime-order group obtained by applying the Decaf construction … Continue reading Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
Public Report – Threshold ECDSA Cryptography Review
In March 2022, DFINITY engaged NCC Group to conduct a security and cryptography review of a threshold ECDSA implementation, which follows a novel approach described in the reference paper entitled "Design and analysis of a distributed ECDSA signing service" and available on the IACR ePrint archive at https://eprint.iacr.org/2022/506. The threshold ECDSA protocol will be deployed into … Continue reading Public Report – Threshold ECDSA Cryptography Review
Public Report – Lantern and Replica Security Assessment
Editor's Note: This security assessment was conducted by a team of our consultants, one of whom, Victor Hora, tragically and unexpectedly passed away a few weeks ago. As we publish this report, we miss our dear colleague immensely and celebrate Victor's life and his wonderful influence on the world. He was a talented security consultant, … Continue reading Public Report – Lantern and Replica Security Assessment
Public Report – go-cose Security Assessment
In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft's contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of … Continue reading Public Report – go-cose Security Assessment
Public Report – Google Enterprise API Security Assessment
During the autumn of 2021, Google engaged NCC Group to perform a review of the Android 12 Enterprise API to evaluate its compliance with the Security Technical Implementation Guides (STIG) matrix provided by Google. This assessment was also performed with reference to the Common Criteria Protection Profile for Mobile Device Fundamentals (PPMDF), from which the … Continue reading Public Report – Google Enterprise API Security Assessment
Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
During October 2021, O(1) Labs engaged NCC Group's Cryptography Services team to conduct a cryptography and implementation review of selected components within the main source code repository for the Mina project. Mina implements a cryptocurrency with a lightweight and constant-sized blockchain, where the code is primarily written in OCaml. The selected components involved the client … Continue reading Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
In June 2021, WhatsApp engaged NCC Group to conduct a security assessment of the 'opaque-ke' library, an open source Rust implementation of the OPAQUE password authenticated key exchange protocol. The protocol is designed to allow password-based authentication in such a way that a server does not actually learn the plaintext value of the client's password, … Continue reading Public Report – WhatsApp opaque-ke Cryptographic Implementation Review