Investigating Weaknesses in Android Certificate...
Transcript of Investigating Weaknesses in Android Certificate...
Investigating Weaknesses
in Android Certificate
Security
Professor Patrick McDaniel
Daniel Krych
Fall 2015
Page
Devin’s
App
[email protected] Investigating Android Certificate
Security
Devin
Mallory
Google Play Store
Devin’s
App
CERT.
Devin’s
App
CERT.
CERT.
Page
Introduction
• We tested the Google Play Store for certificate
vulnerabilities
• Sufficient randomness/entropy needed to generate
sufficiently secure key pairs
• Android app developers are not cryptographers!
• Lack of entropy Calculable keys
Takeover applications
[email protected] Investigating Android Certificate
Security
Page
Our Motivation
• Private keys using RSA/DSA have been recently
computed for a large number of TLS and SSH hosts
• Quasilinear Greatest Common Divisor Finding
Algorithm
• Each private key is generated with two very large,
random prime numbers
• If two different keys share 1 prime number
Keys can be calculated by finding the GCD
Investigating Android Certificate
Security
Page
RSA Encryption
• RSA public keys have two components:
‣ Exponent e - can be shared openly
‣ Modulus N - can be shared openly
• N = p*q where p and q are randomly chosen primes
• z = φ(N) = (p-1)*(q-1) in the case of primes
• 1 < k < z, where k is prime and a co-prime to z
• ( k*j )mod z = 1
• kU = public key = (k, N)
• kR = private key = (j, N)
5
Encrypt: Pk = EmodN
Decrypt: Ej = PmodN
* P is the plain message
E is encrypted
message
Page
Investigating Android Certificate
Security
App 2CER
T.
App 1CER
T.
Public Modulus
1
Public Modulus
2
+
GCD
B
N1 / B = A N2 / B = C
BA
Public Modulus
N1
×
Secret
CB
Public Modulus
N2
×
Secret
Page
Euclid’s GCD Factoring RSA
Example• Consider the private key pairs:
‣ p1 = 3, q1 = 11 N1 = p1q1 = 33
‣ p2 = 3, q2 = 17 N2 = p2q2 = 51
‣ Find GCD (N1, N2) GCD (33, 51) = 3 *common prime
• Now we can determine the other prime factor
‣ N1 / 3 = 11 = q1
‣ N2 / 3 = 17 = q2
• Now sign and falsify desired certificate with respective key
pair!
• This method could find the GCD of two 1024-bit RSA moduli in
15 μs, but this would take roughly 30 years with their data set7
Page
Quasilinear GCD Finding
Algorithm[1]
8
• GCD Quasilinear
Finding Algorithm based
off of D.J. Bernstein[4]
and the Euclidian
Algorithm
• If one prime factor is
shared (p or q) between
two moduli, public keys
appear distinct, but
private keys are
computable by finding
the GCD of the two
moduli
Page
RSA/DSA Encryption
• Encryption requires sufficient
randomness
• Lack of randomness = weak keys
• Encryption would then be broken
Investigating Android Certificate
Security
Page
Our Dataset
• 571,431 Android applications
‣ 551,553 use RSA
‣ 19,878 use DSA
• Dataset compiled in 2013
• 60% of the applications available on the market in
2013
Investigating Android Certificate
Security
Page
Methodology: RSA
Certificates
• Quasilinear-time GCD finding algorithm
• Openssl used to extract moduli from certificates
• Moduli sorted according to bit-size
• 99.8% of certificates signed with keys using 1024-bit or
2048-bit encryption
Investigating Android Certificate
Security
Page
Methodology: DSA
Certificates
• DSA signature also consists of two large, random
prime numbers
‣ Similar to RSA
• A Quick Investigation:
‣ If different DSA signatures share either an r or
s value, the shared values lead to a calculable
private key.
Investigating Android Certificate
Security
Page
Python OpenSSL Parsing
Scripts
13
• Our scripts’ moduli pull
• openssl pkcs7 –print_certs
certificate information
Page
Page
RSA Certificates
Bit-Size Moduli Count Unique Moduli
512-bit 4 75.00%
1024-bit 348484 33.90%
2048-bit 202042 34.28%
4096-bit 826 34.14%
8192-bit 52 34.62%
16384-bit 2 50.00%
Other 142 38.73%
Investigating Android Certificate
Security
Page
Methodology: Certificate
Reuse
• Every certificate with a matching modulus was
identical
‣ all APKs had different md5sums
‣ Some apps had multiple versions in dataset
• Top certificate found 4,515 times
‣ Belonged to an app creating website – no coding
required
• How much [email protected]
16
Investigating Android Certificate
Security
Page
Methodology: Certificate
Reuse
Page
Results
RSA
• No vulnerabilities found using the Quasilinear GCD
Alg.
• The entropy pool contains enough randomness and
the keys are unbiased - no shared primes
• 34% RSA certificate uniqueness
DSA
• No keys were found to be weak - no shared primes
• 30% DSA certificate [email protected]
18
Investigating Android Certificate
Security
Page
Results: Certificate Reuse
• Trust relationship between applications sharing a certificate and
userid
‣ Can access eachother’s data and run in same process
• Roughly 1/3 of Certificates were unique!
‣ App creating sites using a few certificates for thousands of
customers
• Top 3 RSA certificates account for 11,438 different APKs
• Using virustotal.com determined the malicious rating of these
applications through the use of multiple antiviruses.
‣ 71% of these 11,438 APKs had been analyzed by them
Investigating Android Certificate
Security
Page
Results: Certificate Reuse
• 451 APKs were marked as malicious by 2
or more antivirus softwares (~4%)
‣ Most frequent modulus accounted for 1
‣ Second most frequent modulus
accounted for the other 450 APKs
• Highest malicious score seen was
11/52
• Antivirus TrendMicro-HouseCall detected
several variants of the TROJ_GEN.F47V0
• Antivirus VIPRE detected the
Trojan.AndroidOS.Generic.A and
Adware.AndroidOS.RevMob.a
Investigating Android Certificate
Security
Page
Discussion
• Heninger et al. found weaknesses from the generation of
keys on headless or embedded devices, which were
unable to generate enough entropy
• When did 2048-bit became more prevalent than 1024-bit
for encryption?
• Sep-2012 - tipping point from 1024-bit to 2048-bit moduli
Investigating Android Certificate
Security
Page
Takeaway
• Sufficient entropy exists when generating keys used for Android apps
• Certificates commonly reused across applications – and sometimes
developers
‣ RSA certificates – 34% uniqueness
‣ DSA certificates – 30% uniqueness
‣ The top 3 most seen certificates were present in 451
applications that were marked as malicious by
virustotal.com
‣ Trust relationships exist between these applications
‣ If the userid can be mimicked - access eachother’s data
and run in same process
• Half of the security is thus broken
• The Android market is now primarily using 2048-bit [email protected]
23
Investigating Android Certificate
Security