in android certificate security
play

in Android Certificate Security Professor Patrick McDaniel Daniel - PowerPoint PPT Presentation

Investigating Weaknesses in Android Certificate Security Professor Patrick McDaniel Daniel Krych Fall 2015 Google Play Store Devins App Devins CERT. Devins App App Mallory CERT. CERT. Devin 2 Investigating Android


  1. Investigating Weaknesses in Android Certificate Security Professor Patrick McDaniel Daniel Krych Fall 2015

  2. Google Play Store Devin’s App Devin’s CERT. Devin’s App App Mallory CERT. CERT. Devin 2 Investigating Android Certificate dek5156@cse.psu.edu Security Page

  3. Introduction • We tested the Google Play Store for certificate vulnerabilities • Sufficient randomness/entropy needed to generate sufficiently secure key pairs • Android app developers are not cryptographers! • Lack of entropy  Calculable keys  Takeover applications 3 Investigating Android Certificate dek5156@cse.psu.edu Security Page

  4. Our Motivation • Private keys using RSA/DSA have been recently computed for a large number of TLS and SSH hosts • Quasilinear Greatest Common Divisor Finding Algorithm • Each private key is generated with two very large, random prime numbers • If two different keys share 1 prime number  Keys can be calculated by finding the GCD Investigating Android Certificate dek5156@cse.psu.edu Security 4 Page

  5. RSA Encryption • RSA public keys have two components: ‣ Exponent e - can be shared openly ‣ Modulus N - can be shared openly • N = p * q where p and q are randomly chosen primes • z = φ ( N ) = ( p -1)*( q -1) in the case of primes • 1 < k < z , where k is prime and a co-prime to z • ( k * j )mod z = 1 Encrypt : P k = Emod N Decrypt : E j = Pmod N • k U = public key = ( k , N ) * P is the plain message • k R = private key = ( j , N ) E is encrypted message 5 Page

  6. Public Modulus Public Modulus N1 N2 Public Modulus A B B C × × 1 + Public Modulus 2 GCD Secret Secret App 1 App 2 CER CER B T . T . N2 / B = C N1 / B = A Investigating Android Certificate dek5156@cse.psu.edu Security 6 Page

  7. Euclid’s GCD Factoring RSA Example • Consider the private key pairs: ‣ p 1 = 3, q 1 = 11  N 1 = p 1  q 1 = 33 ‣ p 2 = 3, q 2 = 17  N 2 = p 2  q 2 = 51 ‣ Find GCD (N 1, N 2 )  GCD (33, 51) = 3 *common prime • Now we can determine the other prime factor ‣ N 1 / 3 = 11 = q 1 ‣ N 2 / 3 = 17 = q 2 • Now sign and falsify desired certificate with respective key pair! • This method could find the GCD of two 1024-bit RSA moduli in 15 μ s, but this would take roughly 30 years with their data set 7 Page

  8. Quasilinear GCD Finding Algorithm[1] • GCD Quasilinear Finding Algorithm based off of D.J. Bernstein[4] and the Euclidian Algorithm • If one prime factor is shared ( p or q ) between two moduli, public keys appear distinct, but private keys are computable by finding the GCD of the two moduli 8 Page

  9. RSA/DSA Encryption • Encryption requires sufficient randomness • Lack of randomness = weak keys • Encryption would then be broken Investigating Android Certificate dek5156@cse.psu.edu Security 9 Page

  10. Our Dataset • 571,431 Android applications ‣ 551,553 use RSA ‣ 19,878 use DSA • Dataset compiled in 2013 • 60% of the applications available on the market in 2013 Investigating Android Certificate dek5156@cse.psu.edu Security 10 Page

  11. Methodology: RSA Certificates • Quasilinear-time GCD finding algorithm • Openssl used to extract moduli from certificates • Moduli sorted according to bit-size • 99.8% of certificates signed with keys using 1024-bit or 2048-bit encryption Investigating Android Certificate dek5156@cse.psu.edu Security 11 Page

  12. Methodology: DSA Certificates • DSA signature also consists of two large, random prime numbers ‣ Similar to RSA • A Quick Investigation: ‣ If different DSA signatures share either an r or s value, the shared values lead to a calculable private key. Investigating Android Certificate dek5156@cse.psu.edu Security 12 Page

  13. Python OpenSSL Parsing Scripts • Our scripts’ moduli pull • openssl pkcs7 – print_certs certificate information 13 Page

  14. dek5156@cse.psu.edu 14 Page

  15. RSA Certificates Bit-Size Moduli Count Unique Moduli 512-bit 4 75.00% 1024-bit 348484 33.90% 2048-bit 202042 34.28% 4096-bit 826 34.14% 8192-bit 52 34.62% 16384-bit 2 50.00% Other 142 38.73% Investigating Android Certificate dek5156@cse.psu.edu Security 15 Page

  16. Methodology: Certificate Reuse • Every certificate with a matching modulus was identical ‣ all APKs had different md5sums ‣ Some apps had multiple versions in dataset • Top certificate found 4,515 times ‣ Belonged to an app creating website – no coding required Investigating Android Certificate dek5156@cse.psu.edu Security • How much reuse? 16 Page

  17. Methodology: Certificate Reuse Page

  18. Results RSA • No vulnerabilities found using the Quasilinear GCD Alg. • The entropy pool contains enough randomness and the keys are unbiased - no shared primes • 34% RSA certificate uniqueness DSA • No keys were found to be weak - no shared primes • 30% DSA certificate uniqueness Investigating Android Certificate dek5156@cse.psu.edu Security 18 Page

  19. Results: Certificate Reuse • Trust relationship between applications sharing a certificate and userid ‣ Can access eachother’s data and run in same process • Roughly 1/3 of Certificates were unique! ‣ App creating sites using a few certificates for thousands of customers • Top 3 RSA certificates account for 11,438 different APKs • Using virustotal.com determined the malicious rating of these applications through the use of multiple antiviruses. ‣ 71% of these 11,438 APKs had been analyzed by them Investigating Android Certificate dek5156@cse.psu.edu Security 19 Page

  20. Results: Certificate Reuse • 451 APKs were marked as malicious by 2 or more antivirus softwares (~4%) ‣ Most frequent modulus accounted for 1 ‣ Second most frequent modulus accounted for the other 450 APKs • Highest malicious score seen was 11/52 • Antivirus TrendMicro-HouseCall detected several variants of the TROJ_GEN.F47V0 Antivirus VIPRE detected the • Trojan.AndroidOS.Generic.A and Adware.AndroidOS.RevMob.a Investigating Android Certificate dek5156@cse.psu.edu Security 20 Page

  21. Discussion • Heninger et al. found weaknesses from the generation of keys on headless or embedded devices, which were unable to generate enough entropy • When did 2048-bit became more prevalent than 1024-bit for encryption? • Sep-2012 - tipping point from 1024-bit to 2048-bit moduli Investigating Android Certificate dek5156@cse.psu.edu Security 21 Page

  22. Discussion Investigating Android Certificate dek5156@cse.psu.edu Security 22 Page

  23. Takeaway • Sufficient entropy exists when generating keys used for Android apps Certificates commonly reused across applications – and sometimes • developers ‣ RSA certificates – 34% uniqueness ‣ DSA certificates – 30% uniqueness ‣ The top 3 most seen certificates were present in 451 applications that were marked as malicious by virustotal.com ‣ Trust relationships exist between these applications ‣ If the userid can be mimicked - access eachother’s data and run in same process • Half of the security is thus broken Investigating Android Certificate dek5156@cse.psu.edu Security • The Android market is now primarily using 2048-bit encryption 23 Page

Recommend


More recommend