Investigating Weaknesses in Android Certificate Security Professor Patrick McDaniel Daniel Krych Fall 2015
Google Play Store Devin’s App Devin’s CERT. Devin’s App App Mallory CERT. CERT. Devin 2 Investigating Android Certificate dek5156@cse.psu.edu Security Page
Introduction • We tested the Google Play Store for certificate vulnerabilities • Sufficient randomness/entropy needed to generate sufficiently secure key pairs • Android app developers are not cryptographers! • Lack of entropy Calculable keys Takeover applications 3 Investigating Android Certificate dek5156@cse.psu.edu Security Page
Our Motivation • Private keys using RSA/DSA have been recently computed for a large number of TLS and SSH hosts • Quasilinear Greatest Common Divisor Finding Algorithm • Each private key is generated with two very large, random prime numbers • If two different keys share 1 prime number Keys can be calculated by finding the GCD Investigating Android Certificate dek5156@cse.psu.edu Security 4 Page
RSA Encryption • RSA public keys have two components: ‣ Exponent e - can be shared openly ‣ Modulus N - can be shared openly • N = p * q where p and q are randomly chosen primes • z = φ ( N ) = ( p -1)*( q -1) in the case of primes • 1 < k < z , where k is prime and a co-prime to z • ( k * j )mod z = 1 Encrypt : P k = Emod N Decrypt : E j = Pmod N • k U = public key = ( k , N ) * P is the plain message • k R = private key = ( j , N ) E is encrypted message 5 Page
Public Modulus Public Modulus N1 N2 Public Modulus A B B C × × 1 + Public Modulus 2 GCD Secret Secret App 1 App 2 CER CER B T . T . N2 / B = C N1 / B = A Investigating Android Certificate dek5156@cse.psu.edu Security 6 Page
Euclid’s GCD Factoring RSA Example • Consider the private key pairs: ‣ p 1 = 3, q 1 = 11 N 1 = p 1 q 1 = 33 ‣ p 2 = 3, q 2 = 17 N 2 = p 2 q 2 = 51 ‣ Find GCD (N 1, N 2 ) GCD (33, 51) = 3 *common prime • Now we can determine the other prime factor ‣ N 1 / 3 = 11 = q 1 ‣ N 2 / 3 = 17 = q 2 • Now sign and falsify desired certificate with respective key pair! • This method could find the GCD of two 1024-bit RSA moduli in 15 μ s, but this would take roughly 30 years with their data set 7 Page
Quasilinear GCD Finding Algorithm[1] • GCD Quasilinear Finding Algorithm based off of D.J. Bernstein[4] and the Euclidian Algorithm • If one prime factor is shared ( p or q ) between two moduli, public keys appear distinct, but private keys are computable by finding the GCD of the two moduli 8 Page
RSA/DSA Encryption • Encryption requires sufficient randomness • Lack of randomness = weak keys • Encryption would then be broken Investigating Android Certificate dek5156@cse.psu.edu Security 9 Page
Our Dataset • 571,431 Android applications ‣ 551,553 use RSA ‣ 19,878 use DSA • Dataset compiled in 2013 • 60% of the applications available on the market in 2013 Investigating Android Certificate dek5156@cse.psu.edu Security 10 Page
Methodology: RSA Certificates • Quasilinear-time GCD finding algorithm • Openssl used to extract moduli from certificates • Moduli sorted according to bit-size • 99.8% of certificates signed with keys using 1024-bit or 2048-bit encryption Investigating Android Certificate dek5156@cse.psu.edu Security 11 Page
Methodology: DSA Certificates • DSA signature also consists of two large, random prime numbers ‣ Similar to RSA • A Quick Investigation: ‣ If different DSA signatures share either an r or s value, the shared values lead to a calculable private key. Investigating Android Certificate dek5156@cse.psu.edu Security 12 Page
Python OpenSSL Parsing Scripts • Our scripts’ moduli pull • openssl pkcs7 – print_certs certificate information 13 Page
dek5156@cse.psu.edu 14 Page
RSA Certificates Bit-Size Moduli Count Unique Moduli 512-bit 4 75.00% 1024-bit 348484 33.90% 2048-bit 202042 34.28% 4096-bit 826 34.14% 8192-bit 52 34.62% 16384-bit 2 50.00% Other 142 38.73% Investigating Android Certificate dek5156@cse.psu.edu Security 15 Page
Methodology: Certificate Reuse • Every certificate with a matching modulus was identical ‣ all APKs had different md5sums ‣ Some apps had multiple versions in dataset • Top certificate found 4,515 times ‣ Belonged to an app creating website – no coding required Investigating Android Certificate dek5156@cse.psu.edu Security • How much reuse? 16 Page
Methodology: Certificate Reuse Page
Results RSA • No vulnerabilities found using the Quasilinear GCD Alg. • The entropy pool contains enough randomness and the keys are unbiased - no shared primes • 34% RSA certificate uniqueness DSA • No keys were found to be weak - no shared primes • 30% DSA certificate uniqueness Investigating Android Certificate dek5156@cse.psu.edu Security 18 Page
Results: Certificate Reuse • Trust relationship between applications sharing a certificate and userid ‣ Can access eachother’s data and run in same process • Roughly 1/3 of Certificates were unique! ‣ App creating sites using a few certificates for thousands of customers • Top 3 RSA certificates account for 11,438 different APKs • Using virustotal.com determined the malicious rating of these applications through the use of multiple antiviruses. ‣ 71% of these 11,438 APKs had been analyzed by them Investigating Android Certificate dek5156@cse.psu.edu Security 19 Page
Results: Certificate Reuse • 451 APKs were marked as malicious by 2 or more antivirus softwares (~4%) ‣ Most frequent modulus accounted for 1 ‣ Second most frequent modulus accounted for the other 450 APKs • Highest malicious score seen was 11/52 • Antivirus TrendMicro-HouseCall detected several variants of the TROJ_GEN.F47V0 Antivirus VIPRE detected the • Trojan.AndroidOS.Generic.A and Adware.AndroidOS.RevMob.a Investigating Android Certificate dek5156@cse.psu.edu Security 20 Page
Discussion • Heninger et al. found weaknesses from the generation of keys on headless or embedded devices, which were unable to generate enough entropy • When did 2048-bit became more prevalent than 1024-bit for encryption? • Sep-2012 - tipping point from 1024-bit to 2048-bit moduli Investigating Android Certificate dek5156@cse.psu.edu Security 21 Page
Discussion Investigating Android Certificate dek5156@cse.psu.edu Security 22 Page
Takeaway • Sufficient entropy exists when generating keys used for Android apps Certificates commonly reused across applications – and sometimes • developers ‣ RSA certificates – 34% uniqueness ‣ DSA certificates – 30% uniqueness ‣ The top 3 most seen certificates were present in 451 applications that were marked as malicious by virustotal.com ‣ Trust relationships exist between these applications ‣ If the userid can be mimicked - access eachother’s data and run in same process • Half of the security is thus broken Investigating Android Certificate dek5156@cse.psu.edu Security • The Android market is now primarily using 2048-bit encryption 23 Page
Recommend
More recommend