in Android Certificate Security Professor Patrick McDaniel Daniel - - PowerPoint PPT Presentation

in android certificate security
SMART_READER_LITE
LIVE PREVIEW

in Android Certificate Security Professor Patrick McDaniel Daniel - - PowerPoint PPT Presentation

Jun 28, 2023 163 likes •411 views

Investigating Weaknesses in Android Certificate Security Professor Patrick McDaniel Daniel Krych Fall 2015 Google Play Store Devins App Devins CERT. Devins App App Mallory CERT. CERT. Devin 2 Investigating Android

slide-1
SLIDE 1

Investigating Weaknesses in Android Certificate Security

Professor Patrick McDaniel Daniel Krych Fall 2015

slide-2
SLIDE 2

Page

Devin’s App dek5156@cse.psu.edu

2

Investigating Android Certificate Security

Devin Mallory

Google Play Store

Devin’s App CERT. Devin’s App CERT. CERT.

slide-3
SLIDE 3

Page

Introduction

  • We tested the Google Play Store for certificate

vulnerabilities

  • Sufficient randomness/entropy needed to generate

sufficiently secure key pairs

  • Android app developers are not cryptographers!
  • Lack of entropy  Calculable keys

 Takeover applications

dek5156@cse.psu.edu

3

Investigating Android Certificate Security

slide-4
SLIDE 4

Page

Our Motivation

  • Private keys using RSA/DSA have been recently

computed for a large number of TLS and SSH hosts

  • Quasilinear Greatest Common Divisor Finding

Algorithm

  • Each private key is generated with two very large,

random prime numbers

  • If two different keys share 1 prime number

 Keys can be calculated by finding the GCD

dek5156@cse.psu.edu

4

Investigating Android Certificate Security

slide-5
SLIDE 5

Page

RSA Encryption

  • RSA public keys have two components:
  • Exponent e - can be shared openly
  • Modulus N - can be shared openly
  • N = p*q where p and q are randomly chosen primes
  • z = φ(N) = (p-1)*(q-1) in the case of primes
  • 1 < k < z, where k is prime and a co-prime to z
  • ( k*j )mod z = 1
  • kU = public key = (k, N)
  • kR = private key = (j, N)

5

Encrypt: Pk = EmodN Decrypt: Ej = PmodN * P is the plain message E is encrypted message

slide-6
SLIDE 6

Page

dek5156@cse.psu.edu

6

Investigating Android Certificate Security

App 2

CER T.

App 1

CER T.

Public Modulus 1 Public Modulus 2

+

GCD

B

N1 / B = A N2 / B = C

B A

Public Modulus N1 × Secret

C B

Public Modulus N2 × Secret

slide-7
SLIDE 7

Page

Euclid’s GCD Factoring RSA Example

  • Consider the private key pairs:
  • p1 = 3, q1 = 11 

N1 = p1q1 = 33

  • p2 = 3, q2 = 17 

N2 = p2q2 = 51

  • Find GCD (N1, N2)  GCD (33, 51) = 3 *common prime
  • Now we can determine the other prime factor
  • N1 / 3 = 11 = q1
  • N2 / 3 = 17 = q2
  • Now sign and falsify desired certificate with respective key

pair!

  • This method could find the GCD of two 1024-bit RSA moduli in

15 μs, but this would take roughly 30 years with their data set 7

slide-8
SLIDE 8

Page

Quasilinear GCD Finding Algorithm[1]

8

  • GCD Quasilinear

Finding Algorithm based

  • ff of D.J. Bernstein[4]

and the Euclidian Algorithm

  • If one prime factor is

shared (p or q) between two moduli, public keys appear distinct, but private keys are computable by finding the GCD of the two moduli

slide-9
SLIDE 9

Page

RSA/DSA Encryption

  • Encryption requires sufficient

randomness

  • Lack of randomness = weak keys
  • Encryption would then be broken

dek5156@cse.psu.edu

9

Investigating Android Certificate Security

slide-10
SLIDE 10

Page

Our Dataset

  • 571,431 Android applications
  • 551,553 use RSA
  • 19,878 use DSA
  • Dataset compiled in 2013
  • 60% of the applications available on the market in

2013

dek5156@cse.psu.edu

10

Investigating Android Certificate Security

slide-11
SLIDE 11

Page

Methodology: RSA Certificates

  • Quasilinear-time GCD finding algorithm
  • Openssl used to extract moduli from certificates
  • Moduli sorted according to bit-size
  • 99.8% of certificates signed with keys using 1024-bit or

2048-bit encryption

dek5156@cse.psu.edu

11

Investigating Android Certificate Security

slide-12
SLIDE 12

Page

Methodology: DSA Certificates

  • DSA signature also consists of two large, random

prime numbers

  • Similar to RSA
  • A Quick Investigation:
  • If different DSA signatures share either an r or

s value, the shared values lead to a calculable private key.

dek5156@cse.psu.edu

12

Investigating Android Certificate Security

slide-13
SLIDE 13

Page

Python OpenSSL Parsing Scripts

13

  • Our scripts’ moduli pull
  • openssl pkcs7 –print_certs

certificate information

slide-14
SLIDE 14

Page

dek5156@cse.psu.edu

14

slide-15
SLIDE 15

Page

RSA Certificates

Bit-Size Moduli Count Unique Moduli

512-bit 4 75.00% 1024-bit 348484 33.90% 2048-bit 202042 34.28% 4096-bit 826 34.14% 8192-bit 52 34.62% 16384-bit 2 50.00% Other 142 38.73%

dek5156@cse.psu.edu

15

Investigating Android Certificate Security

slide-16
SLIDE 16

Page

Methodology: Certificate Reuse

  • Every certificate with a matching modulus was

identical

  • all APKs had different md5sums
  • Some apps had multiple versions in dataset
  • Top certificate found 4,515 times
  • Belonged to an app creating website – no coding

required

  • How much reuse?

dek5156@cse.psu.edu

16

Investigating Android Certificate Security

slide-17
SLIDE 17

Page

Methodology: Certificate Reuse

slide-18
SLIDE 18

Page

Results

RSA

  • No vulnerabilities found using the Quasilinear GCD

Alg.

  • The entropy pool contains enough randomness and

the keys are unbiased - no shared primes

  • 34% RSA certificate uniqueness

DSA

  • No keys were found to be weak - no shared primes
  • 30% DSA certificate uniqueness

dek5156@cse.psu.edu

18

Investigating Android Certificate Security

slide-19
SLIDE 19

Page

Results: Certificate Reuse

  • Trust relationship between applications sharing a certificate and

userid

  • Can access eachother’s data and run in same process
  • Roughly 1/3 of Certificates were unique!
  • App creating sites using a few certificates for thousands of

customers

  • Top 3 RSA certificates account for 11,438 different APKs
  • Using virustotal.com determined the malicious rating of these

applications through the use of multiple antiviruses.

  • 71% of these 11,438 APKs had been analyzed by them

dek5156@cse.psu.edu

19

Investigating Android Certificate Security

slide-20
SLIDE 20

Page

Results: Certificate Reuse

  • 451 APKs were marked as malicious by 2
  • r more antivirus softwares (~4%)
  • Most frequent modulus accounted for 1
  • Second most frequent modulus

accounted for the other 450 APKs

  • Highest malicious score seen was

11/52

  • Antivirus TrendMicro-HouseCall detected

several variants of the TROJ_GEN.F47V0

  • Antivirus VIPRE detected the

Trojan.AndroidOS.Generic.A and Adware.AndroidOS.RevMob.a

dek5156@cse.psu.edu

20

Investigating Android Certificate Security

slide-21
SLIDE 21

Page

Discussion

  • Heninger et al. found weaknesses from the generation of

keys on headless or embedded devices, which were unable to generate enough entropy

  • When did 2048-bit became more prevalent than 1024-bit

for encryption?

  • Sep-2012 - tipping point from 1024-bit to 2048-bit moduli

dek5156@cse.psu.edu

21

Investigating Android Certificate Security

slide-22
SLIDE 22

Page

Discussion

dek5156@cse.psu.edu

22

Investigating Android Certificate Security

slide-23
SLIDE 23

Page

Takeaway

  • Sufficient entropy exists when generating keys used for Android apps
  • Certificates commonly reused across applications – and sometimes

developers

  • RSA certificates – 34% uniqueness
  • DSA certificates – 30% uniqueness
  • The top 3 most seen certificates were present in 451

applications that were marked as malicious by virustotal.com

  • Trust relationships exist between these applications
  • If the userid can be mimicked - access eachother’s data

and run in same process

  • Half of the security is thus broken
  • The Android market is now primarily using 2048-bit encryption

dek5156@cse.psu.edu

23

Investigating Android Certificate Security