Investigating Weaknesses in Android Certificate Security Professor Patrick McDaniel Daniel Krych Fall 2015
Jul 07, 2020
Investigating Weaknesses
in Android Certificate
Security
Professor Patrick McDaniel
Daniel Krych
Fall 2015
Page
Devin’s
App
[email protected] Investigating Android Certificate
Security
Devin
Mallory
Google Play Store
Devin’s
App
CERT.
Devin’s
App
CERT.
CERT.
Page
Introduction
• We tested the Google Play Store for certificate
vulnerabilities
• Sufficient randomness/entropy needed to generate
sufficiently secure key pairs
• Android app developers are not cryptographers!
• Lack of entropy Calculable keys
Takeover applications
[email protected] Investigating Android Certificate
Security
Page
Our Motivation
• Private keys using RSA/DSA have been recently
computed for a large number of TLS and SSH hosts
• Quasilinear Greatest Common Divisor Finding
Algorithm
• Each private key is generated with two very large,
random prime numbers
• If two different keys share 1 prime number
Keys can be calculated by finding the GCD
Investigating Android Certificate
Security
Page
RSA Encryption
• RSA public keys have two components:
‣ Exponent e - can be shared openly
‣ Modulus N - can be shared openly
• N = p*q where p and q are randomly chosen primes
• z = φ(N) = (p-1)*(q-1) in the case of primes
• 1 < k < z, where k is prime and a co-prime to z
• ( k*j )mod z = 1
• kU = public key = (k, N)
• kR = private key = (j, N)
5
Encrypt: Pk = EmodN
Decrypt: Ej = PmodN
* P is the plain message
E is encrypted
message
Page
Investigating Android Certificate
Security
App 2CER
T.
App 1CER
T.
Public Modulus
1
Public Modulus
2
+
GCD
B
N1 / B = A N2 / B = C
BA
Public Modulus
N1
×
Secret
CB
Public Modulus
N2
×
Secret
Page
Euclid’s GCD Factoring RSA
Example• Consider the private key pairs:
‣ p1 = 3, q1 = 11 N1 = p1q1 = 33
‣ p2 = 3, q2 = 17 N2 = p2q2 = 51
‣ Find GCD (N1, N2) GCD (33, 51) = 3 *common prime
• Now we can determine the other prime factor
‣ N1 / 3 = 11 = q1
‣ N2 / 3 = 17 = q2
• Now sign and falsify desired certificate with respective key
pair!
• This method could find the GCD of two 1024-bit RSA moduli in
15 μs, but this would take roughly 30 years with their data set7
Page
Quasilinear GCD Finding
Algorithm[1]
8
• GCD Quasilinear
Finding Algorithm based
off of D.J. Bernstein[4]
and the Euclidian
Algorithm
• If one prime factor is
shared (p or q) between
two moduli, public keys
appear distinct, but
private keys are
computable by finding
the GCD of the two
moduli
Page
RSA/DSA Encryption
• Encryption requires sufficient
randomness
• Lack of randomness = weak keys
• Encryption would then be broken
Investigating Android Certificate
Security
Page
Our Dataset
• 571,431 Android applications
‣ 551,553 use RSA
‣ 19,878 use DSA
• Dataset compiled in 2013
• 60% of the applications available on the market in
2013
Investigating Android Certificate
Security
Page
Methodology: RSA
Certificates
• Quasilinear-time GCD finding algorithm
• Openssl used to extract moduli from certificates
• Moduli sorted according to bit-size
• 99.8% of certificates signed with keys using 1024-bit or
2048-bit encryption
Investigating Android Certificate
Security
Page
Methodology: DSA
Certificates
• DSA signature also consists of two large, random
prime numbers
‣ Similar to RSA
• A Quick Investigation:
‣ If different DSA signatures share either an r or
s value, the shared values lead to a calculable
private key.
Investigating Android Certificate
Security
Page
Python OpenSSL Parsing
Scripts
13
• Our scripts’ moduli pull
• openssl pkcs7 –print_certs
certificate information
Page
Page
RSA Certificates
Bit-Size Moduli Count Unique Moduli
512-bit 4 75.00%
1024-bit 348484 33.90%
2048-bit 202042 34.28%
4096-bit 826 34.14%
8192-bit 52 34.62%
16384-bit 2 50.00%
Other 142 38.73%
Investigating Android Certificate
Security
Page
Methodology: Certificate
Reuse
• Every certificate with a matching modulus was
identical
‣ all APKs had different md5sums
‣ Some apps had multiple versions in dataset
• Top certificate found 4,515 times
‣ Belonged to an app creating website – no coding
required
• How much [email protected]
16
Investigating Android Certificate
Security
Page
Methodology: Certificate
Reuse
Page
Results
RSA
• No vulnerabilities found using the Quasilinear GCD
Alg.
• The entropy pool contains enough randomness and
the keys are unbiased - no shared primes
• 34% RSA certificate uniqueness
DSA
• No keys were found to be weak - no shared primes
• 30% DSA certificate [email protected]
18
Investigating Android Certificate
Security
Page
Results: Certificate Reuse
• Trust relationship between applications sharing a certificate and
userid
‣ Can access eachother’s data and run in same process
• Roughly 1/3 of Certificates were unique!
‣ App creating sites using a few certificates for thousands of
customers
• Top 3 RSA certificates account for 11,438 different APKs
• Using virustotal.com determined the malicious rating of these
applications through the use of multiple antiviruses.
‣ 71% of these 11,438 APKs had been analyzed by them
Investigating Android Certificate
Security
Page
Results: Certificate Reuse
• 451 APKs were marked as malicious by 2
or more antivirus softwares (~4%)
‣ Most frequent modulus accounted for 1
‣ Second most frequent modulus
accounted for the other 450 APKs
• Highest malicious score seen was
11/52
• Antivirus TrendMicro-HouseCall detected
several variants of the TROJ_GEN.F47V0
• Antivirus VIPRE detected the
Trojan.AndroidOS.Generic.A and
Adware.AndroidOS.RevMob.a
Investigating Android Certificate
Security
Page
Discussion
• Heninger et al. found weaknesses from the generation of
keys on headless or embedded devices, which were
unable to generate enough entropy
• When did 2048-bit became more prevalent than 1024-bit
for encryption?
• Sep-2012 - tipping point from 1024-bit to 2048-bit moduli
Investigating Android Certificate
Security
Page
Takeaway
• Sufficient entropy exists when generating keys used for Android apps
• Certificates commonly reused across applications – and sometimes
developers
‣ RSA certificates – 34% uniqueness
‣ DSA certificates – 30% uniqueness
‣ The top 3 most seen certificates were present in 451
applications that were marked as malicious by
virustotal.com
‣ Trust relationships exist between these applications
‣ If the userid can be mimicked - access eachother’s data
and run in same process
• Half of the security is thus broken
• The Android market is now primarily using 2048-bit [email protected]
23
Investigating Android Certificate
Security