Investigating Weaknesses in Android Certificate Security Professor Patrick McDaniel Daniel Krych Fall 2015


Post on 07-Jul-2020


Page 1: Investigating Weaknesses in Android Certificate Securitypdm12/cse597g-f15/slides/cse597g-android-certs.pdfPage Devin’s App dek5156@cse.psu.edu 2 Investigating Android Certificate

Investigating Weaknesses in Android Certificate Security

Professor Patrick McDaniel

Daniel Krych

Fall 2015


[Diagram with labels: Devin, Mallory, Google Play Store, Devin’s App, CERT.]


Introduction

• We tested the Google Play Store for certificate vulnerabilities
• Sufficient randomness/entropy needed to generate sufficiently secure key pairs
• Android app developers are not cryptographers!
• Lack of entropy → Calculable keys → Takeover applications


Our Motivation

• Private keys using RSA/DSA have been recently computed for a large number of TLS and SSH hosts
• Quasilinear Greatest Common Divisor Finding Algorithm
• Each private key is generated with two very large, random prime numbers
• If two different keys share 1 prime number → Keys can be calculated by finding the GCD


RSA Encryption

• RSA public keys have two components:
‣ Exponent e - can be shared openly
‣ Modulus N - can be shared openly
• N = p*q where p and q are randomly chosen primes
• z = φ(N) = (p-1)*(q-1) in the case of primes
• 1 < k < z, where k is prime and co-prime to z
• (k*j) mod z = 1
• kU = public key = (k, N)
• kR = private key = (j, N)

Encrypt: P^k = E mod N
Decrypt: E^j = P mod N
* P is the plain message, E is the encrypted message


[Diagram: the public moduli taken from the certificates of App 1 and App 2 are fed into a GCD computation that yields B; N1 / B = A and N2 / B = C, so public modulus N1 = B × A and public modulus N2 = C × B, with the factors secret.]


Euclid’s GCD Factoring RSA Example

• Consider the private key pairs:
‣ p1 = 3, q1 = 11 → N1 = p1q1 = 33
‣ p2 = 3, q2 = 17 → N2 = p2q2 = 51
‣ Find GCD(N1, N2): GCD(33, 51) = 3 (*common prime)
• Now we can determine the other prime factor
‣ N1 / 3 = 11 = q1
‣ N2 / 3 = 17 = q2
• Now sign and falsify desired certificate with respective key pair!
• This method could find the GCD of two 1024-bit RSA moduli in 15 μs, but doing this pairwise would take roughly 30 years with their data set


Quasilinear GCD Finding Algorithm[1]

• Quasilinear GCD Finding Algorithm based on D.J. Bernstein[4] and the Euclidean Algorithm
• If one prime factor is shared (p or q) between two moduli, public keys appear distinct, but private keys are computable by finding the GCD of the two moduli


RSA/DSA Encryption

• Encryption requires sufficient randomness
• Lack of randomness = weak keys
• Encryption would then be broken


Our Dataset

• 571,431 Android applications
‣ 551,553 use RSA
‣ 19,878 use DSA
• Dataset compiled in 2013
• 60% of the applications available on the market in 2013


Methodology: RSA Certificates

• Quasilinear-time GCD finding algorithm
• OpenSSL used to extract moduli from certificates
• Moduli sorted according to bit-size
• 99.8% of certificates signed with keys using 1024-bit or 2048-bit encryption
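
Added example, not part of the original slides: the two steps of this methodology joined together, with moduli in the hex form printed by `openssl x509 -noout -modulus` fed into a batch GCD built from a product tree and a remainder tree, the usual way to get a quasilinear all-pairs GCD. The sample lines, APK names and function names are constructed (0x21 = 33 and 0x33 = 51 are the toy moduli from the Euclid example), and that the authors' scripts were structured this way is an assumption.

```python
from math import gcd, prod

# Constructed sample: "<apk> Modulus=<hex>", the hex form printed by
# `openssl x509 -noout -modulus`. 0x21 = 33 and 0x33 = 51 are the slides' toy moduli.
SAMPLE = """\
app-a.apk Modulus=21
app-b.apk Modulus=33
app-c.apk Modulus=23
app-d.apk Modulus=F7
app-e.apk Modulus=23
"""

def parse(text):
    """Group APK names by modulus value (identical modulus = reused key)."""
    apps = {}
    for line in text.splitlines():
        name, _, hexmod = line.partition(" Modulus=")
        if hexmod:
            apps.setdefault(int(hexmod, 16), []).append(name)
    return apps

def batch_gcd(moduli):
    """Return gcd(N_i, product of all other N_j) for every N_i."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:                      # product tree, leaves upward
        cur = levels[-1]
        levels.append([prod(cur[i:i + 2]) for i in range(0, len(cur), 2)])
    rems = levels.pop()                             # root: product P of all moduli
    while levels:                                   # remainder tree, root downward
        cur = levels.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(cur)]
    # (P mod N_i^2) // N_i is congruent to P / N_i modulo N_i
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(text):
    """Flag distinct moduli that share a prime; report key reuse separately."""
    apps = parse(text)
    distinct = sorted(apps)   # dedupe first: a repeated modulus would give gcd = N
    report = {}
    for n, g in zip(distinct, batch_gcd(distinct)):
        report[n] = {"apps": apps[n], "reused": len(apps[n]) > 1, "shares_prime": g != 1}
    return report

if __name__ == "__main__":
    for n, info in audit(SAMPLE).items():
        print(n, info)
```

Identical moduli are collapsed before the GCD pass because a repeated modulus would otherwise return gcd = N and be misread as a shared prime.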


Methodology: DSA Certificates

• DSA signature also consists of two large, random prime numbers
‣ Similar to RSA
• A Quick Investigation:
‣ If different DSA signatures share either an r or s value, the shared values lead to a calculable private key.


Python OpenSSL Parsing Scripts

• Our scripts’ moduli pull
• openssl pkcs7 -print_certs certificate information


RSA Certificates

Bit-Size     Moduli Count   Unique Moduli
512-bit      4              75.00%
1024-bit     348484         33.90%
2048-bit     202042         34.28%
4096-bit     826            34.14%
8192-bit     52             34.62%
16384-bit    2              50.00%
Other        142            38.73%


Methodology: Certificate Reuse

• Every certificate with a matching modulus was identical
‣ all APKs had different md5sums
‣ Some apps had multiple versions in dataset
• Top certificate found 4,515 times
‣ Belonged to an app creating website – no coding required
• How much


Results

RSA
• No vulnerabilities found using the Quasilinear GCD algorithm
• The entropy pool contains enough randomness and the keys are unbiased - no shared primes
• 34% RSA certificate uniqueness

DSA
• No keys were found to be weak - no shared primes
• 30% DSA certificate uniqueness


Results: Certificate Reuse

• Trust relationship between applications sharing a certificate and userid
‣ Can access each other’s data and run in same process
• Roughly 1/3 of Certificates were unique!
‣ App creating sites using a few certificates for thousands of customers
• Top 3 RSA certificates account for 11,438 different APKs
• Using virustotal.com, we determined the malicious rating of these applications through the use of multiple antiviruses.
‣ 71% of these 11,438 APKs had been analyzed by them


Results: Certificate Reuse

• 451 APKs were marked as malicious by 2 or more antivirus products (~4%)
‣ Most frequent modulus accounted for 1
‣ Second most frequent modulus accounted for the other 450 APKs
• Highest malicious score seen was 11/52
• Antivirus TrendMicro-HouseCall detected several variants of TROJ_GEN.F47V0
• Antivirus VIPRE detected Trojan.AndroidOS.Generic.A and Adware.AndroidOS.RevMob.a


Discussion

• Heninger et al. found weaknesses from the generation of keys on headless or embedded devices, which were unable to generate enough entropy
• When did 2048-bit become more prevalent than 1024-bit for encryption?
• Sep-2012 - tipping point from 1024-bit to 2048-bit moduli


Takeaway

• Sufficient entropy exists when generating keys used for Android apps
• Certificates commonly reused across applications – and sometimes developers
‣ RSA certificates – 34% uniqueness
‣ DSA certificates – 30% uniqueness
‣ The top 3 most seen certificates were present in 451 applications that were marked as malicious by virustotal.com
‣ Trust relationships exist between these applications
‣ If the userid can be mimicked - access each other’s data and run in same process
• Half of the security is thus broken
• The Android market is now primarily using 2048-bit
