OpenSSL is the most widely used library for SSL/TLS on the Android platform. The security of OpenSSL depends greatly on the unpredictability of its Pseudo Random Number Generator (PRNG). In this paper, we reveal the vulnerability of the OpenSSL PRNG on the Android. We first analyze the architecture of the OpenSSL specific to Android, and the overall operation process of the PRNG from initialization until the session key is generated. Owing to the nature of Android, the Dalvik Virtual Machine in Zygote initializes the states of OpenSSL PRNG early upon booting, and SSL applications copy the PRNG states of Zygote when they start. Therefore, the applications that use OpenSSL generate random data from the same initial states, which is potential problem that may seriously affect the security of Android applications. Next, we investigate the possibility of recovering the initial states of the OpenSSL PRNG. To do so, we should predict the nine external entropy sources of the PRNG. However, we show that these sources can be obtained in practice if the device is fixed. For example, the complexity of the attack was O(2^{32+t}) in our smartphone, where t is the bit complexity for estimating the system boot time. In our experiments, we were able to restore the PRNG states in 74 out of 100 cases. Assuming that we knew the boot time, i.e., t=0, the average time required to restore was 35 min on a PC with four cores (eight threads). Finally, we show that it is possible to recover the PreMasterSecret of the first SSL session with O(2^{58}) computations using the restored PRNG states, if the application is implemented by utilizing org.webkit package and a key exchange scheme is RSA. It shows that the vulnerability of OpenSSL PRNG can be a real threat to the security of Android.
[1]
Hovav Shacham,et al.
When private keys are public: results from the 2008 Debian OpenSSL vulnerability
,
2009,
IMC '09.
[2]
Bernd Freisleben,et al.
Why eve and mallory love android: an analysis of android SSL (in)security
,
2012,
CCS.
[3]
Cédric Lauradoux,et al.
Entropy transfers in the Linux Random Number Generator
,
2012
.
[4]
Vlastimil Klíma,et al.
Attacking RSA-Based Sessions in SSL/TLS
,
2003,
CHES.
[5]
David Brumley,et al.
Remote timing attacks are practical
,
2003,
Comput. Networks.
[6]
Kenneth G. Paterson,et al.
Plaintext-Recovery Attacks Against Datagram TLS
,
2012,
NDSS.
[7]
Vitaly Shmatikov,et al.
The most dangerous code in the world: validating SSL certificates in non-browser software
,
2012,
CCS.
[8]
Renegotiating TLS
,
2009
.
[9]
Hao Zhou,et al.
Transport Layer Security (TLS) Session Resumption without Server-Side State
,
2008,
RFC.
[10]
Eric Wustrow,et al.
Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices
,
2012,
USENIX Security Symposium.
[11]
Serge Vaudenay,et al.
Password Interception in a SSL/TLS Channel
,
2003,
CRYPTO.
[12]
Thomas Ristenpart,et al.
When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography
,
2010,
NDSS.
[13]
Jörg Schwenk,et al.
Lessons Learned From Previous SSL/TLS Attacks - A Brief Chronology Of Attacks And Weaknesses
,
2013,
IACR Cryptol. ePrint Arch..
[14]
Patrick Lacharme,et al.
The Linux Pseudorandom Number Generator Revisited
,
2012,
IACR Cryptol. ePrint Arch..