DOI: 10.1145/2508859.2516706

Predictability of Android OpenSSL's pseudo random number generator

Published: 04 November 2013

Abstract

OpenSSL is the most widely used library for SSL/TLS on the Android platform. The security of OpenSSL depends greatly on the unpredictability of its Pseudo Random Number Generator (PRNG). In this paper, we reveal a vulnerability of the OpenSSL PRNG on Android. We first analyze the Android-specific architecture of OpenSSL and the overall operation of the PRNG from initialization until the session key is generated. Owing to the nature of Android, the Dalvik Virtual Machine in Zygote initializes the state of the OpenSSL PRNG early during boot, and SSL applications copy Zygote's PRNG state when they start. Therefore, all applications that use OpenSSL generate random data from the same initial state, which is a potential problem that may seriously affect the security of Android applications. Next, we investigate the possibility of recovering the initial state of the OpenSSL PRNG. To do so, we must predict the nine external entropy sources of the PRNG. We show that these sources can be obtained in practice if the device is fixed. For example, the complexity of the attack was O(2^{32+t}) on our smartphone, where t is the bit complexity of estimating the system boot time. In our experiments, we were able to restore the PRNG state in 74 out of 100 cases. Assuming that we knew the boot time, i.e., t=0, the average time required for restoration was 35 min on a PC with four cores (eight threads). Finally, we show that it is possible to recover the PreMasterSecret of the first SSL session with O(2^{58}) computations using the restored PRNG state, if the application is implemented using the org.webkit package and the key exchange scheme is RSA. This shows that the vulnerability of the OpenSSL PRNG can be a real threat to the security of Android.
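The Zygote fork-and-copy behaviour the abstract describes, as an added Python model that is not the paper's or OpenSSL's code: a toy hash-based PRNG is seeded once in the "zygote", apps are spawned by copying its state and so draw identical key material, while the reseeded variant shows the mitigation. ToyPrng, boot_zygote, spawn_app and the entropy inputs are constructed assumptions, not Android's real seeding code.

```python
import copy
import hashlib
import hmac
import os


class ToyPrng:
    """Hash-based stand-in for OpenSSL's PRNG: output is a deterministic
    function of the state, so two processes with equal state emit equal bytes."""

    def __init__(self):
        self.state = b"\x00" * 32
        self.counter = 0

    def add_entropy(self, data: bytes) -> None:
        # Mixing is deterministic: same inputs in the same order give the same
        # state, which is why guessable entropy sources matter.
        self.state = hmac.new(self.state, data, hashlib.sha256).digest()

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            self.state = hashlib.sha256(self.state + self.counter.to_bytes(8, "big")).digest()
            out += self.state
        return out[:n]


def boot_zygote(sources) -> ToyPrng:
    """Model of Zygote seeding the PRNG once at boot from a few system values;
    the inputs are constructed placeholders, not Android's real seeding code."""
    prng = ToyPrng()
    for src in sources:
        prng.add_entropy(src)
    return prng


def spawn_app(zygote: ToyPrng, reseed: bool) -> ToyPrng:
    """Model of forking an app from Zygote: the child inherits a copy of the
    PRNG state. reseed=True mixes in fresh kernel randomness (the mitigation)."""
    child = copy.deepcopy(zygote)
    if reseed:
        child.add_entropy(os.urandom(32))
    return child


def demo_shared_state() -> tuple:
    """Returns (equal_output_without_reseed, equal_output_with_reseed)."""
    # Constructed seed inputs: a fake boot time, pid and build id.
    zygote = boot_zygote([(1383523200).to_bytes(8, "big"), b"pid-123", b"build-id"])
    a, b = spawn_app(zygote, False), spawn_app(zygote, False)
    c, d = spawn_app(zygote, True), spawn_app(zygote, True)
    return a.generate(48) == b.generate(48), c.generate(48) == d.generate(48)
```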




Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013, 1530 pages
ISBN: 9781450324779
DOI: 10.1145/2508859

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

1. android
2. entropy
3. openssl
4. pseudo random number generator
5. ssl/tls

Qualifiers

• Research-article

Conference

CCS '13


Cited By

• (2023) An Evaluation On The Entropy Supplying Capability Of Smartphone Sensors. The Computer Journal 67:4, pp. 1550-1563. DOI: 10.1093/comjnl/bxad081. Online publication date: 20-Sep-2023
• (2022) Cross-language Android permission specification. Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 772-783. DOI: 10.1145/3540250.3549142. Online publication date: 7-Nov-2022
• (2021) Fine with "1234"? Proceedings of the 43rd International Conference on Software Engineering, pp. 1671-1682. DOI: 10.1109/ICSE43902.2021.00148. Online publication date: 22-May-2021
• (2020) Analysis on Entropy Sources based on Smartphone Sensors. Proceedings of the 2020 10th International Conference on Communication and Network Security, pp. 21-31. DOI: 10.1145/3442520.3442528. Online publication date: 27-Nov-2020
• (2020) PrOS: Light-Weight Privatized Secure OSes in ARM TrustZone. IEEE Transactions on Mobile Computing 19:6, pp. 1434-1447. DOI: 10.1109/TMC.2019.2910861. Online publication date: 1-Jun-2020
• (2019) Understanding the Origins of Weak Cryptographic Algorithms Used for Signing Android Apps. Journal of Information Processing 27, pp. 593-602. DOI: 10.2197/ipsjjip.27.593. Online publication date: 2019
• (2019) The Prediction of Serial Number in OpenSSL's X.509 Certificate. Security and Communication Networks 2019. DOI: 10.1155/2019/6013846. Online publication date: 1-Jan-2019
• (2019) ANCHOR. ACM Transactions on Privacy and Security 22:2, pp. 1-36. DOI: 10.1145/3301305. Online publication date: 26-Feb-2019
• (2019) Measuring randomness in IoT products. 2019 II Workshop on Metrology for Industry 4.0 and IoT (MetroInd4.0&IoT), pp. 466-470. DOI: 10.1109/METROI4.2019.8792883. Online publication date: Jun-2019
• (2019) RandR. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, pp. 128-138. DOI: 10.1109/ASE.2019.00022. Online publication date: 10-Nov-2019
