Practical effect of the predictability of android openSSL PRNG

Soo Hyeon Kim, Daewan Han, Dong Hoon Lee

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

The built-in Pseudo Random Number Generator (PRNG) of OpenSSL on Android platform is important for producing the encryption keys and nonce needed for SSL/TLS communication. In addition, it is also widely used in generating random numbers for many applications irrelevant to SSL. We demonstrated that the initial OpenSSL PRNG state of Android apps can be restored practically, and claimed that a PreMasterSecret (PMS) can be recovered in certain apps using the RSA key agreement scheme at CCS 2013. In this paper, we investigate more deeply the practical effect of the predictability of OpenSSL PRNG. First, we precisely analyze, and reduce the complexity of a PMS recovery attack on SSL with the RSA key exchange by analyzing the ASLR mechanism of Android. As a result, we show that the PMS can be recovered in O(2^46) computations with a probability of 25%. Next, we show that the attack is also applicable to the PMS of the ECDH key exchange by analyzing the heap memory pattern. We confirmed experimentally that the PMS can be recovered in real-time with a probability of 20%. Finally, we show the relation between the predictability of OpenSSL PRNG and the vulnerability of Android SecureRandom Java class.

Original language: English
Pages (from-to): 1806-1813
Number of pages: 8
Journal: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Volume: E98A
Issue number: 8
DOI: 10.1587/transfun.E98.A.1806
Publication status: Published - 2015 Aug 1

Fingerprint

Pseudorandom number Generator
Predictability
Application programs
Key Exchange
Cryptography
Attack
Data storage equipment
Recovery
Key Agreement
Heap
Communication
Random number
Vulnerability
Encryption
Java
Real-time
Android (operating system)

Keywords

  • Android
  • OpenSSL
  • PRNG
  • SecureRandom
  • SSL/TLS

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Computer Graphics and Computer-Aided Design
  • Applied Mathematics
  • Signal Processing

Cite this

Practical effect of the predictability of android openSSL PRNG. / Kim, Soo Hyeon; Han, Daewan; Lee, Dong Hoon.

In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E98A, No. 8, 01.08.2015, p. 1806-1813.


@article{6fc785b7b90b4ae3999517f41973bf4a,
title = "Practical effect of the predictability of android openSSL PRNG",
abstract = "The built-in Pseudo Random Number Generator (PRNG) of OpenSSL on Android platform is important for producing the encryption keys and nonce needed for SSL/TLS communication. In addition, it is also widely used in generating random numbers for many applications irrelevant to SSL. We demonstrated that the initial OpenSSL PRNG state of Android apps can be restored practically, and claimed that a PreMasterSecret (PMS) can be recovered in certain apps using the RSA key agreement scheme at CCS 2013. In this paper, we investigate more deeply the practical effect of the predictability of OpenSSL PRNG. First, we precisely analyze, and reduce the complexity of a PMS recovery attack on SSL with the RSA key exchange by analyzing the ASLR mechanism of Android. As a result, we show that the PMS can be recovered in O($2^{46}$) computations with a probability of 25{\%}. Next, we show that the attack is also applicable to the PMS of the ECDH key exchange by analyzing the heap memory pattern. We confirmed experimentally that the PMS can be recovered in real-time with a probability of 20{\%}. Finally, we show the relation between the predictability of OpenSSL PRNG and the vulnerability of Android SecureRandom Java class.",
keywords = "Android, OpenSSL, PRNG, SecureRandom, SSL/TLS",
author = "Kim, {Soo Hyeon} and Daewan Han and Lee, {Dong Hoon}",
year = "2015",
month = "8",
day = "1",
doi = "10.1587/transfun.E98.A.1806",
language = "English",
volume = "E98A",
pages = "1806--1813",
journal = "IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences",
issn = "0916-8508",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "8",

}
