Predictability of Android OpenSSL's pseudo random number generator

Soo Hyeon Kim, Daewan Han, Dong Hoon Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

34 Citations (Scopus)

Abstract

OpenSSL is the most widely used library for SSL/TLS on the Android platform. The security of OpenSSL depends greatly on the unpredictability of its Pseudo Random Number Generator (PRNG). In this paper, we reveal the vulnerability of the OpenSSL PRNG on the Android. We first analyze the architecture of the OpenSSL specific to Android, and the overall operation process of the PRNG from initialization until the session key is generated. Owing to the nature of Android, the Dalvik Virtual Machine in Zygote initializes the states of OpenSSL PRNG early upon booting, and SSL applications copy the PRNG states of Zygote when they start. Therefore, the applications that use OpenSSL generate random data from the same initial states, which is potential problem that may seriously affect the security of Android applications. Next, we investigate the possibility of recovering the initial states of the OpenSSL PRNG. To do so, we should predict the nine external entropy sources of the PRNG. However, we show that these sources can be obtained in practice if the device is fixed. For example, the complexity of the attack was O(232+t) in our smartphone, where t is the bit complexity for estimating the system boot time. In our experiments, we were able to restore the PRNG states in 74 out of 100 cases. Assuming that we knew the boot time, i.e., t=0, the average time required to restore was 35 min on a PC with four cores (eight threads). Finally, we show that it is possible to recover the PreMasterSecret of the first SSL session with O(258) computations using the restored PRNG states, if the application is implemented by utilizing org.webkit package and a key exchange scheme is RSA. It shows that the vulnerability of OpenSSL PRNG can be a real threat to the security of Android.

Original languageEnglish
Title of host publicationCCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security
Pages659-668
Number of pages10
DOIs
Publication statusPublished - 2013
Event2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
Duration: 2013 Nov 42013 Nov 8

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Other

Other2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
CountryGermany
CityBerlin
Period13/11/413/11/8

Keywords

  • android
  • entropy
  • openssl
  • pseudo random number generator
  • ssl/tls

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Predictability of Android OpenSSL's pseudo random number generator'. Together they form a unique fingerprint.

  • Cite this

    Kim, S. H., Han, D., & Lee, D. H. (2013). Predictability of Android OpenSSL's pseudo random number generator. In CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (pp. 659-668). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/2508859.2516706