Predictability of Android OpenSSL's pseudo random number generator

Soo Hyeon Kim, Daewan Han, Dong Hoon Lee

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

32 Citations (Scopus)

Abstract

OpenSSL is the most widely used library for SSL/TLS on the Android platform. The security of OpenSSL depends greatly on the unpredictability of its Pseudo Random Number Generator (PRNG). In this paper, we reveal the vulnerability of the OpenSSL PRNG on Android. We first analyze the architecture of OpenSSL specific to Android, and the overall operation process of the PRNG from initialization until the session key is generated. Owing to the nature of Android, the Dalvik Virtual Machine in Zygote initializes the states of the OpenSSL PRNG early upon booting, and SSL applications copy the PRNG states of Zygote when they start. Therefore, the applications that use OpenSSL generate random data from the same initial states, which is a potential problem that may seriously affect the security of Android applications. Next, we investigate the possibility of recovering the initial states of the OpenSSL PRNG. To do so, we should predict the nine external entropy sources of the PRNG. However, we show that these sources can be obtained in practice if the device is fixed. For example, the complexity of the attack was O(2^(32+t)) on our smartphone, where t is the bit complexity for estimating the system boot time. In our experiments, we were able to restore the PRNG states in 74 out of 100 cases. Assuming that we knew the boot time, i.e., t=0, the average time required to restore was 35 min on a PC with four cores (eight threads). Finally, we show that it is possible to recover the PreMasterSecret of the first SSL session with O(2^58) computations using the restored PRNG states, if the application is implemented using the org.webkit package and the key exchange scheme is RSA. This shows that the vulnerability of the OpenSSL PRNG can be a real threat to the security of Android.
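The core mechanism in the abstract, a parent process seeding its PRNG once and every application starting from a copy of that state, can be modelled in a few lines. The following Python is an added illustration, not code from the paper or from OpenSSL: Python's random.Random stands in for the OpenSSL PRNG, the nine entropy sources are collapsed into one constructed seed, and the process names and seed material are assumptions. The reseed-after-fork step is the standard remedy for state inheritance and is shown here as a mitigation, not as something the abstract describes.

```python
import os
import random

# Constructed model of the situation described in the abstract: one parent
# process (Zygote) seeds a PRNG once at boot, and every app starts from a
# copy of that state. random.Random is a stand-in for the OpenSSL PRNG.


class ModelZygote:
    """Parent process that seeds its PRNG once and is then forked (model)."""

    def __init__(self, seed_material: bytes):
        self.rng = random.Random()
        self.rng.seed(seed_material)  # seeded once, early at boot

    def spawn_app(self, reseed_after_fork: bool) -> random.Random:
        app_rng = random.Random()
        # A fork copies the parent's address space, so the child's PRNG
        # state starts as a byte-for-byte copy of the parent's state.
        app_rng.setstate(self.rng.getstate())
        if reseed_after_fork:
            # Mitigation: before the child derives any secret, mix the
            # inherited stream with fresh per-process entropy from the OS,
            # so that copies of the same parent state diverge.
            inherited = app_rng.getrandbits(256).to_bytes(32, "big")
            app_rng.seed(inherited + os.urandom(32))
        return app_rng


def premaster_secret(app_rng: random.Random, nbytes: int = 48) -> bytes:
    """Model of an app drawing its first session secret from its PRNG."""
    return app_rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def first_secrets_identical(reseed_after_fork: bool, apps: int = 3) -> bool:
    """Start `apps` apps from one Zygote and report whether their first
    session secrets all coincide (True = every app produced the same bytes)."""
    zygote = ModelZygote(b"constructed low-entropy seed")
    secrets = {
        premaster_secret(zygote.spawn_app(reseed_after_fork))
        for _ in range(apps)
    }
    return len(secrets) == 1


def seed_recovery_predicts_secret(seed_material: bytes) -> bool:
    """Consequence the abstract points at: if the seed material can be
    reconstructed, rebuilding the parent state reproduces the first secret
    of any app forked from it (no reseeding in either copy)."""
    victim = ModelZygote(seed_material).spawn_app(reseed_after_fork=False)
    replica = ModelZygote(seed_material).spawn_app(reseed_after_fork=False)
    return premaster_secret(victim) == premaster_secret(replica)


if __name__ == "__main__":
    print("no reseed, secrets identical:", first_secrets_identical(False))
    print("reseed after fork, secrets identical:", first_secrets_identical(True))
    print("rebuilt seed predicts secret:",
          seed_recovery_predicts_secret(b"constructed low-entropy seed"))
```

The model makes the two halves of the abstract visible: without a post-fork reseed, every app's first secret is the same bytes, and whoever can rebuild the seed material reproduces them; with fresh OS entropy mixed in after the fork, copies of the same parent state no longer agree.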

Original language: English
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Pages: 659-668
Number of pages: 10
DOIs: 10.1145/2508859.2516706
Publication status: Published - 2013 Dec 9
Event: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
Duration: 2013 Nov 4 - 2013 Nov 8

Other

Other: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
Country: Germany
City: Berlin
Period: 13/11/4 - 13/11/8

Keywords

  • android
  • entropy
  • openssl
  • pseudo random number generator
  • ssl/tls

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Kim, S. H., Han, D., & Lee, D. H. (2013). Predictability of Android OpenSSL's pseudo random number generator. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 659-668) https://doi.org/10.1145/2508859.2516706

@inproceedings{560eccc6b82e453cb553fd24dc1927be,
title = "Predictability of Android OpenSSL's pseudo random number generator",
abstract = "OpenSSL is the most widely used library for SSL/TLS on the Android platform. The security of OpenSSL depends greatly on the unpredictability of its Pseudo Random Number Generator (PRNG). In this paper, we reveal the vulnerability of the OpenSSL PRNG on Android. We first analyze the architecture of OpenSSL specific to Android, and the overall operation process of the PRNG from initialization until the session key is generated. Owing to the nature of Android, the Dalvik Virtual Machine in Zygote initializes the states of the OpenSSL PRNG early upon booting, and SSL applications copy the PRNG states of Zygote when they start. Therefore, the applications that use OpenSSL generate random data from the same initial states, which is a potential problem that may seriously affect the security of Android applications. Next, we investigate the possibility of recovering the initial states of the OpenSSL PRNG. To do so, we should predict the nine external entropy sources of the PRNG. However, we show that these sources can be obtained in practice if the device is fixed. For example, the complexity of the attack was O(2^(32+t)) on our smartphone, where t is the bit complexity for estimating the system boot time. In our experiments, we were able to restore the PRNG states in 74 out of 100 cases. Assuming that we knew the boot time, i.e., t=0, the average time required to restore was 35 min on a PC with four cores (eight threads). Finally, we show that it is possible to recover the PreMasterSecret of the first SSL session with O(2^58) computations using the restored PRNG states, if the application is implemented using the org.webkit package and the key exchange scheme is RSA. This shows that the vulnerability of the OpenSSL PRNG can be a real threat to the security of Android.",
keywords = "android, entropy, openssl, pseudo random number generator, ssl/tls",
author = "Kim, {Soo Hyeon} and Daewan Han and Lee, {Dong Hoon}",
year = "2013",
month = "12",
day = "9",
doi = "10.1145/2508859.2516706",
language = "English",
isbn = "9781450324779",
pages = "659--668",
booktitle = "Proceedings of the ACM Conference on Computer and Communications Security",

}