Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Android App - weak signer Certificate (SHA1withRSA) #4

Open
gvarisco opened this issue Oct 5, 2017 · 1 comment
Open

Android App - weak signer Certificate (SHA1withRSA) #4

gvarisco opened this issue Oct 5, 2017 · 1 comment
Assignees
Labels

Comments

@gvarisco
Copy link
Member

@gvarisco gvarisco commented Oct 5, 2017

The app is signed with SHA1withRSA. SHA1 hash algorithm is known to have collision issues.

[
[
  Version: V3
  Subject: CN=Ipzs S.p.A, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, L=Roma, ST=Italia, C=00138
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  
  Validity: [From: Wed Mar 30 12:48:27 UTC 2016,
               To: Sun Mar 24 12:48:27 UTC 2041]
  Issuer: CN=Ipzs S.p.A, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, L=Roma, ST=Italia, C=00138
  SerialNumber: [    56fbcb1b]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 11 BF A4 72 7D F2 27 25   3D 7A A1 71 AB 8D AE 26  ...r..'%=z.q...&
0010: B2 7F A6 6C 21 25 87 2C   D4 51 68 99 83 AC 45 FC  ...l!%.,.Qh...E.
0020: 88 FC A9 69 FB 6E D8 DE   C2 65 36 64 F4 D5 97 38  ...i.n...e6d...8
0030: AD 13 4A 01 62 3F 32 AF   59 00 33 DF E1 F5 49 6D  ..J.b?2.Y.3...Im
0040: D5 22 70 9D E9 FD 12 86   4D 97 AD 31 FE FF 76 16  ."p.....M..1..v.
0050: 0D 1A A6 0C 5D 84 A1 07   1B A7 13 3C 27 65 24 9B  ....]......<'e$.
0060: 85 BB 06 87 F5 34 41 94   73 42 F4 54 83 38 A7 3F  .....4A.sB.T.8.?
0070: 0E EF 5A E4 30 DA D9 31   ED 3B 0F F3 A9 59 00 A6  ..Z.0..1.;...Y..

]

Current key info extracted from CERT.RSA:

$ openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1459342107 (0x56fbcb1b)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=00138, ST=Italia, L=Roma, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, CN=Ipzs S.p.A
        Validity
            Not Before: Mar 30 12:48:27 2016 GMT
            Not After : Mar 24 12:48:27 2041 GMT
        Subject: C=00138, ST=Italia, L=Roma, O=Istituto Poligrafico e Zecca Dello Stato S.p.A, CN=Ipzs S.p.A
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:aa:ce:2f:27:03:af:79:28:49:4c:1f:d5:6f:40:
                    ea:7a:41:79:d6:f3:37:3c:a5:1b:29:c7:5b:5d:12:
                    dc:c7:0d:2f:e8:4d:a2:3a:69:e0:55:25:41:e6:63:
                    23:e8:bc:7b:b6:bc:51:f0:7d:cc:9d:54:76:cb:aa:
                    50:03:b4:95:58:13:31:82:04:e3:48:e0:49:9b:b2:
                    ea:ff:7e:8f:5c:6d:bb:b3:df:65:bc:95:aa:43:dd:
                    39:72:ff:54:72:7c:27:15:b9:6b:b4:c5:1d:52:c8:
                    0a:d0:d7:b9:42:b9:b2:4f:9a:03:8d:25:00:55:03:
                    4b:16:8e:ff:bd:3a:20:02:15
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         11:bf:a4:72:7d:f2:27:25:3d:7a:a1:71:ab:8d:ae:26:b2:7f:
         a6:6c:21:25:87:2c:d4:51:68:99:83:ac:45:fc:88:fc:a9:69:
         fb:6e:d8:de:c2:65:36:64:f4:d5:97:38:ad:13:4a:01:62:3f:
         32:af:59:00:33:df:e1:f5:49:6d:d5:22:70:9d:e9:fd:12:86:
         4d:97:ad:31:fe:ff:76:16:0d:1a:a6:0c:5d:84:a1:07:1b:a7:
         13:3c:27:65:24:9b:85:bb:06:87:f5:34:41:94:73:42:f4:54:
         83:38:a7:3f:0e:ef:5a:e4:30:da:d9:31:ed:3b:0f:f3:a9:59:
         00:a6

It is time to update to a stronger signing key for this Android app! The old default RSA 1024-bit key is weak and officially deprecated.

Note: We should keep in mind that if we use a SHA256 algorithm, the app does not work with some older Android devices (mostly pre Android 4.3). This means that builds made with the new cert management system currently create APK files that may not install on some Android 4.0-4.2 devices (some devices will install, some will fail, depends on the manufacturer).

Quoting this report on Android apps' signing keys:

There is security vs compatibility trade off a few might be interested in. Pre-4.3, Android did not support any signature algorithms except SHA1. With Android >= 4.3, SHA256 support was fixed, and SHA384, SHA512, and ECDSA were added (source). There are still android 2.3.3 (android-10) devices being sold, so anyone interested in backwards compatibility will have to heed this.
Also, the larger the keysize and hashsize used, the longer it takes to install and update the application. So extremely large values might be unsuitable for slower hardware. The following probably doesn’t buy you a tremendous amount of additional security but cranks the paranoia to 11. It does so at the cost of compatibility and performance.

Gen with:
keytool -genkey -v -keystore test.keystore -alias testkey -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -dname "cn=Test,ou=Test,c=CA" -validity 10000

Sign with:
jarsigner -verbose -sigalg SHA512withRSA -digestalg SHA512 -keystore test.keystore test.apk testkey

We can probably rely on what's written here:

keytool -genkey -v -keystore test.keystore -alias testkey -keyalg RSA -keysize 4096 -sigalg SHA1withRSA -dname "cn=Test,ou=Test,c=CA" -validity 10000
do not specify passwords on the command line (i.e. do not use -keypass or -storepass)
-keysize 2048 is the minimum, but -keysize 4096 is better
-keysize 8192 is overkill and might not work on older Android versions
**SHA256withRSA and other better hashes supported on Android 4.3 and above only!**
SHA1withDSA should work, but we haven't tested it

Further references:

@gvarisco

This comment has been minimized.

Copy link
Member Author

@gvarisco gvarisco commented Oct 5, 2017

According to the app's metadata, the app already requires Android 4.4 and up. We should be safe.

@italia italia deleted a comment from aantetomaso Oct 5, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
You can’t perform that action at this time.