cure53 Security Audit 2015

Dominik Schürmann edited this page Jan 5, 2017 · 10 revisions

The Security Audit can be downloaded at https://cure53.de/pentest-report_openkeychain.pdf

All identified vulnerabilities have been discussed with cure53 and fixed in OpenKeychain 3.6. OKC-01-006 has been fixed in 4.2. We will work on two "Miscellaneous Issues" (not vulnerabilities) for a future version of OpenKeychain.

Identified Vulnerabilities

OKC-01-001 Private Keys can be imported from Keyserver (Medium)

FIXED IN

OKC-01-004 Arbitrary file write when decrypting and saving messages (High)

Filenames with slashes are rejected.

FIXED IN
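One way to enforce the slash rule from OKC-01-004, as an added example (not OpenKeychain's code). It assumes the filename is taken from the decrypted message and is therefore attacker-controlled. The class and method names, the backslash and NUL checks, and the canonical-path check are illustrative additions beyond the slash rule stated on this page.

```java
import java.io.File;
import java.io.IOException;

public class EmbeddedFilenameCheck {

    /**
     * Resolves an untrusted filename against outputDir, or throws if the
     * result could land anywhere other than directly inside outputDir.
     */
    static File resolveSafely(File outputDir, String embeddedName) throws IOException {
        if (embeddedName == null || embeddedName.isEmpty()) {
            throw new IOException("empty filename");
        }
        // Rule stated on the page: any slash is rejected outright.
        // Backslash and NUL are extra hardening (assumption, not from the page).
        if (embeddedName.indexOf('/') >= 0 || embeddedName.indexOf('\\') >= 0
                || embeddedName.indexOf('\0') >= 0) {
            throw new IOException("filename contains a path separator");
        }
        if (embeddedName.equals(".") || embeddedName.equals("..")) {
            throw new IOException("filename is a directory reference");
        }
        // Defence in depth: the resolved file must be a direct child of outputDir.
        File base = outputDir.getCanonicalFile();
        File target = new File(base, embeddedName).getCanonicalFile();
        if (!base.equals(target.getParentFile())) {
            throw new IOException("filename escapes output directory");
        }
        return target;
    }

    public static void main(String[] args) {
        File dir = new File(System.getProperty("java.io.tmpdir"), "okc-demo");
        // Constructed sample names, not taken from the audit report.
        String[] samples = { "report.txt", "../../other/file.xml", "/tmp/a", "..", "a\\b" };
        for (String name : samples) {
            try {
                System.out.println("accept " + name + " -> " + resolveSafely(dir, name));
            } catch (IOException e) {
                System.out.println("reject " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `report.txt` is accepted; every other sample is rejected before any file is opened.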

OKC-01-006 Keyserver can send arbitrary Public Keys without Verification (Low)

A comparison of User IDs is difficult to implement, as keyservers could, in some circumstances, return User IDs with a broken encoding. We would also need to check for revocation status, key size etc., which would introduce much code complexity. Downloading all search results and parsing them locally before prompting the user which key(s) he wants would result in too much network traffic. Keys are several to many kilobytes in size, e.g., 66kb.

FIXED in 4.2: Before importing keys from keyservers, they are downloaded fully, verified, and displayed to the user.

OKC-01-009 Bypassable Fingerprint-Check for Key Exchange via QR Code (High)

The fingerprint check is now performed after canonicalization and the method has been changed to check primary and mutually bound keys only.

FIXED IN

OKC-01-010 Database can be exported using Encrypt Operation (Low)

Proposed fix has been implemented.

FIXED FOR ANDROID >= 5 IN https://github.com/open-keychain/open-keychain/commit/57a04cb8a14a4777a3d77a92952d9fbdbd72b527 (We will leave this open for Android < 5 for now due to the low priority.)

OKC-01-011 Unconfirmed Main Identities are shown as confirmed (Low)

Confirmed identities (if they exist) are now prioritized over non-confirmed ones.

FIXED IN

OKC-01-012 Database Extraction possible via Version Downgrade (Medium)

The database version has been increased, which already prevents a downgrade. In addition, onDowngrade has been overridden.

FIXED IN

OKC-01-013 Key Usage unchecked upon Decryption / Signature Verification (Low)

Verification now only uses keys which are allowed to sign.

FIXED IN

OKC-01-014 Multiple File overwrite Vulnerabilities via Path Traversal (High)

The save functionality has been removed for Android < 4.4; on Android >= 4.4 the new Document Storage Framework is used. The problematic file dialog has been removed.

FIXED IN

OKC-01-015 Export of PGP Information in clear-text on insecure Storage (Medium)

Logs are no longer saved. Instead, a dialog is shown that warns the user about potentially sensitive information inside the log and allows sharing the log directly with another app such as a mail program. The save functionality has been removed for Android < 4.4; only the new backup function has code for saving files on Android < 4.4. On Android >= 4.4, saving is enabled via the Document Provider API, which handles everything related to Backup/Export. Backups are now symmetrically encrypted via a randomly generated Backup Code.

FIXED IN:

OKC-01-017 Predictable File Creation on insecure Location (Medium)

See OKC-01-015.

OKC-01-018 Key Server Verification Bypass via HTTP Redirect (Medium)

We now disallow all redirects. A warning is now shown when a keyserver is added without a pinned certificate; users need to uncheck "only trusted keyserver" to get past the warning. We pinned sks-keyserver, pgp.mit.edu, and keybase.io.

FIXED IN

Miscellaneous Issues

OKC-01-002 Malicious public Key can lead to persistent Denial of Service (Medium)

OpenKeychain now processes at most 100 User IDs.

FIXED IN

OKC-01-003 Malicious Key Server response can lead to Denial of Service (Low)

OpenKeychain now skips keys or User IDs with broken encodings or other wrong values, and the get-method no longer crashes on empty or wrong data.

FIXED IN

OKC-01-005 Insufficient and insecure RSA/DSA Key Sizes permitted (Medium)

The minimum key length for key creation is now 2048 bit for RSA, DSA, and ElGamal.

FIXED IN

OKC-01-007 Signing Operations with weak Key lead to Denial of Service (Info)

In the future, we would like to tag insecure keys inside our database, like revoked or expired keys, and make them unselectable. There will be future work on this when other issues have been sorted out, see https://github.com/open-keychain/open-keychain/issues/1476

WILL BE FIXED LATER

OKC-01-008 OpenKeychain accepts weak Passwords without any Warning (Info)

In the future, we would like to switch to a model where the whole database of OpenKeychain is encrypted, not every single secret key separately, see https://github.com/open-keychain/open-keychain/issues/1541

WILL BE FIXED LATER

OKC-01-016 No Warnings when adding a clear-text HTTP Key Server (Low)

HTTP is still allowed, but HTTP keyservers are not among the trusted keyservers, so the warning that we implemented for OKC-01-018 is shown.

FIXED