[guardian-dev] APK signing keys are vulnerable WAS: pgp, nsa, rsa

Eugen Leitl eugen at leitl.org
Mon Sep 9 01:57:13 PDT 2013


----- Forwarded message from Daniel McCarney <daniel at binaryparadox.net> -----

Date: Sun, 8 Sep 2013 18:31:35 -0400
From: Daniel McCarney <daniel at binaryparadox.net>
To: Hans of Guardian <hans at guardianproject.info>, guardian-dev <guardian-dev at lists.mayfirst.org>
Subject: Re: [guardian-dev] APK signing keys are vulnerable WAS: pgp, nsa, rsa

> Wow, that is bad news indeed.  It would be awesome to have androidobservatory.org also display full info about the signing keys, like the algorithm used, the bitness, generation date, etc. so we can easily check which keys are vulnerable.

Working on rolling that functionality out. I had to rewrite the app import
pipeline so that I could store that information. I have the data collected but
it isn't user facing yet. I can tell you that looking at the ~6,000 unique
certificates in the observatory data about 75% are RSA 1024.

As far as I'm aware it isn't possible to learn the key generation date from the
certificate data in the PKCS7 structure stored in the META-INF directory of an
APK.

> I figure if the NSA can break 1024 bit RSA, it's only a matter of time before China also has that capability.  China are experts at industrial espionage, and they certainly know how to make chips.  It is very conceivable that they could acquire the NSA's RSA cracking chip design and then build it domestically.  Then I imagine that China would also be willing to sell those chips to allies, or perhaps even the highest bidder.

Yeah, the current NIST[1] advice on key sizes is very clear that 1024 bit RSA
should be deprecated (though evidently NIST might not be an unbiased source of
information...).

> We'll have to make sure our signing key is not 1024 bit, and if so, work on a migration plan.  The easiest way to start is to sign all new apps with a new key.

The pubkey in the cert used for the core Guardian Properties (ChatSecure,
Obscuracam, etc) is definitely 1024 RSA. So is the pubkey in the cert used for
Orweb. It would definitely be a good idea to start talking about a migration
plan (and using a strong keysize in a new cert for all new properties).

- Dan

[1] http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf





----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
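
An added example, not part of the original message or of androidobservatory.org's code: a standard-library Python check that reports the RSA modulus size of the certificate in each META-INF/*.RSA PKCS7 block of an APK, which is the "algorithm and bitness" check discussed above. It is a byte-pattern heuristic rather than a full ASN.1 parser and ignores .DSA/.EC blocks; the function names and the 2048-bit `min_bits` threshold are assumptions.

```python
import sys
import zipfile

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def rsa_key_sizes(der):
    """Modulus bit lengths of every RSA SubjectPublicKeyInfo found in a DER blob."""
    sizes, start = [], 0
    while (hit := der.find(RSA_ALG_ID, start)) != -1:
        start = hit + 1
        try:
            tag, v, _ = read_tlv(der, hit + len(RSA_ALG_ID))
            if tag != 0x03:           # not a BIT STRING, e.g. SignerInfo's signature
                continue
            tag, v, _ = read_tlv(der, v + 1)   # skip unused-bits byte, enter RSAPublicKey
            if tag != 0x30:
                continue
            tag, v, end = read_tlv(der, v)     # first INTEGER is the modulus
            if tag != 0x02:
                continue
        except IndexError:            # pattern sat at a truncated tail
            continue
        sizes.append(int.from_bytes(der[v:end], "big").bit_length())
    return sizes

def audit_apk(apk, min_bits=2048):    # min_bits is an assumed policy threshold
    """Return [(entry, bits, ok)] for the JAR-style RSA signature blocks in an APK."""
    results = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(".RSA"):
                for bits in rsa_key_sizes(z.read(name)):
                    results.append((name, bits, bits >= min_bits))
    return results

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for name, bits, ok in audit_apk(path):
            print(f"{path}: {name}: RSA {bits} {'ok' if ok else 'WEAK'}")
```

Run it as `python script.py app.apk ...`; an APK signed with a 1024-bit key prints a `WEAK` line for its signature block.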



More information about the cypherpunks mailing list