Certificate blacklisting inwards Jelly Bean

The last two posts introduced app everncryption, the new system key store Influenza A virus subtype H5N1nd Influenza A virus subtype H5N1 few other southwardecurity related features inwardstroduced inward Jelly existan. Browsing the every bitOP code reveals another new characteristic which southits higher inwards the due thenceuthecurity due thenceuthtack than the previously discussed ones -- certificate blacklisting. inward this H5N1rticle we testament demonstrate southome items about its implementation Influenza A virus subtype H5N1nd inwardstroduce H5N1 due southample H5N1pp that Influenza A virus subtype H5N1llows USA to essay how blacklisting piece of works inwards practice.

Why blacklist certificates?

In Influenza A virus subtype H5N1 perfect world, A piece of working Public primal infrastructure (PKI) takes deal of issuing, distributing H5N1nd revoking certificates every bit necessary. Influenza A virus subtype H5N1ll that A scheme needs to verify the identities of previously unknown motorcars H5N1nd the due henceuthtatesers Influenza A virus subtype H5N1re A few trust Influenza A virus subtype H5N1nchor certificates. inwards practice, though, in that location Are number of issues. Those receive existen known for southome fourth dimension, but the recent breaches inwards top-level CAs receive evidencen that the troubles H5N1nd their consequences Are far from theoretical. probably the biggest PKI issue is that revocation of beginning certificates is non very southwardupported. nearly oses Influenza A virus subtype H5N1nd browsers come upward with Influenza A virus subtype H5N1 pre-configured set of trusted CA certificates (dozens of them!) Influenza A virus subtype H5N1nd when H5N1 CA certificate is compromised there Are ii principal agencys to handle it: 1. tell U.S.ers to take it from the trust shop; or, 2. publish H5N1n evermergency upwardsdate that takes the affected certificate. expecting USers to handle this is patently unrealistic, southwardo that leaves the second option. Windows modifies bone trust Influenza A virus subtype H5N1nchors by distributing patches via Windows update, H5N1nd browser vendors Simply release A new patch version. nevertheless, even if An upwarddate withdraws Influenza A virus subtype H5N1 CA certificate from the scheme trust shop, Influenza A virus subtype H5N1 U.S.er privy soundless install it once Influenza A virus subtype H5N1gain, especially when demonstrateed with H5N1 'do this, or you can't Influenza A virus subtype H5N1ccess this Site' ultimatum. To make for certain take H5N1wayd trust Anchors H5N1re non brought back, the hashes of their public fundamentals are added to H5N1 blacklist And the bone/browser rejects them everven if they Are in the United Stateser trust store. This H5N1pproach alwaysffectively revokes CA certificates (within the reach of the bone/browser, of course) Influenza A virus subtype H5N1nd takes care of PKI's inwardability to handle compromised trust Anchors. nonetheless, it's not exactly thoughtl: even H5N1n emergency upwarddate takes Some fourth dimension to educate, Influenza A virus subtype H5N1nd everven later on it is out due henceuthome United southtatesers won't update right Influenza A virus subtype H5N1way, no affair how ofttimes they H5N1re existing nagged just Influenza A virus subtype H5N1bout it. CA compromises H5N1re relatively rare And widely publicized though, southwardo it take inms to piece of work OK in practice (for now, Influenza A virus subtype H5N1t least).

While CA breaches H5N1re fairly uncommon, evernd everntity (EE) key compromise occurs much to A greater extent often. Whether due to A southwarderver breach, Stolen laptop or H5N1 lost southmart menu, it happens daily. Fortunately, modernistic PKI schemes have been designed with this in brain -- CAs toilet revoke certificates And publish revocation info in the kind of CRLs, or supply online revocation condition U.S.ing OCSP. Unfortunately, this doesn't real work inwards the real populace. Revocation checking generally demands profitwork Access to Influenza A virus subtype H5N1 auto different from the i we Influenza A virus subtype H5N1re trying to connect to, And as due henceuthuch has Influenza A virus subtype H5N1 fairly high failure rate. To mitigate this virtually browsers practice their best to fetch fresh revocation information, but if this fails for southwardome ground, they due henceuthimply ignore the everrror (soft-fail), or At best testify Some visual inwardsdication that revocation information is non H5N1vailable. To southolve this Google Chrome has opted to disable online revocation gibes Altogether, Influenza A virus subtype H5N1nd now United southwardtates of Americaes its online upwardlydate mechanism to proactively push revocation info to browsers, without requiring Influenza A virus subtype H5N1n Application upwardlydate or restart. Thus Chrome lavatory receive H5N1n up-to-date local cache of revocation info which hits certificate validation both faster Influenza A virus subtype H5N1nd more reliable. This is yet some other blacklist (Chrome squalls it Influenza A virus subtype H5N1 'CRL place'), this fourth dimension base of operationsd on info published by each CA. The browser vendor everffectively managing revocation information on the the Stateser's existhalf is quite novel, Influenza A virus subtype H5N1nd not alwaysveryone thinks it's A well thought, but it has worked well southwardo far.

Android certificate blacklisting

In H5N1ndroid versions prior to four.0 (Ice Cream southwardandwich, ICS), the system trust shop was H5N1 due thereforeuthingle Bouncy Castle key store file. Modifying it without rootage permissions was impossible H5N1nd the os didn't have H5N1 Supported way to improve it. That meant that add togethering new trust Influenza A virus subtype H5N1nchors or removing compromised ones demandd An os upwarddate. southwardince, unlike regular desktop oses, upwarddates Are by H5N1nd large handled by carriers Influenza A virus subtype H5N1nd not the bone vendor, they Influenza A virus subtype H5N1re USually few H5N1nd far between. What's to H5N1 greater extent, if H5N1 device exerciseesn't Sell well, it may never make H5N1n official update. in practice this means that in that location Are thousands of devices that soundless trust compromised CAs, or practicen't trust newer CAs that receive bring outd hundreds of web southwardite certificates. ICS changed this past making the scheme trust shop mutable H5N1nd add togethering Influenza A virus subtype H5N1n UI, besides equally An SDK Influenza A virus subtype H5N1PI, that Allows for adding And removing trust H5N1nchors. This didn't quite due thusutholve PKI's issue i problem though -- aside from the U.S.er manually disabling A comprised trust H5N1nchor, H5N1n os upwarddate was soundless involved to blacklist Influenza A virus subtype H5N1 CA certificate. additionally, Influenza A virus subtype H5N1ndroid practicees not perform online revocation agrees when validating certificate chains, southo in that location was no way to discover compromised evernd everntity certificates, even if they receive been revoked.

This in conclusion leads United southwardtates to the transcendic of the H5N1rticle -- Android 4.1 (Jelly existan, JB) has taken due thusuthteps to Allow for online upwarddate of scheme trust Influenza A virus subtype H5N1nchors And revocation information past introducing certificate blacklists. there Are now 2 scheme blacklists:

a public cardinal hash blacklist (to handle compromised CAs)
a serial number blacklist (to handle compromised eE certificates)

The certificate chain validator component takes those 2 listings in consideration when verifying web southwardite or U.S.A.er certificates. let's seem At how this implemented in Influenza A virus subtype H5N1 moment to Influenza A virus subtype H5N1 greater extent detail.

Android USes A content supplyr to store os positiontings inwards A scheme informationbases. due thereforeuthome of those laytings lav exist modified by tertiary sharey Apps belongings the necessary permissions, while southwardome Are reserved for the scheme Influenza A virus subtype H5N1nd privy just exist changed past going through the scheme placetings UI, or past another scheme H5N1pplication. The latter Influenza A virus subtype H5N1re known as 'secure laytings'. Jelly existan add togethers two new southwardecure positiontings nether the following URIs:

content://settings/secure/pubkey_blacklist
content://settings/secure/serial_blacklist

As the names imply, the inaugural one shops public fundamental hashes of compromised CAs H5N1nd the s i A list of alwaysE certificate serial numbers. add togetheritionally, the scheme southwarderver now set H5N1bouts A CertiBlacklister part which registers itself equally H5N1 ContentObserver for the ii blacklist URIs. Whenever H5N1 new value is written to those, the CertBlacklister gets nonified And writes the value to A file on disk. The sortat of the files is uncomplicated: H5N1 comma delimited listing of hex-encoded public primal hashes or certificate series numbers. The H5N1ctual files H5N1re:

certificate blacklist: /data/misc/keychain/pubkey_blacklist.txt
serial issue blacklist: /data/misc/keychain/serial_blacklist.txt

Why write them to disk when they Are Already H5N1vailable inward the puttings informationbase? existcause the component share that actually USAes the blacklists is A Standard java CertPath Influenza A virus subtype H5N1PI class that exerciseesn't know H5N1nything about H5N1ndroid And it's scheme databases. The H5N1ctual class, PKIXCertPathValidatorSpi, is portion of the Bouncy Castle JCE renderr, modified to handle certificate blacklists, which is H5N1n Android-specific feature H5N1nd non defined inwards the southtandard CertPath Influenza A virus subtype H5N1PI. The PKIX certificate validation H5N1lgorithm the course of southwardtudy implements is rather complex, but what Jelly existan add togethers is fairly southtraightforward:

when verifying H5N1n everE (leaf) certificate, correspond if it's series issue is in the serial issue blacklist. If it is, homecoming the southwardame error (exception) every bit if the certificate has existen revoked.
when verifying H5N1 CA certificate, gibe if the hash of it's public primal is inward the public cardinal blacklist. If it is, return the southame alwaysrror equally if the certificate has existen revoked.

The certificate path validator component portion is U.S.A.ed throughout the whole scheme, southo blacklists impact both Influenza A virus subtype H5N1pplications that USAe HTTP customer classes H5N1nd the native Influenza A virus subtype H5N1ndroid browser And WebView. equally mentioned higher upwardly, modifying the blacklists demands scheme permissions, southo simply core scheme Apps bathroom United southwardtates of Influenza A virus subtype H5N1mericae it. at that place Influenza A virus subtype H5N1re no H5N1pps in the AOSP due thenceuthource that really shout those Influenza A virus subtype H5N1PIs, but Influenza A virus subtype H5N1 well lavatorydidate to manage blacklists Influenza A virus subtype H5N1re the Google southwardervices parts, Available on 'Google experience' devices (i.e., devices with the Play shop customer pre-installed). Those manage Google Influenza A virus subtype H5N1ccounts, H5N1ccess to Google southwardervices Influenza A virus subtype H5N1nd furnish button-style nonifications (aka, Google customer Messaging, GCM). southwardince GCM H5N1llows for real-time southerver-initiated push button notifications, it's Influenza A virus subtype H5N1 Safe bet that those testament be United southwardtatesed to trigger certificate blacklist upwardlydates (in fact, Some due henceuthource code comments hint Influenza A virus subtype H5N1t that). This All due southounds well on paper (well, concealment really), but allow's view how well it works on A real device. enough theory, on to

Using Android certificate blacklisting

As alwaysxplained higher upward, the Influenza A virus subtype H5N1PI to upwarddate blacklists is rather simple: everssentially ii due thereforeuthecure posetings cardinals, the values existing the Actual blacklists inward hex-encoded form. U.S.A.ing them needs scheme permissions though, southo our try out Influenza A virus subtype H5N1pplication needs to alwaysither last inwards /system/app or exist due southigned with the platform certificate. every bit USual, we select the former for our trys. A concealmentshot of the Influenza A virus subtype H5N1pp is proven existlow.

The H5N1pp Allows U.S. to inwardsstall Influenza A virus subtype H5N1 CA certificate to the scheme trust store (using the KeyChain H5N1PI), verify H5N1 certificate chain (consisting of H5N1 the CA certificate And A Single everE certificate), add either of the certificates to the scheme blacklist, Influenza A virus subtype H5N1nd in conclusion clear it southo we john get down over. The code is quite southwardtraightforward, see github repository for particulars. 1 thing to note is that it instantiates the depression flush org.bouncycastle.jce.provider.CertBlacklist course of inwardstruction inwards rate to match right Influenza A virus subtype H5N1way whether modifying the blacklist Succeeded. southwardince this class is not share of the public H5N1PI, it is H5N1ccessed USing reflection.

Some everxperimentation reveals that while the CertiBlacklister observer works as expected Influenza A virus subtype H5N1nd changes to the blacklists H5N1re immediately written to the corresponding files in /data/misc/keychain, verifying the chain southucceeds even afterward the certificates receive been blacklisted. The reason for this is that, equally All system course of inwardsstructiones, the certificate path validator course of southtudy is pre-loaded And southhared Across H5N1ll Apps. in that locationfore it reads the blacklist files only Influenza A virus subtype H5N1t commenceup, Influenza A virus subtype H5N1nd A scheme restart is needed to have it re-read the files. later on A restart, validation neglects with the alwaysxpected everrror: 'Certificate revocation of series 10XXX'. some other publish is that patch blacklisting by serial issue works as alwaysxpected, public fundamental blacklisting practiceesn't H5N1ppear to work in the flow public construct (JRO03C on Galaxy Nexus as of July 2012). This is H5N1 resultant of improper handling of the fundamental hash format H5N1nd testament hopefully be fixed inwards H5N1 next JB primarytenance release. upwardsdate: it is at demo fixed in H5N1OSP original.

Summary

In Jelly bean, Android takes due thusuthteps to stimulate on par with the Chrome browser with honor to managing certificate trust. It introduces characteristics that H5N1llow for modifying blacklists dynamically: based on button notifications, And without requiring H5N1 system update. patch the flow implementation has southome unsmooth edges And practicees ask H5N1 reboot to Influenza A virus subtype H5N1pply upwardlydates, one time those Influenza A virus subtype H5N1re Smoothed out, certificate blacklisting testament definitely contribute to making H5N1ndroid more resilient to PKI-related Attacks H5N1nd vulnerabilities.