Measuring and characterizing weak RSA keys across PKI ecosystem

dc.contributor.advisor: Stakhanova, Natalia
dc.contributor.committeeMember: Eager, Derek
dc.contributor.committeeMember: Makaroff, Dwight
dc.creator: Nezhadian, Flor
dc.creator.orcid: 0009-0009-7206-8614
dc.date.accessioned: 2023-09-21T21:55:38Z
dc.date.available: 2023-09-21T21:55:38Z
dc.date.copyright: 2023
dc.date.created: 2023-08
dc.date.issued: 2023-09-21
dc.date.submitted: August 2023
dc.date.updated: 2023-09-21T21:55:38Z
dc.description.abstract: The insecurities of public-key infrastructure on the Internet have been the focus of research for over a decade. The extensive presence of broken, weak, and vulnerable cryptographic keys has been repeatedly emphasized by many studies. While analyzing the security implications of vulnerable cryptographic keys, several studies noted the presence of public key reuse. Although the phenomenon of private key sharing has been studied extensively, the prevalence of public key sharing on the Internet remains largely unknown. This work performs a large-scale analysis of public key reuse within the PKI ecosystem. It investigates the presence and distribution of duplicate X.509 certificates and reused RSA public keys across a collection of over 315 million certificates and over 13 million SSH keys gathered over several years, analyzes the cryptographic weaknesses of the duplicate certificates and reused keys, and investigates the reasons for and sources of reuse. The results reveal that certificate and key sharing are common and persistent: over 10 million certificates and 17 million public keys are reused across time and shared between the collections, and keys with non-compliant cryptographic elements remain available for an extended period of time.

The widespread adoption of Android apps has led to increasing concern about the reuse of digital certificates. Android app developers sign their applications with digital certificates, and users trust an app when they recognize its owner as identified by the certificate it is signed with. Although the presence of cryptographic misuse has been acknowledged by several studies, its extent and characteristics are not well understood. This study performs a detailed analysis of code-signing certificate reuse across the Android ecosystem and malware binaries, on a collection of over 19 million certificates and over 9 million keys extracted from PE files and Android applications collected over several years. The results reveal that, despite the growth of the Android ecosystem, the misuse of cryptographic elements is common and persistent. The findings uncover several issues and enable us to propose a series of practical solutions to the observed security flaws.
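As an added example (not code from the thesis or its authors), the following Python sketches the kind of pipeline the abstract describes: it fingerprints RSA public keys from a TLS certificate collection and an SSH key collection with one canonical encoding (the ssh-rsa wire blob) so the same (n, e) can be matched across both, groups reused keys, flags non-compliant parameters, and runs pairwise GCD over the distinct moduli to catch keys that share a prime factor. The corpus is constructed from Mersenne primes so every finding is deliberate and checkable; the record layout, identifiers, and the compliance thresholds (2048-bit modulus, odd e greater than 2^16, as in FIPS 186-4) are assumptions of this example, not the thesis's.

```python
"""Detect reused, cross-collection, factorable and non-compliant RSA public keys.

Added example; the record format and thresholds below are assumptions.
"""
from __future__ import annotations

import hashlib
import struct
from itertools import combinations
from math import gcd


def mersenne(k: int) -> int:
    """2^k - 1; every exponent used below is a known Mersenne-prime exponent."""
    return (1 << k) - 1


# Constructed sample corpus (not data from the thesis). Each record is a
# (collection, identifier, modulus n, public exponent e) tuple.
N_A = mersenne(1279) * mersenne(2203)   # 3482-bit modulus, reused three times below
N_B = mersenne(2203) * mersenne(2281)   # shares the prime 2^2203-1 with N_A
N_C = mersenne(521) * mersenne(607)     # 1128-bit modulus: below the 2048-bit floor
N_D = mersenne(3217) * mersenne(4253)   # large enough, but paired with an even exponent

SAMPLE_RECORDS = [
    ("tls", "cert-1", N_A, 65537),
    ("tls", "cert-2", N_A, 65537),      # same key as cert-1: a duplicate certificate
    ("tls", "cert-3", N_B, 65537),
    ("tls", "cert-4", N_C, 3),          # short modulus and small exponent
    ("ssh", "ssh-1", N_A, 65537),       # same key as cert-1, now as an SSH host key
    ("ssh", "ssh-2", N_D, 65538),       # even exponent: not a valid RSA public key
]

MIN_MODULUS_BITS = 2048      # assumed compliance floor for the modulus
MIN_PUBLIC_EXPONENT = 65537  # FIPS 186-4: e odd and e > 2^16


def mpint(x: int) -> bytes:
    """RFC 4251 mpint: length-prefixed big-endian two's complement (non-negative x)."""
    raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # +8 keeps a 0x00 pad when the top bit is set
    return struct.pack(">I", len(raw)) + raw


def ssh_rsa_blob(n: int, e: int) -> bytes:
    """ssh-rsa public key wire encoding: string "ssh-rsa", mpint e, mpint n."""
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + mpint(e) + mpint(n)


def fingerprint(n: int, e: int) -> str:
    """SHA-256 over the ssh-rsa blob (what OpenSSH hashes), rendered as hex here.

    One canonical encoding for keys pulled out of X.509 SubjectPublicKeyInfo and
    out of SSH key files is what lets the same (n, e) match across collections.
    """
    return "SHA256:" + hashlib.sha256(ssh_rsa_blob(n, e)).hexdigest()


def compliance_issues(n: int, e: int) -> list[str]:
    """Parameter checks a validator would reject; names are this example's own."""
    issues = []
    if n.bit_length() < MIN_MODULUS_BITS:
        issues.append("modulus_too_short")
    if n % 2 == 0:
        issues.append("even_modulus")
    if e % 2 == 0:
        issues.append("even_exponent")
    if e < MIN_PUBLIC_EXPONENT:
        issues.append("small_exponent")
    return issues


def reuse_groups(records) -> dict[str, list[tuple[str, str]]]:
    """Group records by key fingerprint; keep only fingerprints seen more than once."""
    groups: dict[str, list[tuple[str, str]]] = {}
    for collection, ident, n, e in records:
        groups.setdefault(fingerprint(n, e), []).append((collection, ident))
    return {fp: members for fp, members in groups.items() if len(members) > 1}


def cross_collection_reuse(records) -> dict[str, list[tuple[str, str]]]:
    """Reused fingerprints that span more than one collection (e.g. TLS and SSH)."""
    return {fp: members for fp, members in reuse_groups(records).items()
            if len({c for c, _ in members}) > 1}


def shared_factors(records) -> list[tuple[str, str, int]]:
    """Pairwise GCD over distinct moduli; a non-trivial GCD factors both keys.

    Quadratic in the number of moduli, fine for a demo; at corpus scale use a
    batch-GCD product tree instead.
    """
    by_modulus: dict[int, str] = {}
    for _, ident, n, _ in records:
        by_modulus.setdefault(n, ident)  # first identifier seen per distinct modulus
    hits = []
    for (n1, id1), (n2, id2) in combinations(by_modulus.items(), 2):
        g = gcd(n1, n2)
        if g not in (1, n1, n2):
            hits.append((id1, id2, g))
    return hits


def analyze(records) -> dict:
    """Summary a measurement pipeline would emit for one snapshot of the corpus."""
    return {
        "reused": reuse_groups(records),
        "cross_collection": cross_collection_reuse(records),
        "shared_factors": shared_factors(records),
        "non_compliant": {ident: issues for _, ident, n, e in records
                          if (issues := compliance_issues(n, e))},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_RECORDS)
    for fp, members in report["reused"].items():
        print(f"{fp[:23]}... reused by {members}")
    for id1, id2, g in report["shared_factors"]:
        print(f"{id1} and {id2} share a {g.bit_length()}-bit prime factor")
    for ident, issues in report["non_compliant"].items():
        print(f"{ident}: {', '.join(issues)}")
```

Two points the toy corpus makes concrete: a duplicate certificate (cert-1, cert-2) and a cross-collection reuse (cert-1, ssh-1) are the same fingerprint collision and differ only in which collections the members come from, and a key can be fully compliant on its own (cert-3) yet broken by a shared prime with some other key in the corpus, which only a cross-key GCD reveals.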
dc.format.mimetype: application/pdf
dc.identifier.uri: https://hdl.handle.net/10388/15026
dc.language.iso: en
dc.subject: Cryptography, Digital Certificate, Communication Protocols, Peer-to-Peer Networks, Security Management, Security Services, PKI Ecosystem
dc.title: Measuring and characterizing weak RSA keys across PKI ecosystem
dc.type: Thesis
dc.type.material: text
thesis.degree.department: Computer Science
thesis.degree.discipline: Computer Science
thesis.degree.grantor: University of Saskatchewan
thesis.degree.level: Masters
thesis.degree.name: Master of Science (M.Sc.)

Files

Original bundle (1 file)
Name: NEZHADIAN-THESIS-2023.pdf
Size: 827.33 KB
Format: Adobe Portable Document Format

License bundle (1 file)
Name: LICENSE.txt
Size: 2.27 KB
Format: Plain Text