Measuring and characterizing weak RSA keys across PKI ecosystem
dc.contributor.advisor | Stakhanova, Natalia | |
dc.contributor.committeeMember | Eager, Derek | |
dc.contributor.committeeMember | Makaroff, Dwight | |
dc.creator | Nezhadian, Flor | |
dc.creator.orcid | 0009-0009-7206-8614 | |
dc.date.accessioned | 2023-09-21T21:55:38Z | |
dc.date.available | 2023-09-21T21:55:38Z | |
dc.date.copyright | 2023 | |
dc.date.created | 2023-08 | |
dc.date.issued | 2023-09-21 | |
dc.date.submitted | August 2023 | |
dc.date.updated | 2023-09-21T21:55:38Z | |
dc.description.abstract | The insecurities of public-key infrastructure on the Internet have been the focus of research for over a decade. The extensive presence of broken, weak, and vulnerable cryptographic keys has been repeatedly emphasized by many studies. Analyzing the security implications of vulnerabilities in cryptographic keys, several studies noted the presence of public key reuse. While the phenomenon of private key sharing has been extensively studied, the prevalence of public key sharing on the Internet remains largely unknown. This work performs a large-scale analysis of public key reuse within the PKI ecosystem. This study investigates the presence and distribution of duplicate X.509 certificates and reused RSA public keys across a large collection containing over 315 million certificates and over 13 million SSH keys collected over several years. This work analyzes the cryptographic weaknesses of duplicate certificates and reused keys and investigates the reasons for and sources of reuse. The results reveal that certificate and key sharing are common and persistent. The findings show that over 10 million certificates and 17 million public keys are reused across time and shared between the collections. Observations show that keys with non-compliant cryptographic elements stay available for an extended period of time. The widespread adoption of Android apps has led to increasing concerns about the reuse of digital certificates. Android app developers frequently depend on digital certificates to sign their applications, and users place their trust in an app when they recognize the owner identified by the same certificate. Although the presence of cryptographic misuse has been acknowledged by several studies, its extent and characteristics are not well understood. This study performs a detailed analysis of code-signing certificate reuse across the Android ecosystem and malware binaries on a collection of over 19 million certificates and over 9 million keys extracted from PE files and Android applications collected over several years. The results reveal that despite the growing nature of the Android ecosystem, the misuse of cryptographic elements is common and persistent. The findings uncover several issues and enable us to provide a series of applicable solutions to the observed security flaws. | |
dc.format.mimetype | application/pdf | |
dc.identifier.uri | https://hdl.handle.net/10388/15026 | |
dc.language.iso | en | |
dc.subject | Cryptography, Digital Certificate, Communication Protocols, Peer-to-Peer Networks, Security Management, Security Services, PKI Ecosystem | |
dc.title | Measuring and characterizing weak RSA keys across PKI ecosystem | |
dc.type | Thesis | |
dc.type.material | text | |
thesis.degree.department | Computer Science | |
thesis.degree.discipline | Computer Science | |
thesis.degree.grantor | University of Saskatchewan | |
thesis.degree.level | Masters | |
thesis.degree.name | Master of Science (M.Sc.) |