Signal-android: Insecure/Insufficient Signing Key Length

Created on 24 Jan 2020 · 7 Comments · Source: signalapp/Signal-Android

I am worried about the signing scheme applied to sign the apk files. (I assume it's the same for Windows and Mac as well)

Currently:
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key

My opinion:
1) This key length is too close to the most recent published successful RSA modulus factorizations.
According to Wikipedia https://en.wikipedia.org/wiki/Integer_factorization_records
795 bits in 2019. The budget of the publishers is insignificant in comparison to some well-known agencies. Assuming that 1024 bits are still secure is unwise.

2) Regarding the use of SHA1:
Google has advocated the deprecation of SHA-1 for many years. Collisions were found and forged as well. SHA1 is not a cryptographic building block. Better get rid of it immediately!

Since I deeply appreciate your work, I beg you to update your signing procedure.
Publish a PGP key with at least 2k bit security and sign the ENTIRE project's sha256 hash, as it's done commonly.

All 7 comments

I could not find your signing key somewhere.

Of course not, that key is kept private. Otherwise everyone could build a backdoored Signal and sign it with their official key so Android would accept it as being genuine.

According to APK Info the key uses a SHA-256 hash.

The apk uses 3 signatures, v1, 2 and 3. If you want the apk to work on Android 6 and below it needs to be also signed with jarsigner according to https://source.android.com/security/apksigning/v2

Thanks for the info!
A signing key consists of two parts. One is public and one is supposed to be kept private. If someone writes "I could not find your key", he or she usually refers to the public part.

According to APK Info the key uses a SHA-256

keytool -list -printcert -jarfile Signal-website-release-4.1X.apk tells me it's sha1

A public key does not have a hash, that's something completely different. You can calculate any hash from the public key, even CRC32 if you like. Your command on the latest apk shows me this:

keytool -list -printcert -jarfile Signal-Android-play-armeabi-v7-4.53.7.apk
Signer #1:

Signature:

Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pittsburgh, ST=PA, C=US
Serial number: 4bfbebba
Valid from: Tue May 25 17:24:42 CEST 2010 until: Tue May 16 17:24:42 CEST 2045
Certificate fingerprints:
         MD5:  D9:0D:B3:64:E3:2F:A3:A7:BD:A4:C2:90:FB:65:E3:10
         SHA1: 45:98:9D:C9:AD:87:28:C2:AA:9A:82:FA:55:50:3E:34:A8:87:93:74
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

AFAIK the SHA1withRSA is mandatory for Android apk signing, at least for the v1 signatures. But please correct me if I'm wrong here.
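
An added example, not code from the thread or from Signal: a small Python check that parses `keytool -printcert` output like the block quoted above, rejoins terminal-wrapped lines, and flags the two properties this issue is about. The 2048-bit RSA floor follows the request in the opening post; the DSA and EC floors, the field list and the function names are assumptions of this example.

```python
import re

# Certificate block from the keytool run in the thread (abridged), wrapped at 80 columns.
SAMPLE = """\
Owner: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pit
tsburgh, ST=PA, C=US
Issuer: CN=Whisper Systems, OU=Research and Development, O=Whisper Systems, L=Pi
ttsburgh, ST=PA, C=US
Serial number: 4bfbebba
Certificate fingerprints:
         SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0:EA:FB:A2:DA:35:
AF:35:C1:64:16:FC:44:62:76:BA:26
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
"""

KEYS = ("Owner", "Issuer", "Serial number", "Valid from", "Certificate fingerprints", "MD5",
        "SHA1", "SHA256", "Signature algorithm name", "Subject Public Key Algorithm", "Version")
FIELD = re.compile(r"^\s*(" + "|".join(KEYS) + r"):\s*(.*)$")
MIN_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}  # assumed policy floors for this example
WEAK_DIGESTS = ("MD5", "SHA1")

def parse_printcert(text):
    """Map keytool field names to values; a line without a known field name continues the last one."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif line.strip() and last:
            fields[last] += line.strip()  # hard wrap: "AF:35:..." is data, not a field
    return fields

def audit(fields):
    """Return findings for a key below the floor or a certificate signed over MD5/SHA-1."""
    findings = []
    m = re.match(r"(\d+)-bit (\w+)", fields.get("Subject Public Key Algorithm", ""))
    if not m:
        findings.append("public key algorithm not reported")
    elif m.group(2) not in MIN_BITS:
        findings.append(f"unrecognised key type {m.group(2)}")
    elif int(m.group(1)) < MIN_BITS[m.group(2)]:
        findings.append(f"{m.group(2)} key is {m.group(1)} bits, floor is {MIN_BITS[m.group(2)]}")
    sig = fields.get("Signature algorithm name", "")
    if sig.upper().split("WITH")[0] in WEAK_DIGESTS:
        findings.append(f"certificate signed with {sig}")
    return findings
```
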

Thank you again. Yes, hash functions and asymmetric crypto are tools which rely on different assumptions, however often used in combination.

AFAIK the SHA1withRSA is mandatory for Android apk signing. at least for the v1 signatures.

So you're indicating that it's mandatory for Signal to have a highly vulnerable distribution mechanism? But please correct me if I'm wrong here.

Android 9 supports APK Signature Scheme v3, and with the APK key rotation feature the 1024 bit key could be upgraded.

Supported keys sizes and EC curves:
RSA: 1024, 2048, 4096, 8192, 16384
EC: NIST P-256, P-384, P-521
DSA: 1024, 2048, 3072

https://source.android.com/security/apksigning/v2
https://source.android.com/security/apksigning/v3

Thank you Safari! So Signal uses version 3 with the weakest possible choice of signing key length and a self-signed certificate.
(DSA 1024 might be less secure, but I didn't check whether solving DLP is harder than factoring)

RSA 1024 and SHA-1 are not secure for signing production releases. Please upgrade the APK signing key ASAP. Alternatively, please provide hashes of APK releases signed using stronger cryptographic primitives. Ref: https://github.com/signalapp/Signal-Android/issues/6833
