When Textbook RSA is Used to Protect the Privacy of Hundreds of Millions

of Users

Jeffrey Knockel Thomas Ristenpart Jedidiah R. Crandall

Dept. of Computer Science Cornell Tech Dept. of Computer Science
University of New Mexico [email protected] University of New Mexico
[email protected] [email protected]
arXiv:1802.03367v1 [cs.CR] 9 Feb 2018

Abstract The pedagogical value of attacking very poor cryp-

We evaluate Tencent’s QQ Browser, a popular mobile tography comes from simplicity. For example, one of
browser in China with hundreds of millions of users— the contributions of this paper is an adaptive chosen-
including 16 million overseas, with respect to the threat ciphertext attack (CCA2) on a real-world RSA imple-
model of a man-in-the-middle attacker with state ac- mentation that can be easily understood by, e.g., intro-
tor capabilities. This is motivated by information in ductory cybersecurity class students.
the Snowden revelations suggesting that another Chinese Through reverse engineering, we have documented
mobile browser, UC Browser, was being used to track the encryption protocols used by QQ Browser to protect
users by Western nation-state adversaries. the trove of sensitive information each client uploads to
Among the many issues we found in QQ Browser that QQ Browser’s servers (this is summarized in Section 2).
are presented in this paper, the use of “textbook RSA”— This sensitive information includes International Mobile
that is, RSA implemented as shown in textbooks, with Equipment Identifier (IMEI) numbers, web pages vis-
no padding—is particularly interesting because it affords ited, locational data, and many other kinds of private data
us the opportunity to contextualize existing research in about a QQ Browser user. The possibility that Tencent
breaking textbook RSA. We also present a novel attack shares this information with state actors is explored in
on QQ Browser’s use of textbook RSA that is distin- existing reports [15], and QQ Browser’s data collection
guished from previous research by its simplicity. We em- mirrors competing browsers such as UC Browser [12]
phasize that although QQ Browser’s cryptography and and Baidu Browser [14]. In this paper we consider a dif-
our attacks on it are very simple, the impact is serious. ferent threat model, that of attacks by a state actor on QQ
Thus, research into how to break very poor cryptography Browser’s cryptography implementation so that the state
(such as textbook RSA) has both pedagogical value and actor does not require Tencent’s complicity to violate
real-world impact. user privacy. This is motivated by reports [1, 21] that UC
Browser’s poor cryptography was being exploited by the
1 Introduction Five Eyes intelligence agencies1 to index that browser’s
Research into “real-world” cryptography often focuses users by IMEI. Note that QQ Browser has over 16 mil-
on relatively hard targets, such as SSL/TLS [2] or lion users that are outside of China.
ASP.NET [10]. Certain market segments, however, hide One set of vulnerabilities that we present (in Sec-
much softer targets behind the veil of security-through- tion 3) would easily enable indexing of QQ Browser’s
obscurity. Analyzing the cryptography of these self- users by IMEI and decryption of private data transmit-
rolled, lower quality applications of cryptography has ted to QQ Browser’s servers. This set of attacks is based
value mainly in terms of impact and pedagogy. The im- on, e.g., QQ’s poor pseudorandom number generation,
pact can be great because, for a variety of reasons ranging use of hard-coded symmetric keys, and use of a 128-
from education to market forces, major software vendors bit RSA key in earlier versions. These attacks are par-
with hundreds of millions of users often implement very ticularly devastating, since they would allow any man-
poor cryptography, as we show in this paper. We present in-the-middle attacker, with minimal resources, to easily
QQ Browser, a browser developed by Chinese company decrypt all sessions completely passively and offline.
Tencent, as a case study and identify research opportu- The second set of vulnerabilities (presented in Sec-
nities that are specific to the kinds of exploits that are 1 Australia, Canada, New Zealand, the United Kingdom, and the
useful for this type of market segment. United States.

1
tion 4) is centered around QQ Browser’s use of textbook 2 QQ Browser Cryptography
RSA. This affords us the opportunity to contextualize When users run QQ Browser on Android, it makes a se-
existing research on breaking textbook RSA and present ries of what QQ Browser interally terms as “WUP re-
a novel attack on QQ Browser that is exceptionally sim- quests” to QQ Browser’s server. These WUP requests
ple. This CCA2 attack allows an attacker to decrypt any contain information such as a user’s International Mobile
session by making 128 of their own connections to QQ Equipment Identifier (IMEI), International Mobile Sub-
Browser’s servers to crack the session key. This is a very scriber Identification (IMSI), QQ username, WiFi MAC
serious flaw, but would not scale to indexing all users by address, SSID of connected WiFi access point and of all
IMEI and is not a passive, offline attack. in-range access points, Android ID, URLs of all web-
The third set of vulnerabilities (presented in Section 5) pages visited, and other private information. More de-
is even more severe, because they would, in some cases, tails about WUP requests are available in the report by
allow a man-in-the-middle attacker to take complete con- Knockel et al. [15] which analyzes version 6.3.0.1920 of
trol over a user’s device. We analyze QQ Browser’s up- QQ Browser. Here we focus on the encryption protocol
date mechanisms for both Android and Windows. of the version of QQ Browser that Tencent released as
Our specific contributions are: a response to the vulnerabilities identified in that report.
The main vulnerability that they fixed that is relevant to
• We demonstrate an extremely simple attack on
the attacks that we present is that they increased the size
QQ Browser’s pseudorandom number generator
of the RSA key from 128 bits to 1024 bits. Before this
(PRNG) that would enable a state actor, or any other
fix using factorization to crack the private key took less
man-in-the-middle attacker, to easily decrypt any
than a second on Wolfram Alpha.
sessions that they were able to record from the net-
Specifically, we analyzed version 6.5.0.2170 of QQ
work. This would be the easiest way to decrypt
Browser for Android. This version, and the updated QQ
all sessions offline and index them by IMEI. We
Browser server, implement the following steps to encrypt
also discuss how previous versions of QQ Browser
WUP requests from the client to the server:
used hard-coded symmetric session keys and 128-
bit RSA keys. 1. First, the client generates a 128-bit AES session key
for the session, using a pseudorandom number gen-
• We present an exceptionally simple CCA2 attack on erator (PRNG) seeded with the current time in mil-
QQ Browser’s implementation of RSA, which is an liseconds since the Unix epoch.
example of “textbook RSA” being used to protect
the private data of hundreds of millions of users. 2. Then, the client encrypts this session key using a
This attack has pedagogical value because of its 1024-bit RSA public key. The public key has expo-
real-world impact and simplicity, and is novel. nent 65537, and the RSA implementation is “text-
book RSA,” meaning that no form of padding—
• We re-evaluate Boneh et al.’s [7] meet-in-the- such as OAEP [3]—is applied at all.
middle style attack on textbook RSA for 128-bit key
sizes and modern understandings of state actor ca- 3. The client uses the AES session key to encrypt the
pabilities. We find that this attack, which would be WUP request, in ECB mode.
attractive because it is passive and offline, does not 4. The client sends the RSA-encrypted AES session
scale to 128-bit symmetric session keys. key and the encrypted WUP request to the server.

• We present man-in-the-middle attacks on the update 5. The server decrypts the RSA-encrypted AES key it
mechanisms of both the Android and Windows ver- received from the client using its private key, then
sions of QQ Browser. Taken in the context of simi- chooses the least significant 128 bits of the plaintext
lar attacks from previous work, we find that patterns to be the AES session key.
emerge where man-in-the-middle attackers can de-
6. The server decrypts the WUP request using the AES
velop powerful attack primitives.
session key that it obtained via RSA decryption.
Finally, we put these vulnerabilities and related ex- 7. If the AES ciphertext received from the client de-
ploits in the context of related work in Section 6, and crypts to a valid WUP request correctly, the server
find that more research is needed in certain areas of in- sends an AES-encrypted response using the AES
quiry to address the problem of poor security and privacy session key (also using ECB mode).
practices in specific (but very large and important) mar-
ket segments. This is followed by a brief summary in the We reiterate the following important points about this
conclusion. protocol because they will be relevant to the attacks:

2
 • The only entropy source used by the client to choose \x25\x92\x3c\x7f\x2a\xe5\xef\x92
the AES session key is the current time in millisec-
onds. for DES encryption of the mobile device’s WiFi adapter
MAC address.
• The client encrypts with the session key first, and Unlike in version 6.5.0.2170 where the AES session
the server only responds if the client’s request is key is used for both WUP requests and their responses, in
properly encrypted with the correct AES key that version 6.3.0.1920 the session key is only used for the re-
the client sent to the server with RSA encryption. quests. Responses from the server are sent using a mod-
ified version of the Tiny Encryption Algorithm (TEA) in
• The server “chops off” all but the 128 least signifi-
a modified CBC block cipher mode. The following hard-
cant bits of the decrypted RSA plaintext, with these
coded ASCII-encoded key is used:
128 least significant bits becoming the 128-bit AES
session key and all the other bits being ignored. sDf434ol*123+-KD

3 Passive, Offline attacks QQ Browser has at least an attempted implementation

In this section, for completeness, we present vulnerabili- of asymmetric cryptography, distinguishing it from less
ties in QQ Browser that are devastating in the sense that security-conscious browsers such as UC Browser [12]
they allow all sessions to be decrypted completely of- and Baidu Browser [14].
fline. 3.4 PRNG attack in QQ Browser
3.1 PRNG attack in QQ Browser 6.5.0.2170 for Android
6.3.0.1920 for Android The most recent vulnerability, the attack for which
As described in a previous report [15] analyzing QQ we will refer to as the PRNG attack, is that the
Browser version 6.3.0.1920, that version’s PRNG algo- AES key randomly generated for each WUP re-
rithm, shown in in Figure 1, decreases the entropy of the quest is generated using a random number generator
AES session key used by the client for WUP requests (java.util.Random) seeded with the current time in mil-
from the normal 2128 to 899999992 < 253 . This vul- liseconds (java.lang.System.currentTimeMillis()) before
nerability was rendered moot by the fact that this session generating every key (this is shown in Figure 2.) Thus,
key is protected by a 128-bit RSA key. to guess the key, one must know only the time that the
key was generated, which can be approximated by the
3.2 128-bit RSA key in QQ Browser time that the WUP request was observed being transmit-
6.3.0.1920 ted. By observing a WUP request and using the time
Although QQ Browser distinguishes itself from compet- of its observation and simultaneously searching forward
ing browsers by attempting to implement asymmetric and backward from that time, we were able to guess the
cryptography, the RSA key in version 6.3.0.1920 was correct AES key in fewer than 70,000 guesses, i.e., the
128 bits long and is easily factored using Wolfram Al- key had been generated within 35,000 milliseconds.
pha or a factorization library: To resolve this vulnerability, QQ Browser can use the
java.security.SecureRandom random number generator
245406417573740884710047745869965023463 with no explicitly passed seed (i.e., with the no-args con-
= 14119218591450688427 · 17381019776996486069. structor).

To resolve this vulnerability, QQ Browser increased

4 Active Attacks on QQ Browser’s Use of
the RSA key size to 1024 bits in version 6.5.0.2170, but Textbook RSA
the implementation of RSA is still textbook RSA with In this section, we explore attacks on QQ Browser’s use
no padding of any kind, leading to attacks on RSA’s mal- of textbook RSA.
leability as we discuss in Section 4. Note that even 1024-
bit RSA keys are considered to be too short for modern 4.1 CCA2 attack
attackers, and RSA keys of 2048 bits or more are gener- The first attack, which we refer to as the CCA2 attack,
ally recommended. results from the fact that no key padding such as OAEP
is used when encrypting the AES key with RSA. Be-
3.3 Hard-coded symmetric keys in QQ
cause of this, we are able to leverage the malleability of
Browser 6.3.0.1920 RSA to perform a chosen ciphertext attack to guess the
As described in a previous report [15], QQ Browser ver- AES key one bit at a time. The threat model for this
sion 6.3.0.1920 does use hard-coded symmetric keys in attack is an attacker with the ability to record a user’s en-
some places, such as crypted session from the network. We call the client that

3
 int i = 10000000 + new Random().nextInt(89999999);
int j = 10000000 + new Random().nextInt(89999999);
return (String.valueOf(i) + String.valueOf(j)).getBytes();
Figure 1: Decompiled Java method generating an AES session key in version 6.3.0.1920.

Random random = new Random(System.currentTimeMillis());

byte[] bArr = new byte[8];
byte[] bArr2 = new byte[8];
random.nextBytes(bArr);
random.nextBytes(bArr2);
return new SecretKeySpec(ByteUtils.mergeByteData(bArr, bArr2), "AES");
Figure 2: Decompiled Java method generating an AES session key in version 6.5.0.2170.

the user is using the victim client. After recording the that the bit was zero, since it was able to decrypt our
user’s session, the attacker wants to determine the AES request. If not, the bit must have been a one. After we
key used for the WUP session so that they can decrypt know this bit, we consider C126 and guess the next bit
it. The attacker accomplishes this by making a series (note that we know one of C126 ’s bits from C127 ). We
of connections, using its own client, to the QQ Browser repeat this process for each bit of the AES key. In total,
server and attempting encrypted communications with this requires 128 guesses, since the AES key is 128 bits
the server with a series of transformed RSA ciphertexts and each request reveals one bit of the key. By using this
to gain information about the original key used by the approach, we can iteratively learn every bit of the AES
victim client. key.
Let C be the RSA encryption of 128-bit AES key k Recall from Section 2 that the server only responds if
with RSA public key (n, e). Thus, we have the client sends a properly encrypted WUP request. If the
server sent predictable plaintext encrypted with the ses-
C ≡ ke (mod n) sion key from the client without first checking the client’s
request to make sure it decrypts properly, we could infer
Now let Cb be the RSA encryption of the AES key more than one bit at a time by chopping off, e.g., 16 or
32 bits and performing a brute-force attack on the plain-
kb = 2b k
text/ciphertext pairs obtained from the server. However,
i.e., k bitshifted to the left by b bits. Thus, we have the client must properly encrypt the WUP request for the
server to respond, so inferring the session key one bit at
Cb ≡ kb e (mod n) a time is the most efficient method of attack, which re-
quires 128 sessions to be initiated with the server by the
We can compute Cb from only C and the public key, as attacker.
As discussed in Section 6.2, we have implemented this
Cb ≡ C(2be mod n) (mod n) attack and tested it, and informed Tencent of the issue
e
≡ (k mod n)(2 be
mod n) (mod n) as per ethical disclosure standards. To resolve this is-
e be sue, QQ Browser can use the OAEP key padding algo-
≡k 2 (mod n)
rithm to encrypt all AES keys. However, we recommend
b e
≡ (2 k) (mod n) that they use a well-tested implementation of SSL/TLS
≡ kb e (mod n) to communicate all WUP requests as this would not only
fix this and other issues (such as the PRNG attack), but
The third line follows from the fundamental property of also any other undiscovered issues in their cryptographic
multiplication in modular arithmetic. implementation.
We begin the attack by considering C127 . It is the RSA
encryption of k127 , the AES key where every bit but the 4.2 Offline attacks on textbook RSA
highest bit are necessarily zero and where k127 ’s highest The CCA2 attack on QQ Browser is powerful in the
bit is k’s lowest bit (recall that the QQ Browser server sense that a man-in-the-middle attacker can record a
ignores all but the lowest 128 bits of the decrypted key). user’s session and then easily recover the session key by
We first guess that k127 ’s high bit is zero and send a WUP testing bits via 128 connections to QQ Browser’s server.
request with C127 and encrypt the request with the key For a state actor that wants to decrypt all sessions and in-
where that bit is zero. If the server responds, that means dex them by IMEI, however, this is not ideal since over

4
 Bit-length m m1 m2 Probability than two factors. Also, it may be possible to combine at-
32 32 17% tacks that reduce the entropy of the session key with this
33 33 29% attack. Lastly, it may be possible in the CCA2 attack
64
34 34 33% to use RSA’s malleability in combination with Boneh
30 36 40% et al.’s meet-in-the-middle style attack to hide from QQ
64 64 15% Browser’s server which session key is being cracked.
66 66 28%
128
68 68 34%
5 Attacks on QQ Browser’s Update Mech-
60 72 39% anisms for Arbitrary Code Execution
In this section we discuss attacks on QQ Browser’s up-
Table 1: Experimental probabilities of splitting into two date mechanisms, which are even more serious than at-
factors. tacks on QQ Browser’s cryptography in the sense that
any man-in-the-middle attacker (including state actors)
could execute arbitrary code on a targeted user’s ma-
99% of the traffic to QQ Browser’s server would be gen- chine. We first discuss a straightforward attack on the
erated by the attacker. For this reason, we investigated mobile version of QQ Browser’s update process. Then,
known offline attacks on textbook RSA, finding that they although we have discussed only the mobile version of
would not be practical for attacking QQ Browser. QQ Browser in this paper thus far, we then discuss
Boneh et al. [7] demonstrate a meet-in-the-middle the update mechanism in the Windows version of QQ
style attack on textbook RSA, that is based on the ob- Browser for desktop PCs. Market share data is unavail-
servation that for an encrypted RSA message c ≡ M e able for the Windows version, suggesting that it has far
(mod N ), if we can find small enough integers M1 ≤ short of the hundreds of millions of users that its mo-
2m1 and M2 ≤ 2m2 such that M = M1 · M2 , then: bile counterpart has. However, together with the vulner-
ability in the mobile version, we present three increas-
c ingly sophisticated attacks on QQ Browser’s update pro-
≡ M1 e (mod N )
M2 e cess that demonstrate how digital signature verification
By building a table with 2m1 +1 · max(m1 , m2 ) bits of of downloaded software is insufficient to secure an up-
memory and performing 2m2 modular exponentiations, date process against active man-in-the-middle attacks.
messages (i.e., session keys) can be recovered if they can 5.1 Attack on mobile version updates
be written as M = M1 · M2 . The table and search are
per modulus and exponent, so for a single RSA scheme The mobile version of QQ Browser checks for and in-
(such as QQ Browser’s) the work would only need to be stalls updates as follows:
done once and all sessions could be decrypted. 1. The browser makes a WUP request to the update
Table 1 shows the probabilities that a random 64- or server containing the current version of the browser
128-bit number, m, can be written as M = M1 ·M2 such and asking if there are any updates available.
that M1 ≤ 2m1 and M2 ≤ 2m2 . The data for 64-bit num-
bers nearly matches the corresponding probabilities from 2. The server’s response contains a URL to an APK2
Table 1 of Boneh et al. [7], and are only presented here and an MD5 hash of the APK file. (If no update is
for verification and comparison purposes. We generated available, the server returns a response containing
data for 128-bit numbers because that is the size of QQ no update information and the update process halts.)
Browser’s AES session keys. In terms of the underlying
assumption of Boneh et al.’s attack about factoring M , 3. The browser downloads the APK.
the attack is applicable to QQ Browser’s 128-bit session 4. The browser computes its MD5 hash and verifies it
keys. The resources necessary to carry out the attack are against the one provided by the server. (If the hashes
probably out of the reach of even a state actor, however. mismatch, the browser displays an error message
For example, for m1 = m2 = 64 and m = 128, the at- and the update process halts.)
tack would require a table of size 295,148 petabytes and
264 modular exponentiations. 5. The browser executes the ACTION_VIEW Android
We discuss Boneh et al.’s attack here because we an- intent against the downloaded APK.
ticipate that in certain market segments textbook RSA
with smaller session key sizes may be common. We note At this point, the Android operating system takes over.
that implementations of ElGamal may be susceptible to Under normal conditions, the system will present a UI
attacks for 128-bit session keys, since the attack on El- 2 An
APK is an Android Application Package, a file format used by
Gamal presented by Boneh et al. can be split into more the Android operating system for distributing mobile apps.

5
asking the user whether to upgrade QQ Browser to a 2. The server’s unencrypted JSON response contains a
newer version. However, other prompts are possible de- URL to an EXE3 , an MD5 hash of an EXE file, and
pending on the APK the browser downloads that a man- the name of the file to save the file as. (If no update
in-the-middle attacker may exploit. Android requires is available, the server returns a response containing
that an APK upgrading an app be signed with the same no update information and the update process halts.)
key as that of the currently installed APK, so an at-
tacker cannot simply upgrade QQ Browser to arbitrary 3. The browser downloads the EXE and saves it in a
code. Moreover, Android also does not allow installing temporary directory using the file name provided by
any APK that would downgrade an app, and so a down- the server.
grade attack is not possible. However, if the downloaded
4. The browser computes its MD5 hash and verifies it
APK is for a different app than that of QQ Browser or
against the one provided by the server. (If the hashes
any other app currently installed, then the user will be
mismatch, the browser displays an error message
prompted to install the APK instead of upgrading QQ
and the update process halts.)
Browser. Although this requires user interaction, most
users would be unlikely to notice or appreciate the sig- 5. The browser verifies the EXE’s Authenticode digi-
nificance of being prompted to install a new package in- tal signature to ensure that it was signed by Tencent.
stead of upgrading an existing one, especially if the new (If it is not, the browser displays an error message
package were designed by an attacker to have the same and the update process halts.)
title and icon of QQ Browser.
In order for a man-in-the-middle attacker to cause the 6. The browser executes the downloaded EXE.
browser to prompt to install a malicious APK, the at-
5.2.1 Attack via directory traversal
tacker must cause the browser to download the malicious
APK and send the browser the corresponding hash. As Since the update metadata is not protected by any asym-
the URLs to APKs we observed being sent by the QQ metric cryptography, a man-in-the-middle attacker can
Browser server were all unencrypted HTTP, a man-in- modify any of it. One attack is possible by modifying
the-middle attacker could attack the APK download it- the field specifying the name of the file. We found that
self, but then the APK would not have the same MD5 this field is not sanitized by the browser to prevent di-
hash as that sent by the server. The feasibility of an rectory traversal. An attacker can overwrite any file on
attacker forging the MD5 hash depends on the version the user’s machine that the user has permission to over-
of QQ Browser requesting updates and the encryption it write. (Since the file is downloaded before it is verified,
uses for WUP requests. it need not have the correct digital signature nor even be
Version 6.3.0.1920 of the browser always receives re- an EXE file.) For instance, we found that by using the
sponses from the server encrypted with a symmetric, file name ../../../../../../../../../programfiles/
hard-coded key (see Section 3.3). In this version the tencent/qqbrowser/qqbrowser.exe, we were
attacker can respond to any WUP request to the up- able to overwrite the QQ Browser executable with an ar-
date server with a forged response containing a malicious bitrary program.4
APK URL and its corresponding MD5 hash. 5.2.2 Attack via other signed binaries
In later versions that use the AES session key to de-
We found another vulnerability in the update process that
crypt server responses, the attack requires a full man-in-
results from the fact that digital signature verification of
the-middle position or a man-on-the-side attacker who
an EXE file does not, in general, verify that the down-
can crack the session key fast enough using the attack
loaded EXE will perform its intended task such as up-
in Section 2 before the browser receives the real server’s
grading the browser. It only guarantees that the EXE
response. Alternatively, a man-on-the-side attacker can
was signed by Tencent, and so any EXE signed by Ten-
have already redirected all traffic via (e.g.) DNS redirec-
cent can be substituted to satisfy the check. We found an
tion and then perform a man-in-the-middle attack.
older web installer for QQ Browser signed by Tencent
5.2 Attack on Windows version updates that downloads an EXE unencrypted without any digital
signature verification. By first attacking QQ Browser to
The Windows version of QQ Browser checks for and in- download the web installer, and then attacking the web
stalls updates as follows:
3 Specifically, an EXE is a Windows Portable Executable (PE) for-

1. The browser sends an unencrypted JSON request mat binary program that can be executed on machines running the Win-
dows operating system.
to the update server containing the current version 4 Although backslashes are typically used as a path separator on
of the browser and asking if there are any updates Windows, the Windows kernel generally accepts forward slashes as a
available. path separator as well.

6
installer to download a malicious EXE, a man-in-the- in Section 3.1 will be very valuable during this transition
middle attacker can still attack the browser’s update pro- in order to keep “raising the bar.”
cess to run an arbitrary program even though the browser Lastly, attacks on update mechanisms could use a
verifies the downloaded program’s digital signature. This more formal treatment to survey the different attack
attack requires user interaction to run the web installer, primitives that are possible. Buffer overflows and other
but it is unlikely that a user would be surprised to have memory corruption vulnerabilities have seen consider-
to run an installer after checking for updates. More- able research to categorize different primitives to enable
over, there may exist an undiscovered Tencent-signed ex- advanced exploit techniques (see, e.g., Bratus et al. [8] or
ecutable that would download and execute code without Shacham [22]). Attacks on update mechanisms by man-
any required user interaction that would remove the re- in-the-middle attackers are not new, but they are becom-
quirement for user interaction from this attack. ing increasingly important as state actors build up their
capabilities to detect vulnerable update services [1, 21]
6 Discussion and Related Work and exploit them (see, e.g., [18]). Patterns emerge when
Here, we discuss opportunities for research and ethical QQ Browser’s vulnerabilities are taken in the context of
issues. existing work [13, 4], such as the re-use of code signed
by a company for other purposes as an exploit primitive.
6.1 Opportunities for research We believe that more research in this important area is
Although market segments such as Chinese mobile web needed.
browsers have very sophomoric cryptography implemen-
6.2 Ethical considerations
tations that lead to very simple attacks, there are several
interesting potential avenues of research. As pointed out With the exception of the respective vulnerabilities ex-
by Bratus et al. [8], an exploit serves as a constructive ploited in our PRNG attack and CCA2 attack, all vul-
proof that “unforeseen computations are indeed possi- nerabilities presented in this paper have been previously
ble.” Exploits also lend credibility to security concerns published [15], and before that they were subjected to a
and therefore have pedagogical value in relaying the im- 45-day vulnerability disclosure process in line with in-
portance of current best practices (cryptographic or oth- ternational standards on vulnerability disclosure [9]. We
erwise) to software developers, policy makers, the pub- reported the two vulnerabilities that are newly presented
lic, and others. Thus, research into exploiting vulnerabil- in this paper to Tencent (the developers of QQ Browser)
ities in less-developed (in terms of security and privacy) on 20 April 2016, so this paper is no longer emargoed as
market segments can have great value. Here, we point of 4 June 2016.
out potential avenues of research in this respect that are, We tested the CCA2 attack in Section 4.1 against QQ
in our opinion, under-served. Browser’s servers to verify that it worked. We cracked
First, we found that there are relatively few attacks session keys for three of our own test sessions. By send-
in the literature for textbook RSA. Boneh’s survey pa- ing QQ Browser’s servers ciphertexts that decrypted into
per [6] about attacks on RSA mostly covers different plaintexts that went beyond the 128-bit boundary of a
padding schemes and issues with, e.g., the choice of pub- typical session key we were putting QQ Browser’s server
lic exponent. Existing CCA2 attacks on RSA implemen- at no more than usual risk of denial-of-service than any
tations [2, 10, 20, 11, 17] are all Bleichenbacher-style at- other public-facing web server.
tacks [5]. Two exceptions are Boneh et al. [7] (discussed
in Section 4.2) and Kühn [16]. The latter presents attacks 7 Conclusion
that are similar to our CCA2 attack, but for schemes that In summary, we have presented three classes of attacks
are de-facto padding schemes. To the best of our knowl- against QQ Browser, a piece of software that has hun-
edge, our CCA2 attack is the simplest and possibly the dreds of millions of users and collects and transmits a
only published attack for a real implementation of RSA wide array of private data about them. The first class of
that has no padding. attacks allowed offline, passive decryption of all sessions
Second, research into combining PRNG vulnerabili- recorded. The second class of attacks was based on QQ
ties with other attacks, such as Boneh et al. [7], could Browser’s use of plaintext RSA and included a CCA2
be very valuable for demonstrating the exploitability of attack that allowed decryption of targeted sessions via
more subtle PRNG issues such as those reported by 128 active connections to QQ Browser’s servers. The
Michaelis et al. [19]. We anticipate that the evolution third class of attacks enabled arbitrary code execution by
from the current state of cryptography in markets such a man-in-the-middle attacker. All three classes of attacks
as Chinese mobile browsers to current best practices will are very serious and illustrate the importance of further
be a gradual evolution, and attacks that exploit conver- research into attack techniques and primitives that are
sion issues such as DecryptoCat [23] or what we showed common to the emerging threats posed by state actors,

7
especially in market segments where security and privacy [9] Vulnerability Disclosure Policy. https:
best practices are underdeveloped. //www.cert.org/vulnerability-analysis/vul-
disclosure.cfm.
Acknowledgments
This material is based upon work supported by the Na- [10] D UONG , T., AND R IZZO , J. Cryptography in
tional Science Foundation under Grant Nos. #1518523 the web: The case of cryptographic design flaws
and #1518878. Kenny Paterson provided useful insights in ASP.NET. In Proceedings of the 2011 IEEE
on attacking QQ Browser’s RSA implementation. Symposium on Security and Privacy (Washington,
DC, USA, 2011), SP ’11, IEEE Computer Society,
References pp. 481–489.
[1] A MBER H ILDEBRANDT AND DAVE S EGLINS.
[11] JAGER , T., AND S OMOROVSKY, J. How to break
Spy agencies target mobile phones, app
XML encryption. In Proceedings of the 18th ACM
stores to implant spyware. Available at
Conference on Computer and Communications Se-
http://www.cbc.ca/news/canada/spy-agencies-
curity, CCS 2011, Chicago, Illinois, USA, October
target-mobile-phones-app-stores-to-implant-
17-21, 2011 (2011), pp. 413–422.
spyware-1.3076546.
[12] JAKUB DALEK et al. A Chatty Squirrel: Privacy
[2] AVIRAM et al. DROWN: Breaking TLS us- and Security Issues with UC Browser. Citizen Lab
ing SSLv2. Available at https://drownattack.com/ report, available at https://citizenlab.org/2015/05/
drown-attack-paper.pdf. a-chatty-squirrel-privacy-and-security-issues-with
[3] B ELLARE , M., AND ROGAWAY, P. Optimal asym- -uc-browser/.
metric encryption–How to encrypt with RSA. Ad- [13] K NOCKEL , J., AND C RANDALL , J. R. Protect-
vances in Cryptology–EUROCRYPT’94, 1994. ing free and open communications on the Internet
against man-in-the-middle attacks on third-party
[4] B ELLISSIMO , A., B URGESS , J., AND F U , K. Se-
software: We’re FOCI’d. In FOCI 12: Proceedings
cure software updates: Disappointments and new
of the 2nd USENIX Workshop on Free and Open
challenges. In Proceedings of the 1st USENIX
Communications on the Internet (2012).
Workshop on Hot Topics in Security (Berkeley, CA,
USA, 2006), HOTSEC’06, USENIX Association, [14] K NOCKEL , J., M C K UNE , S., AND S ENFT, A.
pp. 7–7. Baidu’s and Don’ts: Privacy and Security Is-
sues in Baidu Browser. Citizen Lab report,
[5] B LEICHENBACHER , D. Chosen ciphertext attacks
available at https://citizenlab.org/2016/02/privacy-
against protocols based on the rsa encryption stan-
security-issues-baidu-browser/.
dard pkcs #1. In Proceedings of the 18th Annual
International Cryptology Conference on Advances [15] K NOCKEL , J., S ENFT, A., AND D EIBERT, R.
in Cryptology (London, UK, UK, 1998), CRYPTO WUP! There It Is: Privacy and Security Issues
’98, Springer-Verlag, pp. 1–12. in QQ Browser. Citizen Lab report, available
at https://citizenlab.org/2016/03/privacy-security-
[6] B ONEH , D. Twenty years of attacks on the RSA
issues-qq-browser/.
cryptosystem. NOTICES OF THE AMS 46 (1999),
203–213. [16] K ÜHN , U. Side-channel attacks on textbook RSA
and ElGamal encryption. Public Key Cryptogra-
[7] B ONEH , D., J OUX , A., AND N GUYEN , P. Q. Why phy — PKC 2003: 6th International Workshop on
textbook ElGamal and RSA encryption are inse- Practice and Theory in Public Key Cryptography
cure. In the Proceedings of Advances in Cryptology Miami, FL, USA, January 6–8, 2003 Proceedings,
— ASIACRYPT 2000: 6th International Conference 324–336.
on the Theory and Application of Cryptology and
Information Security, Kyoto, Japan, December 3– [17] K UPSER , D., M AINKA , C., S CHWENK , J., AND
7, 2000 (2000), 30–43. S OMOROVSKY, J. How to break XML encryption –
automatically. In 9th USENIX Workshop on Offen-
[8] B RATUS , S., L OCASTO , M. E., PATTERSON , sive Technologies (WOOT 15) (Washington, D.C.,
M. L., S ASSAMAN , L., AND S HUBINA , A. Ex- Aug. 2015), USENIX Association.
ploit Programming: From Buffer Overflows to
"Weird Machines" and Theory of Computation. ;lo- [18] M ARCZAK , B., W EAVER , N., DALEK , J., E N -
gin: issue: December 2011, Volume 36, Number 6. SAFI , R., F IFIELD , D., M C K UNE , S., R EY, A.,

8
 S COTT-R AILTON , J., D EIBERT, R., AND PAX -
SON , V. An analysis of China’s “Great Cannon”. In
5th USENIX Workshop on Free and Open Commu-
nications on the Internet (FOCI 15) (Washington,
D.C., Aug. 2015), USENIX Association.

[19] M ICHAELIS , K., M EYER , C., AND S CHWENK ,

J. Randomly failed! The state of randomness
in current Java implementations. In Proceed-
ings of the 13th International Conference on Top-
ics in Cryptology (Berlin, Heidelberg, 2013), CT-
RSA’13, Springer-Verlag, pp. 129–144.

[20] R IZZO , J., AND D UONG , T. Practical padding or-

acle attacks. In Proceedings of the 4th USENIX
Workshop on Offensive Technologies (Berkeley,
CA, USA, 2010), WOOT’10, USENIX Associa-
tion.

[21] RYAN G ALLAGHER. NSA Planned to Hijack

Google App Store to Hack Smartphones. Avail-
able at https://theintercept.com/2015/05/21/nsa-
five-eyes-google-samsung-app-stores-spyware/.

[22] S HACHAM , H. The geometry of innocent flesh on

the bone: Return-into-libc without function calls
(on the x86). In Proceedings of CCS 2007 (Oct.
2007), S. De Capitani di Vimercati and P. Syver-
son, Eds., ACM Press, pp. 552–61.

[23] T HOMAS , S. DecryptoCat. https://tobtu.com/

decryptocat.php.