
MASTG-TEST-0308: Runtime Use of Asymmetric Key Pairs Used For Multiple Purposes

Overview

This test is the dynamic counterpart to References to Asymmetric Key Pairs Used For Multiple Purposes. Instead of inspecting the code that generates keys with multiple purposes, it intercepts the cryptographic operations at runtime and records which roles each key (or key pair) is actually used in.

Some of the relevant functions to intercept are:

Steps

  1. Use Installing Apps to install the app.
  2. Use Method Hooking to hook the relevant API calls.
  3. Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.

Observation

The output should contain a list of all cryptographic operations together with their corresponding keys.

Evaluation

The test case fails if you find any keys used for multiple roles.

Using the output, ensure that each key pair (counting the private key and its public key as one) is restricted to exactly one of the following groups of operations:

  • Encryption/Decryption (used in Cipher operations with ENCRYPT_MODE or DECRYPT_MODE)
  • Signing/Verification (used in Signature operations)
  • Key Wrapping (used in Cipher operations with WRAP_MODE or UNWRAP_MODE)
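The procedure above, as an added example that is not the MASTG-DEMO-0072 script: a Frida script that hooks `Cipher.init`, `Signature.initSign` and `Signature.initVerify`, records the role each asymmetric key is used in, and evaluates the recorded operations against the three groups listed above. The hooks need Frida's Java bridge (the `Java` global); the analysis part is plain JavaScript and runs in Node on recorded events. The way a key pair is identified (RSA modulus, otherwise a hash of `getEncoded()`, otherwise `toString()`) and the constructed `SAMPLE_EVENTS` are assumptions of this example, not output of any real app.

```javascript
// Added example, not the MASTG-DEMO-0072 script. Frida hooks record the role each
// asymmetric key is used in (Cipher encrypt/decrypt, Cipher wrap/unwrap,
// Signature sign/verify); the analysis below flags keys seen in more than one.
// The hooks need Frida's Java bridge (`Java` global); everything else is plain
// JavaScript so the analysis can be rerun in Node on recorded events.

// javax.crypto.Cipher opmode constants (ENCRYPT_MODE=1, DECRYPT_MODE=2,
// WRAP_MODE=3, UNWRAP_MODE=4) mapped to the role group they belong to.
const CIPHER_ROLE = { 1: 'encrypt/decrypt', 2: 'encrypt/decrypt',
                      3: 'wrap/unwrap', 4: 'wrap/unwrap' };
const SIGN_ROLE = 'sign/verify';

const events = [];   // filled by the hooks: { op, keyId, role }

// Group recorded events by key id and return only keys used in more than one role.
function findMultiPurposeKeys(evts) {
  const rolesByKey = new Map();
  for (const e of evts) {
    if (!rolesByKey.has(e.keyId)) rolesByKey.set(e.keyId, new Set());
    rolesByKey.get(e.keyId).add(e.role);
  }
  const bad = {};
  for (const [keyId, roles] of rolesByKey) {
    if (roles.size > 1) bad[keyId] = [...roles].sort();
  }
  return bad;
}

// One line per observed operation, for the "Observation" list.
function formatObservations(evts) {
  return evts.map(e => `${e.op} -> ${e.keyId} [${e.role}]`);
}

// Pass/fail verdict in the sense of the Evaluation section.
function evaluate(evts) {
  const bad = findMultiPurposeKeys(evts);
  return { pass: Object.keys(bad).length === 0, multiPurposeKeys: bad };
}

// Constructed sample of what a session might record (not real app output):
// one RSA pair both signs and decrypts, a second pair only unwraps.
const SAMPLE_EVENTS = [
  { op: 'Signature.initSign', keyId: 'RSA/0123456789abcdef', role: SIGN_ROLE },
  { op: 'Cipher.init(2)',     keyId: 'RSA/0123456789abcdef', role: CIPHER_ROLE[2] },
  { op: 'Cipher.init(4)',     keyId: 'RSA/fedcba9876543210', role: CIPHER_ROLE[4] },
];

// ---- Frida side (only runs inside frida, where `Java` is defined) ----

// Assumption about key identity: an RSA pair is identified by its modulus, which
// both halves expose through java.security.interfaces.RSAKey (AndroidKeyStore
// RSA private keys included); other keys by a hash of getEncoded(). Keystore EC
// private keys return null from getEncoded(), so they fall back to toString()
// and the tester matches them to their public half (e.g. by alias) by hand.
function keyPairId(key) {
  const RSAKey = Java.use('java.security.interfaces.RSAKey');
  if (RSAKey.class.isInstance(key)) {
    return 'RSA/' + Java.cast(key, RSAKey).getModulus().toString(16).slice(-16);
  }
  const enc = key.getEncoded();
  if (enc !== null) {
    const d = Java.use('java.security.MessageDigest').getInstance('SHA-256').digest(enc);
    const hex = Array.from(d, b => (b & 0xff).toString(16).padStart(2, '0')).join('');
    return key.getAlgorithm() + '/' + hex.slice(0, 16);
  }
  return key.getAlgorithm() + '/' + key.toString();
}

function record(op, keyArg, role) {
  const Certificate = Java.use('java.security.cert.Certificate');
  const SecretKey = Java.use('javax.crypto.SecretKey');
  // The Certificate overloads carry the public key inside the certificate.
  const key = Certificate.class.isInstance(keyArg)
    ? Java.cast(keyArg, Certificate).getPublicKey() : keyArg;
  if (SecretKey.class.isInstance(key)) return;   // symmetric keys: out of scope here
  const e = { op, keyId: keyPairId(key), role };
  events.push(e);
  console.log(formatObservations([e])[0]);
}

function installHooks() {
  Java.perform(() => {
    const Cipher = Java.use('javax.crypto.Cipher');
    Cipher.init.overloads.forEach(ov => {
      ov.implementation = function () {
        const mode = arguments[0];
        if (CIPHER_ROLE[mode]) record(`Cipher.init(${mode})`, arguments[1], CIPHER_ROLE[mode]);
        return ov.apply(this, arguments);
      };
    });
    const Signature = Java.use('java.security.Signature');
    for (const name of ['initSign', 'initVerify']) {
      Signature[name].overloads.forEach(ov => {
        ov.implementation = function () {
          record(`Signature.${name}`, arguments[0], SIGN_ROLE);
          return ov.apply(this, arguments);
        };
      });
    }
  });
}

// Call from the Frida REPL after exercising the app.
function report() {
  formatObservations(events).forEach(l => console.log(l));
  console.log(JSON.stringify(evaluate(events), null, 2));
}

if (typeof Java !== 'undefined') installHooks();
```

Load it with `frida -U -f <package> -l script.js`, exercise the app as in step 3, then call `report()` from the Frida REPL: the observation list is the output described above, and a non-empty `multiPurposeKeys` means the test fails. Only the JCA entry points are hooked; an app that calls a bundled crypto library's own API (for example BouncyCastle's lightweight API) or native code directly never passes through `Cipher.init` or `Signature.init*`, so those paths need hooks of their own.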

Demos

MASTG-DEMO-0072: Runtime Use of Asymmetric Key Pairs Used For Multiple Purposes With Frida