15 years of broken encrypted emails
play

15 Years of Broken Encrypted Emails and were still doing it wrong - PowerPoint PPT Presentation

Jan 31, 2024 •207 likes •459 views

15 Years of Broken Encrypted Emails and were still doing it wrong Alfredo Pironti IOActive alfredo.pironti@ioactive.com IMDEA - NEXTLEAP 3 Mar 2017 1 Agenda Intro to OpenPGP An efficient attack on signatures And

  1. 15 Years of Broken Encrypted Emails …and we’re still doing it wrong Alfredo Pironti – IOActive alfredo.pironti@ioactive.com IMDEA - NEXTLEAP 3 Mar 2017 1

  2. Agenda • Intro to OpenPGP • An efficient attack on signatures • And other well known attacks • Application to encrypted emails • Proposing a fix • Future work and conclusion 2

  3. Intro to OpenPGP 3

  4. The OpenPGP Standard • RFC 4880 (2007) • How to perform encryption • Encrypt; Sign; Sign & Encrypt • RFC 3156 (2001) • How to use OpenPGP to encrypt email • Widely used • Email, password managers, git… • Design is about 20 years old 4

  5. OpenPGP Sign & Encrypt s [m] s sign sym enc m m’ {k} r <m’|[m] s > k compress k r asym enc 5

  6. OpenPGP Sign & Encrypt Properties: • Probabilistic encryption • Efficient for large messages • Efficient for multiple recipients 6

  7. Multiple Recipients s [m] s sign sym enc m m’ k {k} r1 {k} rn … {k} r <m’|[m] s > k compress r 1 … r asym enc r n 7

  8. An Efficient Attack on Signatures and Other Well-Known Attacks 8

  9. Surreptitious Forwarding [1] • A à B: { [ “I love you” ] a } b • B à C: { [ “I love you” ] a } c • A à B: { [ “sales plan” ] a } b • B à C: { [ “sales plan” ] a } c • A à B: { [ “I owe you 10K” ] a } b • B à C: { [ “I owe you 10K” ] a } c [1] Davis, D.: Defective sign & encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP and XML. In USENIX 2001 9

  10. Efficient Surreptitious Forwarding s [m] s sign sym enc m m’ k {k} r1 {k} rn … <m’|[m] s > k compress r 1 … asym enc r n PoC tool available on demand 10

  11. Message Compression • Seriously? • “OpenPGP implementations should compress the message after applying signature but before encryption” – RFC 4880 • Remember CRIME attack on TLS? • Compression leaks information about entropy of plaintex 11

  12. Application to Encrypted Emails 12

  13. RFC 3156 – Email Sign & Encrypt Msg Header From: <alice@example.com> To: <bob@example.com> Subject: Encrypted Email Msg Body Encrypted content Sample email content for Bob <encoded binary Msg Body Signature by Alice encryption> <encoded binary signature> Alternatively, use the OpenPGP Sign & Encrypt scheme 13

  14. Tampering with Email Headers • From: • Confidentiality traded for routing purposes • Could use pseudonyms • Should be signed • To: • Confidentiality traded for routing purposes • Could use pseudonyms • No signature makes encryption pointless! • Subject: • Not encrypted: strong contrast with user expectation • Hard to encrypt in a backward-compatible way • Reply-To: • Please, re-encrypt the whole thread with the attacker’s key! 14

  15. Tampering with Reply-To: in Practice • Sent several encrypted test reports to “secure@” of software vendors • Added an attacker-controlled Reply-To: address • Avoiding the social engineering aspect: Reply-To: address totally different from sender’s • Attacker got more than 50% responses • One informed him that the message was signed, but not encrypted • One replied to both, asking which address should be used • Some answers were not signed • Caveats • Small sample: < 10 recipients • Test data did not look critical; no rise in attention 15

  16. Proposing a Fix 16

  17. AEAD for OpenPGP • Authenticated Encryption with Additional Data • Additional data are signed, but not encrypted • Examples in the symmetric world: AES-GCM • Email headers are AD 17

  18. An OpenPGP-compatible Scheme • Enc(s,r,m,ad) • Sign-encrypt-sign OpenPGP m c’ sign-encrypt r OpenPGP c Key Identifiers sign s ad 18

  19. Details and Properties • On decryption, inner and outer signature keys must match • Generalization of Sign-Encrypt- Sign scheme proposed by Davis [1] • Accounts for AD • Fits into the OpenPGP standard • Compression is disabled • Preserves probabilistic encryption • Provides CTXT-INT 19

  20. Formal Verification • ProVerif, symbolic model 20

  21. Application to Emails • Headers are AD • Must agree on signed headers order, or use extra header • Watch out for outer signature stripping (don’t allow legacy email encryption) 21

  22. Future Work and Conclusion 22

  23. End-to-End Email Encryption • Extension for in-browser email encryption • From the docs: • Implements RFC 4880 • Headers unencrypted (nor signed?) • RFC 3156 not currently supported • Uses elliptic curves • Centralized key distribution with transparency • Not yet ready for general use 23

  24. Conclusion • Mismatch between user expectations and cryptographic properties • Relying on dated standards with known design flaws • Practical attacks are possible • AEAD with backward compatibility is possible • New momentum in secure email 24

  25. Thank you! Questions? 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian

Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian

https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Mller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jrg

1.01k views • 73 slides
Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit evidence that intelligence agencies are globally wiretapping Internet backbone connections Massive collection of web tra ffi c, emails, instant

512 views • 50 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website by Friday afternoon students receive registration cards &amp; elective course

392 views • 25 slides
Reddits Architecture And how its broken over the years Neil Williams QCon SF, 13 November

Reddits Architecture And how its broken over the years Neil Williams QCon SF, 13 November

Reddits Architecture And how its broken over the years Neil Williams QCon SF, 13 November 2017 What is Reddit? Reddit is the frontpage of the internet A social network where there are tens of thousands of communities around whatever

1.31k views • 91 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website students received registration cards &amp; elective course descriptions

622 views • 22 slides
Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus &amp; have given up on being their own savior! Abraham Sarah (wife) Isaac (son) Hagar (maidservant) Ishmael (son) Abraham, our broken spiritual

258 views • 21 slides
Because you cant fix what you dont know is broken About me Initiator of the Automated

Because you cant fix what you dont know is broken About me Initiator of the Automated

Because you cant fix what you dont know is broken About me Initiator of the Automated Error Reporting Initiative Project Lead of Eclipse Code Recommenders Eclipse Committer since 2010 Plug-in Developer for 10+ years

811 views • 66 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website by Friday afternoon students receive registration cards registration cards

451 views • 32 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

207 views • 6 slides
GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines that led me straight to Christ. MATTHEW 1:1-17 UNCONDITIONAL &amp; CONDITIONAL I. UNDERLYING COVENANTS Edenic &amp; Adamic Covenants A. 1.

364 views • 20 slides
Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted Applications Learnings From Etesync Applications Learnings From Etesync stosb.com/talks Tom Hacohen tom@stosb.com FOSDEM 2019 @TomHacohen

361 views • 32 slides
RADIATIVE and NONLEPTONIC HYPERON DECAYS in BROKEN SU(3) P. enczykowski Institute of Nuclear

RADIATIVE and NONLEPTONIC HYPERON DECAYS in BROKEN SU(3) P. enczykowski Institute of Nuclear

RADIATIVE and NONLEPTONIC HYPERON DECAYS in BROKEN SU(3) P. enczykowski Institute of Nuclear Physics Polish Academy of Sciences Krakw, Poland BEACH 2006 Lancaster July 6 Puzzle #1: S:P problem in NLHD 50 years old parity

320 views • 13 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from

FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from

FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from field should be YOUR name You need a compelling subject line The content must be digestible You cant send too many emails You need to

323 views • 16 slides
D r o u g h 33.6 -45.5 33.6 -45.5 11 years 5.4 years 11 years 5.4 years years t

D r o u g h 33.6 -45.5 33.6 -45.5 11 years 5.4 years 11 years 5.4 years years t

D r o u g h 33.6 -45.5 33.6 -45.5 11 years 5.4 years 11 years 5.4 years years t years Figure 2. Precipitation anomalies during 11 years of the dust bowl (1930-1940) Station Set-up Montana Mesonet January 2018 4 36 ranchers

533 views • 36 slides
Electronic Mail Prof. Indranil Sen Gupta Professor, Dept. of Computer Science &amp; Engineering

Electronic Mail Prof. Indranil Sen Gupta Professor, Dept. of Computer Science &amp; Engineering

Electronic Mail Prof. Indranil Sen Gupta Professor, Dept. of Computer Science &amp; Engineering Indian Institute of Technology Kharagpur 1 Introduction Most heavily used application on the Internet. Simple Mail Transfer Protocol

555 views • 27 slides
(First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas

(First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas

Welcome! (First) NSF AiTF Workshop on Algorithms for Software-Defined Networking Michael Dinitz Vyas Sekar JHU CMU 1 Context for this workshop Software-defined Networking taking off! E.g., Google Software-defined WAN E.g.,

501 views • 9 slides
Ahmed Gaffar Email: ahmed_gaffar@yahoo.com Telematics Group Institute for Informatics

Ahmed Gaffar Email: ahmed_gaffar@yahoo.com Telematics Group Institute for Informatics

Modeling &amp; analyzing Location Routing in Sensor Networks. &amp; Design &amp; Analysis of (HIT) for Sensor Networks Ahmed Gaffar Email: ahmed_gaffar@yahoo.com Telematics Group Institute for Informatics University of Gttingen, Germany

264 views • 22 slides
Integrating Active Networking and Commercial-Grade Routing Platforms The University of Maryland

Integrating Active Networking and Commercial-Grade Routing Platforms The University of Maryland

Integrating Active Networking and Commercial-Grade Routing Platforms The University of Maryland Rob Jaeger (rfj@cs.umd.edu) J.K. Hollingsworth Bobby Bhattacharjee 1 The Network Paradigm Spectrum The Network Paradigm Spectrum Active

566 views • 35 slides
1 DARIUS . WOOD @ BEAZLEY . COM AHART @ CRAI . COM BRADKE @ POLSINELLI . COM 2 B USINESS E MAIL C

1 DARIUS . WOOD @ BEAZLEY . COM AHART @ CRAI . COM BRADKE @ POLSINELLI . COM 2 B USINESS E MAIL C

1 DARIUS . WOOD @ BEAZLEY . COM AHART @ CRAI . COM BRADKE @ POLSINELLI . COM 2 B USINESS E MAIL C OMPROMISES (BEC) T RENDS P ROTECTION L EGAL I MPLICATIONS R ANSOMWARE A TTACKS T RENDS R ECOVERY P ROTECTION L EGAL I

594 views • 17 slides
john@dwagents.com www.JoinDWHSA.com (Contact John for the link to a special DWHSA application

john@dwagents.com www.JoinDWHSA.com (Contact John for the link to a special DWHSA application

11/16/2013 DWHSA Webinars Tame Your Phone Calls and Voicemails With Google Voice Questions? john@dwagents.com www.JoinDWHSA.com (Contact John for the link to a special DWHSA application form with the $25 discount [good through Dec. 20].)

519 views • 13 slides
Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang

Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Institute for Infocomm Research (I2R),

1.04k views • 15 slides
Towards Scatterbox: A Context-Aware Message Forwarding Platform Stephen Knox, Adrian K Clear,

Towards Scatterbox: A Context-Aware Message Forwarding Platform Stephen Knox, Adrian K Clear,

Towards Scatterbox: A Context-Aware Message Forwarding Platform Stephen Knox, Adrian K Clear, Lorcan Coyle, Ross Shannon, Simon Dobson, Aaron Quigley and Paddy Nixon Systems Research Group School of Computer Science and Informatics UCD CASL,

431 views • 19 slides

More recommend