Efail attack and its implications
Juraj Somorovsky
Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2 About this talk
• Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018
• Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email. Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019 Email.
3 Internet Message Format („Email“)
From: Alice To: Bob Subject: Breaking News
Congratulations, you have been promoted!
4 Multipurpose Internet Mail Extensions (MIME)
From: Alice To: Bob Subject: Breaking News Content-Type: text/plain
Congratulations, you have been promoted!
5 Multipurpose Internet Mail Extensions (MIME)
From: Alice To: Bob Subject: Breaking News Content-Type: multipart/mixed; boundary="BOUNDARY"
--BOUNDARY Content-type: text/plain
Congratulations, you have been promoted! --BOUNDARY Content-type: application/pdf
Contract... --BOUNDARY--
6 av1.com av2.com
smtp.corp1 smtp.corp2
imap.corp2 imap.corp1
archive.corp1 archive.corp2 av1.com
smtp.corp1
imap.corp1
archive.corp1 There is no such thing as
“My Email”.
10 av1.com
smtp.corp1 Assumption: imap.corp1
Attacker has archive.corp1 access to emails! Motivation for using end-to-end encryption
Insecure Transport • TLS might be used – we don’t know! Nation state attackers (see also lecture given by Tibor) • Massive collection of emails • Snowden’s global surveillance disclosure Breach of email provider / email account • Single point of failure • Aren’t they reading/analyzing my emails anyway?
12 Two competing standards
OpenPGP (RFC 4880) • Favored by privacy advocates • Web-of-trust (no authorities)
S/MIME (RFC 5751) • Favored by organizations • Multi-root trust-hierarchies
13 Signed Email (S/MIME)
From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY“; protocol="application/pkcs7-signature“
--BOUNDARY Content-type: text/plain
Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY--
14 Signed Email (S/MIME)
From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY“; protocol="application/pkcs7-signature“
--BOUNDARY Content-type: text/plain
Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY--
15 Signed Email (S/MIME)
From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY“; protocol="application/pkcs7-signature“
--BOUNDARY Content-type: text/plain
Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY--
16 Signed Email (PGP)
From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY"; protocol="application/pgp-signature“
--BOUNDARY Content-type: text/plain
Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE----- iQE/BAEBAgApBQJbW1tqIhxCcnVjZSBXYXluZSA8YnJ1Y2V3YX… -----END PGP SIGNATURE------BOUNDARY--
17 Encrypted Email (PGP)
From: Alice To: Bob Subject: Breaking News Content-Type: multipart/encrypted; boundary="BOUNDARY"; protocol="application/pgp-encrypted";
--BOUNDARY Content-Type: application/octet-stream; name="encrypted.asc" Content-Description: OpenPGP encrypted message Content-Disposition: inline; filename="encrypted.asc"
-----BEGIN PGP MESSAGE----- hQIMA0Zy9l4Cw+FaAQ//YewiWjMoX2BebbwJQJMJxvHRoF30NjkZe88m9kGts/tn DgkUPQEgJJJq/K1TwyAvR8tSLq…
-----END PGP MESSAGE-----
--BOUNDARY-- 18 New published PGP public keys per month
Known limitations! Usability ?
Snowden Effekt Enigmail New keys at keyserver Hard for S/MIME
Opsec von Snowden und thegruq Ver- und Entschlüsselung nur in separater Anwendung!
19 PGP and OpSec Some tutorials recommend using PGP outside of email client. • https://gist.github.com/grugq/03167bed45e774 551155
• https://vimeo.com/56881481
Others recommended Enigmail in default settings (i.e. HTML switched on) 20 21 Ok, so how about the security?
‘99
‘06
‘15 22 Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
23 2014: Enigmail won’t encrypt.
https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ 24 2017: Outlook includes plaintext in encrypted email.
https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/
25 2018: Enigmail/PEP won‘t encrypt.
https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html 26 Both standards use old crypto Both standards use old crypto
Ciphertext C = Enc(M)
C1 valid/invalid
C2 valid/invalid … M = Dec(C) (repeated several times)
27 Old crypto has no negative impact
CBC / CFB modes of operation used, but their usage is not exploitable
Old crypto has no negative impact Assumption: Email is non-interactive
29 Backchannel
• Any functionality that forces the email client to interact with the network • HTML/CSS
30 Evaluation of backchannels in email clients
Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail
Thunderbird KMail Claws Linux Evolution Trojitá Mutt
Apple Mail macOS Airmail MailMate Backchannels Mail App CanaryMail Outlook iOS found
K-9 Mail MailDroid Android R2Mail Nine GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail Outlook.com iCloud HushMail FastMail Mailfence ZoHo Mail
Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile
ask user leak by default leak via bypass script execution 31 Attacker model
32 Attacker model
33 Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
34 S/MIME uses CBC
Source: wikipedia • Cipher Block Chaining mode of operation • Not authenticated • Vulnerable to many attacks (TLS, XML Encryption, SSH) • Basic problem: malleability Malleability of CBC
C0 C1 C2
decryption decryption
P0 P1
36 Malleability of CBC
C0' C1 C2
decryption decryption
Content-type: te xt/html\nDear Bob
P0' P1
37 Malleability of CBC
C0' C1 C2
decryption decryption
Zontent-type: te xt/html\nDear Bob
P0' P1
38 Malleability of CBC
C0 ⊕ P0 C1 C2
decryption decryption
0000000000000000 xt/html\nDear Bob
P0' P1 CBC Gadget
39 Malleability of CBC
C0 ⊕ P0 ⊕ Pc C1 C2
decryption decryption
P0' P1
40 Malleability of CBC
C0 C1' C2
decryption decryption
Content-type: te Zt/html\nDear Bob
P0' P1'
41 Malleability of CBC
C0 C1' C2
decryption decryption
???????????????? Zt/html\nDear Bob
P0' P1'
42 Practical Attack against S/MIME
Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi
Original Crafted
????????????????
43 Practical Attack against S/MIME
44 Demo Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
46 OpenPGP
• OpenPGP uses a variation of CFB-Mode • Uses integrity protection with MDC (Modification Detection Code) • Compression is enabled by default
Ci Ci+1 Ci X
encryption encryption encryption encryption
? ? ? ? ? ? ? ? random plaintext Pi (known) Pi-1 Pc (chosen)
48 RFC4880 on Modification Detection Codes Defeating integrity protection
Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN OutlookMDC 2013 StrippedGPG4WIN MDC Incorrect SEIP -> SE Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01
Vulnerable Not Vulnerable
50 54 55 Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
56 Direct exfiltration
• This attack is possible since 2003 in Thunderbird • Independent of the applied encryption scheme • Somewhat fixable in implementation • But works directly in … • Apple Mail / Mail App • Thunderbird • Postbox • … • The standards do not give any definition for that!
57 Direct exfiltration
Alice’s mail program encrypts the email Alice writes a Mail to Bob Encrypting From: Alice To: Bob
-----BEGIN PGP MESSAGE----- Dear Bob, hQIMA1n/0nhVYSIBARAAiIsX1QsH the meeting tomorrow will be ZObL2LopVexVVZ1uvk3wieArHUg… at 9 o‘clock. -----END PGP MESSAGE-----
58 Direct exfiltration
Eve’s attack E-Mail Eve modifiescaptures the emailencrypted and sendsmail between it to Bob Alice or Alice and Bob From: Eve To: Bob
Content-Type: text/html Original E-Mail
59 Direct exfiltration
Bob’s mail program puts the Eve’s attack E-Mail decryptsclear text the back email into the body From: Eve To: Bob Decrypting Content-Type: text/html
60 Direct exfiltration
Eve’s attack E-Mail
From: Eve To: Bob
Content-Type: text/html GET
Eve Content-Type: text/html ">
61 Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
62
S/MIME OpenPGP
63 Exfiltrating many emails
Recap: • Attacker can exfiltrate hundreds of S/MIME or OpenPGP ciphertexts with single malicious email. • Victim merely needs to open the email. • In May 2018, two widely used clients (Apple Mail and Thunderbird) either • weren‘t patched or • patches were insufficient
64
It did not work well
• Embargo broken • Community angry • Of course, nobody read the paper 67 An independent summary of the disclosure timeline, compiled from public information.
http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html 68 Disclosure; lessons learnt
1. Stick to a 90 day disclosure deadline. 2. Be careful with disclosure pre-announcements, because: • People will speculate about the details and a) underrate/overrate the risk, and b) spread false information. • you won‘t be in control of communicating the details. 3. Controlling information flow right after disclosure is essential. Having a website with general information is necessary (logo ???) 70 How about the countermeasures?
71 S/MIME Version 4.0 (RFC 8551)
• References EFAIL paper • Recommends the usage of authenticated encryption with AES-GCM
72 S/MIME Version 4.0 (RFC 8551) S/MIME Version 4.0 (RFC 8551) OpenPGP - draft-ietf-openpgp-rfc4880bis-07
• Deprecates Symmetrically Encrypted (SE) data packets • Proposes AEAD protected data packets • Implementations should not allow users to access erroneous data
75 How about signatures?
• Encrypt-then-sign?
• Sign-then-encrypt?
…and of course, there are also different problems Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
77 Motivation
• We already broke email encryption • The systems are set up; • Configuring S/MIME and PGP is the most challenging part of our research
• How about email signatures? Attacker-controlled UI elements Signature Spoofing
We attack the presentation and interpretation of email signatures. We do not attack the underlying cryptography.
As a cryptographer, you should consider this as a neat warning that strong crypto is not everything 80 Methodology
• 25 clients • PGP and S/MIME • All major platforms
• Developed 5 attack classes: • 3 common • 1 specific to PGP • 1 specific to S/MIME
• Considered 3 forgery classes Forgery Classes
● Perfect forgery ◐ Partial forgery ○ Weak forgery
82 Forgery Classes
● Perfect forgery ◐ Partial forgery ○ Weak forgery
83 Forgery Classes
● Perfect forgery ◐ Partial forgery ○ Weak forgery
84 Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
86 87 88 UI Redressing – Causes
• HTML and CSS support in email clients
• Security indicators in mail body • Often implemented by third-party plugin • Intuitive (signature assigned to plaintext)
89 UI Redressing – Countermeasures
Enigmail < 2.0.8
Enigmail ≥ 2.0.8
90 91 Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
92 How Is Signer Bound to Signed Content?
93 Identity Binding Attacks
What could possibly go wrong?
94 Identity Binding Attacks
From: Eve
RFC 5322 display names
Verification logic Displayed sender
95 Identity Binding Attacks
From: [email protected]
From: [email protected] From: [email protected] From: [email protected] Sender: [email protected]
Verification logic Displayed sender
96 Identity Binding Attacks
From: [email protected] [ whitespace ]
[valid signature by [email protected]]
97 Identity Binding Attacks – Causes & Countermeasures
• Functional features (Sender, From) have become security relevant • Explicitly showing signer details shifts problem to user
98 99 106 Overview
1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions
107 Conclusions
• Introduced malleability gadgets and backchannels • Self-exfiltrating plaintexts; applicable to different standards as well • Crypto standards need to evolve • Current S/MIME is broken • OpenPGP needs clarification
• Signed emails have problems as well • Crypto standards are not only about strong cryptographic algorithms • Secure HTML email is challenging
108