EFAIL New Attacks and State of Mitigation

Home , Mailpile, Mulberry (email client)

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019)

EFAIL New attacks and state of mitigation Jörg Schwenk Joint work with: Sebastian Schinzel, Juraj Somorovsky, Damian Poddebniak, Marcus Brinkmann, Jens Müller, Christian Dresen, Fabian Ising, Simon Friedberger, Hanno Böck 16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1 Reporters without borders

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 2 2 Policy statement

„Wir wollen einfache und sichere Lösungen für die elektronische Identifizierung und Ende-zu-Ende- Verschlüsselung für jedermann verfügbar machen und es den Bürgerinnen und Bürgern ermöglichen, verschlüsselt […] zu kommunizieren (PGP/SMIME).“

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3 3 The EFAIL attack

• EFAIL is a crypto attack! • But the press sometimes likes it simple…

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 4 The EFAIL attack

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 5 The EFAIL attacks!

Malleability Direct Gadgets Exfiltration Theoretically(2018) (2018) Fixed!

SignatureNot relevant Reply Spoofing Attacks (2019) here! (2019)

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 6 Overview

1. E-Mail, OpenPGP, S/MIME 2. EFAIL Direct Exfiltration 3. Implemented Mitigations 4. Reply-Attacks 5. New: Decryption Contexts

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 7 7 What is electronic mail?

• Really old stuff dating back to 1971/1982 • A whole bunch of RFCs: RFC 822, RFC 2822, RFC 5322, RFC 2045, RFC 2046, RFC 2047, RFC 2231, RFC 5321, RFC 3501, RFC 4551, RFC 1939, RFC 2595, RFC 3501, etc. pp. • Mail protocols: POP, IMAP, SMTP • Encryption: OpenPGP and S/MIME

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 8 8 Traditional email (RFC 822)

From: [email protected] To: [email protected] Subject: Traditional mail

*** This is oldschool ***

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 9 9 MIME email (RFC 2045ff)

From: [email protected] To: [email protected] Subject: MIME mail MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY Content-Type: text/html

Hi there! --BOUNDARY--

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1010 Two competing mail encryption standards

OpenPGP (RFC 4880) • First “encryption for the masses” • Favored by privacy advocates • Web-of-Trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi-root trust-hierarchies

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1111 What to attack today?

• We won’t break the crypto (RSA, AES) • We won’t touch the crypto (BEAST, EFAIL MG) • Practical attacks based on implementations of the MIME `standard’ in combination with encrypted content • Missing security considerations in the RFCs

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1212 Overview

1. E-Mail, OpenPGP, S/MIME 2. EFAIL Direct Exfiltration 3. Implemented Mitigations 4. Reply-Attacks 5. New: Decryption Contexts

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1313 Attacker model

• Attacker obtained ciphertext as MitM or by actively hacking the mail gateway or server • Goal: wrap ciphertext into HTML mail, resend and make victim leak the decrypted message

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1414 How to make E-Mail interactive

• JavaScript: XSS cheat sheets (JS URI, events) • HTML/CSS: , , , URI attributes and schemes (ftp://, etc.) • Attachment previews: PDF, SVG, VCF, etc. • E-Mail header: MDN, X-Face, X-PGP, etc. • Certificate verification: OCSP, CRL, PGP PKI

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1515 Examples

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1616 Evaluation 2018

Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail Thunderbird KMail Claws Linux Evolution Trojitá Mutt Mail App Airmail MailMate macOS Spammers win! Mail App CanaryMail Outlook iOS but they’re fine with K-9 Mail MailDroid Android R2Mail Nine GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail Outlook.com iCloud HushMail FastMail Mailfence ZoHo Mail

Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile

good leak by default leak/bypass XSS SSRF

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1717 Direct exfiltration

• This attack was possible since 2003 in Thunderbird • Independent of the applied encryption scheme • Somewhat fixable in implementation • But worked directly in … – Apple Mail / Mail App – Thunderbird – Postbox – … • The standards do not give any definition for that!

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 1919 Mixing two worlds

The email world The crypto world

From: [email protected] -----BEGIN/usr/bin/gnupg PGP MESSAGE------decrypt To: [email protected] ... Subject: Spy vs. Spy -----END PGP MESSAGE----- Content-Type: text/html

How're you doing? Secret Meeting Tomorrow 9pm What could possible go wrong? → https://nsa.gov/Secret%20MeetingTomorrow%209pm

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 2020 Overview

1. E-Mail, OpenPGP, S/MIME 2. EFAIL Direct Exfiltration 3. Implemented Mitigations 4. Reply-Attacks 5. New: Decryption Contexts

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 2727 Countermeasures EFAIL 2018: Malleability Gadgets • OpenPGP – Implementation • GnuPG made MDC checksums mandatory in Version 2.2.8 • major interoperability and backwards compatibility problems • Users can switch off this mitigation – Specification: New cipher modes • S/MIME – Implementation: None – Specification: AES-GCM mandatory (S/MIME 4.0)

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 2828 Countermeasures EFAIL 2018: Direct Exfiltration • OpenPGP – Implementation • Apple Mail/GPG Suite: sandboxed iFrames, block remote content, reply only with first ciphertext • Thunderbird/Enigmail: Sanitize HTML (broken), decrypt only MIME level 0, open different parts in different windows – Specification: ??? • S/MIME – Implementation: • Apple Mail: Block remote images, show warning • Thunderbird: Sanitize HTML (broken), decrypt only MIME level 0 (breaks S/MIME interoperability, e.g. with GMail) – Specification: "Please separate HTML context"

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 2929 Secure E-Mail still is in bad shape 

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3030 Overview

1. E-Mail, OpenPGP, S/MIME 2. EFAIL Direct Exfiltration 3. Implemented Mitigations 4. Reply-Attacks 5. New: Decryption Contexts

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3131 Social engineering

• Would you – …reply to unsubscribe? – …click here to unsubscribe? – …click here to complete registration? – …click into “text” area, fake scrollbars, fake Enigmail message, or attachment? – Answer an urgent email from your colleague/boss?

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3232 Reply-Attack without HTML (ACNS 2019)

From: Alice From: Bob To: Bob To: Alice Subject: URGENT: Time for a meeting? Subject: Re: URGENT: Time for a meeting? Content-type: multipart/mixed; Content-type: multipart/mixed; boundary="BOUNDARY2" boundary="BOUNDARY" --BOUNDARY2 --BOUNDARY Content-type: text/plain Content-type: text/plain Sorry, today I'm busy!!! Bob Do you have time for a meeting today at 2 p.m.? It's --BOUNDARY2 urgent! Content-type: text/plain Alice Do you have time for a meeting today at 2 p.m.? It's urgent! Alice ... --BOUNDARY Content-type: application/pkcs7-mime; smime- ... type=enveloped-data Content-Transfer-Encoding: base64 --BOUNDARY2 Content-type: text/plain MIAGCSqGSIb3DQEHA6CAMIACAQAxggHXMIIB0wI B... Secret meeting --BOUNDARY-- Tomorrow 9pm --BOUNDARY--

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3333 Overview

1. E-Mail, OpenPGP, S/MIME 2. EFAIL Direct Exfiltration 3. Implemented Mitigations 4. Reply-Attacks 5. New: Decryption Contexts

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3434 Decryption Contexts (In submission)

• Idea: Make decryption context-aware • Implementation: – Extract structure of email and code it as a string – Feed string 1. into AEAD as additional data 2. into new KDF as seed

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3535 Decryption Contexts (In submission)

Original E-Mail Decryption Context

From: Alice from:Alice To: Bob to:Bob subject:Confidential Subject: Confidential mimelevel=0 Content-type: application/pkcs7- mime; smime-type=enveloped- data; Decryption-context: {{h=from:reply- to:to:subject}{mimelevel}} Content-Transfer-Encoding: base64 Decryption Context Policy MIAGCSqGSIb3DQEHA6CAMIAC AQAxggHXMIIB0wIB...

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 3636 Questions?

16. Deutscher IT-Sicherheitskongress (21. - 23. Mai 2019) 37