
EFAIL
BREAKING S/MIME AND OPENPGP ENCRYPTION USING EXFILTRATION CHANNELS
@efail.de | https://www.efail.de

Damian Poddebniak (1), Christian Dresen (1), Jens Müller (2), Fabian Ising (1), Sebastian Schinzel (1), Simon Friedberger (3), Juraj Somorovsky (2), Jörg Schwenk (2)

(1) Münster University of Applied Sciences
(2) Ruhr University Bochum
(3) NXP Semiconductors

30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk

Motivation for email encryption

Nation state attackers
• Massive collection of
• Snowden revelations on pervasive surveillance

Breach of email provider / email account
• Single point of failure
• Aren’t they reading / analyzing my emails anyway?

Insecure transport
• TLS might be used – we don’t know in advance!

Email e2e encryption
TWO COMPETING STANDARDS

OpenPGP (RFC 4880)
• Favored by privacy advocates
• Web-of-trust (no authorities)

S/MIME (RFC 5751)
• Favored by organizations
• Multi root trust hierarchies

Security of email encryption

Request/response protocols
Email is non-interactive

Backchannel techniques

Forcing an to send responses via backchannels

• HTML/CSS
• Email header
• Attachment preview: PDF, SVG, VCards, etc.
• Certificate verification: OCSP, CRL, intermediate certs

Evaluation of backchannels in email clients

40/47 clients have backchannels requiring no user interaction

[Figure: matrix of evaluated clients. Legend: User interaction, No user interaction, Leak via bypass, Javascript execution]

Windows: Outlook, Live Mail, The Bat!, eM Client, W8Mail, IBM Notes, Pegasus, WLMail, W10Mail
Thunderbird, KMail, Claws, Evolution, Trojitá
macOS: Airmail, MailMate
iOS: Mail App, CanaryMail, Outlook
Android: K-9 Mail, MailDroid, R2Mail, Nine
Yahoo!, GMX, Mail.ru, ProtonMail, Outlook.com, iCloud, HushMail, FastMail, Mailfence, ZoHo Mail
Webapp: Roundcube, Horde IMP, Exchange, GroupWise, RainLoop, AfterLogic

Attacker model

S/MIME

Malleability of CBC

[Figure: CBC decryption. Ciphertext blocks C0, C1, C2 pass through decryption and yield plaintext blocks P0, P1.]

[Figure sequence: bits of C0 are flipped one at a time and the same bits of P0 flip.]

C0 = 0 0 1 0 1 0 1 0    P0 = 1 1 1 1 1 1 1 1
C0 = 0 1 1 0 1 0 1 0    P0 = 1 0 1 1 1 1 1 1
C0 = 0 1 1 1 1 0 1 0    P0 = 1 0 1 0 1 1 1 1
C0 = 0 1 1 1 1 0 0 0    P0 = 1 0 1 0 1 1 0 1

Ciphertext C0, C1, C2:
P0 = "Content-type: te"    P1 = "xt/html\nDear Bob"

Ciphertext C0', C1, C2:
P0' = "Zontent-type: te"    P1 = "xt/html\nDear Bob"

Ciphertext C0 ⊕ P0, C1, C2 (CBC Gadget):
P0' = "0000000000000000"    P1 = "xt/html\nDear Bob"

Ciphertext C0 ⊕ P0 ⊕ Pc, C1, C2:
P0', P1

Ciphertext C0, C1', C2:
P0' = "????????????????"    P1' = "Zt/html\nDear Bob"

Attacking S/MIME

No MAC
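The CBC gadget from the slides above, and what the missing MAC would have caught, as an added example that is not part of the original slides. A toy Feistel cipher stands in for AES (an assumption, chosen so the code needs only the standard library), the function names are illustrative, and the key and IV in the demo are constructed sample values.

```python
import hashlib, hmac

BLOCK = 16  # bytes per block, as with AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):  # toy Feistel round function; a stand-in, not AES
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, round_f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, round_f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # len(pt) must be a multiple of BLOCK (no padding)
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(enc_block(key, xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out)  # C0 (the IV) followed by C1, C2, ...

def cbc_decrypt(key, ct):
    c = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(dec_block(key, cur), prev) for prev, cur in zip(c, c[1:]))

def gadget(ct, i, known, chosen):
    # Ci' = Ci xor Pi xor Pc: Pi decrypts to Pc, P(i-1), if any, becomes garbage
    s = i * BLOCK
    return ct[:s] + xor(ct[s:s + BLOCK], xor(known, chosen)) + ct[s + BLOCK:]

def seal(enc_key, mac_key, iv, pt):  # encrypt-then-MAC over the whole ciphertext
    ct = cbc_encrypt(enc_key, iv, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext was modified")  # reject before decrypting
    return cbc_decrypt(enc_key, ct)

if __name__ == "__main__":
    key, iv, pt = bytes(range(16)), bytes(16), b"Content-type: text/html\nDear Bob"
    print(cbc_decrypt(key, gadget(cbc_encrypt(key, iv, pt), 0, pt[:16], b"Zontent-type: te")))
```

Without the tag check the modified message decrypts cleanly to the chosen block; with it, the same modification is rejected before any plaintext is produced.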

Attacking S/MIME
PRACTICAL ATTACK AGAINST S/MIME

[Figure: original and crafted plaintext blocks. Original: Content-type: te | xt/html\nDear Sir or Madam, the se | ecret meeting wi. The crafted message contains ???????????????? blocks. Operations: Changing, Duplicating, Reordering]

Practical attack against S/MIME
ATTACKER MODEL

OpenPGP

Attacking OpenPGP
DIFFERENCES TO S/MIME
• OpenPGP uses a variation of CFB-Mode
• OpenPGP defines primitives for integrity protection
• Plaintext compression is enabled by default

[Figure: CFB-mode diagram. Ciphertext blocks: Ci, Ci+1, Ci, X; four encryption operations; plaintext labels: random plaintext (? ? ? ? ? ? ? ?), Pi (known), Pi-1, Pc (chosen)]

Attacking OpenPGP
DEFEATING INTEGRITY PROTECTION

[Table: Client, Plugin (up to version), MDC Stripped, MDC Incorrect, SEIP -> SE. Legend: Vulnerable, Not Vulnerable]

• Outlook 2007, GPG4WIN 3.0.0
• Outlook 2010, GPG4WIN
• Outlook 2013, GPG4WIN
• Outlook 2016, GPG4WIN
• Thunderbird, 1.9.9
• Apple Mail (OSX), GPGTools 2018.01

Attacking OpenPGP
RFC 4880 ON MODIFICATION DETECTION CODES

OpenPGP
COMPRESSION (DEFLATE)

• Challenge: create chosen compressed plaintext
• We present a solution for this in the paper

• In a nutshell:
• Our shortest exploit needs 11 bytes of known plaintext
• The first 4 bytes are known header data
• Remaining 7 bytes have to be guessed

OpenPGP
GUESSING BYTES IN COMPRESSION

PGP-encrypted Facebook password recovery
• 211 guesses to break every email

PGP-encrypted Enron dataset
• 500 guesses to break 41% of the emails

Multiple guesses per email possible
• Up to 1.000 MIME parts per email

Impact on the standards
CURRENT DRAFTS

S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11
• References EFAIL paper
• Recommends usage of authenticated encryption

OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05
• Deprecates Symmetrically Encrypted (SE) data packets (due to downgrade attack)
• Proposes chunk size limits for AEAD protected data packets
• Implementations should not allow users to access modified plaintexts

Conclusions

• Introduced malleability gadgets
• Self-exfiltrating plaintexts
• Evaluation of backchannels

• Crypto standards need to evolve
• Current S/MIME is broken
• OpenPGP needs clarification

• Secure HTML email is challenging

Thank you! Questions?
https://www.efail.de/