EFAIL
BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS
mail@efail.de | https://www.efail.de

Damian Poddebniak (1), Christian Dresen (1), Jens Müller (2), Fabian Ising (1), Sebastian Schinzel (1), Simon Friedberger (3), Juraj Somorovsky (2), Jörg Schwenk (2)
(1) Münster University of Applied Sciences, (2) Ruhr University Bochum, (3) NXP Semiconductors
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk

Motivation for email encryption

Nation state attackers
• Massive collection of emails
• Snowden revelations on pervasive surveillance

Breach of email provider / email account
• Single point of failure
• Aren’t they reading / analyzing my emails anyway?

Insecure transport
• TLS might be used – we don’t know in advance!

Email e2e encryption
TWO COMPETING STANDARDS

OpenPGP (RFC 4880)
• Favored by privacy advocates
• Web-of-trust (no authorities)

S/MIME (RFC 5751)
• Favored by organizations
• Multi root trust hierarchies

Security of email encryption

• Request/response protocols
• Email is non-interactive
?

Backchannel techniques

Forcing an email client to send responses via backchannels
• HTML/CSS

Evaluation of backchannels in email clients

Windows: Outlook, Postbox, Live Mail, The Bat!, eM Client, W8Mail, IBM Notes, Foxmail, Pegasus, Mulberry, WLMail, W10Mail
Linux: Thunderbird, KMail, Claws, Evolution, Trojitá, Mutt
macOS: Apple Mail, Airmail, MailMate
iOS: Mail App, CanaryMail, Outlook
Android: K-9 Mail, MailDroid, R2Mail, Nine
Webmail: GMail, Yahoo!, GMX, Mail.ru, ProtonMail, Mailbox, Outlook.com, iCloud, HushMail, FastMail, Mailfence, ZoHo Mail
Webapp: Roundcube, Horde IMP, Exchange, GroupWise, RainLoop, AfterLogic, Mailpile

Legend: User interaction | No user interaction | Leak via bypass | Javascript execution
40/47 clients have backchannels requiring no user interaction

Attacker model

S/MIME

Malleability of CBC

[Figure, shown over several animation frames: CBC decryption of ciphertext blocks C0, C1, C2 into plaintext blocks P0, P1. Bits flipped in a ciphertext block (0 0 1 0 1 0 1 0 becomes 0 1 1 1 1 0 0 0) flip the same bit positions in a plaintext block (1 1 1 1 1 1 1 1 becomes 1 0 1 0 1 1 0 1); the last frame adds a "?".]

Malleability of CBC (example frames)

Ciphertext C0, C1, C2 decrypts to:
P0 = Content-type: te
P1 = xt/html\nDear Bob

Ciphertext C0', C1, C2 decrypts to:
P0' = Zontent-type: te
P1 = xt/html\nDear Bob

Ciphertext C0 ⊕ P0, C1, C2 decrypts to (CBC Gadget):
P0' = 0000000000000000
P1 = xt/html\nDear Bob

Ciphertext C0 ⊕ P0 ⊕ Pc, C1, C2 decrypts to P0', P1.

Ciphertext C0, C1', C2 decrypts to:
P0' = Content-type: te, then shown as ????????????????
P1' = Zt/html\nDear Bob

Attacking S/MIME
No MAC
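
The CBC gadget from the slides (C0 ⊕ P0 ⊕ Pc) and the consequence of the missing MAC, as an added example that is not part of the original talk. A constructed Feistel permutation stands in for AES, and the keys, IV, chosen block and all function names are assumptions; the encrypt-then-MAC check at the end shows a verified decryption refusing the modified ciphertext.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, rounds):
    # Constructed Feistel permutation standing in for AES (assumption, not secure);
    # running it with the round order reversed inverts it.
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def cbc_encrypt(key, iv, plaintext):
    blocks = [iv]  # slide notation: C0 is the IV
    for i in range(0, len(plaintext), BLOCK):
        p = xor(plaintext[i:i + BLOCK], blocks[-1])
        blocks.append(feistel(key, p, range(4)))
    return blocks

def cbc_decrypt(key, blocks):
    # P[i] = D(C[i+1]) xor C[i]; nothing here checks integrity
    return [xor(feistel(key, c, reversed(range(4))), prev)
            for prev, c in zip(blocks, blocks[1:])]

def gadget(c0, p0, pc):
    # C0' = C0 xor P0 xor Pc: needs the known plaintext P0, never the key
    return xor(xor(c0, p0), pc)

def tag(mac_key, blocks):
    return hmac.new(mac_key, b"".join(blocks), hashlib.sha256).digest()

def decrypt_verified(key, mac_key, blocks, t):
    # Encrypt-then-MAC: verify first, release no plaintext on mismatch
    if not hmac.compare_digest(tag(mac_key, blocks), t):
        return None
    return cbc_decrypt(key, blocks)

def demo():
    key, mac_key, iv = b"K" * 16, b"M" * 16, bytes(range(16))  # constructed values
    msg = b"Content-type: text/html\nDear Bob"  # the two blocks shown on the slides
    c = cbc_encrypt(key, iv, msg)
    forged = [gadget(c[0], msg[:BLOCK], b"CHOSEN-PLAINTEXT")] + c[1:]
    return cbc_decrypt(key, forged), decrypt_verified(key, mac_key, forged, tag(mac_key, c))
```

`demo()` returns the unauthenticated decryption of the modified ciphertext (first block replaced by the chosen block, second block untouched) and the result of the verified decryption, which is `None`.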

Attacking S/MIME
PRACTICAL ATTACK AGAINST S/MIME

Plaintext blocks: Content-type: te | xt/html\nDear Sir | or Madam, the se | ecret meeting wi

[Figure: Original vs. Crafted message blocks; the crafted message includes two ???????????????? blocks. Labels: Changing, Duplicating, Reordering]

Practical attack against S/MIME
ATTACKER MODEL

OpenPGP

Attacking OpenPGP
DIFFERENCES TO S/MIME
• OpenPGP uses a variation of CFB-Mode
• OpenPGP defines primitives for integrity protection
• Plaintext compression is enabled by default

[Figure: CFB-mode encryption over ciphertext blocks Ci, Ci+1, Ci, X; labels: random plaintext, Pi (known), Pi-1, Pc (chosen)]

Attacking OpenPGP
DEFEATING INTEGRITY PROTECTION

Columns: Client | Plugin (up to version) | MDC Stripped | MDC Incorrect | SEIP -> SE
Outlook 2007 | GPG4WIN 3.0.0
Outlook 2010 | GPG4WIN
Outlook 2013 | GPG4WIN
Outlook 2016 | GPG4WIN
Thunderbird | Enigmail 1.9.9
Apple Mail (OSX) | GPGTools 2018.01
Legend: Vulnerable | Not Vulnerable

Attacking OpenPGP
RFC 4880 ON MODIFICATION DETECTION CODES

OpenPGP
COMPRESSION (DEFLATE)

• Challenge: create chosen compressed plaintext
• We present a solution for this in the paper

In a nutshell:
• Our shortest exploit needs 11 bytes of known plaintext
• The first 4 bytes are known header data
• Remaining 7 bytes have to be guessed

OpenPGP
GUESSING BYTES IN COMPRESSION

PGP-encrypted Facebook password recovery
• 211 guesses to break every email

PGP-encrypted Enron dataset
• 500 guesses to break 41% of the emails

Multiple guesses per email possible
• Up to 1.000 MIME parts per email

Impact on the standards
CURRENT DRAFTS

S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11
• References EFAIL paper
• Recommends usage of authenticated encryption

OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05
• Deprecates Symmetrically Encrypted (SE) data packets (due to downgrade attack)
• Proposes chunk size limits for AEAD protected data packets
• Implementations should not allow users to access modified plaintexts

Conclusions

• Introduced malleability gadgets
• Self-exfiltrating plaintexts
• Evaluation of backchannels
• Crypto standards need to evolve
• Current S/MIME is broken
• OpenPGP needs clarification
• Secure HTML email is challenging

Thank you! Questions?
https://www.efail.de/