attacking end to end encrypted emails
play

Attacking End-to-End Encrypted Emails Joint research with : Prof. - PowerPoint PPT Presentation

https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Mller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jrg


  1. https://efail.de/ Attacking End-to-End Encrypted Emails Joint research with : Prof. Dr. Sebastian Schinzel Damian Poddebniak, Christian Dresen, Twitter: @seecurity Jens Müller, Fabian Ising, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk, Marcus Brinkmann.

  2. Email. 2

  3. av2.com av1.com smtp.corp2 smtp.corp1 imap.corp2 imap.corp1 archive.corp1 archive.corp2

  4. av1.com smtp.corp1 imap.corp1 archive.corp1

  5. There is no such thing as “My Email”. 5

  6. av1.com Assumption: smtp.corp1 imap.corp1 Attacker has archive.corp1 access to emails!

  7. Two competing standards OpenPGP (RFC 4880) • First “encryption for the masses” • Favored by privacy advocates • Most widely used email clients require plugin S/MIME (RFC 5751) • Favored by corporate organizations • Native support in most widely used email clients 7

  8. New published PGP public keys per month ? Known limitations!  Usability  Snowden Effekt Thanks to Marcus Brinkmann @neopg_  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 8

  9. Daily users of Enigmail Known limitations!  Usability  Snowden Effekt  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 9

  10. ‘99 ‘06 ‘15 10

  11. PGP and OpSec  Some tutorials recommend using PGP outside of email client. • https://gist.github.com/grugq/ 03167bed45e774551155 • https://vimeo.com/56881481  Others recommended Enigmail in default settings (i.e. HTML switched on) 11

  12. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker 12

  13. 2014: Enigmail won’t encrypt. https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ 13

  14. 2017: Outlook includes plaintext in encrypted email. https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/ 14

  15. 2018: Enigmail/PEP won‘t encrypt. https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html 15

  16. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 16

  17. Hybrid decryption • Choose message 𝑛 Content-type: app/encrypted • Generate session key 𝑡 𝒍 𝑡 • Encrypt message 𝑛 with session key 𝑡 Dear Alice, – 𝑑 = 𝐵𝐹𝑇 𝑡 (𝑛) • Encrypt session key 𝑡 with public key c thank you for your email. 𝑞𝑣𝑐 of recipient The meeting tomorrow – 𝑙 = 𝑆𝑇𝐵 𝑞𝑣𝑐 (𝑡) will be at 9 o‘clock . • Send the encrypted session key and the encrypted message to the recipient 17

  18. Hybrid decryption • Obtain the encrypted email Content-type: app/encrypted • Extract ciphertext 𝑙 and ciphertext 𝑑 𝒍 𝑡 • Decrypt 𝑙 with private key 𝑡𝑓𝑑 to Dear Alice, obtain session key 𝑡 – 𝑡 = 𝑆𝑇𝐵 𝑡𝑓𝑑 (𝑙) c thank you for your email. • Decrypt ciphertext 𝑑 with session key The meeting tomorrow 𝑡 to obtain the cleartext 𝑛 will be at 9 o‘clock . – 𝑛 = 𝐵𝐹𝑇 𝑡 𝑑 18

  19. Ciphertext malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 19

  20. CBC Mode of Encryption C 2 C 1 C 0 decryption decryption Content-type: te xt/html\nDear Bob P 0 P 1 20

  21. Malleability of CBC/CFB C 2 C 1 C 0 ' decryption decryption Z ontent-type: te xt/html\nDear Bob P 0 ' P 1 21

  22. Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 decryption decryption 0000000000000000 xt/html\nDear Bob P 0 ' P 1 CBC Gadget 22

  23. Malleability of CBC/CFB C 2 C 1 C 0 ⊕ P 0 ⊕ P c decryption decryption <img src =” ev.il/ xt/html\nDear Bob P c P 1 23

  24. Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption Content-type: te Z t/html\nDear Bob P 0 ' P 1 ' 24

  25. Malleability of CBC/CFB C 2 C 1 ' C 0 decryption decryption ???????????????? Z t/html\nDear Bob P 0 ' P 1 ' 25

  26. Ciphertext Malleability 𝑡 Dear Alice, ↯ ????????????????ur efail. The meeting tomorrow will 𝒅 be at 9 o‘clock . 26

  27. MAC != digital signature “valid signature” Message Authentication Codes • Protection against ciphertext tampering “invalid signature” Digital Signatures? • Merely used to display status message or icon • In many cases, attacker can – remove signatures “encrypted, not signed” – sign unknown ciphertext under own identity 27

  28. S/MIME 28

  29. S/MIME 29

  30. Attacking S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted <base " " href="http:"> ???????????????? ???????????????? <img " ???????????????? ???????????????? " src="efail.de/ Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi "> ???????????????? Modify Duplicate Reorder 30

  31. Backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt 40/47 clients have User interaction Airmail MailMate Apple Mail macOS No user interaction backchannels requiring Mail App Outlook CanaryMail iOS Leak via bypass no user interaction K-9 Mail MailDroid J avascript execution Android R2Mail Nine GMail Yahoo! GMX Mail.ru Mailbox ProtonMail Webmail iCloud FastMail Mailfence ZoHo Mail HushMail Outlook.com Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile 32

  32. • S/MIME has no standard- conforming countermeasure • Email clients try to mitigate this (insufficiently) 33

  33. Demo ohne html

  34. Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 35

  35. Outlook: Non-HTML CBC Gadgets? recommendations PDF 28.12.2018 36

  36. Outlook: Non-HTML CBC Gadgets? recommendations MS Word 28.12.2018 37

  37. Outlook: Non-HTML CBC Gadgets? recommendations LibreOffice 28.12.2018 38

  38. Outlook: Non-HTML CBC Gadgets? Challenge: 1. Write a non-HTML demo that exfiltrates OpenPGP or S/MIME email plaintext blocks via attachments (PDF, Word, XML, ...). 2. First successful submission gets a crate of Club Mate and Efail swag! 39

  39. Efail-related changes to S/MIME Efail CBC Gadget attack: Efail direct exfiltration attack: EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, 28.12.2018 40 https://tools.ietf.org/html/draft-ietf-lamps-rfc5751-bis-12#page-45 Schwenk

  40. OPENPGP 41

  41. Differences S/MIME  OpenPGP • OpenPGP uses a variation of CFB-Mode • Plaintext compression is enabled by default • OpenPGP defines Modification Detection Code “MDC“ ( 𝑇𝐼𝐵1(𝑛) ) MDC SEIP m sha1(m) 42

  42. OpenPGP RFC on invalid MDCs 43

  43. # new PGP keys with/without MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 44

  44. # cumulative valid PGP keys not supporting MDCs per year Thanks to Marcus Brinkmann @neopg_ 28.12.2018 45

  45. Attacking OpenPGP 1. MDC stripped: SEIP m sha1(m) 2. MDC incorrect: SEIP m‘ sha1(m) 3. SEIP->SE downgrade SEIP m sha1(m) 46

  46. Attacking OpenPGP Client Plugin (up to MDC Stripped MDC Incorrect SEIP -> SE version) Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 Vulnerable Not Vulnerable 47

  47. Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#section-5.8 48

  48. Efail-related changes to OpenPGP https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-104 49

  49. Efail-related changes to OpenPGP Checking MDC only possible after full decryption – GnuPG streams plaintext to app during decryption – Only when finished, GnuPG prints flag whether or not decryption was successful. OpenPGP draft already supported chunking of plaintext – Pro: Authenticate chunks before giving it to app! – Con: Recommended chunk size is 128MByte (OpenPGP implementations may not want to cache 128MByte and thus use streaming again) https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-05#page-63 https://mailarchive.ietf.org/arch/msg/openpgp/KXM9nqbhkn3ELTznP6YBQhEipC0 50

  50. Efail-related changes to GnuPG • MDC errors now result in hard failures (not merely warnings). • GnuPG now always uses MDC independently if key denotes MDC support or not. • But: – Sets default chunks sizes from 1GByte to 128MByte. – Still streams unauthenticated plaintext. 51

  51. av1.com smtp.corp1 imap.corp1 archive.corp1

  52. Agenda Efail CBC/CFB Gadgets Efail Direct Exfiltration Reply to attacker Plaintext bugs 53

  53. Efail Direct Exfiltration Alice’s mail program encrypts the email Alice writes a Mail to Bob Encryption From: Alice To: Bob -----BEGIN PGP MESSAGE----- Dear Bob, hQIMA1n/0nhVYSIBARAAiIsX1QsH the meeting tomorrow will be ZObL2LopVexVVZ1uvk3wieArHUg… at 9 o‘clock . -----END PGP MESSAGE----- 54

Recommend


More recommend