OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. From today's viewpoint this is surprising as both standards rely on outdated cryptographic primitives that were responsible for vulnerabilities in major cryptographic standards. The belief in email security is likely based on the fact that email is non-interactive and thus an attacker cannot directly exploit vulnerability types present in TLS, SSH, or IPsec.

We show that this assumption is wrong. We use a novel attack technique called malleability gadgets to inject malicious plaintext snippets into encrypted emails via malleable encryption. These snippets abuse existing and standard-conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption. The attack is triggered when the victim decrypts a single maliciously crafted email from the attacker.

We devise working malleability gadgets for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.

Speakers

Christian Dresen

Christian Dresen is PhD-Student at the University of Applied Sciences in Muenster and Ruhr-University Bochum. He is researcher in the field of IT-Security and CTF enthusiast

Jens Müller

Jens Müller is a PhD student at the Chair for Network and Data Security, Ruhr University Bochum. He has experience as a freelancer in network penetration testing and security auditing. In his spare time, he develops free open source software, for example tools related to network printer exploitation.

Detailed Presentation:

(Source: Black Hat USA 2018, Las Vegas)

8669820464?profile=original

 

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)