
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

Conference: BlackHat USA 2018

2018-08-09

Summary

The presentation discusses the vulnerabilities in email encryption standards and the need for constant evolution of crypto standards to meet high demands for privacy and security.
  • Email encryption standards have vulnerabilities that can be exploited through malleability attacks
  • Crypto standards need to constantly evolve to meet high demands for privacy and security
  • HTML email is particularly vulnerable to privacy and security breaches
  • Mitigations include disabling HTML, updating standards, and creating workarounds
  • Proof of concepts for attacks exist, but there is no indication that they have been used in the past

The presenter demonstrated how an attacker can use a malleability attack to modify an encrypted email and send it as a new email to the recipient, without the recipient realizing that the email has been tampered with. The presenter also discussed the need for updated standards and workarounds to mitigate vulnerabilities in email encryption standards.

Abstract

OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. From today's viewpoint this is surprising as both standards rely on outdated cryptographic primitives that were responsible for vulnerabilities in major cryptographic standards. The belief in email security is likely based on the fact that email is non-interactive and thus an attacker cannot directly exploit vulnerability types present in TLS, SSH, or IPsec.

We show that this assumption is wrong. We use a novel attack technique called malleability gadgets to inject malicious plaintext snippets into encrypted emails via malleable encryption. These snippets abuse existing and standard-conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption. The attack is triggered when the victim decrypts a single maliciously crafted email from the attacker.

We devise working malleability gadgets for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.
