We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages.
[1]
Don Davis,et al.
Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML
,
2001,
USENIX Annual Technical Conference, General Track.
[2]
Blake Ramsdell,et al.
S/MIME Version 3 Message Specification
,
1999,
RFC.
[3]
Jonathan Katz,et al.
A Chosen Ciphertext Attack Against Several E-Mail Encryption Protocols
,
2000,
USENIX Security Symposium.
[4]
Jon Callas,et al.
OpenPGP Message Format
,
1998,
RFC.
[5]
Laurent Cailleux,et al.
Securing Header Fields with S/MIME
,
2015,
RFC.
[6]
Jonathan Katz,et al.
Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG
,
2002,
ISC.
[7]
Jörg Schwenk,et al.
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels
,
2018,
USENIX Security Symposium.