"Johnny, you are fired!" - Spoofing OpenPGP and S/MIME Signatures in Emails

OpenPGP and S/MIME are the two major standards to en-crypt and digitally sign emails. Digital signatures are sup-posed to guarantee authenticity and integrity of messages. Inthis work we show practical forgery attacks against variousimplementations of OpenPGP and S/MIME email signatureverification in five attack classes: (1) We analyze edge casesin S/MIME’s container format. (2) We exploit in-band sig-naling in the GnuPG API, the most widely used OpenPGPimplementation. (3) We apply MIME wrapping attacks thatabuse the email clients’ handling of partially signed mes-sages. (4) We analyze weaknesses in the binding of signedmessages to the sender identity. (5) We systematically testemail clients for UI redressing attacks.Our attacks allow the spoofing of digital signatures for ar-bitrary messages in 14 out of 20 tested OpenPGP-capableemail clients and 15 out of 22 email clients supportingS/MIME signatures. While the attacks do not target the un-derlying cryptographic primitives of digital signatures, theyraise concerns about the actual security of OpenPGP andS/MIME email applications. Finally, we propose mitigationstrategies to counter these attacks.

[1]  Don Davis,et al.  Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML , 2001, USENIX Annual Technical Conference, General Track.

[2]  Robert Biddle,et al.  Browser interfaces and extended validation SSL certificates: an empirical study , 2009, CCSW '09.

[3]  Peter W. Resnick,et al.  Internet Message Format , 2001, RFC.

[4]  Jörg Schwenk,et al.  Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels , 2018, USENIX Security Symposium.

[5]  John C. Klensin,et al.  Simple Mail Transfer Protocol , 2001, RFC.

[6]  Stuart E. Schechter,et al.  The Emperor's New Security Indicators , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[7]  Jon Callas,et al.  OpenPGP Message Format , 1998, RFC.

[8]  Russ Housley,et al.  Cryptographic Message Syntax (CMS) , 2002, RFC.

[9]  J. Doug Tygar,et al.  Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.

[10]  D. H. Crocker,et al.  Standard for the format of arpa intemet text messages , 1982 .

[11]  Sunny Consolvo,et al.  Rethinking Connection Security Indicators , 2016, SOUPS.

[12]  Blake Ramsdell,et al.  S/MIME Version 3 Certificate Handling , 1999, RFC.

[13]  Patrick Traynor,et al.  Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road? , 2012, ISC.

[14]  Albert Levi,et al.  Understanding the limitations of S/MIME digital signatures for e-mails: A GUI based approach , 2009, Comput. Secur..

[15]  Lijun Liao,et al.  Secure email communication with XML-based technologies , 2010 .

[16]  Sean Turner,et al.  Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification , 2019, RFC.

[17]  Lorrie Faith Cranor,et al.  Crying Wolf: An Empirical Study of SSL Warning Effectiveness , 2009, USENIX Security Symposium.

[18]  Gang Wang,et al.  End-to-End Measurements of Email Spoofing Attacks , 2018, USENIX Security Symposium.

[19]  Blake Ramsdell,et al.  S/MIME Version 3 Message Specification , 1999, RFC.

[20]  Volker Roth,et al.  Secure Email , 2011, Encyclopedia of Cryptography and Security.