Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails. These snippets abuse existing and standard-conforming backchannels to exfiltrate the full plaintext after decryption. We describe malleability gadgets for emails using HTML, CSS, and X.509 functionality. The attack works for emails even if they were collected long ago, and it is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker. We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is advisable to update the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.
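As an added illustration of the CBC malleability gadget the abstract describes (example code written here, not the paper's artefact): CBC decryption ties each plaintext block to the preceding ciphertext block, so editing C[k-1] steers plaintext block k once its original content is known, regardless of the key. The Feistel block cipher over SHA-256 is a constructed stand-in for AES, and the HMAC at the end shows that an integrity tag over the ciphertext, which the unauthenticated CBC/CFB modes lack, detects the edit.

```python
import hashlib, hmac, os
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of a constructed Feistel cipher standing in for AES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def block_encrypt(key: bytes, b: bytes) -> bytes:
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r
def block_decrypt(key: bytes, b: bytes) -> bytes:
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # P[i] = D(C[i]) XOR C[i-1] with C[-1] = IV: block i is steered by C[i-1].
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def cbc_gadget(iv: bytes, ct: bytes, k: int, known: bytes, chosen: bytes):
    # Edit C[k-1] so plaintext block k decrypts to `chosen`, using only the
    # known plaintext of block k (no key). Block k-1 becomes garbage.
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    blocks[k] = _xor(blocks[k], _xor(known, chosen))
    return blocks[0], b"".join(blocks[1:])

def demo() -> tuple:
    key, mk, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    pt = b"Dear Bob, the secret is 42.     "  # constructed two-block message
    ct = cbc_encrypt(key, iv, pt)
    mac = lambda i, c: hmac.new(mk, i + c, hashlib.sha256).digest()
    # Attacker knows block 1 (e.g. a fixed header line) and steers it.
    iv2, ct2 = cbc_gadget(iv, ct, 1, pt[16:], b"chosen-text-here")
    injected = cbc_decrypt(key, iv2, ct2)[16:] == b"chosen-text-here"
    detected = not hmac.compare_digest(mac(iv, ct), mac(iv2, ct2))
    return injected, detected
```

`demo()` returns `(True, True)`: the edited block decrypts to the chosen text, and the integrity tag no longer verifies.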
