Re: What’s Up Johnny?

Covert Content Attacks on Email End-to-End Encryption

  • Conference paper
Applied Cryptography and Network Security (ACNS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11464)


Abstract

We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages.


Notes

  1. According to Google’s transparency report, 88% of the email traffic was TLS encrypted in the fourth quarter of 2018: https://transparencyreport.google.com/safer-email/.

  2. Note that digital signatures do not prevent this attack because Eve can strip them and re-sign the message under her identity as discussed in Sect. 8.1 of this paper.

  3. According to an email marketing statistics and metrics study conducted by Juniper Research, 97% of all email clients used in 2007 supported HTML messages.

  4. There are alternative ways to handle multipart messages. The email client “The Bat!” shows a new tab for each body part, while Outlook only displays the very first part. However, a majority of the evaluated clients follows the described approach.

  5. At some point, the SMTP server may enforce a resource limit, e.g., 25 MB for Gmail.

  6. It must be noted that for two clients, MailMate and Airmail, some additional effort was required to bypass filters which would otherwise strip internal CSS styles.


Acknowledgements

The authors thank Juraj Somorovsky for his valuable feedback and insightful discussions. Jens Müller was supported by the research training group ‘Human Centered System Security’ sponsored by the state of North Rhine-Westphalia. In addition, this work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CASA.


Corresponding author

Correspondence to Jens Müller.


Appendices

A Screenshots of Decryption Oracles

A.1 Plaintext Hidden in a Referenced Inline ‘Image’

Figure 10 depicts a covert content attack against Thunderbird/Enigmail based on the example email given in Fig. 6. The ciphertext is hidden in an embedded ‘image’ file, referenced from the attacker’s part via a cid: URI scheme. The OpenPGP plugin – Enigmail – detects the ‘image’ as PGP/MIME content and decrypts it. The decrypted ‘image’ is then Base64 encoded by Thunderbird and included in the reply message, therefore leaking the plaintext.

Fig. 10. Covert content attack using Thunderbird as PGP decryption oracle.
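A receiving-side check for the structure described in A.1, as an added example that is not taken from the paper: it flags MIME parts that an HTML part references via cid: and that are, or contain, OpenPGP ciphertext regardless of their declared type. The function name, the armor-header heuristic and the sample message are assumptions made for illustration; percent-encoded cid: references are not handled.

```python
import re
from email import message_from_string

ARMOR = "-----BEGIN PGP MESSAGE-----"
PGP_TYPES = {"multipart/encrypted", "application/pgp-encrypted"}
CID_REF = re.compile(r"cid:([^\"'\s>)]+)", re.IGNORECASE)

def _text(part):
    """Decoded body of a leaf part as text ('' for multipart containers)."""
    if part.is_multipart():
        return ""
    return (part.get_payload(decode=True) or b"").decode("utf-8", "replace")

def cid_referenced_ciphertext(raw_message):
    """Content-IDs referenced via cid: from HTML whose part holds OpenPGP data."""
    msg = message_from_string(raw_message)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(CID_REF.findall(_text(part)))
    hits = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid and cid in referenced:
            # Judge by content, not by the declared type: an 'image' may be armor.
            if part.get_content_type() in PGP_TYPES or any(
                    ARMOR in _text(p) for p in part.walk()):
                hits.append(cid)
    return hits

# Constructed sample: the 'image' body is a placeholder, not real ciphertext.
SAMPLE = """\
From: eve@example.org
To: johnny@example.org
Subject: Re: lunch
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<p>See you at noon?</p><img src="cid:part2">
--b1
Content-Type: image/png
Content-ID: <part2>

-----BEGIN PGP MESSAGE-----
(constructed placeholder)
-----END PGP MESSAGE-----
--b1--
"""
```

A client or gateway could use a hit as the signal to refuse automatic decryption of the referenced part or to keep it out of quoted reply text.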

B HTML/CSS Email Support

Table 3. HTML and CSS support in various email clients.

C Other Conditional Features

Fig. 11. Proprietary features and CSS to target only certain clients.


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Müller, J., Brinkmann, M., Poddebniak, D., Schinzel, S., Schwenk, J. (2019). Re: What’s Up Johnny?. In: Deng, R., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2019. Lecture Notes in Computer Science, vol 11464. Springer, Cham. https://doi.org/10.1007/978-3-030-21568-2_2


  • DOI: https://doi.org/10.1007/978-3-030-21568-2_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21567-5

  • Online ISBN: 978-3-030-21568-2

  • eBook Packages: Computer Science (R0)
