[openpgp] Tapping Into Format Oracles in Email End-to-End Encryption

Marcus Brinkmann <marcus.brinkmann@rub.de> Fri, 20 January 2023 10:13 UTC

Hi,

There has been a prepublication of a paper appearing at USENIX 2023 from our colleagues at Münster University of Applied Sciences (the research group by Sebastian Schinzel that also published EFAIL). It is about format oracles in email end-to-end encryption.

https://www.usenix.org/system/files/sec23summer_217-ising-prepub.pdf

The paper is titled "Content-Type: multipart/oracle - Tapping into Format Oracles in Email End-to-End Encryption" and written by Fabian Ising, Damian Poddebniak, Tobias Kappert, Christoph Saatjohann, and Sebastian Schinzel, all affiliated with Münster University of Applied Sciences.

The basic idea is that an attacker who can send encrypted emails to a victim and observe the (TLS-protected) IMAP connection passively is able to see network patterns based on the decryption state of parts of the MIME tree. By cleverly exploiting the "interplay of MIME, IMAP, and SMTP" they are able to construct side-channels leaking information about the decryption process. In one client this "leads to a practical format oracle attack against S/MIME."

My opinion:

Although limitations in email clients do not lead to practical attacks in other cases, this is something that can change over time. The importance of this work is to raise awareness that S/MIME and OpenPGP are not just static data formats for encryption at rest, but are used in dynamic applications where oracle queries are possible. The OpenPGP community should be aware of this risk and ensure that the chance for format oracles in the standard is minimized.

I have pointed out previously here on the mailing list that this is an emergent risk, and that the standard should be rigorous in defending against any format oracles. An important example is the correct implementation of AEAD modes, in that modified ciphertext is never processed (for example, it should not be decompressed), or output. Another example is the quick check bytes, for which this risk was known. But there are other possible format oracles hidden in OpenPGP data structures and implementations. Such oracles can be hard to find, but there has also been work on automating this (see https://www.usenix.org/system/files/sec20-beck_0.pdf "Automating the Development of Chosen Ciphertext Attacks" by Gabrielle Beck, Maximilian Zinkus and Matthew Green at Johns Hopkins University). Attacks only get better!

Thanks to the authors for publishing this work, which pushes the boundary of what we know attackers can do in this area!

—
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Phone: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
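
The AEAD point in the message above (modified ciphertext is never processed, for example decompressed, or output), as an added example that is not part of the original post or of any OpenPGP implementation. It assumes a toy encrypt-then-MAC construction built from `hashlib`/`hmac` as a stand-in for a real AEAD mode; all function names are hypothetical.

```python
# Added example: toy encrypt-then-MAC stand-in for an AEAD mode, not OpenPGP code.
import hashlib, hmac, os, zlib

class DecryptError(Exception): pass

def keystream(key, nonce, n):
    # Toy SHA-256 counter keystream; stands in for a real cipher (assumption).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mac(mac_key, nonce, ct):
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def seal(enc_key, mac_key, plaintext):
    """Compress, encrypt, then authenticate nonce || ciphertext."""
    nonce, data = os.urandom(16), zlib.compress(plaintext)
    ct = xor(data, keystream(enc_key, nonce, len(data)))
    return nonce + ct + mac(mac_key, nonce, ct)

def open_unsafe(enc_key, mac_key, blob):
    """Anti-pattern: parses modified ciphertext before checking the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # zlib.error raised here is a format signal distinct from a tag failure.
    plaintext = zlib.decompress(xor(ct, keystream(enc_key, nonce, len(ct))))
    if not hmac.compare_digest(tag, mac(mac_key, nonce, ct)):
        raise DecryptError("bad tag")
    return plaintext

def open_safe(enc_key, mac_key, blob):
    """Check the tag first; unauthenticated bytes are never decompressed or output."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, mac(mac_key, nonce, ct)):
        raise DecryptError("decryption failed")
    return zlib.decompress(xor(ct, keystream(enc_key, nonce, len(ct))))

def flip(blob, index):
    b = bytearray(blob)
    b[index] ^= 1          # invert the lowest bit of one byte
    return bytes(b)

def outcome(opener, enc_key, mac_key, blob):
    try:
        opener(enc_key, mac_key, blob)
        return "ok"
    except Exception as exc:
        return f"{type(exc).__name__}: {exc}"
```

With `open_unsafe`, a modification that breaks the compressed framing and one that only breaks the tag produce different failures, which is exactly the kind of distinguishable behaviour a format oracle needs; `open_safe` reports the same failure for both.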