Email encryption standards hacked

May 14, 2018

A research team from the University of Applied Sciences (FH) in Münster, Horst Görtz Institute for IT Security at Ruhr-Universität Bochum (RUB), and Katholieke Universiteit Leuven has demonstrated that the two most common email encryption standards are vulnerable to attacks. Their attack, referred to as Efail, proved successful in 25 out of 35 tested email programs using the S/MIME encryption standard and in 10 out of 28 tested programs using OpenPGP. The program developers have been informed and have fixed the security gaps. The experts urgently recommend updating the underlying cryptographic algorithms in order to withstand any potential attacks in future. Detailed information on their attack has been published on their website https://efail.de/.

Realistic attack scenario

Emails are encrypted in order to hide their contents from network providers, cybercriminals, and intelligence services who might gain access to them via hacked routers, an email server, or by recording a message during transmission. "In the wake of Snowden's whistleblowing and countless hacked email servers, this is very much a realistic scenario," stresses Prof Dr Sebastian Schinzel from the Department Electrical Engineering and Computer Science at FH Münster.

The intercepted message is manipulated by the attacker as he adds his own malicious commands in encrypted form. Thus altered, the message is sent to one of the recipients or to the sender, i.e. where the data is stored that's necessary for deciphering it.

After the message has been deciphered, the inserted commands cause the victim's email program to establish a communication connection with the attacker the next time the email is opened. This form of communication is pretty much standard when, for example, images or design elements in emails are loaded. Via that connection, the decoded email is then sent to the attacker who can read them. The researchers named this novel attack method "Exfiltration with Malleability Gadgets".

Enterprise, journalist, whistleblower

The email encryption standards S/MIME - short for Secure/Multipurpose Internet Mail Extensions - and OpenPGP have been in use since the 1990s. S/MIME is frequently deployed by enterprises that encrypt all outgoing and decrypt all incoming emails. OpenPGP is preferably used by individuals, for example, by journalists in conflict areas or by whistleblowers like Edward Snowden.

The underlying cryptography hasn't been updated since the 1990s, even though better techniques have long been available. "This type of cryptography has been broken more than once in other Internet standards, e.g. in TLS, short for Transport Layer Security, a protocol for the encryption of online data transmission. We have now demonstrated for the first time that it is also vulnerable as far as email encryption is concerned," explains Prof Dr Jörg Schwenk from the Chair for Network and Data Security at RUB.

In its current version, S/MIME is not suitable for secure communication

In the case of S/MIME, the successful attack has shown that the current standard is not suitable for secure communication. "OpenPGP can be configured and used securely; however, this is often not the case as we showed in our practical analyses and should therefore be considered insecure," says Jörg Schwenk.

Now, the Internet Engineering Task Force, a developer-independent international organisation, is called upon to provide a new standard, according to the researchers. Following their successful attack, the research team have informed the developers of all tested email programs of the security gap identified by them. Measures have been taken to close it, in order to minimise the risk of a successful genuine attack.
-end-
Presented at conferences

The attack will figure on the agenda of a number of conferences: on May 17 and 18, 2018 at Ruhrsec at RUB (https://www.ruhrsec.de/2018/) and in the summer at the Usenix Security Symposium, which will be taking place from August 15 to 17, 2018 in Baltimore, USA.

Ruhr-University Bochum

Related Communication Articles from Brightsurf:

Video is not always effective in science communication
What we can learn for online public relations: - Keep the information concise so that one can go thorough it within about 1 minute.

Ultraviolet communication to transform Army networks
Of ever-increasing concern for operating a tactical communications network is the possibility that a sophisticated adversary may detect friendly transmissions.

Adding noise for completely secure communication
How can we protect communications against 'eavesdropping' if we don't trust the devices used in the process?

How serotonin balances communication within the brain
Our brain is steadily engaged in soliloquies. These internal communications are usually also bombarded with external sensory events.

Breaking the communication code
Ever wonder how mice talk to each other. We don't have a dictionary quite yet, but UD neuroscientist Josh Neunuebel and his lab have linked mice chatter (their ultrasonic vocalizations) with specific behaviors.

A new twist on quantum communication in fiber
New research done at the University of the Witwatersrand in Johannesburg, South Africa, and Huazhang University of Science and Technology in Wuhan, China, has exciting implications for secure data transfer across optical fiber networks.

Study traces evolution of acoustic communication
A study tracing acoustic communication across the tree of life of land-living vertebrates reveals that the ability to vocalize goes back hundreds of millions of years, is associated with a nocturnal lifestyle and has remained stable.

Should preschool writing be more communication and less ABCs?
Writing instruction in early education should be about more than letter formation and penmanship, argue Michigan State University researchers who found preschool teachers don't often encourage writing for communication purposes.

Trump's Twitter communication style shifted over time based on varying communication goals
The linguistic and discursive style of Donald Trump's tweets varied systematically before, during, and after the 2016 presidential campaign, depending on the communicative goals of Trump and his team, according to a study published Sept.

Intercultural communication crucial for engineering education
In an increasingly connected world it helps to engage with other cultures without prejudice or assumption.

Read More: Communication News and Communication Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.