Mailto: Me Your Secrets. On Bugs and Features in Email End-to-End Encryption
- OpenPGP and S/MIME are the two major standards for email end-to-end encryption. We show practical attacks against both encryption schemes in the context of email. First, we present a design flaw in the key update mechanism, allowing a third party to deploy a new key to the communication partners. Second, we show how email clients can be tricked into acting as an oracle for decryption or signing by exploiting their functionality to auto-save drafts. Third, we demonstrate how to exfiltrate the private key, based on proprietary mailto parameters implemented by various email clients. An evaluation shows that 8 out of 20 tested email clients are vulnerable to at least one attack. While our attacks do not target the underlying cryptographic primitives, they raise concerns about the practical security of OpenPGP and S/MIME email applications. Finally, we propose countermeasures and discuss their advantages and disadvantages.
| Verfasserangaben: | Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel, Jörg Schwenk |
|---|---|
| DOI: | https://doi.org/10.1109/CNS48642.2020.9162218 |
| Titel des übergeordneten Werkes (Deutsch): | 2020 IEEE Conference on Communications and Network Security (CNS) |
| Dokumentart: | Beitrag in einer Konferenzveröffentlichung |
| Sprache: | Deutsch |
| Datum der Veröffentlichung (online): | 13.08.2020 |
| Jahr der Erstveröffentlichung: | 2020 |
| Betreiber des Publikationsservers: | FH Münster - University of Applied Sciences |
| Datum der Freischaltung: | 14.08.2020 |
| Freies Schlagwort / Tag: | Cyber Security; PGP; S/MIME |
| Erste Seite: | 1 |
| Letzte Seite: | 9 |
| Fachbereiche: | Elektrotechnik und Informatik (ETI) |
| Publikationsliste: | Schinzel, Sebastian |
| Lizenz (Deutsch): |  Bibliographische Daten |