Sebastian Schinzel

In this talk, I’ll present several attacks that leak the plaintext of OpenPGP or S/MIME encrypted emails to an attacker. Some of the attacks are technically interesting, i.e. the two different efail attacks, some are somewhat silly, yet effective. Some abuse HTML emails, some also work with plain ASCII emails. Furthermore, I’ll discuss our lessons learned and describe the efail-related changes to mail clients and the OpenPGP and S/MIME standards.

Email remains the least common denominator when two or more people communicate over the Internet. While many modern messengers use end-to-end (e2e) encryption by default, email relies on transport encryption among email servers, which offers a much weaker protection. OpenPGP and S/MIME are two competing standards that bring e2e encrypted communication to email. While S/MIME is mostly used in corporate environments and built into many of the widely used email clients, OpenPGP often requires that users install additional software and plugins. Both technologies never reached large deployment, mostly because both suffer from a range of usability issues. However, it is commonly assumed that if one manages to use OpenPGP or S/MIME to encrypt emails, it is very secure. In this talk, I’ll discuss several attacks that leak the plaintext of OpenPGP or S/MIME encrypted emails to an attacker. Some of the attacks are technically interesting, i.e. the two different efail attacks, some are somewhat silly, yet effective. Some abuse HTML emails, some also work with plain ASCII emails. The disclosure of the efail vulnerabilities caused a lot of stir in the press and the community, which also led to confusion about how the vulnerabilities work, about the mitigations and about the consequences for the OpenPGP and S/MIME standards. I’ll discuss our lessons learned and describe the efail-related changes to mail clients and the OpenPGP and S/MIME standards.

We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. Using Internet-wide scans, we find that 33% of all HTTPS servers are vulnerable to this protocol-level attack.

We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse. For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack. This talk gives an overview on the DROWN vulnerability for the hacker community with some background information that didn’t make it to the paper.

We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip.

16 years ago, Daniel Bleichenbacher presented a protocol-level padding oracle attack against SSL/TLS. As a countermeasure, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose "to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks". In our recent paper [1] we show that this objective has not been achieved yet: We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup. Besides the academic relevance of breaking common SSL/TLS implementations, the timing attacks we performed are quite interesting for the hacking community. In our talk, we will thus focus on the challenges we had to solve during our attacks and on the challenges of fixing these issues. The talk extends the topics that I presented at 28c3 [2] and 29c3 [3]. [1]: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. Meyer, Somorovsky, Weiss, Schwenk, Schinzel, Tews. Usenix Security Symposium 2014. [2]: https://media.ccc.de/browse/congress/2011/28c3-4640-en-time_is_on_my_side.html [3]: https://media.ccc.de/browse/congress/2012/29c3-5044-en-time_is_not_on_your_side_h264.html