Email encryption hacked

Researchers crack the two most common encryption methods


Hackers reading along: German researchers have managed to crack the two most common encryption methods for e-mails, the S/MIME and OpenPGP standards. In the test, their attack was successful in about half of the email programs using these encryption standards. The manufacturers have already been informed and have fixed the vulnerabilities. Nevertheless, this demonstrates that the cryptographic procedures need to be renewed, the researchers said.

Ever since Edward Snowden and the NSA affair, it has been clear: emails are like postcards. If they are not encrypted, any unauthorized person can read along. To prevent this, companies, but also journalists in crisis areas and other private individuals, use two common encryption methods: S/MIME, short for Secure/Multipurpose Internet Mail Extensions, and OpenPGP.

Both encryption methods have been in use since the 1990s and were previously considered relatively secure, at least in e-mail traffic. "In other Internet standards such as TLS, a protocol for encrypting data transmissions on the Internet, this type of cryptography has already been broken several times," explains Jörg Schwenk from the Ruhr University Bochum.

This is how the attack works

The problem: the underlying cryptography of both methods has been unchanged since the 1990s. In the Efail project, Schwenk and his colleagues have now tested how secure S/MIME and OpenPGP really are. "In a nutshell, Efail uses the active content of HTML emails, such as externally loaded images or style presets," the researchers explain. First, the attacker inserts his own code into the encrypted e-mails.

When the recipient's mail program then opens the email and loads the external content, this code ensures, unnoticed, that the decrypted text is sent to the attacker. By the time the modified e-mail is displayed to the recipient, it is already too late: the plaintext has already gone out to the attacker. The researchers call this novel attack technique "exfiltration with malleability gadgets". The details of the procedure are explained on their website.

More than half cracked

The result of the test: in 25 out of 35 tested email programs for the encryption standard S/MIME, the attack was successful. The picture was similar for the OpenPGP standard: here, the researchers were able to outsmart ten out of 28 tested mail programs.

"This is the first time that we have demonstrated the suitability of these methods in e-mail encryption," explains Schwenk. In the case of S/MIME, the successful attack has shown that the current standard is unsuitable for secure communication. "OpenPGP can be configured confidently, but it is often used incorrectly in practice and should therefore be considered unsafe," says the researcher.

The manufacturers of the mail programs have already been informed and have corrected the reported security gaps, as the scientists report. Nevertheless, the experts strongly recommend that the cryptographic procedures underlying the standards be renewed in order to be able to ward off future attacks.

(Ruhr-University Bochum, 15.05.2018 - NPO)