“Johnny, you are fired!” – Spoofing OpenPGP and S/MIME Signatures in Emails

Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk

28th USENIX Security Symposium (USENIX Security '19)


Abstract

OpenPGP and S/MIME are the two major standards to encrypt and digitally sign emails. Digital signatures are supposed to guarantee authenticity and integrity of messages. In this work we show practical forgery attacks against various implementations of OpenPGP and S/MIME email signature verification in five attack classes: (1) We analyze edge cases in S/MIME's container format. (2) We exploit in-band signaling in the GnuPG API, the most widely used OpenPGP implementation. (3) We apply MIME wrapping attacks that abuse the email clients' handling of partially signed messages. (4) We analyze weaknesses in the binding of signed messages to the sender identity. (5) We systematically test email clients for UI redressing attacks.

Our attacks allow the spoofing of digital signatures for arbitrary messages in 14 out of 20 tested OpenPGP-capable email clients and 15 out of 22 email clients supporting S/MIME signatures. While the attacks do not target the underlying cryptographic primitives of digital signatures, they raise concerns about the actual security of OpenPGP and S/MIME email applications. Finally, we propose mitigation strategies to counter these attacks.

Tags: pgp, S/MIME, Signature Forgery