ietf-openpgp

Re: [openpgp] Mitigation of Attacks on Email End-to-End Encryption

2020-11-08 01:27:18
Hi Marcus,

Thanks for posting this (and the work itself, of course)!

On Tue, Nov 03, 2020 at 05:24:58PM +0100, Marcus Brinkmann wrote:
[...]

> REPLY attacks have been known for 20+ years: They rely on modifications of the
> email header (SMTP) context, that allow the attacker to receive replies
> to authentic ciphertexts, where the victim quotes the plaintext back to
> the attacker. To our knowledge, these attacks have not been mitigated so
> far. We have looked at reply attacks in our paper on covert content
> attacks [COVERT].
>
> We have looked systematically at these issues, and propose to protect
> the MIME and SMTP context of an email by adding a summary of this
> decryption context (DC) as associated data (AD) in the AEAD encryption.
> This way, any significant modification to these contexts that indicate
> an attack would lead to a decryption error, rather than emitting the
> plaintext to the application, where it would be subject to a large
> attack surface to launch DE or REPLY attacks.
>
> To support this mechanism, OpenPGP RFC4880bis would need to be amended
> to allow applications to add arbitrary data to the AD, either directly
> (length+value) or by adding a hash representation (constant length). I
> plan to introduce a proposal for these changes when the WG is
> reinstantiated.
>
> We have evaluated which SMTP headers are relevant for REPLY actions in
> email clients, and which MIME contexts can be considered safe. Based on
> this (and inspired by DKIM), we make a specific proposal for calculating
> the decryption context which is sender-enforced and extensible.

I'll also leave a link to
https://tools.ietf.org/html/draft-ietf-lamps-header-protection-02 that,
IIUC, is attempting to address similar issues for S/MIME.

-Ben

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
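
The mechanism described in the quoted proposal (a constant-length hash of the decryption context passed as AEAD associated data) is sketched below as an added example; it is not part of this message, the paper, or any OpenPGP draft. Assumptions: the covered header list, the whitespace-folding and length-framing encoding, the names `covered`, `contextHash`, `Seal`, `Open` and `demo`, and AES-256-GCM from Go's standard library standing in for OpenPGP's AEAD with a constructed all-zero demo key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Assumed header set; AES-256-GCM with a constructed zero key stands in for OpenPGP AEAD.
var covered = []string{"from", "reply-to", "to", "cc", "content-type"}
var block, _ = aes.NewCipher(make([]byte, 32))
var demo, _ = cipher.NewGCM(block)

// contextHash folds whitespace and length-frames each value (assumed encoding).
// An absent header hashes as empty, so adding a Reply-To changes the result.
func contextHash(h map[string]string) []byte {
	d := sha256.New()
	for _, name := range covered {
		v := strings.Join(strings.Fields(h[name]), " ")
		fmt.Fprintf(d, "%s:%d:%s\n", name, len(v), v)
	}
	return d.Sum(nil)
}

// Seal returns nonce||ciphertext, bound to the headers the sender intended.
func Seal(g cipher.AEAD, body []byte, h map[string]string) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, body, contextHash(h))
}

// Open recomputes the context from the received headers; a mismatch is an error.
func Open(g cipher.AEAD, msg []byte, h map[string]string) ([]byte, error) {
	n := g.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("message shorter than nonce")
	}
	return g.Open(nil, msg[:n], msg[n:], contextHash(h))
}

func main() {
	msg := Seal(demo, []byte("hi"), map[string]string{"from": "alice@example.org"})
	_, err := Open(demo, msg, map[string]string{"from": "alice@example.org", "reply-to": "x@example.net"})
	fmt.Println("added Reply-To rejected:", err != nil)
}
```

Header re-folding in transit leaves the hash unchanged because of the whitespace folding, while a header that is added, removed or edited makes `Open` return an authentication error and no plaintext.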