 My name is Hosefa. I work with Z Hat as a principal product security engineer. I have worked on issues like heart bleed. If you've heard of heart bleed or you know, I've worked on a shock. So this year I'm going to talk a little bit about attacking email encryption, right? How many people in the room use GPG? Email address nowadays is associated with a lot of things. So when you go to a particular website and you know, when you try to create an account, the first thing you probably need to do when you buy a phone is, you know, create an account and you know, your Gmail account with the phone. So email is very, very common. Now the problem with email is that email is very, very old. These are protocols which are responsible for sending and receiving the email. They were basically designed, they were invented when internet started, which was like, you know, 30 years back or you know, for 40 years back. And at that time when internet started, internet was like 12 machines, which were connected together by some kind of a network cable or something like that, right? So one day internet would make the big that we will actually need security. So when these protocols were designed, they were not designed with security in mind. So later on when internet spread, when email spread, people figured out that there needs to be some security around these protocols, attackers, which are normally referred to as MIT, a man in the middle attacker, which could be your IT, it could be your government agency, or you know, it could be your network administrator of the company which you are working on. So you know, these people could easily see what you are doing. They could modify your emails and they could do a lot of harm. So later they figured out that, you know, we need to have some kind of a security around this thing. So basically two forms of security were invented for email. And this is what we will see in the presentation. There's one technology which is called Galu PG. And there's one technology which is called S-Mine, which is basically responsible for encrypting your email and both of them are susceptible to attacks. So let's basically see how your email works. So things which you see in green over here is basically trusted. So green solid lines are trusted. Green dotted lines are probably trusted. And Z lines are not trusted at all. So when you send an email, you start by typing your email from the device which you have, which could be your mobile or it could be your handheld device or whatever you have. It could be your laptop or your desktop or whatever. So when you start sending your email and when you actually send out the email, you are sending your data via your local router or your wireless device or whatever device which you have. And we assume that you have control of the device. So if you are working in a company, the company network administrator probably has a control of the device. So this is green. Then it goes to the SMTP server which is there. And since the SMTP server is controlled by the company which you are working for, which we are calling it as Corp 1. This is also green, which makes that, which means that all of these things are trusted. You can basically control whatever is happening. Now one thing which normally happens is your network administrator or your system administrator will often like to take backup of your email. And if he takes this backup on a public cloud, then it's probably not trusted because the data is going outside your company. It's probably not encrypted at all. Or if it is encrypted, then you don't know who has the keys to encryption. So if you host it on Google, you are not sure whether Google has the keys or not. So you are not sure whether Google is able to see your data or not. So that's why we have this dotted line saying that if you are taking a backup of your email, there is a good chance that this backup is not trusted and people are able to see your email. Then your email goes to the, your email goes to the antivirus server which is there. And antivirus software actually needs to see the content of your email in order to figure out if there's a virus inside your email. So most likely antivirus may not be trusted. It goes out to the internet. This guy in the hoodie is probably, or the guy with the cap is the attacker. He's able to see the packets which are going through the internet. He's able to see what you have typed on your email. And then it goes to SMTP corp2. Corp2 is the person whom you're trying to send the email to. And then it again goes to the same path. And then it goes to the device of your friend or whoever you are going to send the email to. So if you see the entire email path from the sender to the receiver, there's only a small part which is actually under your control. And there's only a small part which you can basically say that it is trusted. Everything else out there, once it goes out on the internet, then it is not trusted at all. So there is no such thing as my email. There is no such thing as my email. Once the email has left your machine, then there are a lot of people out there on the internet who are able to modify. They're able to see what you have typed. They're able to modify his high, high, high, these things. And in this presentation, we will see that even if you encrypt your email via GanuPG, even if you encrypt your email via SMIME, it is quite possible that by using a lot of attacks, people are still able to modify your email. So even if you own the email source or server, so even if you own your own email server, even if you have an email server at home, then it is not very useful because once the email goes out on the internet, then there is a problem. People can send the, people can change the email. So attackers have access to your email, right? So the solution is to use something called end-to-end encryption. End-to-end encryption basically means that you encrypt the sender will encrypt and the receiver will decrypt, right? So this is basically what end-to-end encryption means that normally when you use SSL TTLS with the protocols, like as I mentioned, there is SMTP which is used for sending email. Similarly, there is IMSS and there is POPS which is used for receiving email. These are not basically end-to-end encryption because the SSL TTLS tunnel is between the sender and the server only. If there is an SMTP server and there is a sender, the tunnel is between the sender and the server only. There is no end-to-end encryption involved, right? So end-to-end encryption basically means that you encrypt at your end and the email travels through the internet in an encrypted way and then it reaches the receiver and the receiver, only the receiver is able to decrypt it, right? So there are two standards which are prevalent on the internet. There's OpenPGP which is RFC488Z0, I think. This is the first standard to bring encryption to everybody, right? So any person can set up a GPG key, any person can do encryption, any person can send an encryption email. So this is the first mass encryption standard which was out there which anybody can use, most widely used, right? I have a graph which shows the statistics. So it is the most widely used method of encrypting emails. The only downside is you need a plugin for your email client. So most of the email clients will not natively support OpenGPG or AutoPGP, right? So if you are using Thunderbird, then there's a plugin called Enigmail or you know, if you are using other clients, there are different plugins which are available. So the only downside is a plugin is required. There is a second technology which you can use which is called S-MIME. S-MIME is normally favored by companies and the reason why it is favored by companies is because it works on certificates, right? So what normally companies do is they generate a per user certificate. So when a new person joins the company, they will generate a certificate for the person. They will put the certificate on a USB key, right? And they will give the USB key to the person who has joined. Now when he has to encrypt the email, what he will do is he will put the USB key in the USB drive, he will enter the password and that should automatically encrypt the email, right? So this is a more centralized, corporate way of encrypting and decrypting your emails, but again, you need an infrastructure for this. You need a certificate server and there's a lot of infrastructure which is required. So if you are doing this on an individual basis, then people will normally prefer open PGP. If you are doing it on a corporate basis, then companies normally prefer S-MIME. The advantage is most of the email clients will natively support this, right? So now how many PGP keys are there on the internet? So I think last time somebody saw they were like 300 million GPG keys which were generated. And if you see the graph over here, the graph shows a very interesting pattern, right? So initially when 1997, when the technology becomes slightly famous, there were very few PGP keys, right? And it goes up to 2004. If you see 2004, 2004 is the place where there is a sudden spike in the number of people creating PGP keys and probably using PGP keys, right? So you know why this spike is there in 2014? Snowden, so 2014 is the time when Snowden came out and spoke about NSA and how they are trying to snoop in onto your email and how they are trying to do stuff. This really enlightened people and everybody started creating PGP keys, right? So we see a similar statistics in Enigmail. Enigmail is a plugin which is used for Thunderbolt which is used for PGP, right? We see similar statistics for Enigmail as well. If you see 2014, in 2014 there's a sudden spike in the number of people actually downloading Enigmail and you know trying to use Enigmail, right? So now there is a problem with both of these tools and the problem is usability, right? It is not really easy to use Enigmail or it is not easy to use OpenPGP. It is not easy to use S-MIME and there's a lot of work done on trying to understand the usability of both of these different securities. So there was a paper which was published in 1999. There was a paper published in 1999 about usability of OpenPGP and the paper is called Why Johnny Can't Encrypt, right? Which shows how difficult it is for a layman to actually use OpenPGP, right? And then there was one more paper which was published in 2006 and the paper is called Why Johnny Still Can't Encrypt which shows that there was no work done on usability at all, right? There was a paper which was published in 2015 which is called Why Johnny Still Can't Encrypt which shows that again no work was done on usability at all. So let's talk about S-S-MIME for S-MIME there was a paper which was published in 2012 which is called Not Silled but Delivered, okay? S-MIME, Not Silled but Delivered. There was one more paper which says we are on the same page which means that there is no security at all. So these technologies are not, these technologies are not really easy to use. They are very, very difficult. They are so difficult that in 2014 Edward Snowden made a tutorial on the internet and the tutorial is still available on this website called Vimeo, right? So if you Google Edward Snowden GPG tutorial, you will, this will probably be the first hit. So Edward Snowden made a tutorial on Vimeo showing journalists how to encrypt, right? Because journalists are the most non-technical people out there at least most of the journalists are, right? Most of the journalists are very non-technical. So he wrote this video tutorial to show journalists how you can set up a GPG key, how you can encrypt by using GPG key, how you can decrypt so that, so, so, so that they can securely transmit information without the government agencies snooping into what they are doing and trying to figure out what their source of information is, right? So Snowden basically says that, you know, you use a plain text, you use g-edit or you know something like that and you generate the encrypted message, you copy the encrypted message, you paste it into an email client and then you do the same thing when you want to decrypt it, right? So Snowden's method is very, very easy, but again, there is a big usability factor involved over here. None of these technologies are very easy to use, right? So what is the worst attack which you can think about? What is the worst attack, right? So in 2014, Enigmail version 1.7, right? So Enigmail is a plugin which is used by Thunderbird and you know as we saw from the last slides, there are millions of downloads. So we are assuming that millions of people actually use Enigmail to encrypt and decrypt their email, right? So in 2014, it was found that Enigmail will not encrypt your emails at all, right? So basically you open your Thunderbird, you type your email, you click on the button which is encrypt my email and you send the email, right? And you assume that encrypted email will be sent. So Enigmail will print a message saying email is encrypted, but email is not encrypted. It will send out a plain text email, right? So these are one of the worst attacks which were found. In 2017, it was of Outlook, okay? And this is a very unique case. 2017 Microsoft Outlook had a flaw in which it will encrypt your email. It will send an encrypted email, but it will also send a plain text email. Right? So this is very, very novel. It does encrypt your email. So I mean, it is doing its job, but it will also send a plain text email so that all the man in the middle attackers can actually read your email, right? So in 2017, there was a flaw with Enigmail and the flaw was with something which is known as a PAP extension. And what it does is basically it will send an unencrypted email, right? It not only sends an unencrypted email, but when you actually go to your sent items, in the sent items, it will show you that the email was encrypted and send in an encrypted way, right? So there is no way for you to find out if an encrypted email was sent or a non-encrypted email was sent, right? So let's quickly look at how PGP. So we are trying to, this talk is about trying to attack email encryption, right? So let's quickly look at how we can attack both of the technologies which we have, which is PGP and SMIME. So how PGP basically works. So I'm not going to go through all the maths and the crypto over here, but what happens is when you encrypt an email using PGP, M is your message, right? So M is the email, the text message which you are actually trying to send. What PGP does is it creates a per session key. So for each of the email which you are trying to send, it will create a random key, right? So if you send 10 emails, then each email which you are sending will have a different random key. So it creates a per session key, so it's called S. Then what it basically does is it does AES encryption, right? It does AES encryption of your message M and it uses S as the key to actually do the encryption, right? Now once the encryption has been done, it needs to send over the session key as well, right? Because this is symmetric encryption which means that you did the same key for encryption and decryption. Now this session key needs to be sent over as well. Does is it uses say and the GPG key which you have generated, it uses the GPG key to encrypt the session key, right? And this encrypted session key and the actual message which is encrypted by using the session key is then sent over the internet, right? And then we use a very similar protocol to decrypt it. You need to actually first decrypt the session key. Once you get the session key, use AES to decrypt the, so this is basically GPG, encryption, decryption works. Now there is a fundamental problem in this and a fundamental problem over here is AES uses CBC, right? So CBC is a mode of encryption. So mode of encryption basically means is that if you have a large message which you want to encrypt, right? So if you have say one MB or you know 10 MB or if you have a very large message which you want to encrypt, AES cannot work with large messages. So what AES does is AES will break the message into small blocks, right? So if I have a one KB message, what AES will do is break it into smaller blocks and it will encrypt each block separately, right? So if I have a long message, say break it into 10 blocks, encrypt block number one, encrypt block number two, encrypt block number three, do it for all the 10 blocks and then the encrypted output which you get, it's join all the encrypted output and it's going to send it out on the internet. So this is basically what mode of encryption basically means. CBC is slightly different. So what happens in CBC is I have three messages, right? So I have three blocks. So this is what we discussed sometime back that because my message is very big, my algorithm cannot handle such a big message. So what happens in CBC is that output of one of the previous block is used as a feedback for the next block, right? So this is basically what CBC means that we use the output from block zero as a feedback from block one, use output from block one as a feedback from block two and so on and so forth. So this is basically how the CBC mode of encryption works. Now what you see on the screen is actually the decryption process. So decryption also needs to work in the same way as the encryption process, right? So what you see is the decryption process. We have one block. So each block over here which you see is for example, say eight bytes or you know, yeah I better hurry up. So each block which you see has got some size, right? And we use CBC method to basically decrypt the blocks, right? Now the problem with CBC is that CBC is malleable. So what malleable basically means that when I change one of the blocks, then you know the output will slightly change. When I change one of the size, size, size for text blocks, then the output will slightly change and that change will propagate to the next block as well. So what the attacker can basically do is, the attacker can use the malleability problem with CBC and what he does is he creates something which is known as a CBC gadget, right? So there are a lot of things which I think I'm slightly out of time. So I'll try to explain it a little bit faster. So what CBC basically does is what the attacker does is, attacker creates something which is known as a CBC gadget, right? In which he's able to control what the output of the first block is, which is going to kind of, you know, transform into the second and the third block. So what the attacker basically does is, the attacker controls the first block, right? And by using malicious values in the first block, he's able to change the output of the decryption, right? So he's able to change the output of the decryption. So what the attacker has done over here is, the attacker has changed, if you see the last block. The attacker has changed content type and the attacker is able to change this and is able to change this to, is able to insert an evil link inside the email, right? So what the attacker, what the man in the middle attacker can basically do is, without knowing the key, without knowing the contents of the email, is able to insert a malicious link inside the email, right? And when you basically decrypt your email, you see this malicious link, right? You assume that this malicious link, which you don't think is malicious in the first place, is sent by friend or you know, whoever has sent you an encrypted email, you click on the malicious link and then, you know, done, right? So the attacker is able to do that. And the reason why the attacker is able to control the first block is, because in S-mime, the first block is always content type, right? So the attacker exactly knows what the first eight bytes or you know, what the first six to 16 bytes are. So he is able to, is able to properly control that and you know, he's able to insert this. And similarly, he's able to control the second block also, right? So similarly, he can use CBC gadget and he can control the second block. And what basically happens is, you get an email. You basically get an email which has got a malicious link. Some of the characters of the email are non-Ascii. Some of the characters are non-Ascii. But if you use HTML email, how many people use HTML email? Excellent. So if you use HTML email, HTML as a standard says that, if you have a non-Ascii character, which you are not able to render, then please don't show those characters on the screen, right? So if you have a non-Ascii character, which your browser or your email client is not able to render in the current language which you have set, those non-Ascii characters will be ignored and they will not be shown on the display screen. So by using this, the attacker is able to conveniently hide any malicious things which he has done with the blocks, right? So how we can prevent this? You can use Mac, right? And it is very interesting that S-MIME does not use Mac. Mac is a method of ensuring that contents of the email or contents of your message are not changed, but S-MIME doesn't do it. Similarly, we can have a similar kind of attack on S-MIME as well. And I'm just going to scroll through this because I want to show you something which is even more interesting. So he can use a similar, and he can kind of insert links in email, right? So one thing which we need to understand over here is your email is encrypted, right? You assume that by encrypting, nobody will be able to change the email. The attacker does not have your key, right? But in spite of that, the attacker is able to modify your email, right? So this is very, very important. So we can do this with S-MIME as well. Now one thing very, very important is how can we make this attack better, right? So we have a method of infiltrating into the emails and you know we have a method of changing the email, but we can make this attack better by using something called, yeah, by using something called as a back channel. And back channels are flaws which were found in email clients. I'm sure, you know, most of you are using one of these email clients probably, right? So these are flaws which were found with email clients. So for example, in Linux, if you are using Thunderbird, okay, in Linux, Thunderbird is a flaw in which it will load a JavaScript without asking for your permission at all, right? So if somebody sends you an email with JavaScript, right? It is possible for the person to hide the JavaScript in such a way that the JavaScript will run and load without your permission at all. So we can use a combination of the attacks which I described sometime back, plus these back channels to completely own the browser or to completely own the email client, right? And since I'm out of time, I'll probably, there are a lot of things. Yeah, last but not least, this is a very, very good email. This is a very good link which talks about how to set up GPG in a secure way, right? And that's it.