---
_id: '25334'
author:
- first_name: Paul
  full_name: Fiterau-Brostean, Paul
  last_name: Fiterau-Brostean
- first_name: Bengt
  full_name: Jonsson, Bengt
  last_name: Jonsson
- first_name: Robert
  full_name: Merget, Robert
  last_name: Merget
- first_name: Joeri
  full_name: de Ruiter, Joeri
  last_name: de Ruiter
- first_name: Konstantinos
  full_name: Sagonas, Konstantinos
  last_name: Sagonas
- first_name: Juraj
  full_name: Somorovsky, Juraj
  id: '83504'
  last_name: Somorovsky
  orcid: 0000-0002-3593-7720
citation:
  ama: 'Fiterau-Brostean P, Jonsson B, Merget R, de Ruiter J, Sagonas K, Somorovsky
    J. Analysis of DTLS Implementations Using Protocol State Fuzzing. In: <i>29th
    {USENIX} Security Symposium ({USENIX} Security 20)</i>. {USENIX} Association;
    2020:2523-2540.'
  apa: Fiterau-Brostean, P., Jonsson, B., Merget, R., de Ruiter, J., Sagonas, K.,
    &#38; Somorovsky, J. (2020). Analysis of DTLS Implementations Using Protocol State
    Fuzzing. <i>29th {USENIX} Security Symposium ({USENIX} Security 20)</i>, 2523–2540.
  bibtex: '@inproceedings{Fiterau-Brostean_Jonsson_Merget_de Ruiter_Sagonas_Somorovsky_2020,
    title={Analysis of DTLS Implementations Using Protocol State Fuzzing}, booktitle={29th
    {USENIX} Security Symposium ({USENIX} Security 20)}, publisher={{USENIX} Association},
    author={Fiterau-Brostean, Paul and Jonsson, Bengt and Merget, Robert and de Ruiter,
    Joeri and Sagonas, Konstantinos and Somorovsky, Juraj}, year={2020}, pages={2523–2540}
    }'
  chicago: Fiterau-Brostean, Paul, Bengt Jonsson, Robert Merget, Joeri de Ruiter,
    Konstantinos Sagonas, and Juraj Somorovsky. “Analysis of DTLS Implementations
    Using Protocol State Fuzzing.” In <i>29th {USENIX} Security Symposium ({USENIX}
    Security 20)</i>, 2523–40. {USENIX} Association, 2020.
  ieee: P. Fiterau-Brostean, B. Jonsson, R. Merget, J. de Ruiter, K. Sagonas, and
    J. Somorovsky, “Analysis of DTLS Implementations Using Protocol State Fuzzing,”
    in <i>29th {USENIX} Security Symposium ({USENIX} Security 20)</i>, 2020, pp. 2523–2540.
  mla: Fiterau-Brostean, Paul, et al. “Analysis of DTLS Implementations Using Protocol
    State Fuzzing.” <i>29th {USENIX} Security Symposium ({USENIX} Security 20)</i>,
    {USENIX} Association, 2020, pp. 2523–40.
  short: 'P. Fiterau-Brostean, B. Jonsson, R. Merget, J. de Ruiter, K. Sagonas, J.
    Somorovsky, in: 29th {USENIX} Security Symposium ({USENIX} Security 20), {USENIX}
    Association, 2020, pp. 2523–2540.'
date_created: 2021-10-04T18:56:41Z
date_updated: 2022-01-06T06:57:01Z
department:
- _id: '632'
language:
- iso: eng
page: 2523-2540
publication: 29th {USENIX} Security Symposium ({USENIX} Security 20)
publication_identifier:
  isbn:
  - 978-1-939133-17-5
publisher: '{USENIX} Association'
status: public
title: Analysis of DTLS Implementations Using Protocol State Fuzzing
type: conference
user_id: '83504'
year: '2020'
...
---
_id: '25336'
abstract:
- lang: eng
  text: OpenPGP and S/MIME are two major standards for securing email communication
    introduced in the early 1990s. Three recent classes of attacks exploit weak cipher
    modes (EFAIL Malleability Gadgets, or EFAIL-MG), the flexibility of the MIME email
    structure (EFAIL Direct Exfiltration, or EFAIL-DE), and the Reply action of the
    email client (REPLY attacks). Although all three break message confidentiality
    by using standardized email features, only EFAIL-MG has been mitigated in IETF
    standards with the introduction of AEAD algorithms. So far, no uniform and reliable
    countermeasures have been adopted by email clients to prevent EFAIL-DE and REPLY
    attacks. Instead, email clients implement a variety of different ad-hoc countermeasures
    which are only partially effective, cause interoperability problems, and fragment
    the secure email ecosystem. We present the first generic countermeasure against
    both REPLY and EFAIL-DE attacks by checking the decryption context including SMTP
    headers and MIME structure during decryption. The decryption context is encoded
    into a string DC and used as Associated Data (AD) in the AEAD encryption. Thus
    the proposed solution seamlessly extends the EFAIL-MG countermeasures. The decryption
    context changes whenever an attacker alters the email source code in a critical
    way, for example, if the attacker changes the MIME structure or adds a new Reply-To
    header. The proposed solution does not cause any interoperability problems and
    legacy emails can still be decrypted. We evaluate our approach by implementing
    the decryption contexts in Thunderbird/Enigmail and by verifying their correct
    functionality after the email has been transported over all major email providers,
    including Gmail and iCloud Mail.
author:
- first_name: Jörg
  full_name: Schwenk, Jörg
  last_name: Schwenk
- first_name: Marcus
  full_name: Brinkmann, Marcus
  last_name: Brinkmann
- first_name: Damian
  full_name: Poddebniak, Damian
  last_name: Poddebniak
- first_name: Jens
  full_name: Müller, Jens
  last_name: Müller
- first_name: Juraj
  full_name: Somorovsky, Juraj
  id: '83504'
  last_name: Somorovsky
  orcid: 0000-0002-3593-7720
- first_name: Sebastian
  full_name: Schinzel, Sebastian
  last_name: Schinzel
citation:
  ama: 'Schwenk J, Brinkmann M, Poddebniak D, Müller J, Somorovsky J, Schinzel S.
    Mitigation of Attacks on Email End-to-End Encryption. In: <i>Proceedings of the
    2020 ACM SIGSAC Conference on Computer and Communications Security</i>. CCS ’20.
    Association for Computing Machinery; 2020:1647–1664. doi:<a href="https://doi.org/10.1145/3372297.3417878">10.1145/3372297.3417878</a>'
  apa: Schwenk, J., Brinkmann, M., Poddebniak, D., Müller, J., Somorovsky, J., &#38;
    Schinzel, S. (2020). Mitigation of Attacks on Email End-to-End Encryption. <i>Proceedings
    of the 2020 ACM SIGSAC Conference on Computer and Communications Security</i>,
    1647–1664. <a href="https://doi.org/10.1145/3372297.3417878">https://doi.org/10.1145/3372297.3417878</a>
  bibtex: '@inproceedings{Schwenk_Brinkmann_Poddebniak_Müller_Somorovsky_Schinzel_2020,
    place={New York, NY, USA}, series={CCS ’20}, title={Mitigation of Attacks on Email
    End-to-End Encryption}, DOI={<a href="https://doi.org/10.1145/3372297.3417878">10.1145/3372297.3417878</a>},
    booktitle={Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications
    Security}, publisher={Association for Computing Machinery}, author={Schwenk, Jörg
    and Brinkmann, Marcus and Poddebniak, Damian and Müller, Jens and Somorovsky,
    Juraj and Schinzel, Sebastian}, year={2020}, pages={1647–1664}, collection={CCS
    ’20} }'
  chicago: 'Schwenk, Jörg, Marcus Brinkmann, Damian Poddebniak, Jens Müller, Juraj
    Somorovsky, and Sebastian Schinzel. “Mitigation of Attacks on Email End-to-End
    Encryption.” In <i>Proceedings of the 2020 ACM SIGSAC Conference on Computer and
    Communications Security</i>, 1647–1664. CCS ’20. New York, NY, USA: Association
    for Computing Machinery, 2020. <a href="https://doi.org/10.1145/3372297.3417878">https://doi.org/10.1145/3372297.3417878</a>.'
  ieee: 'J. Schwenk, M. Brinkmann, D. Poddebniak, J. Müller, J. Somorovsky, and S.
    Schinzel, “Mitigation of Attacks on Email End-to-End Encryption,” in <i>Proceedings
    of the 2020 ACM SIGSAC Conference on Computer and Communications Security</i>,
    2020, pp. 1647–1664, doi: <a href="https://doi.org/10.1145/3372297.3417878">10.1145/3372297.3417878</a>.'
  mla: Schwenk, Jörg, et al. “Mitigation of Attacks on Email End-to-End Encryption.”
    <i>Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications
    Security</i>, Association for Computing Machinery, 2020, pp. 1647–1664, doi:<a
    href="https://doi.org/10.1145/3372297.3417878">10.1145/3372297.3417878</a>.
  short: 'J. Schwenk, M. Brinkmann, D. Poddebniak, J. Müller, J. Somorovsky, S. Schinzel,
    in: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications
    Security, Association for Computing Machinery, New York, NY, USA, 2020, pp. 1647–1664.'
date_created: 2021-10-04T18:58:37Z
date_updated: 2022-08-03T09:57:27Z
department:
- _id: '632'
doi: 10.1145/3372297.3417878
keyword:
- decryption contexts
- EFAIL
- OpenPGP
- S/MIME
- AEAD
language:
- iso: eng
page: 1647–1664
place: New York, NY, USA
publication: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications
  Security
publication_identifier:
  isbn:
  - '9781450370899'
publication_status: published
publisher: Association for Computing Machinery
series_title: CCS '20
status: public
title: Mitigation of Attacks on Email End-to-End Encryption
type: conference
user_id: '83504'
year: '2020'
...
