Mitigation of Attacks on Email End-to-End Encryption Schwenk, Jörg Brinkmann, Marcus Poddebniak, Damian Müller, Jens Somorovsky, Juraj Schinzel, Sebastian decryption contexts EFAIL OpenPGP S/MIME AEAD OpenPGP and S/MIME are two major standards for securing email communication introduced in the early 1990s. Three recent classes of attacks exploit weak cipher modes (EFAIL Malleability Gadgets, or EFAIL-MG), the flexibility of the MIME email structure (EFAIL Direct Exfiltration, or EFAIL-DE), and the Reply action of the email client (REPLY attacks). Although all three break message confidentiality by using standardized email features, only EFAIL-MG has been mitigated in IETF standards with the introduction of AEAD algorithms. So far, no uniform and reliable countermeasures have been adopted by email clients to prevent EFAIL-DE and REPLY attacks. Instead, email clients implement a variety of different ad-hoc countermeasures which are only partially effective, cause interoperability problems, and fragment the secure email ecosystem.We present the first generic countermeasure against both REPLY and EFAIL-DE attacks by checking the decryption context including SMTP headers and MIME structure during decryption. The decryption context is encoded into a string DC and used as Associated Data (AD) in the AEAD encryption. Thus the proposed solution seamlessly extends the EFAIL-MG countermeasures. The decryption context changes whenever an attacker alters the email source code in a critical way, for example, if the attacker changes the MIME structure or adds a new Reply-To header. The proposed solution does not cause any interoperability problems and legacy emails can still be decrypted. We evaluate our approach by implementing the decryption contexts in Thunderbird/Enigmail and by verifying their correct functionality after the email has been transported over all major email providers, including Gmail and iCloud Mail. Association for Computing Machinery 2020 info:eu-repo/semantics/conferenceObject doc-type:conferenceObject text http://purl.org/coar/resource_type/c_5794 https://ris.uni-paderborn.de/record/25336 Schwenk J, Brinkmann M, Poddebniak D, Müller J, Somorovsky J, Schinzel S. Mitigation of Attacks on Email End-to-End Encryption. In: <i>Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security</i>. CCS ’20. Association for Computing Machinery; 2020:1647–1664. doi:<a href="https://doi.org/10.1145/3372297.3417878">10.1145/3372297.3417878</a> eng info:eu-repo/semantics/altIdentifier/doi/10.1145/3372297.3417878 info:eu-repo/semantics/altIdentifier/isbn/9781450370899 info:eu-repo/semantics/closedAccess