
Encryption flaws claimed, but researchers' findings questioned


European researchers have been forced to bring forward the announcement of what they claim are vulnerabilities in encryption technologies commonly used in email, after the German newspaper Süddeutsche Zeitung carried a report about their research, which had originally been embargoed for release early Wednesday morning Australian time.

The claimed flaws, in OpenPGP and S/MIME and detailed under the name Efail on a dedicated website, were said to leak the plaintext of encrypted emails. But their effect was contested by others in the community, notably by developer Werner Koch who founded the GnuPG project, a free implementation of PGP.

The European team, which comprised researchers from universities in Muenster and Bochum in Germany, and Leuven in Belgium, said in one case, attackers could exfiltrate emails in plaintext by exploiting a weakness in HTML. Many common mail user agents have mail displayed in HTML by default.

The team cited Apple Mail, iOS Mail and Mozilla Thunderbird as all being vulnerable to this attack.

In a second case, they said it was possible to take advantage of vulnerabilities in OpenPGP and S/MIME to inject malicious text. This, in turn, made stealing the plaintext of encrypted emails possible.

The GnuPG team issued an official statement about the susceptibility of OpenPGP, GnuPG and Gpg4Win, saying the research paper was misnamed, the attack targeted buggy mail clients and that the authors had provided a list of such clients. They clarified that they were not speaking about the flaw claimed to be in S/MIME.

The statement said that the GnuPG team had realised back in 1999 that OpenPGP's symmetric cipher mode (a variant of cipher feedback) had a weakness: in some cases an attacker could modify text.

As Koch put it: "[Phil Zimmermann, the creator of PGP] and Jon Callas asked me to attend the AES conference in Rome to discuss problems with the CFB mode which were on the horizon. That discussion was in March 1999 and PGP and GnuPG implemented a first version [of our countermeasure] about a month later. According to GnuPG's NEWS file, [our countermeasure] went live in Summer 2000."

The counter-measure is known as Modification Detection Code, or MDC. "It's been a standard part of GnuPG for almost 18 years. For almost all that time, any message which does not have an MDC attached has caused GnuPG to throw up big, clear, and obvious warning messages."
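The weakness and the countermeasure described above can be seen in a small model. This is an added example, not code from GnuPG or from the researchers: it uses a SHA-256-based stand-in for the block cipher and a simplified MDC (SHA-1 of the plaintext appended before encryption, without OpenPGP's random prefix and packet framing), and all keys and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes for this toy construction

def _prf(key, block):
    # Stand-in for a block cipher's forward direction (assumption: not AES).
    return hashlib.sha256(key + block).digest()[:BLOCK]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = _xor(data[i:i + BLOCK], _prf(key, prev))  # C_i = P_i ^ E(C_{i-1})
        out += prev
    return out

def cfb_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out += _xor(block, _prf(key, prev))  # P_i = C_i ^ E(C_{i-1})
        prev = block
    return out

def seal(key, iv, msg):
    # MDC idea: append SHA-1(plaintext) and encrypt message and digest together.
    return cfb_encrypt(key, iv, msg + hashlib.sha1(msg).digest())

def open_checked(key, iv, ct):
    plain = cfb_decrypt(key, iv, ct)
    msg, mdc = plain[:-20], plain[-20:]
    if not hmac.compare_digest(hashlib.sha1(msg).digest(), mdc):
        raise ValueError("MDC mismatch: plaintext must not be displayed")
    return msg

def flip_bit(ct, index):
    # Constructed modification in transit: flip the lowest bit of one byte.
    return ct[:index] + bytes([ct[index] ^ 1]) + ct[index + 1:]

if __name__ == "__main__":
    key, iv = b"K" * 16, b"\x00" * 16          # constructed sample values
    msg = b"Meet at 10:00 in the usual place and bring the contract."
    bad = flip_bit(seal(key, iv, msg), 8)
    print(cfb_decrypt(key, iv, bad)[:-20])     # unchecked: altered text comes out
    try:
        open_checked(key, iv, bad)
    except ValueError as err:
        print("rejected:", err)
```

Decrypting without the check returns text with one byte changed and the following block garbled, while the checked path refuses to release anything; a client that shows the output despite the failed check is in the position the GnuPG statement describes.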

The statement indicated that the GnuPG team was annoyed at the way the vulnerabilities had been promoted by the European researchers.

"We made three statements about the Efail attack at the beginning. We're going to repeat them here and give a little explanation. Now that we've explained the situation, we're confident you'll concur in our judgment," said Robert Hansen, also of the GnuPG team.

"This paper is misnamed. It's not an attack on OpenPGP. It's an attack on broken email clients that ignore GnuPG's warnings and do silly things after being warned.

"This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.

"The authors made a list of buggy email clients. It's worth looking over their list of email clients (found at the very end) to see if yours is vulnerable. But be careful, because it may not be accurate – for example, Mailpile says they're not vulnerable, but the paper indicates Mailpile has some susceptibility.

"The authors have done the community a good service by cataloguing buggy email clients. We're grateful to them for that. We do wish, though, this thing had been handled with a little less hype. A whole lot of people got scared, and over very little."

The European team plans to present the full technical paper about the claimed flaws at the 27th USENIX Security Symposium which is scheduled to be held in Baltimore in August.


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.

 
