Efail: Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels
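Sebastian Schinzel, professor of computer science at Münster University of Applied Sciences, has warned (https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/) that the two most popular email encryption methods, PGP and S/MIME, are both vulnerable to attacks that can expose the plaintext of encrypted messages. He says there is currently no reliable fix and advises users to uninstall immediately. He says the vulnerabilities can also be used to expose encrypted emails that users sent in the past. The Electronic Frontier Foundation (EFF) also said on its blog (https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now) that it has confirmed these vulnerabilities pose an immediate risk to users, and it recommends immediately disabling or uninstalling tools that automatically encrypt email. Their advice covers only plugins that integrate PGP encryption into email, not standalone applications such as Gpg4win and GNU Privacy Guard. Details of the vulnerabilities have not yet been disclosed.
I then looked into how the incident unfolded and found a GnuPG statement on Twitter (I have pasted the full version):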
GnuPG has an official statement out. (ObDisclosure: I was the principal author.)
(This statement is only about the susceptibility of OpenPGP, GnuPG, and Gpg4Win. It does not cover S/MIME.)
Recently some security researchers published a paper named “Efail: Breaking S/MIME and OpenPGP Encryption using Exfiltration Channels”. The EFF has gone so far as to recommend immediately uninstalling Enigmail. We have three things to say, and then we’re going to show you why we’re right.
This paper is misnamed.
This attack targets buggy email clients.
The authors made a list of buggy email clients.
In 1999 we realized OpenPGP’s symmetric cipher mode (a variant of cipher feedback) had a weakness: in some cases an attacker could modify text. As Werner Koch, the founder of GnuPG, put it: “[Phil Zimmermann] and Jon Callas asked me to attend the AES conference in Rome to discuss problems with the CFB mode which were on the horizon. That discussion was in March 1999 and PGP and GnuPG implemented a first version [of our countermeasure] about a month later. According to GnuPG’s NEWS file, [our countermeasure] went live in Summer 2000.”
The countermeasure Werner mentions is called a Modification Detection Code, or MDC. It’s been a standard part of GnuPG for almost eighteen years. For almost all that time, any message which does not have an MDC attached has caused GnuPG to throw up big, clear, and obvious warning messages. They look something like this:
[long GnuPG output snipped for brevity – see my prior tweet for a sample screenshot]
GnuPG also throws large warning messages if an MDC indicates a message has been modified. In both cases, if your email client respects this warning and does the right thing – namely, not showing you the email – then you are completely protected from the Efail attack, as it’s just a modern spin on something we started defending against almost twenty years ago.
If you’re worried about the Efail attack, upgrade to the latest version of GnuPG and check with your email plugin vendor to see if they handle MDC errors correctly. Most do.
You might be vulnerable if you’re running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn’t handle GnuPG’s warning correctly. You might also have had some exposure in the past if back then you used a pre-2000 version of GnuPG, and/or an email plugin which didn’t handle the warning correctly.
We made three statements about the Efail attack at the beginning. We’re going to repeat them here and give a little explanation. Now that we’ve explained the situation, we’re confident you’ll concur in our judgment.
This paper is misnamed. It’s not an attack on OpenPGP. It’s an attack on broken email clients that ignore GnuPG’s warnings and do silly things after being warned.
This attack targets buggy email clients. Correct use of the MDC completely prevents this attack. GnuPG has had MDC support since the summer of 2000.
The authors made a list of buggy email clients. It’s worth looking over their list of email clients (found at the very end) to see if yours is vulnerable. But be careful, because it may not be accurate – for example, Mailpile says they’re not vulnerable, but the paper indicates Mailpile has some susceptibility.
The authors have done the community a good service by cataloguing buggy email clients. We’re grateful to them for that.
We do wish, though, this thing had been handled with a little less hype. A whole lot of people got scared, and over very little.
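At bottom, this is a KPA (known-plaintext attack).
After reading the reports from the various parties and summarizing them, I found that this is really an inherent weakness of CFB mode. Either E&M (encrypt-and-MAC) or EtM (encrypt-then-MAC) solves it, and the well-known modern approach is AEAD.
When you use encryption, you often do not also layer a signature on top of it. If the attacker happens to know the plaintext and you are using CFB mode, the attacker can construct a modified plaintext of the same length as the original, XOR the original plaintext with the modified plaintext, and apply the result to the ciphertext. This changes the data that was sent.
In CFB this technique can only modify the last block, because the feedback makes the data of the next block unpredictable. In OFB mode, the same method allows arbitrary modification.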
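As an added example (not code from the original post or from GnuPG), the Python below reproduces the CFB XOR modification described above and shows an encrypt-then-MAC receiver rejecting the modified ciphertext. It assumes truncated HMAC-SHA256 as a stand-in for the block cipher; all function names, keys and messages are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes

def prf(key, block):
    # Assumption: truncated HMAC-SHA256 stands in for the block cipher (CFB only runs it forward).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = xor(pt[i:i + BLOCK], prf(key, prev))  # C_i = P_i ^ E(C_{i-1})
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(ct[i:i + BLOCK], prf(key, prev)))  # P_i = C_i ^ E(C_{i-1})
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def tamper(ct, index, known, wanted):
    # XOR (known ^ wanted) into ciphertext block `index`; no key is involved.
    start = index * BLOCK
    patched = xor(ct[start:start + BLOCK], xor(known, wanted))
    return ct[:start] + patched + ct[start + BLOCK:]

def mac(mac_key, iv, ct):
    # Encrypt-then-MAC tag over the IV and the whole ciphertext.
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, ct, tag):
    # Verify first; on failure release no plaintext at all.
    if not hmac.compare_digest(tag, mac(mac_key, iv, ct)):
        return None
    return cfb_decrypt(enc_key, iv, ct)

def demo():
    # Constructed keys and message (not from the page).
    ek, mk, iv = b"e" * 16, b"m" * 16, bytes(BLOCK)
    known, wanted = b"amount=0100".ljust(BLOCK), b"amount=9900".ljust(BLOCK)
    ct = cfb_encrypt(ek, iv, b"header".ljust(BLOCK) + b"body".ljust(BLOCK) + known)
    bad = tamper(ct, 2, known, wanted)
    return cfb_decrypt(ek, iv, bad), open_sealed(ek, mk, iv, bad, mac(mk, iv, ct))
```

`demo()` returns the plaintext a receiver without integrity checking would accept, with only the last block changed, followed by `None` from the receiver that verifies the tag before decrypting. Calling `tamper` on a middle block instead yields the chosen text in that block and garbage in the block after it.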