Communications of the ACM
Email Encryption Standards Hacked
Researchers have hacked the popular Secure/Multipurpose Internet Mail Extensions (S/MIME) and OpenPGP email encryption standard.
Credit: Ruhr-University Bochum
A team of researchers from Germany’s University of Applied Sciences and the Horst Gortz Institute for IT at Ruhr University Bochum, and Belgium’s KU Leuven successfully hacked the popular Secure/Multipurpose Internet Mail Extensions (S/MIME) and OpenPGP email encryption standards via an "Efail" attack, which was effective in 25 out of 35 tested email programs using S/MIME and in 10 out of 28 tested programs using OpenPGP.
Neither standard's underlying cryptographic algorithms have been brought up to date in decades, and the team is urging that they be updated accordingly.
The Efail technique intercepts and manipulates an email to add the hacker's own encrypted commands, then relays the message to one of the recipients or the sender. Once the email is decrypted, the commands cause the victim's email to establish a link with the attacker the next time the email is opened.
The current S/MIME is not suitable for secure communication, although "OpenPGP can be configured and used securely; however, this is often not the case as we showed in our practical analyses and should therefore be considered insecure," says Ruhr University Bochum's Jorg Schwenk.
From Ruhr-University Bochum (Germany)
View Full Article
Abstracts Copyright © 2018 Information Inc., Bethesda, Maryland, USA
No entries found