eMail encryption PGP and S/MIME not secure anymore

The two encryption techniques PGP and S/Mime are no longer secure, according to a report by the Süddeutsche Zeitung.

As the newspaper writes, researcher from various universities, including the University of Applied Sciences Münster, the Ruhr University Bochum and the KU Löwen (Belgium), have managed to crack the mentioned encryption methods. Professor Sebastian Schinzel from the Münster University of Applied Sciences managed the project.

The fact that the techniques are no longer secure is a big surprise: they were considered secure and even praised by Snowden. In response to the hack, the Electronic Frontier Foundation (EFF) advises to be careful..

The cracking of eMails is quite simple and even almost elegant. Under the assumption that the ciphertext is present, that is the actually unreadable data, which is the result of the encryption of the email and that the recipient has activated the HTML capability of his email program, the researchers proceeded as follows: They send the encrypted text to be cracked hidden in a normal email to the recipient. Its email program not only recognizes the unencrypted but also the encrypted text and immediately starts to decrypt it with the existing private key. Corresponding code in the eMail now uses exactly this private key and sends it back to the attacker thanks to HTML. So the trick is to get the email program to decrypt encrypted emails automatically and then grab the private key via manipulated email.

The conclusion for all those who currently use one of the two methods: disable HTML in the email program, currently no longer read encrypted mail and especially turn off the automatic decryption. For the next time, the researchers also advise to completely different types of encryption to use. As you can see from the method above, the encryption itself seems to be still intact, “only” the implementation in mail programs seems to be the problem.

All details at https://efail.com .

Comments are closed.