Abstract
MUA (Mail User Agent) programs support email encryption functionality for providing confidentiality of the email contents. They encrypt email contents using email encryption standards such as OpenPGP or S/MIME, mostly implemented by GnuPG, or GPG in practice. In order to understand security implication of the structures and analyze any possible vulnerabilities of MUA programs, in this paper, we investigated practical MUAs supporting e-mail encryption. As a result, we found severe vulnerabilities in a list of MUAs that allow cache side-channel attacks in virtualized desktop environments. Our analysis reveals that the root cause originates from the lack of verification and control over third-party cryptographic libraries they adopt. In order to substantiate the importance of the vulnerability we found, we delivered FLUSH+RELOAD attack on those MUA programs and demonstrated that the attack restores 92% of the RSA private keys when recipients read a single encrypted email.
Original language | English |
---|---|
Title of host publication | 34th International Conference on Information Networking, ICOIN 2020 |
Publisher | IEEE Computer Society |
Pages | 236-238 |
Number of pages | 3 |
ISBN (Electronic) | 9781728141985 |
DOIs | |
Publication status | Published - 2020 Jan |
Event | 34th International Conference on Information Networking, ICOIN 2020 - Barcelona, Spain Duration: 2020 Jan 7 → 2020 Jan 10 |
Publication series
Name | International Conference on Information Networking |
---|---|
Volume | 2020-January |
ISSN (Print) | 1976-7684 |
Conference
Conference | 34th International Conference on Information Networking, ICOIN 2020 |
---|---|
Country/Territory | Spain |
City | Barcelona |
Period | 20/1/7 → 20/1/10 |
Bibliographical note
Funding Information:ACKNOWLEDGMENT This work was supported by Institute of Information communications Technology Planning Evaluation (IITP) grant funded by the Korea government(MSIT) (No.2019-0-00533, Research on CPU vulnerability detection and validation)
Publisher Copyright:
© 2020 IEEE.
Keywords
- Cache side-channel attack
- SW vulnerability
- mail user agent
ASJC Scopus subject areas
- Computer Networks and Communications
- Information Systems