Page 1
Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks
Kaiwen Shen, Chuhan Wang, Minglei Guo, Xiaofeng Zheng, Chaoyi Lu, Baojun Liu, Yuxuan Zhao, Shuang Hao, Haixin Duan, Qingfeng Pan, Min Yang
Email: [email protected]
Page 2
Email Spoofing Attacks
❖ How Email Spoofing Attacks Happen (figure: attacker and victim):
1. Sending spoofing emails
2. Clicking the malicious link
3. Leaking financial data
❖ Impact of Email Spoofing Attack Today
The FBI reports that businesses have lost over $12.5B, up from $5.3B: more than double in just over two years.
An increase of over 600% due to the coronavirus pandemic (COVID-19).
Page 3
It’s so hard to spot a spoofing email!
An Example of Our Email Spoofing Attack
SMTP envelope:
HELO sender.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
SMTP DATA:
From: <[email protected]>
To: <[email protected]>
Subject: Administrator’s warning From Paypal.
Hello Dear Customer, …
Check It Now
Displayed Email (figure)
IDN homograph attack (A12): from paypal.com to iCloud
Page 4
Email Spoofing Protections
Email Security Extension Protocols
❖ Sender Policy Framework (SPF)
➢ Verifying the sender IP based on Mail From/Helo
❖ DomainKeys Identified Mail (DKIM)
➢ Verifying the email based on the DKIM-Signature
❖ Domain-based Message Authentication, Reporting and Conformance (DMARC)
➢ Offering a policy that suggests how to handle unverified emails
➢ Associating the identity in MIME From with SPF/DKIM
Page 5
Email Spoofing Protections
How the Three Email Security Protocols Work (figure):
SPF: verifying the sender IP based on Mail From/Helo
DKIM: verifying the email based on the DKIM-Signature
DMARC: associating the identity in MIME From with SPF/DKIM
Page 6
Email Spoofing Protections
UI-level Spoofing Protection
❖ Sender Inconsistency Checks (SIC)
A spoofing email that fails the Sender Inconsistency Checks (figure).
Page 7
With these anti-spoofing protections in place, why is email spoofing still possible?
Page 8
Our Work
❖ Goal: analyze the four critical stages of the authentication chain.
❖ Findings: 14 email spoofing attacks, including 9 new attacks.
1. Sending Authentication: A1, A2
2. Receiving Verification: A3, A4, A5, A6, A7, A8
3. Forwarding Verification: A9, A10, A11
4. UI Rendering: A12, A13, A14
Page 9
Measurement and Evaluation in the Wild
❖ A large-scale experiment on 30 popular email services and 23 email clients.
Page 10
Measurement and Evaluation in the Wild
All of the tested email services are vulnerable to certain types of attacks.
Page 11
Attacks
Page 12
Three Types of Attack Models
a. Shared MTA Attack
[email protected] sends a spoofing email as [email protected] through the a.com MTA.
Figure: Oscar, Alice’s MUA, Alice’s MTA (a.com), Bob’s MTA (b.com), Bob’s MUA.
Page 13
Three Types of Attack Models
b. Direct MTA Attack
Oscar sends a spoofing email through his own email server.
Figure: Oscar, Oscar’s Server, Alice’s MUA, Alice’s MTA (a.com), Bob’s MTA (b.com), Bob’s MUA.
Page 14
Three Types of Attack Models
c. Forward MTA Attack
Oscar abuses an email forwarding service to send spoofing emails.
Figure: Oscar, Alice’s MUA, Alice’s MTA (a.com) with Automatic Email Forwarding, Bob’s MTA (b.com), Bob’s MUA.
Page 15
Attacks in Email Sending Authentication
❖ Successful Attack: modifying Auth Username, Mail From and From arbitrarily.
❖ Benefit: abusing the IP reputation of well-known email services.
Page 16
Attacks in Email Sending Authentication
❖ Auth Username ≠ Mail From (A1)
❖ Mail From ≠ From (A2)
Page 17
Attacks in Email Receiving Verification
❖ Successful Attack: bypassing SPF, DKIM and DMARC.
❖ Benefit: a spoofing email that passes all three security protocols is hard to spot.
Page 18
Attacks in Email Receiving Verification
Empty Mail From (A3)
❖ RFC 5321: an empty Mail From is allowed, to prevent bounce loop-back
❖ RFC 7208: use the HELO identity as an alternative if Mail From is empty
Empty Mail From attack bypassing the SPF verification (figure)
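The following Python sketch is an added example (not the paper's code or the ESpoofing tool) covering the two preceding ideas: how SPF, DKIM and DMARC tie identities together, and why an empty Mail From (A3) shifts the SPF check onto the HELO identity. The SPF records, IP ranges and domains (a.com as the impersonated domain, b.com as the attacker-controlled one) are constructed for the demo; the organizational-domain logic is a deliberate simplification of DMARC relaxed alignment.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed stand-in for DNS TXT lookups (hypothetical data, not from the paper).
SPF_NETWORKS = {
    "a.com": ["192.0.2.0/24"],      # Alice's domain: the one being impersonated
    "b.com": ["198.51.100.0/24"],   # Oscar's domain: he controls its SPF record
}


def spf_identity(mail_from: str, helo: str) -> str:
    """RFC 7208 identity selection: with an empty MAIL FROM (<>), SPF evaluates HELO instead."""
    if mail_from.strip() in ("", "<>"):
        return helo.lower()
    return mail_from.strip("<>").rsplit("@", 1)[-1].lower()


def spf_check(client_ip: str, mail_from: str, helo: str) -> Tuple[str, str]:
    """Return (result, identity_domain); result is 'pass', 'fail' or 'none' (no record)."""
    domain = spf_identity(mail_from, helo)
    networks = SPF_NETWORKS.get(domain)
    if networks is None:
        return "none", domain
    addr = ip_address(client_ip)
    ok = any(addr in ip_network(net) for net in networks)
    return ("pass" if ok else "fail"), domain


def organizational_domain(domain: str) -> str:
    """Simplified 'relaxed' alignment: keep the last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_verdict(from_header: str, spf: Tuple[str, str],
                  dkim: Tuple[str, Optional[str]]) -> dict:
    """DMARC passes only if an authenticated identifier (SPF domain or DKIM d=) aligns with RFC5322.From."""
    from_domain = organizational_domain(from_header.strip("<>").rsplit("@", 1)[-1])
    spf_result, spf_domain = spf
    dkim_result, dkim_domain = dkim
    spf_aligned = spf_result == "pass" and organizational_domain(spf_domain) == from_domain
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and organizational_domain(dkim_domain) == from_domain)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def receive(client_ip: str, helo: str, mail_from: str, from_header: str,
            dkim: Tuple[str, Optional[str]] = ("none", None)) -> dict:
    """Both views a receiver can take: the bare SPF result and the DMARC verdict with alignment."""
    spf = spf_check(client_ip, mail_from, helo)
    verdict = dmarc_verdict(from_header, spf, dkim)
    verdict["spf"] = spf
    return verdict


if __name__ == "__main__":
    # A3 scenario: Oscar's server, empty MAIL FROM, HELO names his own domain,
    # while the From header claims alice@a.com. SPF passes for b.com; DMARC fails
    # because b.com does not align with the From domain a.com.
    print(receive("198.51.100.7", "b.com", "<>", "<alice@a.com>"))
```

The point for a receiver: an SPF "pass" on its own says nothing about the address the user sees. A verifier that stops at the SPF result (or that never checks alignment with the From header) is exactly the weak link A3 exploits; the DMARC verdict in `receive` is the check that closes it.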
Page 19
Attacks in Email Receiving Verification
Inconsistent Parsing of Ambiguous Emails
❖ Multiple From headers (A4)
Ordinary multiple From attack (figure) / Multiple From attack with spaces (figure)
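A4 works because the component that verifies a message and the component that displays it can disagree on which line is the From header. The Python below is an added example (not from the paper) that a receiving MTA or filter could run before authentication: it compares a lenient, regex-based count of From-like lines with the count seen by Python's own header parser, and flags any message where the two views differ or more than one From exists. The four sample messages and their addresses are constructed for the demo.

```python
import re
from email import message_from_bytes

# Constructed sample messages with placeholder addresses (not taken from the paper).
CLEAN = (
    b"From: Alice <alice@a.com>\r\n"
    b"To: Bob <bob@b.com>\r\n"
    b"Subject: hello\r\n"
    b"\r\nbody\r\n"
)
ORDINARY_MULTI_FROM = (                 # two plain From headers
    b"From: Alice <alice@a.com>\r\n"
    b"From: Oscar <oscar@b.com>\r\n"
    b"To: Bob <bob@b.com>\r\n"
    b"\r\nbody\r\n"
)
SPACED_MULTI_FROM = (                   # second From line starts with whitespace:
    b"From: Alice <alice@a.com>\r\n"    # a folded continuation to a strict parser,
    b" From: Oscar <oscar@b.com>\r\n"   # a second From header to a lenient one
    b"To: Bob <bob@b.com>\r\n"
    b"\r\nbody\r\n"
)
SPACE_BEFORE_COLON = (                  # "From :" is not a valid field name, but
    b"From : Alice <alice@a.com>\r\n"   # some parsers accept it anyway
    b"From: Oscar <oscar@b.com>\r\n"
    b"To: Bob <bob@b.com>\r\n"
    b"\r\nbody\r\n"
)

# Any line a lenient parser might read as a From header: optional leading
# whitespace, the field name, optional whitespace before the colon.
FROM_LIKE = re.compile(rb"^[ \t]*from[ \t]*:", re.IGNORECASE)


def from_like_lines(raw: bytes) -> list:
    """Lenient view: every raw header line that could be taken as a From field."""
    headers = raw.split(b"\r\n\r\n", 1)[0]
    return [line for line in headers.split(b"\r\n") if FROM_LIKE.match(line)]


def parsed_from_count(raw: bytes) -> int:
    """Strict view: how many From headers Python's email parser reports."""
    return len(message_from_bytes(raw).get_all("From") or [])


def assess(raw: bytes) -> dict:
    lenient = len(from_like_lines(raw))
    strict = parsed_from_count(raw)
    return {
        "lenient_from_count": lenient,
        "strict_from_count": strict,
        # RFC 5322 allows exactly one From field. Anything else, or any disagreement
        # between the two views, is the ambiguity A4 depends on: reject or quarantine.
        "ambiguous": lenient != 1 or strict != 1,
    }


if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("ordinary", ORDINARY_MULTI_FROM),
                       ("spaced", SPACED_MULTI_FROM), ("space-before-colon", SPACE_BEFORE_COLON)]:
        print(label, assess(raw))
```

The spaced case is the instructive one: the strict parser folds the second line into the first From value (one header), while the lenient regex sees two. A verifier and a renderer that each pick a different interpretation will authenticate one address and display the other, so the safe policy is to refuse the message rather than pick a winner.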
Page 20
Attacks in Email Forwarding Verification
Successful Attack:
❖ Freely configurable without authentication verification
❖ A higher security endorsement
Page 21
Attacks in Email Forwarding Verification
Unauthorized Forwarding Attack (A9)
❖ Abusing a trusted IP: exploiting the forwarding service to bypass SPF and DMARC
Page 22
Attacks in Email Forwarding Verification
DKIM-Signature Fraud Attack (A10)
❖ A higher security endorsement: obtaining a legitimate DKIM-Signature
Page 23
Attacks in Email UI Rendering
Successful Attack:
❖ The displayed address is inconsistent with the real one.
❖ No security alerts at all on the MUA.
Page 24
Attacks in Email UI Rendering
Missing UI Rendering Attack (A13)
admin@[email protected] ==> [email protected]
Right-to-left Override Attack (A14)
\u202emoc.a@\u202dalice ==> [email protected]
IDN homograph attack (A12)
New Challenge: International Email
❖ Internationalized domain names (IDN) + email address internationalization (EAI)
❖ Allow Unicode characters in email addresses
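The three UI-rendering attacks share a defence: inspect the From value before it is rendered and warn when what the user would see cannot be trusted. The Python below is an added example, not the paper's code and not the NoSpoofing extension; it flags bidi control characters (A14), an address-shaped display name (A13) and non-ASCII or mixed-script domains (A12), and reports the A-label (punycode) form of the domain so a notification can show it. The `split_from` helper is a hypothetical simplification of RFC 5322 address parsing, and all sample addresses are constructed.

```python
import re
import unicodedata

# Unicode bidi controls (RLO/LRO, embeddings, isolates, marks) that reorder what a MUA shows.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Hypothetical simplified split, not the RFC 5322 grammar: the text inside the final <...>
# is the address, everything before it is the display name.
ANGLE_ADDR = re.compile(r"^(?P<name>.*)<(?P<addr>[^<>]*)>\s*$", re.S)


def split_from(value: str):
    m = ANGLE_ADDR.match(value.strip())
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").strip()
    return "", value.strip()


def scripts_in(label: str) -> set:
    """Rough script inventory from Unicode character names (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0] for ch in label if ch.isalpha()}


def inspect_from(value: str) -> dict:
    name, addr = split_from(value)
    raw_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Analyse the domain without the controls so the findings below stay about the domain itself.
    domain = "".join(ch for ch in raw_domain if ch not in BIDI_CONTROLS)
    findings = []
    if any(ch in BIDI_CONTROLS for ch in value):
        findings.append("bidi-control")             # A14: RLO/LRO can reverse the shown address
    if "@" in name:
        findings.append("address-in-display-name")  # A13: name reads like a different mailbox
    ascii_domain = domain
    if any(ord(ch) > 127 for ch in domain):
        findings.append("non-ascii-domain")         # A12 candidate: IDN in the address
        try:
            ascii_domain = domain.encode("idna").decode("ascii")  # xn-- form to show the user
        except UnicodeError:
            ascii_domain = None                     # not a valid IDN label at all
        if len(scripts_in(domain.split(".")[0])) > 1:
            findings.append("mixed-script-label")   # e.g. Latin and Cyrillic in one label
    return {"display_name": name, "address": addr,
            "ascii_domain": ascii_domain, "findings": findings}


if __name__ == "__main__":
    for sample in ["Alice <alice@a.com>",
                   "admin@a.com <oscar@b.com>",
                   "\u202emoc.a@\u202dalice",
                   "Alice <alice@p\u0430ypal.com>"]:   # Cyrillic 'a' (U+0430) in the domain
        print(inspect_from(sample))
```

A client or web-mail front end would surface a non-empty `findings` list as a visible warning next to the sender, and show `ascii_domain` instead of the Unicode form when it starts with `xn--`; that is the kind of UI notification the mitigation section of this talk argues for.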
Page 25
Combined Attack
Limitations on a single attack:
➢ Some attacks (e.g., A2, A3) do not bypass all protections.
➢ Most vendors have fixed the attacks that bypass all of SPF, DKIM, DMARC and SIC.
Combined Attack:
➢ More realistic emails (bypassing all prevalent email security protocols).
An example of impersonating [email protected] on Gmail (figure).
Page 26
Combined Attacks
❖ Numerous feasible combined attacks by combining the 3 types of attack models and the 14 attack techniques in the 4 authentication stages.
Figure: Different Attack Models/Techniques → Combined Spoofing Attacks
Page 27
Weak Links in Authentication Chains
Page 28
Weak Links among Multi-protocols
❖ Spoofing attacks still succeed due to the inconsistency of the entities protected by different protocols.
Page 29
Weak Links among Multi-roles
❖ Four different roles: senders, receivers, forwarders and UI renderers.
❖ The specifications do not state any clear responsibilities for the four roles.
❖ Any failed part can break the whole chain-based defense.
Page 30
Weak Links among Multi-services
The inconsistency among different services creates security threats.
❖ Different email services have different configurations and implementation procedures.
❖ Numerous email components deviate from the RFC specifications when dealing with ambiguous headers.
Page 31
Mitigation
Page 32
Responsible Disclosure
❖ Helping email vendors eliminate the detected threats.
➢ Vendors have 10 months to mitigate before this paper is published.
Confirmed: 11 vendors
Page 33
Mitigation and Solution
❖ UI Notification:
NoSpoofing: a Chrome extension for Gmail.
https://chrome.google.com/webstore/detail/nospoofing/ehidaopjcnapdglbbbjgeoagpophfjnp
An example of a UI notification against the combined attack (figure).
Page 34
Mitigation and Solution
❖ Evaluation Tools:
ESpoofing: helping email administrators evaluate and strengthen their security.
https://github.com/mo-xiaoxi/ESpoofing
An example of using this tool to evaluate the security of a target email system (figure).
Page 35
Q & A
{skw17, wang-ch19}@mails.tsinghua.edu.cn
Thank you!