2018-05-18

Vulnerability in Pretty Good Privacy (PGP) and Secure MIME email encryption services

PGP is a public key encryption-based program that is used often to secure emails. S/mime is a standard defining the encryption of the email ensuring confidentiality, integrity and originality. Now experts have found a vulnerability that may allow outsiders to read even the earlier encrypted emails.

Münster University of Applied Sciences signalled on 14th May that PGP and S/MIME have both vulnerabilities enabling the third party to reveal the plain-text of ongoing encrypted email traffic and even access the earlier sent secure emails.
"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus ex-filtrating the plain-text to the attacker."

The following general advice may apply:

  • Remove the installed and automatic PGP and S/MIME services from your email-service until the vulnerability has been patched
  • Use other end-to-end email encryption services like Signal
  • Wait for detailed analysis and guidance to remedy the services.
  • Consider what has been sent earlier using the above encryption and assess the risks if they are revealed.


References

  1. https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now 
  2. https://www.forbes.com/sites/thomasbrewster/2018/05/14/pgp-encrypted-email-vulnerability-exposes-private-messages/#61cbede13e2a
  3. https://ssd.eff.org/en/module/how-use-signal-ios
  4. https://efail.de/efail-attack-paper.pdf


2018-05-09

Wi-Fi air interface will have a new encryption protocol, WPA3

Situation

The current Wi-Fi encryption protocol WPA2 has a weakness when joining a new node into network. A man-in-the-middle within the wireless coverage can manipulate, KRACK, the handshake procedure and reset the WPA2 encryption using all-zero keys. The assumed encryption is then substituted by a simple coding. Thea weakness is in the standards itself and affects all modern Wi-Fi networks. 

The Wi-Fi Alliance has announced a new standard, WPA3, will include “robust protection” when passwords are weak, and will also simplify security configurations for devices that have limited or no display interface. It will also include individualised data encryption when using public access network.

Solution

The Wi-Fi Protected Access 3 (WPA3) standard will be published later this year, but currently it seems to include:
  • 192-bit key aligned with the Commercial National Security Algorithm
  • Opportunistic Wireless Encryption which establishes encryption without authentication
  • Protection against weak passwords and brute-force dictionary -based attacks
  • Individualised data encryption when accessing open networks.
Once the standard is published, it will take months for device manufacturers to support it in their devices. First compliant devices may be shipped in the end of this year.

What to do

The following general advice may apply:
  • The WPA2 vulnerability can be exploited only within the range of the Wi-Fi transceiver so all sensitive Wi-Fi should be positioned and effective radiated power configured so that outsiders find it hard to tap.
  • A second layer of encryption should be established end-to-end (e.g., https, IPSEC, SSH) to protect the actual communication (COMSEC) and keep user identities and passwords safe together with the content.
  • All sensitive Wi-Fi devices should be planned to be renewed within next two years.

References

  1. https://www.helpnetsecurity.com/2017/10/16/wpa2-weakness/
  2. https://www.theverge.com/2018/1/9/16867940/wi-fi-alliance-new-wpa3-security-protections-wpa2-announced
  3. https://latesthackingnews.com/2018/01/12/wpa3-new-wi-fi-standard-improve-security/
  4. https://thehackernews.com/2018/01/wpa3-wifi-security.html