On the Security of Practical Mail User Agents against Cache Side-Channel Attacks
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Kim, Hodong | - |
dc.contributor.author | Yoon, Hyundo | - |
dc.contributor.author | Shin, Youngjoo | - |
dc.contributor.author | Hur, Junbeom | - |
dc.date.accessioned | 2021-08-30T22:09:47Z | - |
dc.date.available | 2021-08-30T22:09:47Z | - |
dc.date.created | 2021-06-19 | - |
dc.date.issued | 2020-06 | - |
dc.identifier.issn | 2076-3417 | - |
dc.identifier.uri | https://scholar.korea.ac.kr/handle/2021.sw.korea/55427 | - |
dc.description.abstract | Mail user agent (MUA) programs provide an integrated interface for email services. Many MUAs support email encryption functionality to ensure the confidentiality of emails. In practice, they encrypt the content of an email using email encryption standards such as OpenPGP or S/MIME, mostly implemented using GnuPG. Despite their widespread deployment, there has been insufficient research on their software structure and the security dependencies among the software components of MUA programs. In order to understand the security implications of the structures and analyze any possible vulnerabilities of MUA programs, we investigated a number of MUAs that support email encryption. As a result, we found severe vulnerabilities in a number of MUAs that allow cache side-channel attacks in virtualized desktop environments. Our analysis reveals that the root cause originates from the lack of verification and control over the third-party cryptographic libraries that they adopt. In order to demonstrate this, we implemented a cache side-channel attack on RSA in GnuPG and then conducted an evaluation of the vulnerability of 13 MUAs that support email encryption in Ubuntu 14.04, 16.04 and 18.04. Based on our experiment, we found that 10 of these MUA programs (representing approximately 77% of existing MUA programs) allow the installation of a vulnerable version of GnuPG, even when the latest version of GnuPG, which is secure against most cache side-channel attacks, is in use. In order to substantiate the importance of the vulnerability we discovered, we conducted a FLUSH+RELOAD attack on these MUA programs and demonstrated that the attack restored 92% of the bits of the 2048-bit RSA private key when the recipients read a single encrypted email. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | MDPI | - |
dc.title | On the Security of Practical Mail User Agents against Cache Side-Channel Attacks | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Hur, Junbeom | - |
dc.identifier.doi | 10.3390/app10113770 | - |
dc.identifier.scopusid | 2-s2.0-85086107355 | - |
dc.identifier.wosid | 000543385900107 | - |
dc.identifier.bibliographicCitation | APPLIED SCIENCES-BASEL, v.10, no.11 | - |
dc.relation.isPartOf | APPLIED SCIENCES-BASEL | - |
dc.citation.title | APPLIED SCIENCES-BASEL | - |
dc.citation.volume | 10 | - |
dc.citation.number | 11 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.journalRegisteredClass | scie | - |
dc.description.journalRegisteredClass | scopus | - |
dc.relation.journalResearchArea | Chemistry | - |
dc.relation.journalResearchArea | Engineering | - |
dc.relation.journalResearchArea | Materials Science | - |
dc.relation.journalResearchArea | Physics | - |
dc.relation.journalWebOfScienceCategory | Chemistry, Multidisciplinary | - |
dc.relation.journalWebOfScienceCategory | Engineering, Multidisciplinary | - |
dc.relation.journalWebOfScienceCategory | Materials Science, Multidisciplinary | - |
dc.relation.journalWebOfScienceCategory | Physics, Applied | - |
dc.subject.keywordAuthor | cache side-channel attack | - |
dc.subject.keywordAuthor | encrypted email | - |
dc.subject.keywordAuthor | mail user agent | - |
dc.subject.keywordAuthor | GnuPG | - |
dc.subject.keywordAuthor | desktop virtualization | - |