In his dissertation, Dr. Fabian Ising dealt with edge cases of modern applied cryptography. A special focus was on transport encryption for email protocols (STARTTLS) and so-called oracle attacks against end-to-end encryption. The dissertation uncovered vulnerabilities in OpenPGP and S/MIME encryption that allow decryption in various scenarios using passive traffic analysis or by sending a single self-exfiltrating email. Extending these attacks to PDFs and Office documents reveals strengths and weaknesses of the developed techniques.
Fabian Ising’s research results show that attackers can often trick applications into revealing sensitive data despite encryption. He attributes this to the fact that the complexity of the systems leads to many difficult decisions and borderline cases during implementation.
Part of the dissertation was published in advance at top IT security conferences:
- USENIX Security 2018 – “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels”
- ACM CCS 2019 – “Practical Decryption ex-Filtration: Breaking PDF Encryption”
- USENIX Security 2021 – “Why TLS is better without STARTTLS: A Security Analysis of STARTTLS in the Email Context”
- USENIX Security 2023 – “Content-Type: multipart/oracle: Tapping into Format Oracles in Email End-to-End Encryption”