Re: [Dcrup] rsa-sha1 usage

Jim Fenton <fenton@bluepopcorn.net> Tue, 13 June 2017 14:50 UTC

To: dcrup@ietf.org
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net>
Date: Tue, 13 Jun 2017 07:41:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/gdEw6oX4V2hpJm7_SZddT47lgSE>
Subject: Re: [Dcrup] rsa-sha1 usage

On 6/13/17 5:05 AM, Salz, Rich wrote:
>
> As a newcomer to DKIM (I come from the crypto side of things) I am a
> bit confused.
>
> Certificates last for a couple of years, and so there was a strong
> motivation to move off MD5 and then SHA1, because of the concern that
> someone would find a collision and create a bogus certificate during
> the original cert’s lifetime.
>
> But I’ve heard that DKIM “trust lifetime” is much shorter. Is it?
> What is the expected lifetime for relying on a DKIM signature?
>

The expected lifetime is on the order of a week (message delivery
timeout). But the signature doesn't have an expiration time, so if
someone can construct a second message with the same hash, they could
replay the signature, potentially much later if the public key is still
in DNS.

IMO it seems very unlikely, even with the known weaknesses in SHA-1,
that in the near future someone would be able to construct such a
message that would be exploitable by an attacker (e.g., spam or a
phishing attack). That will likely change in the future, so we should
tell signers to stop using SHA-1 ASAP and tell verifiers to stop
accepting those signatures sometime later.

If anyone knows something yet more serious about exploitability of
rsa-sha1, please set me straight.

-Jim
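The two verifier-side measures discussed in this reply, a cut-off date after which rsa-sha1 signatures are no longer accepted and an age window on the order of a week derived from the t= tag, as an added example that is not part of the thread or of any DKIM implementation; the policy function, the cut-off and the sample header are hypothetical, with the header's bh=/b= values replaced by placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample header, modelled on the signature on the archived message
# (bh= and b= are placeholders, not real digests or signatures).
SAMPLE_SHA256 = ("v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; "
                 "s=supersize; t=1497364910; bh=PLACEHOLDER=; "
                 "h=Subject:To:From:Date; b=PLACEHOLDER=")
SAMPLE_SHA1 = SAMPLE_SHA256.replace("a=rsa-sha256", "a=rsa-sha1")

WEEK = 7 * 24 * 3600  # the "on the order of a week" delivery window


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list into a dict.
    Folding whitespace inside values (common in b=) is removed; the first
    '=' separates tag from value, so base64 padding in b= is preserved."""
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


@dataclass
class Verdict:
    accept: bool
    reason: str


def signature_policy(header_value: str, now: int,
                     sha1_cutoff: int, max_age: int = WEEK) -> Verdict:
    """Hypothetical verifier policy: (1) refuse rsa-sha1 once `sha1_cutoff`
    (epoch seconds) has passed, and (2) treat a signature whose t= is older
    than `max_age` as stale, bounding the replay window described above."""
    tags = parse_tags(header_value)
    alg = tags.get("a", "")
    if alg == "rsa-sha1" and now >= sha1_cutoff:
        return Verdict(False, "rsa-sha1 no longer accepted by policy")
    if "t" not in tags:
        # t= is optional in DKIM; without it the age cannot be bounded here.
        return Verdict(True, "no t= tag; age not checked")
    age = now - int(tags["t"])
    if age > max_age:
        return Verdict(False, f"signature is {age // 86400} days old (stale)")
    return Verdict(True, f"{alg}, {age} seconds old")
```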