Return-Path: <fenton@bluepopcorn.net>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 71B9813194B
 for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 07:50:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
 header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id zSO525yUrC1T for <dcrup@ietfa.amsl.com>;
 Tue, 13 Jun 2017 07:50:50 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 8AEA913194F
 for <dcrup@ietf.org>; Tue, 13 Jun 2017 07:41:50 -0700 (PDT)
Received: from splunge.local ([IPv6:2601:205:8302:79b1:dcef:c2d0:5748:b88a])
 (authenticated bits=0)
 by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id
 v5DEfm6L014146
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO)
 for <dcrup@ietf.org>; Tue, 13 Jun 2017 07:41:50 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net;
 s=supersize; t=1497364910;
 bh=ImdGLSJ9WHMmmv0QYr2CzUpycGwEz9Qtj/n7B3Ku/8U=;
 h=Subject:To:References:From:Date:In-Reply-To;
 b=ATh7GQBUBM5J3BPuSCUy+fZw4N9QxEj7y6HRLzJEHPdK8bSFpdjlqykNQO7I9L2LO
 Bf2LTYN722OlQ91OwB/7unjMnv22FnFXckEipUxe0T2janXAbHQGi/4Q/YmPwvz10H
 /hZczZw0r79Y8mBVPxGT88kB/eCMp/Q+kt5svGmY=
To: dcrup@ietf.org
References: <m38tkw53bd.fsf@carbon.jhcloos.org>
 <CABa8R6s6rzc+Ky8sLWcK7NtforSksEhNRkWVeF=k1v8GC80knw@mail.gmail.com>
 <m3wp8gpx20.fsf@carbon.jhcloos.org>
 <CAOj=BA2O+Hf2VGOtbmnqY2M5J9u8uJ7wm7SxEW551SXBwDdanw@mail.gmail.com>
 <5bf52517591d4950aec335d31bcf3631@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net>
Date: Tue, 13 Jun 2017 07:41:42 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
 Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <5bf52517591d4950aec335d31bcf3631@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: multipart/alternative;
 boundary="------------04FE1894F6A0F5978E32D881"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/gdEw6oX4V2hpJm7_SZddT47lgSE>
Subject: Re: [Dcrup] rsa-sha1 usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>,
 <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>,
 <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 14:50:52 -0000

This is a multi-part message in MIME format.
--------------04FE1894F6A0F5978E32D881
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

On 6/13/17 5:05 AM, Salz, Rich wrote:
>
> As a newcomer to DKIM (I come from the crypto side of things) I am a
> bit confused.
>
> Certificates last for a couple of years, and so there was a strong
> motivation to move off MD5 and then SHA1, because of the concern that
> someone would find a collision and create a bogus certificate during
> the original cert’s lifetime.
>
> But I’ve heard that DKIM “trust lifetime” is much shorter.  Is it?
> What is the expected lifetime for relying on a DKIM signature?
>
>

The expected lifetime is on the order of a week (message delivery
timeout). But the signature doesn't have an expiration time, so if
someone can construct a second message with the same hash, they could
replay the signature, potentially much later if the public key is still
in DNS.

IMO it seems very unlikely, even with the known weaknesses in SHA-1,
that in the near future someone would be able to construct such a
message that would be exploitable by an attacker (e.g., spam or a
phishing attack). That will likely change in the future, so we should
tell signers to stop using SHA-1 ASAP and tell verifiers to stop
accepting those signatures sometime later.

If anyone knows something yet more serious about exploitability of
rsa-sha1, please set me straight.

-Jim
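The replay risk described above, as an added example that is not part of this message or of any DKIM implementation: a verifier-side policy check in Python that recomputes the bh= body hash over the body actually received (RFC 6376 "simple" canonicalization), refuses rsa-sha1 unless explicitly allowed, honours the optional x= expiry tag when the signer set one, and otherwise caps the signature's age from its t= tag at a verifier-chosen limit (assumed here to be one week, matching the delivery-timeout figure above). The RSA verification of the b= tag is left out on purpose; the sample header, body, domain and selector are constructed for the example, and the t= value is the one on this message's own signature.

```python
import base64
import hashlib
import re

# Verifier policy assumed for this example (not taken from the message above):
# a signature is trusted for at most a week after its t= timestamp.
MAX_SIGNATURE_AGE = 7 * 86400


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace inside values is removed, which the base64 tags need."""
    tags = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")  # b= and bh= may contain '=' padding
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines,
    then terminate the body with exactly one CRLF."""
    unix = body.replace("\r\n", "\n").rstrip("\n")
    return (unix + "\n").replace("\n", "\r\n").encode("utf-8")


def body_hash(body, algorithm):
    """Compute the bh= value a signer would put in the header for this body."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(simple_body_canon(body)).digest()).decode("ascii")


def evaluate_signature(header_value, body, now, accept_sha1=False,
                       max_age=MAX_SIGNATURE_AGE):
    """Policy checks a verifier applies before (or instead of) the RSA check itself.
    Returns (accepted, reason)."""
    tags = parse_dkim_tags(header_value)
    algorithm = tags.get("a", "")
    if algorithm not in ("rsa-sha1", "rsa-sha256"):
        return False, "unknown algorithm %r" % algorithm
    if algorithm == "rsa-sha1" and not accept_sha1:
        return False, "rsa-sha1 refused by verifier policy"
    # A second body with the same bh= is exactly what makes signature replay
    # possible, so the hash is recomputed over the body that actually arrived.
    if tags.get("bh") != body_hash(body, algorithm):
        return False, "body hash mismatch"
    # x= (signer-declared expiry) and t= (signing time) are both optional;
    # without them the verifier can only fall back on its own age limit.
    if "x" in tags and now > int(tags["x"]):
        return False, "signature expired (x= in the past)"
    if "t" in tags and now - int(tags["t"]) > max_age:
        return False, "signature older than verifier max-age"
    return True, "accepted"


# Constructed sample message: bh= is computed here so the header is consistent
# with the body, and b= is a placeholder because no key is used in this example.
SIGNED_AT = 1497364910  # the t= of the signature on this message
SAMPLE_BODY = "Hello from a constructed test message.\r\n\r\n\r\n"


def sample_header(algorithm="rsa-sha256", expires=None):
    x_tag = "x=%d; " % expires if expires else ""
    return ("v=1; a=%s; c=relaxed/simple; d=example.net; s=sel; t=%d; %s"
            "bh=%s; h=From:To:Subject; b=PLACEHOLDER=="
            % (algorithm, SIGNED_AT, x_tag, body_hash(SAMPLE_BODY, algorithm)))


if __name__ == "__main__":
    hdr = sample_header()
    print(evaluate_signature(hdr, SAMPLE_BODY, SIGNED_AT + 3 * 86400))        # accepted
    print(evaluate_signature(hdr, SAMPLE_BODY, SIGNED_AT + 30 * 86400))       # too old
    print(evaluate_signature(hdr, SAMPLE_BODY + "tampered", SIGNED_AT + 60))  # bh mismatch
    print(evaluate_signature(sample_header("rsa-sha1"), SAMPLE_BODY, SIGNED_AT + 60))
    print(evaluate_signature(sample_header(expires=SIGNED_AT + 3600),
                             SAMPLE_BODY, SIGNED_AT + 7200))                   # expired
```

Run as a script it prints the five outcomes. The design point is that when a signer omits x=, the verifier's own age limit is the only thing bounding how long a body-hash collision would stay useful, because the public key can remain in DNS indefinitely; the accept_sha1 switch is the knob that lets verifiers drop rsa-sha1 on a later schedule than signers.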

--------------04FE1894F6A0F5978E32D881--

