IETF Logo Mail Archive

[dispatch] Updating DKIM for stronger crypto

"John Levine" <johnl@taugh.com> Mon, 06 February 2017 02:08 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1520F129565 for <dispatch@ietfa.amsl.com>; Sun, 5 Feb 2017 18:08:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XDESLHzjwDS1 for <dispatch@ietfa.amsl.com>; Sun, 5 Feb 2017 18:08:50 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C291B129502 for <dispatch@ietf.org>; Sun, 5 Feb 2017 18:08:49 -0800 (PST)
Received: (qmail 45420 invoked from network); 6 Feb 2017 02:08:48 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 6 Feb 2017 02:08:48 -0000
Date: Mon, 06 Feb 2017 02:08:26 -0000
Message-ID: <20170206020826.1108.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dispatch@ietf.org
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/rWkxXUtYiAlUuuu95KkFpwMnaOI>
Subject: [dispatch] Updating DKIM for stronger crypto
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 02:08:51 -0000

The DKIM spec RFC 6376 specifies the hash algorithm to use to make
hashes of e-mail message bodies and headers, and the signing algorithm
to use to sign them, with the results placed in a header in the
message.  To check signatures, the recipient looks up the verification
keys in the DNS, where it's stored in TXT records.

Every signature includes a tag saying what hash and signature
algorithms it used, and every key record includes a tag saying what
signature algorithm the key is for.  The plan was always that we'd be
able to move to newer algorithms when needed.  Early versions of DKIM
used SHA1 hashes, but by the time the original spec was published in
2007, we'd added SHA256 and the spec says that everyone should use
SHA256 hashes but also has to verify SHA1 hashes.  In practice everyone
uses SHA256.  

The only signature algorithm is RSA, and the spec says that verifiers
must handle signatures from 512 to 2K bits and strongly suggests at
least 1K bits.  So far, that has not changed.

Needless to say, 512 bits is now way too weak, and 1K is iffy, so it
would be a good idea to update the advice.  Over in DMARC land, there
is an anti-DMARC design called ARC which uses DKIM's signing
algorithms, and it would be nice to launch ARC with up to date crypto
too.

The obvious change would be a one sentence update to the DMARC spec
saying to sign with at least 2K keys and verifiers must handle at
least 4K keys.  The code changes to DKIM signers and verifiers would
be trivial, and it is my impression that most verifiers handle larger
keys now, since they just pass them to OpenSSL or the like.

Unfortunately, we have a stupid but significant problem.  DKIM keys
are published in DNS TXT records, the strings in TXT records are
limited to 256 characters, and keys longer than 1K bits don't fit
in 256 characters.  No problem you might think, since the DKIM spec
says that verifiers catenate multiple strings together, so you just
break the key into two or three strings.

A lot of people manage their DNS using web based crudware at their
registrar or DNS provider, and most of the crudware only handles TXT
records with one string.  You don't have to tell me how broken that
is, but the cruddy state of DNS provisioning has been a problem for
many years, and nothing we say is going to fix it in any finite amount
of time.

I note RFCs 7748 and 8032 which remind us that ed25519 has excellent
performance with much smaller keys.  So I would like to publish a
small update to the DKIM spec to add ed25519 as a signature algorithm,
require that ed25519 signatures use at least 256 bits, and provide
some advice for migration, e.g., publish both keys in separate TXT
records and sign with both algorithms for a while.  256-bit keys fit
in a single TXT string with ease.

Does this seem reasonable?

R's,
John

v2.23.0 | Report a Bug | By Email