[dispatch] Updating DKIM for stronger crypto
"John Levine" <johnl@taugh.com> Mon, 06 February 2017 02:08 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1520F129565 for <dispatch@ietfa.amsl.com>; Sun, 5 Feb 2017 18:08:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XDESLHzjwDS1 for <dispatch@ietfa.amsl.com>; Sun, 5 Feb 2017 18:08:50 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C291B129502 for <dispatch@ietf.org>; Sun, 5 Feb 2017 18:08:49 -0800 (PST)
Received: (qmail 45420 invoked from network); 6 Feb 2017 02:08:48 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 6 Feb 2017 02:08:48 -0000
Date: Mon, 06 Feb 2017 02:08:26 -0000
Message-ID: <20170206020826.1108.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dispatch@ietf.org
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/rWkxXUtYiAlUuuu95KkFpwMnaOI>
Subject: [dispatch] Updating DKIM for stronger crypto
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 02:08:51 -0000
The DKIM spec RFC 6376 specifies the hash algorithm to use to make hashes of e-mail message bodies and headers, and the signing algorithm to use to sign them, with the results placed in a header in the message. To check signatures, the recipient looks up the verification keys in the DNS, where it's stored in TXT records. Every signature includes a tag saying what hash and signature algorithms it used, and every key record includes a tag saying what signature algorithm the key is for. The plan was always that we'd be able to move to newer algorithms when needed. Early versions of DKIM used SHA1 hashes, but by the time the original spec was published in 2007, we'd added SHA256 and the spec says that everyone should use SHA256 hashes but also has to verify SHA1 hashes. In practice everyone uses SHA256. The only signature algorithm is RSA, and the spec says that verifiers must handle signatures from 512 to 2K bits and strongly suggests at least 1K bits. So far, that has not changed. Needless to say, 512 bits is now way too weak, and 1K is iffy, so it would be a good idea to update the advice. Over in DMARC land, there is an anti-DMARC design called ARC which uses DKIM's signing algorithms, and it would be nice to launch ARC with up to date crypto too. The obvious change would be a one sentence update to the DMARC spec saying to sign with at least 2K keys and verifiers must handle at least 4K keys. The code changes to DKIM signers and verifiers would be trivial, and it is my impression that most verifiers handle larger keys now, since they just pass them to OpenSSL or the like. Unfortunately, we have a stupid but significant problem. DKIM keys are published in DNS TXT records, the strings in TXT records are limited to 256 characters, and keys longer than 1K bits don't fit in 256 characters. No problem you might think, since the DKIM spec says that verifiers catenate multiple strings together, so you just break the key into two or three strings. A lot of people manage their DNS using web based crudware at their registrar or DNS provider, and most of the crudware only handles TXT records with one string. You don't have to tell me how broken that is, but the cruddy state of DNS provisioning has been a problem for many years, and nothing we say is going to fix it in any finite amount of time. I note RFCs 7748 and 8032 which remind us that ed25519 has excellent performance with much smaller keys. So I would like to publish a small update to the DKIM spec to add ed25519 as a signature algorithm, require that ed25519 signatures use at least 256 bits, and provide some advice for migration, e.g., publish both keys in separate TXT records and sign with both algorithms for a while. 256-bit keys fit in a single TXT string with ease. Does this seem reasonable? R's, John
- Re: [dispatch] Updating DKIM for stronger crypto Cullen Jennings
- [dispatch] Updating DKIM for stronger crypto John Levine
- Re: [dispatch] Updating DKIM for stronger crypto Stephen Farrell
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto Cullen Jennings
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto Stephen Farrell
- Re: [dispatch] Updating DKIM for stronger crypto Eric Rescorla
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Stephen Farrell
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto John Levine
- Re: [dispatch] Updating DKIM for stronger crypto Martin Thomson
- Re: [dispatch] Updating DKIM for stronger crypto John R Levine
- Re: [dispatch] Updating DKIM for stronger crypto Wei Chuang