IETF Logo Mail Archive

Re: [ietf-dkim] DKIM Key Sizes

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 28 October 2016 10:07 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE977129A31 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Fri, 28 Oct 2016 03:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e5A8y9B1ZLCZ for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Fri, 28 Oct 2016 03:07:53 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A59D2129A28 for <ietf-dkim-archive@ietf.org>; Fri, 28 Oct 2016 03:07:53 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9SA7TRO028674; Fri, 28 Oct 2016 03:07:30 -0700
Authentication-Results: simon.songbird.com; dkim=fail reason="verification failed; unprotected key" header.d=cs.tcd.ie header.i=@cs.tcd.ie header.b=WLzgD+Xs; dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u9SA7Ojx028670 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <ietf-dkim@mipassoc.org>; Fri, 28 Oct 2016 03:07:26 -0700
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id DC051BE38; Fri, 28 Oct 2016 11:06:35 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZ9-kvw-H-uL; Fri, 28 Oct 2016 11:06:35 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 43831BE2C; Fri, 28 Oct 2016 11:06:35 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1477649195; bh=IEktN4u4BaMRwOi+Ia4SIDJh3BdXB5mEPL+A2dgoSvk=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=WLzgD+XsNpWL2YugfzEywsAYQrmOdNKRVxi3zeDadAXedsTZU+7M3a6fo3ijKvXUS X5J9dNqL93phMeRdxcE/W/Pj8/hWFU6yNId8yEc7xW3FogeP/1+QZSp/99f7ES7AV6 lL8zNyfS+2YoRPKNwdH+3K9vfznaAElYPTyLwOII=
To: Jon Callas <jon@callas.org>, Peter Goldstein <peter@valimail.com>
References: <CAOj=BA3TFzxnHHZ+-tpoMCWxhaGvOg0RREbcYbpzS9g3g8i=Qg@mail.gmail.com> <33093A9D-5406-4BEF-AE65-66696B664593@callas.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <fc07cb56-ed9b-273d-54c1-0c6e67a7fe16@cs.tcd.ie>
Date: Fri, 28 Oct 2016 11:06:34 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <33093A9D-5406-4BEF-AE65-66696B664593@callas.org>
Cc: ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] DKIM Key Sizes
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1793343462896561013=="
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>

Hi Jon,

On 27/10/16 23:29, Jon Callas wrote:
> 
>> On Oct 27, 2016, at 1:29 AM, Peter Goldstein <peter@valimail.com>
>> wrote:
> 
>> Those guidelines ... specify that receivers MUST validate
>> signatures of 512 to 2048 bits, but are not required to validate
>> signatures with longer keys - may be worth revisiting given
>> advances in computing power, the increasing importance of DKIM as
>> an element of email authentication, and the reuse of these
>> guidelines in other proposals (i.e. ARC).
> 
> 
> [...]
> 
>> I'd like to suggest that it may be a good idea to increase the
>> upper value to 4096 or even 8192, to ensure that the standard is
>> compatible with best practices going forward.
> 
> I don't object to increasing it in the standard, but operationally I
> don't think it's a good idea. Per-message processing cost is one
> reason, but the larger one is the semantic value of a DKIM signature,
> and what it is trying to do.
> 
> DKIM is a conversation between two administrative domains, and a
> signature only states that an administrative domain is taking
> responsibility for placing the message in the message stream. Nothing
> more.
> 
> That assurance comes at a cost of whatever integrity that assigns to
> a message that might have been unintended. That message integrity is
> a privacy loss by the users.
> 
> The real-world case in point is the leaked Podesta emails, where some
> people have asserted that authenticity can be checked via the DKIM
> signatures. I've raised an eyebrow on that, and the bottom line is
> that you're presuming that attackers were sophisticated enough to
> steal the email, yet unsophisticated enough that stealing the DKIM
> key from an MTA is out of the question.
> 
> The full discussion is pretty nuanced, and I think the relevant part
> here is that if an administrative domain wants to protect the privacy
> of its users, it should be using *smaller* DKIM keys, not larger
> ones. I think I could convincingly argue that a privacy-friendly
> email provider is better off using 512 bit keys (where there's a
> chance of spam forgery) than 4K keys (where there's a chance of
> ruining the privacy of the customers). Now actually, I think the
> sweet spot for key size is above 512, but it's lower than 768. For
> maximum balance, you want the key to take longer than a week to
> crack, but less than a year, and change it every month. Or something
> like that. You get the idea.

Ick.

I think the property you're aiming for is to not damage
deniability? If not, then can you explain.

I don't think a just-about-dodgy-rsa-length is a good
way to try get that because:

- it's extremely algorithm specific - other algs don't
have similar properties (and it'd be a horribly bad idea
to define 'em)

- it'd be vulnerable to an actual factorisation during
the operational lifetime of a key pair, which is not a
thing we can easily evaluate (more or less damage to
whom overall?)

- no matter that the semantics of a DKIM signature are
well defined to (try to) not damage deniability, we
can't stop people from associating other semantics with
signatures, of any length - IOW, so long as the factorisation
of a modulus isn't known, deniability is damaged

The only up-side of your suggestion I can see is that
it would keep some bad actors busy.

Instead, I'd point out that this can be handled, even now,
by simply rolling to a new key and then shortly publishing
the private key used to sign the messages. That way Podesta
could deny the content once more, at least at the crypto
level.

Whether or not publishing private keys would be something
that the community would do is a fine question, but it'd be
a better approach. (I forget, and didn't look back to see,
if someone suggested this before for DKIM, I think I recall
that someone may have though.)

Releasing the private key when you're done with it, is also
nicely algorithm independent so if we wanted to take that
route that would not prevent us moving DKIM to eddsa to get
the nice benefits that offers over RSA.

I could imagine us writing an RFC about why and how to do
DKIM signature key rollover and private key publication and
would be happy to help if there were a chance it'd get some
traction.

Cheers,
S.


> 
> In any event, I don't object to changing it, but I do think that if
> someone's going to implement long keys, they're going to get
> criticism about enabling surveillance of their users.
> 
> Jon
> 
> 
> 
> _______________________________________________ NOTE WELL: This list
> operates according to http://mipassoc.org/dkim/ietf-list-rules.html
> 


_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email