IETF Logo Mail Archive

Re: [ietf-dkim] DKIM Key Sizes

Jim Fenton <fenton@bluepopcorn.net> Thu, 03 November 2016 21:23 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B1421296E0 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Thu, 3 Nov 2016 14:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.99
X-Spam-Level:
X-Spam-Status: No, score=-0.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, LOTS_OF_MONEY=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bluepopcorn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id REPy5zBJ7bXm for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Thu, 3 Nov 2016 14:23:55 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDAA41298D9 for <ietf-dkim-archive@ietf.org>; Thu, 3 Nov 2016 14:23:55 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id uA3LNMSB031872; Thu, 3 Nov 2016 14:23:24 -0700
Authentication-Results: simon.songbird.com; dkim=fail reason="verification failed; unprotected key" header.d=bluepopcorn.net header.i=@bluepopcorn.net header.b=DPlsaTSt; dkim-adsp=fail (unprotected policy); dkim-atps=neutral
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [174.136.102.250]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id uA3LNJ3R031860 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <ietf-dkim@mipassoc.org>; Thu, 3 Nov 2016 14:23:21 -0700
Received: from splunge.local ([IPv6:2601:647:4001:a0c0:f013:87b1:86d2:25be]) (authenticated bits=0) by v2.bluepopcorn.net (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id uA3LMR2Z006409 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <ietf-dkim@mipassoc.org>; Thu, 3 Nov 2016 14:22:31 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bluepopcorn.net; s=supersize; t=1478208151; bh=pXZNt/GZ5GbsCLCT9N+S551fJiQsBGOYDXLdbFdfp3M=; h=Subject:To:References:From:Date:In-Reply-To; b=DPlsaTStOeoaY1Ty5A4EzShkyowa0Ya8+kg4Mrp1yJuNN5o+twto//drbpAn3z7mx 1zjtM7LIlcMIvf0Sl438KEK0LObJw7sVwnkbaTKU1RAfn8Y4iPwCaSO24NdO0QmQN4 2afMo26wtRnrW0Vi+HI6atDSZSiDLF05sLZnaXs8=
To: ietf-dkim@mipassoc.org
References: <CAOj=BA3TFzxnHHZ+-tpoMCWxhaGvOg0RREbcYbpzS9g3g8i=Qg@mail.gmail.com> <33093A9D-5406-4BEF-AE65-66696B664593@callas.org> <041f61a9-df5a-5c67-6640-6b1c05bf6c9f@cisco.com> <7AEC818C-3413-4DDC-8FA9-12711EAD7814@callas.org>
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <6c5dc663-e6bd-6550-53d9-397a294cca06@bluepopcorn.net>
Date: Thu, 03 Nov 2016 14:22:21 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <7AEC818C-3413-4DDC-8FA9-12711EAD7814@callas.org>
X-MIME-Autoconverted: from quoted-printable to 8bit by simon.songbird.com id uA3LNJ3R031860
Subject: Re: [ietf-dkim] DKIM Key Sizes
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>

On 10/30/16 4:05 PM, Jon Callas wrote:
>
> > On Oct 28, 2016, at 5:02 AM, Eliot Lear <lear@cisco.com> wrote:
>
> > If it’s the same conversation I was engaged in, I think the person was
> > just confused.  A simpler approach to plausible deniability is simply
> > not to sign.  And further, just because a person can hack someone’s
> > personal message store, as seems to have happened to Podesta, doesn’t
> > mean that they can hack the private key out of Google.  Furthermore,
> > using the example above, the key would actually have to be around for a
> > while (e.g., not rotate out of DNS).  In fact, if the key really is
> > intended to verify the source over a longer period of time than, say,
> > delivery, certainly 512 is not enough.
>
> Yup! I agree completely. If the key is intended to verify the source
> longer than delivery, then 512 is not enough.
>
> And -- the key is *PRECISELY* intended to verify the source *NO*
> *LONGER* than delivery. 512 probably still isn't quite enough, since
> you can break a 512-bit key too easily. If I lick my finger and stick
> it into the wind, 600-700 bits is about where they should be.

I recall no discussion (prior to this leak) about non-repudiation
characteristics of DKIM. We were concerned about making sure the
signatures are verifiable for long enough for the recipient MTA to
verify them (~1 week, accounting for delivery delays) and that there is
no requirement that they be verifiable longer than that. But there was
no effort to constrain the validity beyond that. We were concerned that
requiring large DKIM keys would be a barrier to deployment, largely
because of the computational burden it might impose on bulk senders. But
nothing other than DNS concerns about discouraging large keys.

It was perhaps an oversight not to mention it somewhere, in a similar
manner to the brief mention of information leakage (RFC 6376 section 8.10).

> I think it was Mark Delaney's words in his mission statement for the
> DK part of DKIM that it lets Alice's ISP know that a message from her
> from her bank actually came from her bank, even when forwarded through
> her alumni association. DKIM gives source attribution that travels
> with the message.
>
> However, that source attribution has another side to it. That other
> side is that at its core, one might say a DKIM signature is in a
> similar moral space as the "super cookies" that some providers put
> into web connections (like Verizon, who the FTC fined $1.3M). It is a
> tracking thing that is put without the user's consent into their email
> that can be used for identification later without their knowledge.
> Worse, it's not merely a cookie that's a constant, it's a
> content-specific digital signature. Shock horror.

Ouch. I really don't get the analogy between an identifier that is
placed on a user's computer and, without their knowledge, permits
tracking their browsing, and this signature (that doesn't even represent
an individual) that travels with a message.
>
> Now of course, the counter-argument is about the semantic layer. Yeah,
> syntactically, there's a resemblance, but the reason they're different
> is many-fold and has to do with purpose, use, and so on.
>
> For one, the "super cookies" are a conversation between the network
> provider and an ad network that does not benefit the user in any way.
> They are an *exploitation* of the user. A DKIM signature benefits us
> all through that initial use case. They add to the public health of
> the Internet as a whole and the email infrastructure at large. I can
> mount a vigorous defense of DKIM, but I could also use DKIM in a
> defense of tracking cookies. I believe I could also shoot down that
> analogy.

Wandering off topic, but I'm positive the purveyors of super cookies
will cite "getting more relevant ads" as a benefit to the user. But what
does DKIM track?
>
> I also think that we can improve DKIM in a lot of ways operationally
> that further breaks whatever improper analogy there is. We also ought
> to re-examine a lot of the email infrastructure with a post-Snowden
> eye, and that eye should include a post-Yahoo-scanning scandal as
> well. We really should look at how much the email ecosystem as a whole
> has become part of the broader surveillance structure of the Internet.
>
> These include:
>
> - MDAs should strip out DKIM signatures. If they did, my whole silly
> comments about key sizes are moot. It means that they aren't part of
> the whole permanent record of email stores and their insecurity
> because of the peculiar legal status of email.
>
> - MDAs should also be stripping Received headers and a bunch of
> others. Received headers write in stone the geoposition someone was at
> when they pressed send. It's a 4-space pin in the map. You can track
> people in their business travels by looking through old mailing list
> archives. You can see what type of computer they run, what MUA they
> are using, and their upgrade patterns. All the better to spearphish
> them with.
>
> - That goes double for you, Mailman. And any other list archiver.

This reminds me of the discussion on the Shutup mailing list late last
year and earlier this year. AFAIK, that didn't end up going anywhere,
but there is much more exploitable information in Received header fields
(like IP address of the sender) than there is in DKIM signatures.
>
> These and more are part of why email is so broken these days. It was
> made for an environment when we all used terminals on timesharing
> systems and things that made sense then (putting logging and debug
> information into a message) do not make sense in a world of mass
> surveillance. Cleaning up old messes is always hard, and this is
> another one.
>
> But anyway, back to DKIM --
>
> The problem here -- DKIM being a super cookie -- can be handled any
> number of ways. One of those is to rotate keys frequently. Really, big
> ISPs like Google and Yahoo and Apple and Microsoft ought to be putting
> out keys with one week of use and two weeks of life. That doesn't
> solve the whole problem because there's no reason why The Internet
> Archive or other entities can't just start archiving the DKIM public
> keys. Moreover, even if you rotate the keys, that merely downgrades
> the DKIM information from being a cryptographically authenticated
> super cookie to an unauthenticated super cookie (like the ones Verizon
> was using).

I don't agree. If someone is concerned about deniability of their
messages, they should be concerned about deniability of "fresh" messages
sent within the past day as well.

This isn't is a problem for DKIM to try to solve. Few enough people care
about non-repudiation of their messages to drive deployment of any
change. For the few that do, perhaps some of the more privacy-focused
email providers will provide an option not to DKIM-sign your messages.
Or they can run their own mail server :)

The real problem here is that the messages leaked in the first place,
not that we had evidence that they were genuine.

-Jim



_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email