[Ietf-dkim] DKIM replay mitigations
Wei Chuang <weihaw@google.com> Mon, 22 August 2022 21:54 UTC
Return-Path: <weihaw@google.com>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F4DBC157902 for <ietf-dkim@ietfa.amsl.com>; Mon, 22 Aug 2022 14:54:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJH70lw_bHTa for <ietf-dkim@ietfa.amsl.com>; Mon, 22 Aug 2022 14:54:25 -0700 (PDT)
Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A5DDC157901 for <Ietf-dkim@ietf.org>; Mon, 22 Aug 2022 14:53:29 -0700 (PDT)
Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-324ec5a9e97so331251857b3.7 for <Ietf-dkim@ietf.org>; Mon, 22 Aug 2022 14:53:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date; bh=noZLGXPjXaI4YkuOEdJtjKJC9JCFjD14kPm0KZI/4lE=; b=V0QOmaAoerpX9BxINid+sqq5QOCJvalu6tEPIYi4VABn4jIQE8weJGwW53GMGmoYt0 5qY70Ad6ma1v91tpKKb6mz1J22DlbjbA2V+jvv5bJ5NElVMJ39wRMDEt+BRXp4jts+0m 1g+A3zx3YM74rLlvUxWGN4btRUn0BbU1V9pWsYVdWsxEgD0YyqjHvXV8EaiLlaWEGIas eDdz5GF9zrJxAF5XueqPaVABeLBEdi7dgScs0aGzrV/BcLrlkfTTyCYP4F+VSfW0CfaO dczL9wwPUuXymkgl0G8ds+N/hHKHdCd2XJOrpLNC51zZUAjxVaKte+XI5japWNHibI9K 2/JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date; bh=noZLGXPjXaI4YkuOEdJtjKJC9JCFjD14kPm0KZI/4lE=; b=XUAn6p9PjuTaOO7SFFN7T1Bxs6Ln5XC6xYHn0ZgpNQl7g0rMUvM1yiKFJyMFBQN722 wBoJmjc0KVQWlxsVKpEzcH33nfPC27pml/PlxGUSenVRm9g6H3LdQ1G1rQI7+U0uc3uS XFfK3hnhgylSPUHWlXO5q1vRtM7dXhx1xIFSNBA9y759wBKzz1eagIBc4zYjHs+Yw2zQ XHk0sGCoPOzZQRi/fQl5j0KvqmiqGNcEYW/8EGTfr8jK1zAV1lLwSX7di8JL+1bjhgwL hht1E6D9uh5n4jpTFEx/md1ut1C00IqBRg0TT3d0KMZx6Fwhi79NjbZ4knNYL0hCL9i9 8dhw==
X-Gm-Message-State: ACgBeo3hxXwDO8f73I36QDkO0Z4W3kx5RUAc4iSZq+VfT1PgbB2WGVrp 6UXgJandirgwfXQoBAQyTtOI3iJh1HeAUJjv8SSHUPJPVUc3Jw==
X-Google-Smtp-Source: AA6agR4hmKfhAaD6p0jMB8I08L6t22h2DvIHtNAXgJr2myCJGv9wHj85JSjryDG8PEgDL5KW4F0fQRemhM3KMlaNth8=
X-Received: by 2002:a5b:d09:0:b0:695:f25c:fa14 with SMTP id y9-20020a5b0d09000000b00695f25cfa14mr159053ybp.163.1661205207358; Mon, 22 Aug 2022 14:53:27 -0700 (PDT)
MIME-Version: 1.0
From: Wei Chuang <weihaw@google.com>
Date: Mon, 22 Aug 2022 14:53:16 -0700
Message-ID: <CAAFsWK2pXVK4xbNT=u2RkUr5_53GYFavh-be1pDWYviLx6KOrw@mail.gmail.com>
To: Ietf-dkim@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000051974505e6db7a5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/F06-r4OUlYSVcpF6_-3s1vH7XoQ>
Subject: [Ietf-dkim] DKIM replay mitigations
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2022 21:54:25 -0000
Hi, One of the known security challenges in DKIM is its vulnerability to replay attacks as already mentioned in Security Considerations section 8.6 <https://datatracker.ietf.org/doc/html/draft-ietf-dkim-rfc4871bis#section-8.6>, and has been raised at recent M3AAWGs as a significant challenge. I'd like to propose a couple of concepts for dealing with DKIM replay. Depending on where the conversation goes, I can get into proposals for technical specification level proposals. DKIM replay typically takes advantage of capturing a DKIM signed message from the inbox and then rebroadcasting it out to many users. Taking that observation there are a couple of directions for mitigations. 1. We can try to detect and prevent the recipient amplification. One way may be to specify that the sender must always DKIM sign for the who the intended recipient is including through mailing lists and forwarding scenarios, in such a way that the receiver can check for this. If the intended recipient verification fails, then it may be an indication of replay. This must work for multiple forwarding hops and enterprise scenarios, and when forwarders don't participate. 2. Distinguish signed messages in the inbox versus those in transit. If we see messages that were signed messages meant to be in the inbox, suddenly in transit again, this likely indicates a replayed message. 3. Strengthen message digital signing to be replay resistant. Currently DKIM signature's identity just says it is associated with a particular sender. Perhaps we ought to tie the signature back to a particular SMTP transaction by signing for both the sender, receiver and timestamp. We could add more specification around the timestamp to make it more workable in the email distributed forwarding system for replay detection. Put this signature in a framework such as ARC that describes forwarding hops better, so that receivers can make use of those identities with forwarding. Using ARC as the signing framework also helps proposal 1). Again consider when receivers don't participate. (This is a highly complex scenario and likely I'm missing important details in trying to summarize) All the while, using ARC as a framework may allow future support for another long standing issue, which is working on message modification while forwarding, in particular for mailing lists. The proposal draft-kucherawy-dkim-list-canon-01 <https://datatracker.ietf.org/doc/html/draft-kucherawy-dkim-list-canon-01> provides a framework for handling common mailing list modifications by identifying those modifications. Putting it into ARC, may generalize this by identifying who made the modifications and be able to tolerate multiple such modifications such multiple mailing list expansions. Looking forward to your initial thoughts about feasibility and interest. -Wei
- [Ietf-dkim] DKIM replay mitigations Wei Chuang
- Re: [Ietf-dkim] DKIM replay mitigations Alessandro Vesely
- Re: [Ietf-dkim] DKIM replay mitigations Wei Chuang
- Re: [Ietf-dkim] DKIM replay mitigations Alessandro Vesely
- Re: [Ietf-dkim] DKIM replay mitigations Wei Chuang
- Re: [Ietf-dkim] DKIM replay mitigations Scott Kitterman
- Re: [Ietf-dkim] DKIM replay mitigations Alessandro Vesely
- Re: [Ietf-dkim] DKIM replay mitigations Wei Chuang