IETF Logo Mail Archive

[Ietf-dkim] DKIM replay mitigations

Wei Chuang <weihaw@google.com> Mon, 22 August 2022 21:54 UTC

Return-Path: <weihaw@google.com>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F4DBC157902 for <ietf-dkim@ietfa.amsl.com>; Mon, 22 Aug 2022 14:54:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJH70lw_bHTa for <ietf-dkim@ietfa.amsl.com>; Mon, 22 Aug 2022 14:54:25 -0700 (PDT)
Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A5DDC157901 for <Ietf-dkim@ietf.org>; Mon, 22 Aug 2022 14:53:29 -0700 (PDT)
Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-324ec5a9e97so331251857b3.7 for <Ietf-dkim@ietf.org>; Mon, 22 Aug 2022 14:53:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date; bh=noZLGXPjXaI4YkuOEdJtjKJC9JCFjD14kPm0KZI/4lE=; b=V0QOmaAoerpX9BxINid+sqq5QOCJvalu6tEPIYi4VABn4jIQE8weJGwW53GMGmoYt0 5qY70Ad6ma1v91tpKKb6mz1J22DlbjbA2V+jvv5bJ5NElVMJ39wRMDEt+BRXp4jts+0m 1g+A3zx3YM74rLlvUxWGN4btRUn0BbU1V9pWsYVdWsxEgD0YyqjHvXV8EaiLlaWEGIas eDdz5GF9zrJxAF5XueqPaVABeLBEdi7dgScs0aGzrV/BcLrlkfTTyCYP4F+VSfW0CfaO dczL9wwPUuXymkgl0G8ds+N/hHKHdCd2XJOrpLNC51zZUAjxVaKte+XI5japWNHibI9K 2/JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date; bh=noZLGXPjXaI4YkuOEdJtjKJC9JCFjD14kPm0KZI/4lE=; b=XUAn6p9PjuTaOO7SFFN7T1Bxs6Ln5XC6xYHn0ZgpNQl7g0rMUvM1yiKFJyMFBQN722 wBoJmjc0KVQWlxsVKpEzcH33nfPC27pml/PlxGUSenVRm9g6H3LdQ1G1rQI7+U0uc3uS XFfK3hnhgylSPUHWlXO5q1vRtM7dXhx1xIFSNBA9y759wBKzz1eagIBc4zYjHs+Yw2zQ XHk0sGCoPOzZQRi/fQl5j0KvqmiqGNcEYW/8EGTfr8jK1zAV1lLwSX7di8JL+1bjhgwL hht1E6D9uh5n4jpTFEx/md1ut1C00IqBRg0TT3d0KMZx6Fwhi79NjbZ4knNYL0hCL9i9 8dhw==
X-Gm-Message-State: ACgBeo3hxXwDO8f73I36QDkO0Z4W3kx5RUAc4iSZq+VfT1PgbB2WGVrp 6UXgJandirgwfXQoBAQyTtOI3iJh1HeAUJjv8SSHUPJPVUc3Jw==
X-Google-Smtp-Source: AA6agR4hmKfhAaD6p0jMB8I08L6t22h2DvIHtNAXgJr2myCJGv9wHj85JSjryDG8PEgDL5KW4F0fQRemhM3KMlaNth8=
X-Received: by 2002:a5b:d09:0:b0:695:f25c:fa14 with SMTP id y9-20020a5b0d09000000b00695f25cfa14mr159053ybp.163.1661205207358; Mon, 22 Aug 2022 14:53:27 -0700 (PDT)
MIME-Version: 1.0
From: Wei Chuang <weihaw@google.com>
Date: Mon, 22 Aug 2022 14:53:16 -0700
Message-ID: <CAAFsWK2pXVK4xbNT=u2RkUr5_53GYFavh-be1pDWYviLx6KOrw@mail.gmail.com>
To: Ietf-dkim@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000051974505e6db7a5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/F06-r4OUlYSVcpF6_-3s1vH7XoQ>
Subject: [Ietf-dkim] DKIM replay mitigations
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2022 21:54:25 -0000

Hi,
One of the known security challenges in DKIM is its vulnerability to replay
attacks as already mentioned in Security Considerations section 8.6
<https://datatracker.ietf.org/doc/html/draft-ietf-dkim-rfc4871bis#section-8.6>,
and has been raised at recent M3AAWGs as a significant challenge.  I'd like
to propose a couple of concepts for dealing with DKIM replay.  Depending on
where the conversation goes, I can get into proposals for technical
specification level proposals.

DKIM replay typically takes advantage of capturing a DKIM signed message
from the inbox and then rebroadcasting it out to many users.  Taking that
observation there are a couple of directions for mitigations.
1. We can try to detect and prevent the recipient amplification.  One way
may be to specify that the sender must always DKIM sign for the who the
intended recipient is including through mailing lists and forwarding
scenarios, in such a way that the receiver can check for this.  If the
intended recipient verification fails, then it may be an indication of
replay.  This must work for multiple forwarding hops and enterprise
scenarios, and when forwarders don't participate.
2. Distinguish signed messages in the inbox versus those in transit.  If we
see messages that were signed messages meant to be in the inbox, suddenly
in transit again, this likely indicates a replayed message.
3. Strengthen message digital signing to be replay resistant.  Currently
DKIM signature's identity just says it is associated with a particular
sender.  Perhaps we ought to tie the signature back to a particular SMTP
transaction by signing for both the sender, receiver and timestamp.  We
could add more specification around the timestamp to make it more workable
in the email distributed forwarding system for replay detection.  Put this
signature in a framework such as ARC that describes forwarding hops
better, so that receivers can make use of those identities with
forwarding.  Using ARC as the signing framework also helps proposal 1).
Again consider when receivers don't participate.  (This is a highly complex
scenario and likely I'm missing important details in trying to summarize)

All the while, using ARC as a framework may allow future support for
another long standing issue, which is working on message modification while
forwarding, in particular for mailing lists.  The proposal
draft-kucherawy-dkim-list-canon-01
<https://datatracker.ietf.org/doc/html/draft-kucherawy-dkim-list-canon-01>
provides
a framework for handling common mailing list modifications by identifying
those modifications.  Putting it into ARC, may generalize this by
identifying who made the modifications and be able to tolerate multiple
such modifications such multiple mailing list expansions.

Looking forward to your initial thoughts about feasibility and interest.
-Wei

v2.23.0 | Report a Bug | By Email