Re: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04

Scott Kitterman <scott@kitterman.com> Wed, 13 September 2017 04:23 UTC

Return-Path: <scott@kitterman.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 372DF133529; Tue, 12 Sep 2017 21:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YO83c6aAlAO1; Tue, 12 Sep 2017 21:23:01 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C744E132964; Tue, 12 Sep 2017 21:23:01 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id B6025C4026D; Tue, 12 Sep 2017 23:23:00 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1505276580; bh=/Q3ZcBZ4tJ5guRIflAZw2OW4KbWxbVllRJsbGrRlcdQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YF2BpDKhYe/g2XxNn+yEv9mOav7RcnZpaMhwQRKei8jrKbTWp0Za2Gwd2rExSmk3M MSGw6kBxXavwLHoiik1SqUCVNloV37n/5f9NqVUFdWaOW2NsMsKvEWnOXv2fLpX2kW 7MhQZhzeH6zHCA66IOwEZHn6P1SAUgfC5cChW7CI=
From: Scott Kitterman <scott@kitterman.com>
To: Magnus =?ISO-8859-1?Q?Nystr=F6m?= <magnusn@gmail.com>
Cc: Russ Housley <housley@vigilsec.com>, IETF SecDir <secdir@ietf.org>, draft-ietf-dcrup-dkim-usage@ietf.org
Date: Wed, 13 Sep 2017 00:23 -0400
Message-ID: <2566282.xocsd9b6fN@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-125-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <CADajj4Z6Bo0pW-1ixjK+Eseq46wZB3rL4MbYv1nfj__32nPNBQ@mail.gmail.com>
References: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com> <9B7000BF-A3DA-4344-B12E-A0D678D76993@vigilsec.com> <CADajj4Z6Bo0pW-1ixjK+Eseq46wZB3rL4MbYv1nfj__32nPNBQ@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OJavZIJtLyjh_P47TdOegnX6h3w>
Subject: Re: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 04:23:03 -0000

We did consider a larger minimum in the working group.  The conclusion we 
reached was that, given the other text that is in a key record the longest key 
that would reliably fit in a single DNS TXT string is 1156 bits.

There are a surprisingly large number of DNS providers that do not allow 
multi-string DNS TXT records, so any requirement for larger that 1156 bits 
would create a large, new barrier to deployment.

The WG perspective was that the added security changing from 1024 bits (which 
is very commonly used today) to 1156 bits was not worth the friction it would 
cause.

There is another document coming that will add Ed25519 to DKIM.  Ed25519 keys 
do not have the same length issues that RSA keys do. The long-term path for 
DKIM to improve security in the face of the common shortfalls of DNS 
provisioning systems is Ed25519, but that will take time to deploy.

Is there enough value in 1156 bits over 1024 bits that we should change it to 
an unusual key size?

Scott K

P.S.  I am not subscribed to the secdir list, so please keep me in cc on 
replies.

On Tuesday, September 12, 2017 08:43:05 PM Magnus Nyström wrote:
> Yes, Russ. Perhaps "When using RSA, signers MUST use keys at least 2048
> bits long." (I could imagine that at some point DKIM would support ECC)
> Thanks,
> 
> On Tue, Sep 12, 2017 at 8:11 PM, Russ Housley <housley@vigilsec.com> wrote:
> > Magnus:
> > 
> > I agree with your recommendation, but I would like to make sure I
> > 
> > understand your suggestion.  The document says:
> >    ...  Since short RSA keys more easily succumb to
> >    off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
> >    all keys.  Signers SHOULD use RSA keys of at least 2048 bits. ...
> > 
> > You want to change "1024" to "2048", and then drop the following sentence,
> > right?
> > 
> > Russ
> > 
> > 
> > On Sep 12, 2017, at 2:33 AM, Magnus Nyström <magnusn@gmail.com> wrote:
> > 
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.
> > These comments were written primarily for the benefit of the security area
> > directors. Document editors and WG chairs should treat these comments just
> > like any other last call comments.
> > 
> > This document intends to update the DKIM specification with a new
> > mandatory hash algorithm (SHA-256) and new RSA key size requirements.
> > 
> > While I definitely agree with the stated direction, I do wonder about the
> > RSA 1024 bit key size recommendation. Conventionally, this corresponds to
> > about 80-bit security and to reach the equivalent of 128-bit security
> > (which is what SHA-256 gives), a 3072-bit RSA key size should be
> > recommended. In this day and age, mandating only 1024 bits seems a little
> > weak. I recognize there may be limitations in the DNS records storing
> > these
> > keys, but it should be possible to store at  least 2048-bit keys (256
> > bits)
> > (corresponding roughly to 112-bit security) or at least close to it and
> > thus why not require 2048 bit RSA keys as a minimum? 1024 bit keys are, as
> > is also commonly known, considered "legacy" by NIST SP 800-57 part 1 and
> > shouldn't be used for new signatures at this point.
> > 
> > 
> > -- Magnus