While we were at M3AAWG, Wired published an article talking about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys smaller than 1024 are vulnerable and not secure and the DKIM spec does not recommend using keys smaller than 1024. When I asked the DKIM-people-who-would-know they did tell me that the news was that the keys had been cracked and used in the wild to spoof email.
Fair enough.
If you are signing with DKIM, use a key 1024 or longer. Anything shorter and your risk having the key cracked and your mail fraudulently signed.
This morning M3AAWG published recommendations on keeping DKIM keys secure.
- Updating to a minimum 1024-bit key length. Shorter keys can be cracked in 72 hours using inexpensive cloud services
- Rotating keys quarterly
- Setting signatures to expire after the current key rotation period and revoking old keys in the DNS
- Using the key test mode only for a short time period and revoking the test key after the ramp-up
- Implementing DMARC in monitoring mode and using DNS to monitor how frequently keys are queried. DMARC (Domain-based Message Authentication, Reporting and Conformance) is another standard often used in conjunction with DKIM
- Using DKIM rather than Domain Keys, which is a depreciated protocol
- Working with any third parties hired to send a company’s email to ensure they are adhering to these best practices
Google took a good step in encouraging folks to upgrade to more secure keys. According to Return Path Gmail is currently failing DKIM for any key 512 and shorter. Keys between 512 and 1024 are still validating, but Gmail will start failing any keys smaller than 1024 in the near future.
RSS - Posts
I think it’s good to mention here that, assuming Google does things the proper way, “failing DKIM” means they will pretend there is no DKIM key. They will not “fail” (i.e. block or bounce) the messages themselves. So if you’re reading this and your key length is 512 bits, you don’t have to fix it tonight, you can fix it first thing in the morning.
After that vulnerability was reported I wrote tool to check DKIM TXT records and determine their key length so you can see if you are using a short key (less than 1024 bits):
http://www.protodave.com/tools/dkim-key-checker/
protodave, that’s a great little tool for checking DKIM keys….thanks.
you mean this article?
http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/
Yup. I even linked to it in my blog post.
When will the “big guys” (Google, MS, Yahoo) in their eternal wisdom decide that 1024 is too short as well? What I’m seeing in the field is 2048 keys being used forever. Big third party mailers telling their customers to put their generic public key as a TXT-record in their DNS. For starters they compromise their customer’s goal to have control over their domain as now all their other customers can mail as another customer. When that strong key is somehow compromised they can’t really refresh the key as they have no close relationship with their customers to make sure their TXT-record gets updated in DNS.
I myself use 2 selectors and tell my customers to create 2 cnames which point to 2 TXT-records that contain a 1024-bit public key. Those keys will be used for 3 days and will have a lifetime of 6 days.
I strongly believe that shortlived short keys are much better than longlived long keys.