ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks

2006-01-30 12:54:20
from [Hector Santos] [Permanent Link] 
Suggested correction to TA:

Add a new attack item:

   Inconsistent Signature vs. Policy Attacks
         Impact: High
         Likelihood: High

If a new column "Detection/recovery" is added as suggested in a previous
TA review comment, then this would change to:

   Inconsistent Policy Attacks
         Impact: Low
         Likelihood: High
         Detection/Recovery: High

Background reasoning:

Currently the SSP draft intent is to only apply SSP against messages
lacking a signature.  If a valid signature is found, then SSP is not
necessary.  [Note: if this understanding is incorrect, please correct
it.]

Ironically, this SSP draft specification would present the highest and
more probable threats or occurrence of the DKIM/SSP proposal.  By
following the draft specification, there will be many loopholes.

Example loopholes:

1) A message is signed, but the SSP indicated a "o=." (No mail expected
   from domain).

2) A message is signed, but the first party domain has no declaration of
   a signing policy.  Currently, the SSP draft has no specification to
   expose a "No signature expected" policy.  Instead, the NXDOMAIN DNS
   result for a SSP will result with a default o=~ policy (optional
   signing by any party).

3) A message is signed by a 3rd party, but the SSP indicated a o=!
   policy where the original domain signature is required, and a 3rd
   party signature is not expected but allowed to be present.

   Note: The o=! policy can be a defined a "near exclusive" policy, but
   it is not an absolute exclusive policy consideration.

4) Although there is no current SSP specified in the draft to declare an
   optional original domain signature and no 3rd party signing expected
   the policy exist for this scenario to occur.

These signed mail "NO need for SSP" attacks should be consider to have a
high potential occurrence with direct attacks and indirect attacks.

Direct attacks would be bad actor attempts to exploit compliant DKIM/SSP
systems. Indirect attacks would be bad actors attempts to exploit
non-compliant DKIM/SSP and rely in "social engineering" exploits.  With
indirect attacks, bad actors will not emphasize on protocol correctness.

These attacks can be detected if the SSP is checked against the domain
whether the message is signed or not.  This will lower the risk, the
uncertainty of bad attack exploits and hence, lower the impact of these
high probably attacks

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com




_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Attempted summary, SSP again, Hector Santos
Next by Date:  Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks, Tony Hansen
Previous by Thread:  [ietf-dkim] New issue: Threat-00 Eavesdropping may permit man-in-the-middle as well., Douglas Otis
Next by Thread:  Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item: Inconsistent Signature vs Policy Attacks, Tony Hansen
Indexes:  [Date] [Thread] [Top] [All Lists]