ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks

2007-02-23 13:12:51
from [Dave Crocker] [Permanent Link] 


Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks
In the case that a signer advertises key records for multiple signature algorithms this may allow an attacker to circumvent an insufficiently expressive signature policy. 

Example:
Legitimate sender advertises key records A, B. Record A describes a signature key for a widely supported signature algorithm. Record B describes a signature key for a signature algorithm that is not generally supported. The senders signature policy says 'I always sign every message'. The sender always signs messages with algorithm A (whether algorithm B is used by the legitimate sender as an additional algorithm or not does not affect the success of the attack).
Color me confused. I thought we agreed long ago that downgrade attacks were not an issue for the problem DKIM addresses.
In general, there are myriad ways to break a signed message, to render the signature invalid. We have chosen not to attempt to prevent breakage.
More basically, we are moving quickly into the morass of requiring SSP lookups for signed messages, rather than limiting SSP for use with unsigned messages.
Besides the technical hassle of adding overhead, this also means that current potential adopters of DKIM will see DKIM -base use as remaining unstable. And I hope folks do not understimate the danger from this, because it has already been a point of discussion in industry meetings among potential adopters. 

There is a very simple distinction we can make:
If a message is signed, then the signature (and associated key information) speaks for itself. If the organization has constraints on who is allowed to sign a message or what message they are allowed to sign, or what algorithms they are supposed to use, then that is a matter for internal management within the organization. It is not the job of a public standard to recruit a recipient into enforcing sender-side internal administrative policies. If an organization chooses to publish support for a weak algorithm, again, that is their problem, not the recipient's.
Hence, SSP should be used for receipt of unsigned messages. Statements like "I sign everything" and "I send no mail" are examples. 

d/



--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [ietf-dkim] Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks, Hallam-Baker, Phillip
Next by Date:  Re: [ietf-dkim] Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks, Hector Santos
Previous by Thread:  Re: [ietf-dkim] Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks, Paul Hoffman
Next by Thread:  Re: [ietf-dkim] Deployment Scenario 7: Cryptographic Upgrade and Downgrade Attacks, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]