ietf-dkim

Re: [ietf-dkim] Deployment Non-Scenario 7: Cryptographic Upgrade and Downgrade Attacks

2007-02-28 07:33:46
John doesn't seem to have sent this to the list (maybe because I sent separate copies to him and to the list).

On Tue, 27 Feb 2007 07:30:03 -0000, John L <johnl(_at_)iecc(_dot_)com> wrote:

So you consult the SSP for the signing domain to see whether the combination of dkim-2, rsa, sha-foo, complicated, strained and dns/funny could have come from that domain, and if so whether there should have been a further signature which you ought to check. And then you have sufficient information to decide whether it had failed because your Magic software was inadequate, or because it was a bogus signature from a spammer.

You know, spammers can fetch SSP records just like you can and can use them to concoct bogus signatures.

Could you do me a favor and sketch out in pseudocode the algorithm to distinguish an actual signature made with a signature algorithm you can't check from a fake signature applied by a spammer who looked at the SSP and made up a signature identical in all regards to a real one except that the unverifiable signature bits are random?

You can't tell that, but you don't need to.

If the SSP says "I always sign with A and B", and the spammer reads that, then he knows he has to produce fake signatures for both A and B. So if he only provides a fake B, then you know he is spamming.

OTOH, if he provides a fake A and a fake B, then even though you can't check B, you can still detect that the fake A does not verify (because you DO know how to check A).

While you're at it, how about the same thing to distinguish a real message signed with a body hash you can't check from a spam that took the headers and signature from a real message and a new spam body.

In exactly the same way. If the signer only uses an algorithm (including its hash) that you cannot verify, then you are stuck (and the signer was stupid for signing only with a not-widely-known hash). But if the signer went to the trouble of signing twice (using both older and new hashes), and published that fact in his SSP, then you are safe if you manage to verify using one of them.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
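
The check described in the message above, written out as an added example; it is not part of the original post and not taken from any DKIM or SSP specification. It shows the four outcomes the message walks through: a declared signature is missing, a checkable signature fails, a checkable signature verifies, or nothing on the message can be checked. Assumptions: `evaluate`, `sign`, `fake` and `KEY` are hypothetical names, sha256 plays "A" and sha3_512 plays "B", and an HMAC over the body stands in for the real DKIM signature and body hash.

```python
import hashlib
import hmac
import os

# Constructed stand-in: an HMAC under a demo key replaces DKIM's public-key
# signature so the example runs offline. Only the policy logic is the point.
KEY = b"demo-signing-key"

def sign(alg, body):
    return hmac.new(KEY, body, getattr(hashlib, alg)).digest()

def evaluate(declared, sigs, body, supported):
    """declared: algorithms the signer's (hypothetical) SSP says it always uses.
    sigs: {algorithm: signature bytes} found on the message.
    supported: algorithms this verifier is able to check."""
    missing = sorted(set(declared) - set(sigs))
    if missing:
        return ("fail", "declared signature missing: " + ", ".join(missing))
    checkable = [alg for alg in sigs if alg in supported]
    for alg in checkable:
        if not hmac.compare_digest(sign(alg, body), sigs[alg]):
            return ("fail", alg + " signature does not verify")
    if checkable:
        return ("pass", "verified with " + ", ".join(sorted(checkable)))
    return ("unknown", "no signature uses an algorithm we can check")

# Constructed sample data: A = sha256 (checkable), B = sha3_512 (not checkable here).
SSP = ["sha256", "sha3_512"]
CAN_CHECK = {"sha256"}
REAL_BODY = b"Quarterly report attached.\r\n"
REAL_SIGS = {alg: sign(alg, REAL_BODY) for alg in SSP}

def fake(alg):
    # Random bytes of the right length, as a forger without the key would produce.
    return os.urandom(getattr(hashlib, alg)().digest_size)

if __name__ == "__main__":
    cases = {
        "genuine, signed with A and B": (SSP, REAL_SIGS, REAL_BODY),
        "fake B only": (SSP, {"sha3_512": fake("sha3_512")}, b"spam"),
        "fake A and fake B": (SSP, {a: fake(a) for a in SSP}, b"spam"),
        "real signatures, new body": (SSP, REAL_SIGS, b"spam"),
        "signer uses B only": (["sha3_512"], {"sha3_512": REAL_SIGS["sha3_512"]}, REAL_BODY),
    }
    for name, (declared, sigs, body) in cases.items():
        print(name, "->", evaluate(declared, sigs, body, CAN_CHECK))
```
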
