There were several requests at the BOF for a DKIM 'threat model'. I
believe that what people were really asking for however was a concrete
statement of what they believe DKIM can achieve and how it can be
effective against specific types of Internet crime.
I believe that such a vision does exist, at least I have written a book
setting out such a vision. While I am happy to send people a Word or PDF
for review if they are interested in the full account I think we owe
people a somewhat shorter vision statement than 100,000 words.
Axiom: Ubiquitous Authentication is Good
The starting point for DomainKeys, Identified Internet Mail and our own
proposal Authenticated Sender is a belief that authenticating email is a
good thing to do in and of itself. As was pointed out at the BOF, it is
unlikely that RFC 822 would pass today without some form of strong
authentication mechanism.
The ultimate goal of DKIM is to achieve a situation where email
authentication is ubiquitous and the unsigned email becomes the
exception rather than, as is the case today, the rule. Only when the
majority of Internet email is authenticated is it possible to draw
interesting conclusions from the lack of authentication.
This naturally raises an important privacy issue: anonymity and
pseudonymity are considered valuable qualities of the current email
system. The underlying belief of DKIM is that ubiquitous authentication
to a domain name is not a privacy concern. Knowing that a mail
definitely came from yahoo.com does not threaten the anonymity of the
user if it is still possible to obtain effectively anonymous accounts
at yahoo.com and other web mail providers.
While S/MIME and PGP were designed to provide email authentication, they
are designed to provide a very high degree of security to a technically
astute user who has identified a need for security. Both have an
intrusive impact on the message body. Discussions with major banks,
including banks that have deployed S/MIME for internal use, strongly
indicate that neither S/MIME nor PGP will allow for ubiquitous use in
the near future.
A second problem with the existing protocols is that neither has
provided an adequate answer to the problem of key distribution. The PGP
Web of Trust model requires a considerable degree of maintenance that
increases in proportion to the size of the network. The S/MIME
certification authority model imposes a financial cost that is
prohibitive in certain applications.
Although cryptographic authentication requires more CPU time than
path-based authentication mechanisms (SenderID/SPF), this is not
considered prohibitive and is generally outweighed by a reduction in
the cost of administration. A cryptographic private key is bound to the
signing server, whereas an IP address is a result of the network
configuration. The cryptographic approach is therefore much more robust
in the face of real network configuration issues such as forwarding. It
also provides an opportunity to make use of existing work on PKI-based
trust infrastructures in those cases where they are appropriate and add
real value.
It follows then that a new message signature scheme is required to meet
the goal of ubiquitous authentication. It is important to note that all
three of the proposals designed to meet this need that I am able to cite
share the same design elements, namely:
* The signature is carried in the message header and does not affect
the message body
* The signature may include certain headers
* There is a policy mechanism that tells receivers when to expect a
signature
* Keys are stored in the DNS; it is not necessary to buy a certificate
or deploy a key server.
The remarkable similarity of these architectural proposals strongly
suggests that this architecture should be the basis for ubiquitous
authentication. The question is then what attacks ubiquitous
authentication protects against.
Spam
Spam is best understood as two separate problems. The first is the
problem of the clueless company that sends out unsolicited marketing
email. That is bad but accounts for less than 5% of the spam volume and
is in any case usually handled by existing spam filters. The second
problem is criminal spam, mostly sent from botnets and mostly promoting
schemes that are outright criminal. Serious crimes include advance fee
frauds, 419 frauds, phishing, money mover, package reshipper and
consumer fraud schemes.
For the present spam control efforts are 100% concentrated on the
problem of criminal spam. We will need to return to the problem of
corporate spam once the criminal spammers are put out of business.
Without accreditation services DKIM allows large email providers and
spam filtering companies to distinguish mail that is legitimately from
an email provider from spoofed mail. This in turn allows the development
of 'whitelist' schemes whereby authenticated mail from a known source
with good reputation is allowed to bypass spam filters.
In effect the large email receiver is using their scale to generate
their own accreditation/reputation data. The disadvantage to this
approach is that it only works for an email receiver that has sufficient
scale. A small scale mail receiver can buy in reputation data from
external sources but this costs money and reputation data is inherently
retrospective.
The effectiveness of DKIM is significantly expanded by the ability to
add in accreditation. The Aspen Institute report The Accountable Net
describes a three part strategy for combatting spam. Spam is considered
to be the result of a lack of accountability in the Internet, to stop
spam we must restore accountability through authentication,
accreditation and consequences.
As anti-spam lawyer Jon Praed has observed, the biggest problem in
trying to sue a spammer is finding them first. What is needed is an
accreditation mechanism that ensures that an email message can be
linked to an address where legal process can be served. An
accreditation mechanism does not need to be perfect; all it needs to do
is to ensure that there is a high probability that a repeat spammer can
be held accountable for their actions.
Viruses
The primary propagation mode for viruses and trojans is currently spam.
Stopping spam goes a long way towards stopping viruses.
Most viruses today use a spoofed sender address to avoid tipping off the
owner of the infected machine. This has two unpleasant consequences,
first the owner of the spoofed address is swamped by bounces, second the
virus is able to propagate.
Protocols such as SES and BATV can be used to prevent the first effect.
DKIM provides a mechanism for addressing the second:
"Reject all email that has an executable attachment if the
message is not in compliance with a DKIM authentication policy that
states the message should be signed"
Of course it is arguable that the following is more effective:
"Reject all email that has an executable attachment"
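The first rule above, written out as a receiver-side filter. This is an added example and not code from the original post; it assumes that DKIM verification has already been done elsewhere (the result is passed in as a dict with the signing domain), that the sender's signing policy is supplied by the caller under placeholder names ('signs-all' / 'unknown'), and that "in compliance" means a valid signature from the From: domain itself. The executable extension list and the sample message are constructed for the example.

```python
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Extensions treated as executable for this example (assumed list, not from the post).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def has_executable_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename with an executable extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTS):
            return True
    return False

def from_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def decide(msg: Message, dkim_result: dict, policy_for: dict) -> str:
    """Apply the post's rule: reject an executable attachment only when the
    From: domain's published policy says its mail is always signed and the
    message carries no valid signature from that same domain.
    dkim_result: {"valid": bool, "d": signing domain}, verification assumed
    done elsewhere. policy_for: domain -> 'signs-all' | 'unknown' (assumed
    placeholder policy names, not a standardised DKIM policy vocabulary)."""
    if not has_executable_attachment(msg):
        return "accept"
    domain = from_domain(msg)
    expects_signature = policy_for.get(domain, "unknown") == "signs-all"
    compliant = dkim_result.get("valid") and dkim_result.get("d", "").lower() == domain
    if expects_signature and not compliant:
        return "reject"  # executable attachment, policy says signed, no valid signature
    return "accept"

def sample_message(sender: str, with_exe: bool) -> Message:
    """Constructed test message; the attachment bytes are a stub, not a real binary."""
    msg = MIMEMultipart()
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg.attach(MIMEText("Please see the attached file."))
    if with_exe:
        part = MIMEApplication(b"MZ\x90\x00", Name="update.exe")
        part.add_header("Content-Disposition", "attachment", filename="update.exe")
        msg.attach(part)
    return msg
```

A domain with an 'unknown' policy is never rejected by this rule, which is exactly why the post notes the blanket "reject all executables" rule may be more effective.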
Phishing
Phishing is currently understood to be the use of a spoofed email to
persuade the recipient to divulge access credentials.
While the majority of phishing attacks use the domain name of a trusted
brand itself to perform an attack (ebay.com) phishing gangs are already
moving to the use of look-alike or 'cousin' domains (security-ebay.com).
This is in part a response to the deployment of Sender-ID/SPF but is
mostly done to prevent the 'backwash effect' alerting the impersonated
brand to the start of an attack.
DKIM used in conjunction with some form of real-time blacklist allows
phishing emails to be pre-emptively blocked. The value of a cousin
domain is significantly reduced if the number of emails that can be
successfully sent from it is small. DKIM allows a phishing response
service to determine with a very high degree of confidence that a
domain name was registered for the purpose of phishing. This
substantially reduces the legal risks associated with maintaining such
a blacklist as well as significantly improving its effectiveness.
Phishing email is correctly understood as an attack against the user
interface. The phishing gangs essentially attack the last few feet
between the user's screen and their brain. Current email interfaces do
not provide a good means of assuring end users that an email is
authentic, nor is the DNS a sufficient naming infrastructure to achieve
this, as the problem of cousin domains demonstrates.
Ultimately the user interface must be changed so that recipients can
know with a very high degree of confidence that the message really is
from their bank or auction house. In the world of atoms, brands are used
for this purpose. We therefore need a mechanism for binding a brand to a
DKIM key. Fortunately this already exists in the PKIX LOGOTYPE
extension.
Phishing attacks are typically made against trusted brands that invest
significant capital resources to establish and maintain their brand.
While the cost of a Certification Authority certificate is significant
for many email senders it is not an issue for the brands affected by
phishing attacks which typically invest six to eight figure sums in
their response. The cost of an exceptionally robust accreditation
process for logotype certs would not be prohibitive for this
constituency.
Other
When the phishing problem first became a major issue, a crisis meeting
attended by major banks and technology providers was held to discuss
options. Several people at the table pointed out that our options for
deployment of new technology to address phishing would be considerably
greater if we had succeeded in getting S/MIME deployed and used.
We do not know what the next Internet crime scam will be but we do know
that the criminals attack the infrastructure at the most profitable
link. Email is a mass medium that reaches a billion regular users. As
long as email does not provide for authentication there will be criminal
attacks.
For example the Adelyn Lee / Larry Ellison email forgery case has
already demonstrated one possible form of attack. Another probable line
of attack is demonstrated by the recent impersonation of the CEO of
Starbucks through the use of a cousin domain name starbucks-corp.com.
We do not know how criminals will exploit the lack of email
authentication in the future, but we do know that they will continue to
invent new methods of exploiting the lack of authentication until the
vulnerability is closed. DKIM provides a mechanism for closing the
spoofed domain vulnerability in RFC 821/822.
If we can succeed in getting email senders to apply authentication to
every message, even if this is only to the domain name, we are in an
excellent position to increase the strength of that authentication
through linkage to an accreditation scheme as the need becomes apparent.
For example, if there is a sudden spate of stock frauds based on
impersonation of CEOs of public companies, the companies targeted can
link an accredited logotype certificate to their existing DKIM
deployment. Employees can then be told how to recognize a genuine email.