Hello,

On Fri, 16 Aug 2024 21:21:34 +0200
Jan Dušátko <[email protected]> wrote:

> - uses the PKCS#1 v1.5 padding, but thanks to the architecture I do
> not know about the possibility of applying Bleichenbacher attack
> ('98).

Bleichenbacher's 98 attack does not apply to signatures.

There's another Bleichenbacher attack from 2004 that does apply to
signatures, but requires essentially a faulty RSA implementation. It
also only works on very small e (like e=3), and typically, RSA keys
have e=65537. That completely prevents this attack.

> - I do not know about the possibility of using PKCS#1 v2.2 aka
> RSA-OAEP

OAEP is for encryption, the corresponding signature standard is called
PSS.

Given the difficulty of deploying new algorithms in DKIM, I find it
unlikely that deploying PSS - or any other new algorithm - has much
benefit as long as there's no serious breakage.

I already believe the support of Ed25519 is of limited usefulness.
Given DKIM has no algorithm negotiation mechanism, you have no way of
knowing what the receiving mail server supports. So you kinda cannot
really use Ed25519 alone. You'll always have to support RSA, and can
only support RSA+Ed25519, adding additional complexity for no real
security advantage.


As for post-quantum: There really isn't a big risk for a signature-only
system like DKIM any time soon. For encryption systems, you have the
"store-now-encrypt-later" scenario, so you are potentially at risk
before scalable quantum computers exist. Therefore, it makes sense to
adopt post-quantum encryption early. But for signatures, this doesn't
apply. As long as scalable quantum computers don't exist, you don't
need post-quantum signatures. Given DKIM signatures are short-lived,
there's really no problem to be addressed unless we see massive
breakthroughs in quantum computing.

Post-quantum signature mechanisms come with the challenge that they
have relatively large keys and signatures. This is challenging with
DKIM's principle of storing keys in DNS.

But given there's no immediate risk, I believe the DKIM community has
plenty of time to wait and see how post quantum signatures develop.
Maybe there will be better / more compact signature systems in the
future, maybe we'll learn things from early-adopters that will figure
out how to work with post-quantum signatures.

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
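As an added example (not part of this post or the thread), here is a small Python audit of the RSA key published in a DKIM p= record, checking the two properties mentioned above: the public exponent (e=65537 rather than a small e like 3) and the modulus size. It carries its own minimal DER encoder and parser so it runs offline; the sample moduli are placeholder integers, not real RSA keys.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 as DER TLV

def der_len(n):
    """DER length field: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 if top bit set
    return b"\x02" + der_len(len(body)) + body

def spki_from_rsa(n, e):
    """Encode (n, e) as SubjectPublicKeyInfo, the structure DKIM base64-encodes into p=."""
    rsa_key = der_int(n) + der_int(e)
    rsa_key = b"\x30" + der_len(len(rsa_key)) + rsa_key
    alg = b"\x30" + der_len(len(RSA_OID) + 2) + RSA_OID + b"\x05\x00"
    bits = b"\x03" + der_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    return b"\x30" + der_len(len(alg) + len(bits)) + alg + bits

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_dkim_p(p_value):
    """Return (modulus bits, e) from the base64 p= value of a DKIM TXT record."""
    _, body, _ = read_tlv(base64.b64decode(p_value), 0)  # outer SEQUENCE
    _, alg, pos = read_tlv(body, 0)                       # AlgorithmIdentifier
    if read_tlv(alg, 0)[1] != RSA_OID[2:]:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = read_tlv(body, pos)                    # BIT STRING; byte 0 = unused bits
    _, rsa_key, _ = read_tlv(bitstr, 1)                   # RSAPublicKey SEQUENCE
    _, n_bytes, pos = read_tlv(rsa_key, 0)
    _, e_bytes, _ = read_tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")

def audit_dkim_key(p_value):
    """Flag the two properties discussed in the thread: small e and short modulus."""
    bits, e = parse_dkim_p(p_value)
    findings = [msg for bad, msg in ((e < 65537, f"small public exponent e={e}"),
                                     (bits < 2048, f"short modulus ({bits} bits)")) if bad]
    return bits, e, findings
# Constructed sample records (n values are placeholder integers, not real RSA moduli)
GOOD_P = base64.b64encode(spki_from_rsa(2**2047 + 12345, 65537)).decode()
E3_P = base64.b64encode(spki_from_rsa(2**1023 + 12345, 3)).decode()
```

To audit a live selector, pass the p= value from the TXT record at `<selector>._domainkey.<domain>` to `audit_dkim_key`.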

_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]