Hanno,
thank you for the corrections.

On 16. 08. 24 at 22:32, Hanno Böck wrote:
> Hello,
>
> On Fri, 16 Aug 2024 21:21:34 +0200
> Jan Dušátko <[email protected]> wrote:
>
>> - uses the PKCS#1 v1.5 padding, but thanks to the architecture I do
>> not know about the possibility of applying Bleichenbacher attack
>> ('98).
>
> Bleichenbacher's 98 attack does not apply to signatures.
>
> There's another Bleichenbacher attack from 2004 that does apply to
> signatures, but requires essentially a faulty RSA implementation. It
> also only works on very small e (like e=3), and typically, RSA keys
> have e=65537. That completely prevents this attack.
You are right, this is the reason why I wrote that I do not know about the
possibility of applying Bleichenbacher. That requires private key
activity over a signature; DKIM is not able to work as an oracle.
>> - I do not know about the possibility of using PKCS#1 v2.2 aka
>> RSA-OAEP
>
> OAEP is for encryption, the corresponding signature standard is called
> PSS.
My fault.
> Given the difficulty of deploying new algorithms in DKIM, I find it
> unlikely that deploying PSS - or any other new algorithm - has much
> benefit as long as there's no serious breakage.
>
> I already believe the support of Ed25519 is of limited usefulness.
> Given DKIM has no algorithm negotiation mechanism, you have no way of
> knowing what the receiving mail server supports. So you kinda cannot
> really use Ed25519 alone. You'll always have to support RSA, and can
> only support RSA+Ed25519, adding additional complexity for no real
> security advantage.
>
> As for post-quantum: There really isn't a big risk for a signature-only
> system like DKIM any time soon. For encryption systems, you have the
> "store-now-encrypt-later" scenario, so you are potentially at risk
> before scalable quantum computers exist. Therefore, it makes sense to
> adopt post-quantum encryption early. But for signatures, this doesn't
> apply. As long as scalable quantum computers don't exist, you don't
> need post-quantum signatures. Given DKIM signatures are short-lived,
> there's really no problem to be addressed unless we see massive
> breakthroughs in quantum computing.
One of the protection layers is the use of a timestamp and expiration time in
the DKIM signature. But the expiration time cannot be shorter than the maximum
resend time, which means something like five days (432000).
The second layer of protection is the administrative work related to DKIM key
rotation. It depends on system configuration, but is mostly about one year.
Factorization complexity should be, on an appropriate machine, a matter of
weeks to months (depending on key size, noise and other, nowadays unknown
issues).
Because of the limited lifetime, there is a really low probability of risk; I
raised that question because of my curiosity and the possibility of doing
preventive tasks. I am much more concerned now about security equivalence and
key size.
> Post-quantum signature mechanisms come with the challenge that they
> have relatively large keys and signatures. This is challenging with
> DKIM's principle of storing keys in DNS.
Generally, key size is one of my points, because most national
security agencies are trying to enforce at least a 128b security
equivalent (complexity 2^128). Community curves have some advantages,
though they are vulnerable to quantum computing, like RSA.
> But given there's no immediate risk, I believe the DKIM community has
> plenty of time to wait and see how post quantum signatures develop.
> Maybe there will be better / more compact signature systems in the
> future, maybe we'll learn things from early adopters that will figure
> out how to work with post-quantum signatures.
Regards
Jan
-- 
Jan Dušátko
Tracker number: +420 602 427 840
e-mail: [email protected]
GPG: https://keys.dusatko.org/2E7D58B90FC2867C.asc
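The timestamp/expiration layer discussed in this reply, as an added example that is not part of the thread or of any DKIM implementation: a small verifier-side check of the t= and x= tags of a DKIM-Signature header (RFC 6376), which flags expired signatures, the RFC rule that x= must be greater than t=, and, as a site policy taken from the five-day figure above, validity windows shorter than the maximum resend time. The header value and the 432000-second policy constant are constructed for the example; the tag parser handles only what this check needs and does not verify the b= signature itself.

```python
import time

# Site policy from the thread: the expiration window should not be shorter
# than the maximum resend time, about five days. This is an assumed local
# policy value, not a constant mandated by RFC 6376.
MIN_WINDOW_SECONDS = 432000

# Constructed DKIM-Signature header value (not a real signature; b= and bh=
# are placeholders). t= and x= are five days apart.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date; t=1723840894; x=1724272894;\r\n"
    " bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOlgIAZALk=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)


def parse_dkim_tags(header_value: str) -> dict[str, str]:
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    Folding whitespace inside values is removed; duplicate tags and parts
    without '=' are rejected, as the RFC requires the header to be ignored.
    """
    tags: dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(value.split())
    return tags


def evaluate_lifetime(tags: dict[str, str], now: int,
                      min_window: int = MIN_WINDOW_SECONDS) -> str:
    """Classify the signature lifetime at verification time `now` (epoch secs).

    Returns one of: "no-expiration", "malformed", "x-not-after-t",
    "future-timestamp", "expired", "valid-short-window", "valid".
    """
    t_raw, x_raw = tags.get("t"), tags.get("x")
    if x_raw is None:
        return "no-expiration"  # x= is optional; lifetime is unbounded
    if not x_raw.isdigit() or (t_raw is not None and not t_raw.isdigit()):
        return "malformed"
    x = int(x_raw)
    if t_raw is not None:
        t = int(t_raw)
        if x <= t:
            return "x-not-after-t"  # RFC 6376: x= MUST be greater than t=
        if t > now:
            return "future-timestamp"  # RFC 6376 lets verifiers ignore these
    if now > x:
        return "expired"  # verification time is past the expiration
    if t_raw is not None and x - int(t_raw) < min_window:
        return "valid-short-window"  # within RFC rules, but below site policy
    return "valid"


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_HEADER)
    print("domain:", tags["d"], "selector:", tags["s"])
    # The sample expires in August 2024, so a run today reports "expired".
    print("lifetime status now:", evaluate_lifetime(tags, int(time.time())))
    print("status at signing + 1 day:",
          evaluate_lifetime(tags, int(tags["t"]) + 86400))
```

The status strings are kept separate from the accept/reject decision on purpose: a verifier would typically reject "expired", "x-not-after-t" and "malformed", treat "future-timestamp" according to local policy, and log "valid-short-window" so that senders whose x= tag is tighter than the resend window can be identified before legitimate redelivered mail starts failing.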
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]