Hi!
May c: instructions in body recipes (r=) overlap? This would allow
attempts to have verifiers use excessive memory/CPU like this:
Message-Instance: v=1; ... (Referring to a one-line body)
Message-Instance: v=2; r=c:1-,c:1-,c:1-,c:1-; ...
Message-Instance: v=3; r=c:1-,c:1-,c:1-,c:1-; ...
(and up to 96 more of those)
Yes, the malicious signer has to generate valid hashes at least for the
last few of those so the verifier will walk up the chain (and use a lot
of resources), but in my example, the verifier will use at least 4x as
much resources as the attacker (one more "explosion" until noticing that
the signer didn't bother anymore to make that hash valid). With more c:,
the factor is higher, and of course the attacker can use such message
body/Message-Instance combinations multiple times with the CPU spent
only once.
Hannah.
--
Hannah Stern
Software Developer
Mail Transfer Development
1&1 Mail & Media Development & Technology GmbH
Phone: +49 721 91374-4519
E-Mail: [email protected] | Web: www.mail-and-media.com www.gmx.net
www.web.de www.mail.com www.united-internet-media.de
Headquarters Montabaur, Montabaur District Court, HRB 5452
Managing Directors: Alexander Charles, Dr. Michael Hagenau, Thomas Ludwig,
Dr. Verena Patzelt
Member of United Internet
_______________________________________________
Ietf-dkim mailing list -- [email protected]
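Added example, not part of the original message or of any DKIM2 implementation: a verifier-side guard that parses the r= chunk references, rejects overlapping ranges, and bounds the size of every reconstructed stage arithmetically before any hash is computed, so the "explosion" above is refused at the cost of a few integer additions. The c:START-END grammar (omitted END meaning "through the last line"), line granularity, the order in which recipes are applied along the chain, and the max_lines limit are assumptions made for this example.

```python
import re
from typing import List, Tuple

Range = Tuple[int, int]
# Assumed grammar: c:START-END, END optional (= last line of the previous body).
CHUNK_RE = re.compile(r"^c:(\d+)-(\d*)$")


def parse_recipe(recipe: str, prev_lines: int) -> List[Range]:
    """Parse 'c:1-,c:3-5' into inclusive (start, end) line ranges that refer
    to a previous body of prev_lines lines; out-of-bounds items are rejected."""
    ranges: List[Range] = []
    for item in recipe.split(","):
        m = CHUNK_RE.match(item.strip())
        if not m:
            raise ValueError(f"unparseable recipe item {item!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else prev_lines
        if start < 1 or end < start or end > prev_lines:
            raise ValueError(f"range {item!r} outside a {prev_lines}-line body")
        ranges.append((start, end))
    return ranges


def has_overlap(ranges: List[Range]) -> bool:
    """True if any two ranges share a line (exact duplicates included)."""
    ordered = sorted(ranges)
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(ordered, ordered[1:]))


def stage_sizes(base_lines: int, recipes: List[str]) -> List[int]:
    """Line count of each stage if every recipe were honoured, computed
    without materialising anything: shows how overlap multiplies the work."""
    sizes, prev = [], base_lines
    for recipe in recipes:
        prev = sum(e - s + 1 for s, e in parse_recipe(recipe, prev))
        sizes.append(prev)
    return sizes


def check_chain(base_lines: int, recipes: List[str], max_lines: int) -> Tuple[bool, str]:
    """Accept a chain only if no recipe overlaps and no stage exceeds max_lines."""
    prev = base_lines
    for depth, recipe in enumerate(recipes, 1):
        ranges = parse_recipe(recipe, prev)
        if has_overlap(ranges):
            return False, f"overlapping chunk references at depth {depth}"
        prev = sum(e - s + 1 for s, e in ranges)
        if prev > max_lines:
            return False, f"stage {depth} would have {prev} lines (limit {max_lines})"
    return True, "ok"


# Constructed from the e-mail's example: a one-line body and three hops that
# each reference the whole previous body four times.
HOSTILE = ["c:1-,c:1-,c:1-,c:1-"] * 3
```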