Ok Google, publish your private DKIM keys





The Internet is a dangerous place even under the best of circumstances. Sometimes its architects find ways to mitigate threats, sometimes they fail. But one situation keeps repeating itself: a large Internet company finds a solution that actually makes things worse for almost everyone. Today I want to talk about one such case, and about how a company as big as Google could fix it.



This post covers DomainKeys Identified Mail (DKIM), a harmless little anti-spam protocol that has somehow turned into a monster. My request is simple and can be summarized as follows:



Dear Google: please implement periodic rotation and publication of your DKIM private keys. This would make the whole Internet safer, because criminals would lose a strong incentive to steal emails and orchestrate their leaks. The fix would cost you almost nothing and would knock a powerful tool out of thieves' hands.



That is the short version. The details follow.



What is this DKIM and how does it protect my email?



Email was created in the days when the Internet was still called ARPANET. Those were much quieter times, when modern security measures, and, frankly, the very notion that the Internet would need security, lay in a distant, science-fiction future.



The first email protocols (such as SMTP) worked on trust. A message might reach your mail server directly from the sender's server or be relayed through intermediaries. Either way, if the message said it came from your friend Alice, you believed it came from Alice. Why would anyone lie about that?



The widespread adoption of email showed that this attitude failed badly. Within a few years, netizens learned that plenty of people are willing to lie about who they are. Most of them were spammers, delighted that SMTP let them impersonate almost any sender: your friend Alice, your boss, the tax office, the friendly Nigerian prince. Without a reliable mechanism to stop such impersonation, email proved terribly vulnerable to spoofing.



To the email providers' credit, they quickly realized that email without sender authentication is essentially unusable. To filter mail properly, they needed at least to be able to check which server a message came from. This property has a technical name: source authentication.



The solution to the source-authentication problem, like almost every other fix to the basic Internet protocols, looked like a repair with duct tape. Mail providers were asked to bolt on an (optional) cryptographic extension called DomainKeys Identified Mail, or DKIM. DKIM bakes a digital signature into every email sent by a participating mail server. When a recipient's server accepts a DKIM-signed message claiming to come from, say, Google, it first looks up Google's public key in the Domain Name System (DNS): the DKIM-Signature header names the signing domain (d=) and a selector (s=), and the verifier fetches the TXT record at <selector>._domainkey.<domain>. The recipient can then verify the signature to make sure the message is authentic and unmodified, since the signature covers the body and most of the headers. That knowledge can be fed into spam filtering. (A related protocol called ARC provides similar guarantees.)



Of course, the solution is not perfect. Since DKIM is optional, a malicious intermediary can strip the DKIM signature from a message and convince the recipient that it was never signed. A related protocol called DMARC uses DNS to let senders publish their policy, including a requirement that signatures on their mail be verified. Used together, these two protocols should, in principle, eliminate spoofing from the Internet.





An example of a DKIM signature on one of the automated emails I received today.



What is the problem with DKIM / ARC / DMARC, and why does it matter?



As anti-spam measures, DKIM, ARC and DMARC are fine. The trouble is that DKIM signing has an unexpected side effect that reaches well beyond the original spam-filtering job. In short:



DKIM provides a lifetime guarantee of the authenticity of emails, which anyone can use to cryptographically authenticate stolen emails even years after they were sent.



This non-repudiation property was never a goal of DKIM. The designers did not plan it, nobody discussed whether it was a good idea, and most people were taken by surprise. Worse, this unexpected feature has serious consequences: it makes us more vulnerable to extortion and blackmail.



To understand what the problem is, it's worth considering the goals of DKIM.



The main purpose of DKIM was to prevent spammers from forging messages in transit. Recipient servers should be able to verify that a message was sent by the claimed source mail server, even if it passes through many untrusted servers on the way.



Once delivery is complete, however, DKIM's job is done. That is, the authenticity guarantee only needs to hold for a short time. Since delivery usually takes minutes (in rare cases, hours), the guarantee should not last for years, and the signatures should never be exposed to users. Yet that is exactly what happens.



Until recently nobody thought about this. In fact, early DKIM deployments were something of a bad joke: mail providers chose DKIM signing keys that were easy for a motivated attacker to break. In 2012, security researcher Zachary Harris discovered that Google and many other companies were signing DKIM with 512-bit RSA. He showed that such keys could be cracked on rented cloud hardware in a matter of hours, and then used to forge messages from Larry and Sergey.



The reaction of Google and the other email providers to the "Larry and Sergey" embarrassment was predictable. Without thinking carefully about the implications, they quickly strengthened the keys, moving to 1024-bit or 2048-bit RSA. This stopped the forgeries, but it also inadvertently turned an innocuous anti-spam protocol into a lifetime cryptographic authenticity stamp that can validate any email dump, however it ended up in the verifier's hands.



You're crazy, nobody uses DKIM to authenticate emails.



On the contrary, the DKIM authenticity stamp has been widely used by the press, mainly in the context of hacked politicians' emails. It is real, important and consequential.



The most famous example, which caused serious controversy at the time: in 2016, WikiLeaks published a set of emails stolen from John Podesta's Google account. Since the provenance of these messages was murky, WikiLeaks faced the difficult task of verifying their authenticity. DKIM offered an elegant solution: every message posted on the WikiLeaks pages publicly shows the verification status of its DKIM signature. The site also provides a resource page for journalists explaining how DKIM proves the messages are real.



The DKIM story did not end with Podesta's emails. In 2017, ProPublica used DKIM to verify the authenticity of emails allegedly sent by President Trump's personal lawyer, Marc Kasowitz, to a critic. In 2018, the Associated Press used it again to authenticate leaked emails linking a Russian lawyer to Donald Trump Jr. And it happened again this year, when the recipients of the alleged "Hunter Biden laptop" handed one 2015 email to Rob Graham for DKIM verification, to overcome journalists' skepticism about their sources.



Someone might say that DKIM verification does not matter, and that leaked emails should be believed or disbelieved on their content alone. But the fact that so many news organizations have chosen to rely on DKIM shows how wrong that assumption is. News organizations, WikiLeaks included, implicitly admit that the dubious provenance of leaked emails raises doubts, probably strong enough to make publication by a national news organization impossible. DKIM lets them work around that problem and remove the obstacle.



The Associated Press even published a DKIM verification tool.



In short, an anti-spam protocol originally designed to provide short-term identification of messages moving between mail servers has been repurposed (without the slightest discussion or consent from commercial mail users) into a tool that provides cryptographically undeniable authentication of every message you send or receive. This is a tremendous resource for journalists, hackers and blackmailers.



But it gives you no advantage at all.



What can you do about it?



DKIM was never intended for long-term email authentication. The security guarantees it provides matter, but they should exist for only a few hours (at most days) after the message leaves the mail server. The very fact that DKIM can still prove the authenticity of a stolen email written back in 2015 is essentially a failure: the result of misuse and misconfiguration by email providers who should have thought harder.



Fortunately, there is a simple solution.



DKIM allows providers to "rotate", that is, periodically replace, the keys used to sign outgoing mail. How often this can happen is slightly constrained by DNS caching, but the constraints are not very strict: the only hard requirement is that a retired key's public half stays in DNS until every message signed with it has been delivered and verified, which means waiting out the record's TTL plus any reasonable delivery delay. Even a large provider like Google can easily change signing keys at least every few weeks without disrupting mail flow. Rotating keys like this is good practice anyway, and it is part of the solution.



Of course, simply replacing the DKIM key pairs solves nothing by itself: busybodies across the Internet constantly archive public DKIM keys. In fact, this is exactly what allowed a 2015 message to a Google mailbox to be verified in 2020: the key Google used to sign DKIM mail back then (the same key was in use from 2012 to 2016; seriously, Google, what a mess!) is no longer used, but it has been cached in many places on the Internet.



Solving this requires just one small additional step: once a key pair has been rotated out and retired, Google should publish its private key. The company should post that secret key in an easily accessible public place, so that anyone can use it to forge plausible old emails from any Google user. The order matters: remove the public key from DNS, wait out the TTL and any reasonable delivery delay, and only then release the private half, so nobody can use it to spoof mail that is still in transit. Public availability of Google's retired signing keys would make every new email leak cryptographically moot: since any outsider can then forge DKIM signatures, the signatures become useless as proof of authenticity.
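To make both the mechanism and the argument concrete, here is a small Go program that is an added example, not code from the original post, from Google or from any real DKIM verifier. It implements just enough of DKIM to act out the DKIM introduction above and the rotate-then-publish argument of this section: RSA-SHA256 signatures over the From, To, Subject and Date headers and the body, with relaxed header and simple body canonicalisation, and the selector lookup a verifier performs at <selector>._domainkey.<domain>. Everything in it is constructed: the domain example.com, the selector sel2015, the messages, and the `zone` map that stands in for DNS (a real TXT record carries the key base64-encoded in its p= tag; the map holds the key directly). No real Google selector, key or message is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// message is the minimal mail object this example needs: lower-case header name -> value, plus body.
type message struct {
	headers map[string]string
	body    string
}

// zone stands in for DNS: "<selector>._domainkey.<domain>" -> the key a real TXT record carries in p=.
type zone map[string]*rsa.PublicKey
func dnsName(selector, domain string) string { return selector + "._domainkey." + domain }
var ws, bTag = regexp.MustCompile(`[ \t\r\n]+`), regexp.MustCompile(`\bb=[^;]*`) // whitespace; the b= tag (never bh=)
// relaxed header canonicalisation (RFC 6376 3.4.2): lower-case name, unfolded, whitespace collapsed.
func canonHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.TrimSpace(ws.ReplaceAllString(value, " ")) + "\r\n"
}
// simple body canonicalisation (RFC 6376 3.4.3): CRLF line ends, trailing empty lines reduced to one.
func canonBody(body string) string {
	return strings.TrimRight(strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n"), "\r\n") + "\r\n"
}
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = ws.ReplaceAllString(kv[1], "")
		}
	}
	return tags
}
// headerHash covers the h= headers plus the DKIM-Signature header itself with its b= value emptied.
func headerHash(m message, h, sigValue string) []byte {
	d := sha256.New()
	for _, name := range strings.Split(h, ":") {
		d.Write([]byte(canonHeader(name, m.headers[name])))
	}
	d.Write([]byte(strings.TrimSuffix(canonHeader("DKIM-Signature", bTag.ReplaceAllString(sigValue, "b=")), "\r\n")))
	return d.Sum(nil)
}
// sign returns the DKIM-Signature header value for m (rsa-sha256, relaxed/simple).
func sign(m message, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	bh := sha256.Sum256([]byte(canonBody(m.body)))
	v := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject:date; bh=%s; b=",
		domain, selector, base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(m, "from:to:subject:date", v))
	return v + base64.StdEncoding.EncodeToString(sig), err
}

// verify checks a DKIM-Signature value against m, taking the public key from the zone it is given.
func verify(m message, sigValue string, z zone) error {
	t := parseTags(sigValue)
	if bh := sha256.Sum256([]byte(canonBody(m.body))); base64.StdEncoding.EncodeToString(bh[:]) != t["bh"] {
		return errors.New("body hash mismatch")
	}
	pub, ok := z[dnsName(t["s"], t["d"])]
	if !ok {
		return errors.New("no DKIM record at " + dnsName(t["s"], t["d"]))
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // a malformed b= simply fails the check below
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(m, t["h"], sigValue), sig)
}

// scenario plays the post's argument out as verify() results: nil means "the signature checked out".
func scenario() map[string]error {
	const domain = "example.com" // constructed; not a real provider's domain or selector
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	live := zone{dnsName("sel2015", domain): &oldKey.PublicKey}
	mail := message{headers: map[string]string{"from": "alice@" + domain, "to": "bob@example.net",
		"subject": "Lunch?", "date": "Mon, 5 Oct 2015 10:00:00 +0000"}, body: "Same place at noon?\n"}
	sig, _ := sign(mail, domain, "sel2015", oldKey)
	o := map[string]error{"genuine": verify(mail, sig, live)} // 2015: the recipient checks live DNS
	// 2020: the key is rotated and the old selector dropped from DNS, so live lookups now fail...
	delete(live, dnsName("sel2015", domain))
	o["rotatedLiveDNS"] = verify(mail, sig, live)
	// ...but whoever archived the sel2015 record can still authenticate a leaked copy years later.
	cached := zone{dnsName("sel2015", domain): &oldKey.PublicKey}
	o["rotatedCachedRecord"] = verify(mail, sig, cached)
	// Once oldKey itself is published, anyone can sign words Alice never wrote under sel2015,
	// so a valid signature no longer separates a real leak from a fabrication.
	forged := mail
	forged.body = "I will resign tomorrow.\n"
	forgedSig, _ := sign(forged, domain, "sel2015", oldKey)
	o["forgedWithPublishedKey"] = verify(forged, forgedSig, cached)
	return o
}

func main() { fmt.Println(scenario()) }
```

Running it prints a map in which a nil entry means the signature verified: "genuine" and "rotatedCachedRecord" are nil, "rotatedLiveDNS" is an error, and "forgedWithPublishedKey" is nil as well. That last entry is the whole point: once the private half of sel2015 is public, a valid signature under that selector is evidence of nothing, which is exactly what neither rotation alone (the second entry) nor a live DNS lookup (the third) achieves against someone holding an archived copy of the old public key.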



(Those who run their own mail server can automate this with this excellent script.)



Google could kick-start the process today by releasing its ancient 2016 private keys. Since keeping them secret serves no security purpose other than letting third parties authenticate email leaks, there is no reason to keep them. Just publish them.



(A paranoid reader might also consider that motivated attackers may already have stolen Google's old DKIM private keys. After all, DKIM signing keys are hardly the "crown jewels" of the Google ecosystem, so Google probably does not go out of its way to protect them. In that case, Google keeping the keys secret simply creates a situation in which certain actors can forge emails with impunity.)



But DKIM authentication is a great thing! Don't we want to be able to check leaked mail from politicians?



Modern DKIM deployments cause problems because they encourage a specific type of crime: theft of private email for use in public blackmail and extortion campaigns. Over the past few years this feature has mostly been used in ways many people find acceptable, either because it suits their side's preferences or because the politicians who were "caught" deserved it.



But bad things happen to good people too. If you build a mechanism that incentivizes a crime, sooner or later that crime will be committed against you.



Email providers like Google have decided (usually without asking their customers) that anyone who steals a customer's password, or phishes it from a company employee, can produce cryptographically undeniable proof that can be shown to anyone to confirm the authenticity of what they stole. Perhaps such proof is unnecessary for the criminal's purposes. But it certainly has value. Eliminating that possibility is a pure win.



The fact that I have to argue about this makes me very sad.



Timestamps, better cryptography, and other formal objections



Every time I mention the idea of publishing old secret keys, I get a pile of formal objections from people with very good points. But they are thinking about a stronger threat model than the one we usually face.



The most common objection is that publishing private keys only helps if the signed messages are disclosed after the private keys are published. By this logic, which is correct, any messages stolen and published before the DKIM private key is released remain undeniable. For example, if someone hacks your account and immediately starts publishing the mail you receive in real time, those messages are still cryptographically verifiable.



Someone even suggested a clever attack in which recipients (or hackers with persistent access to your account) use a public timestamping service, such as a blockchain, to securely "stamp" each message they receive with its time of receipt. This lets them prove that they held the signed message before the secret DKIM key was published: check and checkmate.



This is a neat theoretical attack, but it is essentially beside the point, because it addresses a stronger threat model. The most critical issue with DKIM today is that DKIM signatures sit inside your archived mailbox. This means that a hacker who breaks into my Gmail account today can exhibit DKIM signatures on emails I sent or received years ago. Publishing old DKIM private keys solves that problem immediately. The theoretical "real-time hacker" problem can wait its turn.



Another objection I sometimes hear is that cryptographic authentication is a useful feature. Under certain conditions, I agree. The problem with DKIM is that no customer was ever asked whether they wanted this feature on by default in their commercial mail account. People who want to cryptographically authenticate their own messages have a convenient set of tools for that purpose.



There is also the question of whether the DKIM non-repudiation problem could be solved with new cryptography. As a cryptographer, I am very enthusiastic about this. In fact, my co-authors Mike Specter and Sunoo Park and I recently wrote a paper on how a long-term solution to the DKIM problem might work. (Mike wrote a great post about it.) I won't claim our solution is necessarily the best, but I hope it inspires more research.



Sometimes, though, the simplest solution is the best. Right now Google, as the largest commercial email provider, could have a huge impact (and protect its customers from future leaks) with one very simple act. Why the company has not done so yet is a mystery to me.











