
Strengthen DKIM Signatures with DCRUP

Jacob Rideout February 20, 2018 How Email Works

In this final post of the DMARC series, we’ll discuss the DKIM Crypto Update (DCRUP), the latest set of cryptographic updates intended to strengthen DKIM.

Picking the Lock

While DKIM has been around for many years as one of the foundations of DMARC, weaknesses in the security of its signatures have limited its effectiveness.  The DCRUP Working Group was created to update DKIM to handle more modern cryptographic algorithms and key sizes.  

Currently DKIM signatures include a tag that identifies the hash algorithm and signing algorithm used in the signature. The only current algorithm is RSA and most signing keys are 1024 bits.  While the RSA algorithm supports longer signatures of 2048 bits, they are generally not used because bugs in DNS provisioning software prevent publishing longer keys as DNS TXT records.

While DKIM currently supports the use of SHA1 coupled with RSA, SHA1 has been formally deprecated due to weaknesses in numerous contexts. As the working group states explicitly, “the community wishes to discourage its continued use in the DKIM context.”
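The two weaknesses described above (short RSA keys and SHA1 signatures) can be checked from a message's DKIM-Signature header and the selector's DNS key record. The following is an added example, not code from the original post or from the working group; the sample header, the filler key and the 2048-bit threshold are assumptions constructed for illustration.

```python
import base64

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def der_tlv(buf, pos):
    """Read one DER element at pos; return (content_start, content_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_b64):
    """Modulus size in bits of the SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_b64)
    start, _ = der_tlv(der, 0)          # outer SEQUENCE
    _, end = der_tlv(der, start)        # AlgorithmIdentifier (skipped)
    start, _ = der_tlv(der, end)        # BIT STRING
    start, _ = der_tlv(der, start + 1)  # RSAPublicKey SEQUENCE, after unused-bits byte
    start, end = der_tlv(der, start)    # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def audit(sig_header, key_record):
    """Return findings for the two weaknesses the post describes."""
    sig, key = parse_tags(sig_header), parse_tags(key_record)
    findings = []
    if sig.get("a", "").endswith("-sha1"):
        findings.append("a=%s signs with deprecated SHA1" % sig["a"])
    if key.get("k", "rsa") == "rsa" and key.get("p"):
        bits = rsa_bits(key["p"])
        if bits < 2048:  # threshold is an assumption of this example
            findings.append("RSA key is %d bits, below 2048" % bits)
    return findings

# Constructed sample: correct DER framing around a filler modulus, not a real key.
SAMPLE_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
              + b"\xc3" * 128 + bytes.fromhex("0203010001"))
SAMPLE_KEY = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_DER).decode()
SAMPLE_SIG = "v=1; a=rsa-sha1; d=example.com; s=sel1; h=from:subject; bh=AAAA; b=AAAA"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SIG, SAMPLE_KEY):
        print(finding)
```

In practice the key record comes from the TXT record at `<selector>._domainkey.<domain>`, using the `s=` and `d=` tags of the signature.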

The DCRUP working group will consider four types of changes to DKIM:

  1. Additional signing algorithms such as those based on elliptic curves
  2. Changes to key strength advice and requirements
  3. Deprecating the use of SHA1
  4. New public key forms, such as putting the public key in the signature and a hash of the key in the DNS to bypass bugs in DNS provisioning software that prevent publishing longer keys as DNS TXT records.

Changes will be limited to existing, implemented algorithms and key forms. Other changes to DKIM, such as new message canonicalization schemes, are out of scope. The Working Group will, as far as possible, avoid changes incompatible with deployed DKIM signers and verifiers.

We hope you’ve found this three-part blog series on DMARC updates interesting and informative. As always, your comments are appreciated and we’d love to hear from you.
