Me writing over 14 years ago: https://blog.jgc.org/2010/06/facebooks-dkim-rsa-key-should-b... This was doable 14 years ago for 512-bit keys.

If you want to try something fun:

Provision a 4096-bit DKIM key.

Every online DKIM/SPF checker will say all is good when looking at your DNS.

They will also fail any test email you send, with more or less excellent descriptions such as:

STATUS: Fail

DKIM: Pass

SPF: Pass

There's this fun thing that, apparently:

It's permitted and valid to use keys larger than 2048 bits in your DKIM entry.

It is not, however, required to process keys larger than 2048 bits.

This cost me some hair to learn the hard way.

Could someone help me understand why we're not dramatically ramping up key sizes across the board on all encryption? Not as a solution, but as a buy-some-time measure.

Compute is rapidly increasing, there is continuous chatter about quantum and yet everyone seems to be just staring at their belly buttons. Obviously bigger keys are more expensive in compute, but we've got more too...why only use it on the cracking side, but not on defense?

Even simple things like forcing TLS 1.3 instead of 1.2 from client side breaks things...including hn site.

What a misleading title

CADO-NFS makes this surprisingly easy to do. A few weeks back I factored a 512bit RSA DKIM key for work using my desktop computer in only 28 hours. Specifically, an AMD Zen 5 9900X.

Unfortunately 1024 bit keys are still out of reach of a hobbyist effort but could be pulled off by academics roughly of the same scale as the 2010 effort to factor a 768 bit key (https://eprint.iacr.org/2010/006.pdf)

Some DNS providers suck and only let you set 1024 bit long keys. For example wordpress.com.

This is the reason I had to stop using Hover for DNS management. They don't support TXT records longer than 255 characters, and I've not found any instance of someone getting split records to work with Hover. Ended up using Digital Ocean for it. I would love for elliptic curve crypto to become the status quo if this is going to continue to be an issue for yet another decade.

Breaking a 512-bit key for a good demonstration is very valuable security research, even if it's been done before. It's also legit to call out "Hey, here's a list of folks still using 512 bit, they should move off." ... but for me, actually cracking a real-world in-use key crosses an ethical line that makes me uncomfortable. IANAL but it might even be criminal. Just seems a bit unnecessary.

> Although most providers correctly identified the 512-bit key as insecure and rejected our DKIM signature, three major providers — Yahoo Mail, Mailfence, and Tuta — reported a dkim=pass result.

Did google really FAIL because of DKIM signature being insecure or because SPF failed?

Reminds me of factoring 512-bit RSA signing keys used on Ti calculators in 2009: https://en.wikipedia.org/wiki/Texas_Instruments_signing_key_...

This is a little bit of a layman's question but maybe someone is interested:

When people go searching for prime numbers / bitcoin with massive compute, I assume that there are huge libraries of "shortcuts" to reduce the searching space, like prime numbers only appear with certain patterns, or there are large "holes" in the number space that do not need to be searched, etc. (see videos e.g. about how prime numbers make spirals on the polar coord. system, etc). I.e. if you know these you can accelerate/reduce your search cost by orders of magnitude.

For whatever various encryption algorithm that people choose to test or attack (like this story), is there somewhere such libraries of "shortcuts" are kept and well known? To reduce the brute force search need?

And is the state of sharing these to the point that the encryption services are designed to avoid the shortcut vulnerabilities?

Was always wondering this.

In case anybody is wondering about whether the 512bit number is big or small it depends on whether it is symmetric or asymmetric encryption technique. Always presume asymmetric encryption is 8x weaker than symmetric encryption.

DKIM is asymmetric. So a 512bit DKIM equivalent symmetric hash would be 64bits, which is long broken. Even 160bit SHA1 is considered broken. A DKIM of roughly equivalent strength to a 512bit SHA3 would be at least 4096bits and still does not include SHA3's techniques for mitigating replay attacks.

Love the practicality demonstrated here. It is unclear how old this article is. Based on the poster's previous submissions, I assume today?

Anyone know or have experience how well supported ECDSA is for DKIM?

I think the cynic in me says "so what" mostly because dkim as an ancient technology is hardly secure. I don't think we're any less prone to email fakery and spam. I'd be interested to see a possible new solution or a revamping of email as a protocol but that's unlikely. We're more likely to keep it like snail mail as we prioritise different forms of communication. Unfortunately nothing has beat the universal email address on the internet. Here's hoping we come up with a chat standard that sticks and people run a user@server.com chat server where you can communicate from anywhere. Sorry xmpp, you don't count.

Don't know how Apple's iCloud Email will handle it, after all, Apple has always prided itself on being extremely attentive to user privacy and data security.

How common are such small DKIM keys?

I'm pretty sure mine are 2048-bit, though I'd have to check as they were last set a fair while ago.

Any tips on how to easily fetch the key length of DKIM-Keys from DNS? Just by looking at the DNS entries I can't easily determine the key length ;)

While the DKIM passes, the SPF fails (per the Yahoo screenshot), so if I have this right a bad actor would still need to hack the legitimate senders DNS records (assuming DMARC rules are set up somewhat strictly). Do I have this right?

Of course, if you can modify the SPF records, you can make the DMARC record say whatever you want.

I don't understand why didn't Yahoo fail due to SPF check failure.

why aren't people just defaulting to 2048?

"as RSA keys shorter than 1,024 bits are considered insecure, and their use in DKIM has been deprecated since the introduction of RFC 8301 in 2018."

LOL. One of my favourite internet flame wars was circa 2007 (in and around discussing the incoming financial crises) and we got talking about encryption and how none of it actually "works".

Particularly vile troll, and iirc also owner of the site bet me $50,000 I couldn't reverse the 512 RSA key he posted (created by openssl).

He got the factorisation less than an hour after he made the post.

Strangely, the entire site disappeared pretty quickly after that (and it's not on wayback machine).

given where the math guys are now with GNFS I'm not sure I would trust 8192 bit RSA in 2024, 2018 for dropping 512 bit was already more than a decade late.

Thanks for this

I got an email from Bank of America yesterday about a problem setting up my account. I had set up a new account, and this email knew that, and knew the name of the company, etc. There were no links in the email, just a note to call the BofA business number. I verified the number on the BofA website -- it was the same number -- and I called them.

They couldn't tell me why I got the email, and what the problem was with my account. The representative couldn't see a record of this email set.

I'm 100% certain this email came from Bank Of America. There was nothing in the email that was phishing -- no links, no bad phone numbers.

The SPF, DKIM, and DMARC all passed googles's ARC-Authentication-Results. The DKIM key is 2048 bits long.

I asked Bank of America to investigate, and they said "it must have been a phishing message" and sent me a link on how to look out for phishing.

I'm pretty sure this was just a glitch; some system that does some consistancy check ran too early while the account was being set up and generated that email.

However, because they told me it was "phishing" I just sent a FedEx to the CTO with the complete paper trail advising them that EITHER their DKIM keys were compromised and they need to issue a public warning immediately OR their incompetent staff and IT system gave me the runaround and wasted an hour of my time. Either way, I want a complete investigation and resolution.

That can be done locally on a laptop, no need for the cloud.

Thanks for sharing this article, I think people have been doing this for some time!

I’ve gotten a lot of spear phishing attacks, as far back of 2018, with emails that passed many verification checks. Getting representation to this issue is notoriously difficult because people assume an undiscerning victim and end user. They also rely on the false idea that scammers can’t spell or don’t spell correctly, specifically to weed out discerning people. When there is a subset that makes everything as legit and impersonating as possible.

Technically, this is very nice work.

But as a security generality - email is vastly less secure* than human nature wants to assume that it is. Human nature usually wins.

*Outside of a carefully run org's own network, and a few other edge cases

Slight change of title. The leading "How" was dropped. Original: "How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud"

Because we need that compute for our React frameworks.

[dead]

[flagged]