As you've probably read in the press, DKIM is broken and we're all going
to die. But that's OK, it usually happens twice a year.
DKIM is a signature algorithm used to authenticate the domain an email
claims to originate from.
- firstname.lastname@example.org sends an email to email@example.com
- the gmail MX server signs the body of the email using gmail's RSA private key, thus creating a dkim signature
- the email is sent to yahoo's MX server via SMTP
- yahoo retrieves gmail's RSA public key from gmail's TXT DNS record
- yahoo verifies the dkim signature and, if valid, stores the email in eugene's inbox.
Ideally, DKIM provides a way to authenticate the sender of an email.
All messages coming from Gmail must have a valid DKIM signature, and
because Gmail ensures that only authenticated users can send email,
the email sender is authenticated.
Therefore, DKIM's strength strongly relies on RSA's strength. And RSA's
strength relies on the complexity of factoring large number to reduce
them to their prime components: the bigger the RSA key, the stronger the
So, why would gmail use keys of 384 bits, when everybody knows that keys
below 1024 bits are easily factorizable ?
That's essentially because, in the real world, none of the ESPs are
using DKIM for authentication purposes. They use DKIM for protection
Yahoo will verify that an incoming email that has a Gmail From: address
has a valid DKIM signature. If it doesn't, it will deliver the email in
the user's Spam folder.
Gmail will do the same, as well as 90% of the ESPs out there.
For spam protection purpose, 384 bits keys are "good enough". RSA
operations are *really* expensive (see below), and increasing the size of
the key has non-trivial impacts on the DKIM signing/verification
infrastructures of these ESPs.
The vulnerability found is not a new one: we've been able to factorize
384 bits keys for years. Gmail is not broken. But a spammer who obtains
Gmail's DKIM private key could send spam with valid DKIM signatures
that would pass ESPs spam filters. Thanksfully, DKIM is only one of the
many criteria used in spam detection.
Nevertheless, Gmail thought the vulnerability was important enough to
increase the size of their RSA modulus to 2048 bits.
On RSA computational cost
sign verify sign/s verify/s
rsa 512 bits 0.000051s 0.000004s 19454.6 243901.9
rsa 1024 bits 0.000178s 0.000012s 5633.6 86925.1
rsa 2048 bits 0.001246s 0.000039s 802.5 25626.5
rsa 4096 bits 0.009033s 0.000145s 110.7 6903.2
(output of `openssl speed rsa` on my macbook)
The results above show that doubling the size of the key from 512 bits
to 1024 bits multiplies by ~3 the cost of the signature and verification
Worse: moving from 1024 to 2048 bits makes the signature operation
~7 times more expensive.
At the scale of an ESPs such as Gmail, increase the RSA key size from
384 to 2048 means making the DKIM signing operations ~25 times more
expensive. In practice, it means multiplying the number of signing
servers by 25. Not a trivial thing to do...
On retrieving RSA keys
Use `dig` to get the TXT record:
$ dig +short txt 20120113._domainkey.gmail.com @126.96.36.199
The part after `p=` is the public key. If the key is longer than 512
characters, it will be broken into 2 blocks (DNS limitation).
Put the key in a file:
-BEGIN PUBLIC KEY -
-END PUBLIC KEY -
And check it using openssl:
$ openssl rsa -noout -pubin -text < /tmp/gmail_dkim.pubkey
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
- How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/all/
- DKIM Signature and verification using DKIMproxy http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:postfix:dkimproxy