Earlier this month, Microsoft pushed a Windows update to its users that modified the operating system so it would no longer accept RSA keys smaller than 1024 bits. Now two of the largest webmail providers on the Internet have joined Redmond in pumping up the size of their cryptographic keys.
Yahoo and Google decided to make the change after a Florida-based mathematician cracked the security of an email he received from a Google recruiter.
The email was protected by a security system used by several webmail providers called DomainKeys Identified Mail (DKIM). To prevent the origin of an email from being spoofed, the system wraps a cryptographic signature around the message. That signature is supposed to verify the origin of the missive.
According to Wired Magazine, the mathematician, Zach Harris, discovered that the cryptographic key used to sign the message he received from the Google recruiter was only 512 bits in length, even though the DKIM standard calls for a key of 1024 bits or more. So Harris decided to have some fun with Google.
He cracked the cryptographic key for the Gmail message he received from Google — a task he says took about 72 hours and $75 for the use of Amazon Web Services. Then he spoofed a message from Larry Page to Sergey Brin, both cofounders of Google, in which Harris plugged his personal website.
If Google ever figured out that the spoofed message came from Harris, they never let him know about it. Two days after he sent the message, though, he did notice that Google had changed the length of the DKIM cryptographic key to 2048 bits.
Harris’s Google experiment piqued his curiosity. He began to poke around the cryptographic keys for other websites such as PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC. He found those sites used either 512-bit or 768-bit keys.
Harris’s impromptu fieldwork was noticed by the US Computer Emergency Readiness Team (CERT), which published a vulnerability note on DKIM keys on Oct. 24. In the note, CERT stated that DKIM signing keys with fewer than 1024 bits were weak and that keys of 512 and 768 bits had been “factored,” or cracked.
The DKIM standard doesn’t require verifiers to reject signatures made by keys with fewer than 1024 bits, but verifiers may want to distinguish between signatures made with keys above and below 1024 bits. At least that way, they know that some messages have a greater possibility of being spoofed than others.
CERT recommended that system administrators replace all RSA signing keys that were less than 1024 bits in length.
It also advised users of OpenDKIM to upgrade to versions 2.6.8 or 2.7.0 or above, because those releases can be configured so that signatures are restricted automatically when their key is below a certain size. The default limit is 1024 bits.
Harris also discovered another flaw in the DKIM scheme. Domains receiving DKIM messages were accepting keys marked as tests. While the keys were clearly marked as tests, the recipient domains accepted the messages as verified instead of considering them unsigned and rejecting them.
CERT addressed that issue, too, in its vulnerability note:
“A DKIM-compliant email client, including web-based clients, should not convey any DKIM-related trust to the user about messages and testing mode,” it said.
System administrators, it added, should configure their systems to not use or allow testing mode on production servers.
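An administrator can check a domain's own DKIM key records for both problems CERT describes, an RSA key under 1024 bits and the testing flag (`t=y`). The sketch below is an added example, not code from the article, CERT or OpenDKIM; the function names and finding labels are hypothetical, and the sample records are constructed with placeholder moduli rather than real keys.

```python
import base64

def _read_tlv(buf, pos):
    """Decode one DER element; return (value_bytes, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded p= tag)."""
    spki, _ = _read_tlv(der, 0)             # outer SEQUENCE
    _, pos = _read_tlv(spki, 0)             # skip AlgorithmIdentifier
    bitstr, _ = _read_tlv(spki, pos)        # BIT STRING
    rsakey, _ = _read_tlv(bitstr, 1)        # skip unused-bits octet
    modulus, _ = _read_tlv(rsakey, 0)       # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt, min_bits=1024):
    """Findings for one DKIM key record (TXT at <selector>._domainkey.<domain>)."""
    tags = dict((k.strip(), v.strip()) for k, v in
                (part.split("=", 1) for part in txt.split(";") if "=" in part))
    findings = []
    if "y" in [f.strip() for f in tags.get("t", "").split(":")]:
        findings.append("testing-mode")     # t=y: key is flagged as a test
    p = "".join(tags.get("p", "").split())
    if tags.get("k", "rsa") == "rsa" and p:
        bits = rsa_bits(base64.b64decode(p))
        if bits < min_bits:
            findings.append(f"weak-rsa-{bits}")
    return findings

def _tlv(tag, value):  # DER encoder, used only to build the constructed samples
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_record(bits, testing=False):
    """Constructed record: the modulus is a placeholder number, not a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsakey = _tlv(0x30, _tlv(0x02, n) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsakey))
    return f"v=DKIM1; k=rsa; {'t=y; ' if testing else ''}p={base64.b64encode(spki).decode()}"

if __name__ == "__main__":
    for rec in (sample_record(512), sample_record(768, True), sample_record(2048)):
        print(audit_dkim_record(rec) or "ok")
```

A TXT record that DNS returns as several quoted strings has to be joined into one string before it is passed to `audit_dkim_record`.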