Email Security

Industry Group Offers Advice On DKIM Verification Keys

After several major organizations were found to be using shorter-than-recommended encryption keys to authenticate their messages, an industry group recommended organizations replace keys immediately.

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) has recommended that organizations using DomainKeys Identified Mail (DKIM) verification keys replace 512-bit and 718-bit encryption keys with keys of 1024 bits or longer, which are harder for attackers to crack. Organizations that use DKIM verification keys were urged to replace all keys shorter than the recommended 1024 bits, M3AAWG wrote in “Best Practices for Implementing DKIM To Avoid Key Length Vulnerability.”

As SecurityWeek reported last month, a researcher discovered that Google, Yahoo, Twitter, Amazon, eBay, Microsoft, and other tech giants were using keys shorter than the recommended 1024 bits. Some, such as Yahoo, Twitter, and Amazon, were using 512-bit keys, while HSBC, LinkedIn, and PayPal were using 768-bit keys.

The finding prompted US-CERT to issue a warning to organizations using DKIM to harden their keys and configure production servers to not use, or allow, testing mode, to prevent domain name spoofing.

“Technology is advancing, and to keep pace with hackers, the industry needs to revisit its practices in light of their expanding capabilities,” Chris Roosenraad, co-chairman of M3AAWG, said in a statement.

DKIM was originally developed as a mechanism for domains to sign messages sent from authorized servers so that receiving domains could verify the messages were sent legitimately. The signature attached to a message is computed over a cryptographic hash of the message, using the SHA-256 hash and the RSA public-key scheme, so the message cannot be altered undetected while going from one server to another. This means criminals have a harder time crafting messages that look as if they were sent by a legitimate company.

Organizations are at risk with short keys because the cheap availability of high-speed computing resources means attackers increasingly have the means to crack sensitive encryption keys. These shorter keys can be cracked fairly cheaply using dedicated servers available through Amazon Web Services, for example. Shorter keys can be cracked in 72 hours using “inexpensive” cloud services, according to M3AAWG.

Organizations should also rotate keys quarterly, set signatures to expire after the key rotation period, and revoke old keys in the Domain Name System records, M3AAWG wrote in the paper. Even if the company issues new keys, if the older, shorter, more vulnerable DKIM key is still listed in the domain’s DNS record, an attacker can still exploit that weaker key to send email. Organizations have to remove the weaker key entirely from DNS to fight domain spoofing.

This is a big problem for organizations that outsource some, if not all, of their email communications to third-party email service providers. Organizations have to ensure the providers are also revoking the too-short keys and removing the older keys from DNS to prevent spoofing attempts.

Organizations that are still using DomainKeys should switch to the newer DKIM protocol. Test mode should be used only for a short time period, only during the initial ramp-up to using DKIM, and the test key should be revoked, M3AAWG said.
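The checks described above (key length, revoked keys and test mode) can be run against the DKIM TXT records a domain publishes. The following is an added example, not code from M3AAWG or the original article: it assumes RSA keys, the finding labels and function names are illustrative, and `sample_record` builds constructed records whose moduli have the right size but are not real keys.

```python
import base64
MIN_BITS = 1024  # minimum RSA key length recommended in the article

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    _, spki, _ = _tlv(spki_der, 0)       # outer SEQUENCE
    _, _, pos = _tlv(spki, 0)            # AlgorithmIdentifier, skipped
    _, bitstr, _ = _tlv(spki, pos)       # BIT STRING wrapping the key
    _, rsa_key, _ = _tlv(bitstr[1:], 0)  # drop unused-bits byte, open RSAPublicKey
    _, modulus, _ = _tlv(rsa_key, 0)     # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt):
    """Return findings for one DKIM key record (the TXT value at selector._domainkey)."""
    parts = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in parts}
    key = "".join(tags.get("p", "").split())
    if not key:                          # empty p= marks a revoked key
        return ["revoked"]
    findings = []
    try:
        bits = rsa_modulus_bits(base64.b64decode(key))
        if bits < MIN_BITS:
            findings.append(f"weak-key:{bits}")
    except (ValueError, IndexError):     # bad base64 or truncated DER
        findings.append("unparseable-key")
    if "y" in tags.get("t", "").split(":"):  # t=y: domain is testing DKIM
        findings.append("testing-mode")
    return findings or ["ok"]

def _der(tag, body):
    """Encode one DER TLV (used only to construct sample records)."""
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def sample_record(bits, flags=""):
    """Constructed test record: modulus has the right size but is NOT a real RSA key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps INTEGER positive
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return f"v=DKIM1; k=rsa; {flags}p=" + base64.b64encode(spki).decode()
```

Run `audit_dkim_record` over every selector still published for a domain, including those managed by third-party senders, since an old short key left in DNS remains usable for spoofing.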

The paper “explains the relatively simple and immediate steps large-scale senders can take to safeguard their brands in response to recent concerns about some levels of key encryption and usage,” Roosenraad said.

M3AAWG also recommended implementing Domain-based Message Authentication, Reporting and Conformance (DMARC) in monitoring mode and using DNS to monitor how frequently the keys are being queried. The DMARC standard provides organizations with policy management and reporting capabilities for DKIM. Mail recipients don’t currently have a reliable way to know how the mail sender is using SPF and DKIM to authenticate their servers. DMARC addresses that gap so that organizations can distinguish legitimate unauthenticated messages from fraudulent or malicious ones. Domain owners can also request that all illegitimate messages be rejected outright under DMARC.
