Emails: Experts smuggle in forgeries using cracked DKIM keys
With little effort, the security experts got three providers to accept a fake email. Admins should check their mail setup.
- Carsten Strotmann
The security criteria for cryptographic keys change from time to time. One example is DKIM keys for signing mail headers: A study tested the DKIM information of more than 400,000 of the most popular domains and found that many of these domains used insecure key sizes. The researchers then used a cracked DKIM key to inject fake emails.
DKIM (DomainKeys Identified Mail) is a technology that digitally signs the headers, i.e., meta information, of emails when they are sent. The sender's mail server signs the headers using a private key, while the recipient's counterpart checks the signatures using the corresponding public key. Public keys of a mail server are stored in the DNS (Domain Name System) and can therefore be easily retrieved. When implemented correctly, DKIM helps to detect forged emails, such as those used in phishing attacks.
However, this only works if attackers cannot obtain the private key of a domain. If they could, they would be able to issue a valid DKIM signature for any email, including a forged one. The results of the test show that badly chosen keys can undermine DKIM security.
In mid-2024, the security researchers checked the email security of one million of the most popular domains on the internet. They were able to identify a DKIM record for just over 475,000 domains; almost all of the keys were RSA keys. Almost half of the DKIM keys examined had a size of 1024 bits or less, as Andreas Wulf and his team discovered.
At the end of 2024, the researchers cracked a 512-bit RSA key on a rented cloud server (costing around 8 euros) and then used this key to send an email with a forged sender via major mail platforms. Although emails with DKIM signatures of such a short key length should no longer be accepted since 2018, three providers (Yahoo, Tuta and Mailfence) delivered the fake test email to the recipient.
Replace short DKIM keys quickly
The test shows that RSA keys with a length of 384, 512 or 768 bits can be cracked with little effort. But even 1024-bit DKIM keys are no longer “state of the art”, although they are often still accepted for reasons of compatibility.
Mail administrators have had ample time to update: the new requirement for key lengths appeared back in 2018, the same year RFC8436 introduced elliptic-curve Ed25519 keys as an alternative to RSA for DKIM signatures.
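As an added example that is not part of the article, the following Python audits a DKIM TXT record the way an administrator might when checking the setup: it parses the tag=value record, decodes the p= public key, reads the RSA modulus size out of the DER structure with the standard library alone, and classifies it against the thresholds above (below 1024 bits: reject; 1024 bits: upgrade). The record data is constructed inline from a placeholder modulus, so no DNS lookup is made and no real key is involved.

```python
import base64
# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1 with NULL parameters)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def _tlv(buf, pos):  # read one DER tag-length-value; return (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, body):  # wrap body in a DER TLV, long-form length above 127 bytes
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_rsa_spki(n, e=65537):
    """Encode (n, e) as the SPKI a DKIM p= tag carries; each INTEGER gets a spare byte to stay positive."""
    ints = b"".join(_der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big")) for x in (n, e))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + _der(0x30, ints)))

def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict, dropping whitespace inside values."""
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def rsa_modulus_bits(spki):
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus bit length."""
    _, seq, _ = _tlv(spki, 0)
    _, alg, pos = _tlv(seq, 0)
    if alg != RSA_ALG_ID[2:]:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _tlv(seq, pos)
    _, rsa_key, _ = _tlv(bitstr[1:], 0)  # skip the unused-bits byte
    _, modulus, _ = _tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()

def assess_dkim_key(txt):
    """Return (key_type, bits, verdict): reject below 1024 bits, upgrade at 1024, ok above."""
    tags = parse_dkim_record(txt)
    ktype = tags.get("k", "rsa")  # RFC 6376: k= defaults to rsa
    if not tags.get("p"):
        return ktype, 0, "revoked"  # an empty p= revokes the selector
    if ktype == "ed25519":
        return ktype, 256, "ok"
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return ktype, bits, "reject" if bits < 1024 else "upgrade" if bits == 1024 else "ok"
def sample_record(size):  # constructed record: placeholder modulus, only its bit size matters
    return f"v=DKIM1; k=rsa; p={base64.b64encode(build_rsa_spki((1 << (size - 1)) | 1)).decode()}"
```

To audit a live selector, feed the TXT data of `<selector>._domainkey.<domain>` to `assess_dkim_key` instead of `sample_record`; long records are often split into several quoted strings, which is why the parser strips whitespace inside the p= value.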
Even if we may not notice it as much as we did 20 years ago, our computers are still getting faster. Computing power that makes new fields of application such as AI possible in the first place can be dangerous for outdated crypto configurations. Decisions that were still secure two decades ago are no longer so today. Key sizes, algorithms, and configurations should be reviewed every one to two years and updated if necessary. Not only for DKIM.
(olb)