
DKIM signatures security risk! - New sets of 2048-bit keys will be sent to you for best protection

Recently, US-CERT published a note about a weakness in DKIM keys that are shorter than 1024 bits (reference).

This weakness allows a low-cost attack to deduce a private key with very little effort: as an example, Google’s private DKIM key was discovered in only 72 hours using Amazon’s cloud computing services, for a total cost of $75!

In response, it is now recommended to only use keys that are 1024 bits or stronger, and most DKIM validation services are rolling out updates that will ignore any DKIM signature made with a 512 or 768 bit key.

INTELLIGENT EMAILS, REP Solution, along with most entities like Google that have to sign a very high volume of messages, originally generated 512-bit keys for its customers when setting up accounts. If you use DKIM signatures and your keys are of insufficient length, you will be contacted shortly by our service team. A new set of 2048-bit keys will be generated, and the public part of those keys will be sent to you to be added to your DNS servers.

Once these keys are published, INTELLIGENT EMAILS and REP Solution’s server will start signing messages using the new keys.

As a complement, the official DNS specification says that one TXT record can be as long as 65535 characters!

3 Comments

  • Vyacheslav KONOVALOV

    Can we have a reference, please.

    The link is not clickable.

    Thanks.

  • Ofsys Master

    “A mathematician recently cracked Google’s weak 512-bit DKIM key and impersonated founders Sergey Brin and Larry Page via email. A recent Wired.com article relating the story started a rush in the email industry to create new DKIM keys stronger than 512-bits. Google is taking this security issue seriously by requiring all senders to sign with a 1024-bit DKIM key. The first phase includes failing anything signed with a 512-bit key or less. A 768-bit key will be accepted for the next few weeks. Google also announced that they will begin emailing postmaster aliases of domains found using weak keys as early as this week.”

  • Vyacheslav KONOVALOV

    For further information, please see http://www.kb.cert.org/vuls/id/268267
