The Messaging, Malware and Mobile Anti-Abuse Working Group on Tuesday recommended that businesses replace 512- and 768-bit verification keys with keys of 1024 bits or longer, to counter a current vulnerability that allows the shorter keys to be cracked within 72 hours using cheap cloud-based services.
A Florida mathematician earlier this year discovered that well-known companies were using weak encryption keys in their DomainKeys Identified Mail (DKIM) implementations, making it easier for someone to spoof e-mail messages signed with test keys or short signing keys. The vulnerability turned out to be present at Google, Microsoft, PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC, among others.
The discovery led to a US-CERT vulnerability alert on Oct. 23.
In a brief paper titled “Best Practices for Implementing DKIM To Avoid Key Length Vulnerability,” the M3AAWG group urged enterprises to adopt the longer keys described above as well as the following:
–Rotate keys quarterly
–Set signatures to expire after the current key rotation period and revoke old keys in the DNS
–Use the key test mode only for a short time period during the initial DKIM ramp-up, and revoke the test key afterwards
–Implement DMARC (Domain-based Message Authentication, Reporting and Conformance) in monitoring mode and use DNS to monitor how frequently keys are queried
–Use DKIM rather than DomainKeys, which is a deprecated protocol
–Ensure any business partners’ third-party email service providers adhere to these same best practices
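As an added example (not code from the M3AAWG paper or from this article), the following stdlib-only Python check pulls the p= key out of a DKIM DNS TXT record, reads the RSA modulus size from the DER-encoded SubjectPublicKeyInfo, and flags keys shorter than 1024 bits, records still carrying the t=y test flag, and revoked records (empty p=, per RFC 6376). The sample records are constructed: the modulus has the right bit length but is not a real RSA key, which is all a length audit needs.

```python
import base64
import re

def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size in bits of a DER SubjectPublicKeyInfo carrying an RSAPublicKey."""
    _, spki, _ = der_read(spki_der)                     # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = der_read(spki)                          # AlgorithmIdentifier, skipped
    tag, bitstr, _ = der_read(spki, pos)                # BIT STRING (first byte = unused bits)
    assert tag == 0x03, "expected BIT STRING"
    _, rsa_pub, _ = der_read(bitstr[1:])                # RSAPublicKey SEQUENCE
    tag, modulus, _ = der_read(rsa_pub)                 # INTEGER n (may carry a leading 0x00)
    assert tag == 0x02, "expected INTEGER"
    return int.from_bytes(modulus, "big").bit_length()

def assess_dkim_record(txt, min_bits=1024):
    """Flag a DKIM TXT record whose key is shorter than min_bits or still in test mode."""
    tags = {k.strip(): re.sub(r"\s", "", v) for k, _, v in
            (f.partition("=") for f in txt.split(";")) if k.strip()}
    if not tags.get("p"):
        return ["revoked (empty p=)"]
    findings = []
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < min_bits:
        findings.append(f"weak key: {bits}-bit RSA, below {min_bits}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("test mode (t=y) still set")
    return findings or ["ok"]

def der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample key)."""
    n = len(body)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + head + body

def fake_rsa_spki(bits):
    """Constructed SPKI whose modulus has exactly `bits` bits; not a real key, enough for length checks."""
    n = (1 << (bits - 1)) | 1
    rsa_pub = der(0x30, der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")  # rsaEncryption, NULL
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))

WEAK_RECORD = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(fake_rsa_spki(512)).decode()
OK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode()
```

To audit a live selector, feed the TXT record of `<selector>._domainkey.<domain>` into `assess_dkim_record`; a record split across several quoted strings can be joined first, since the parser strips whitespace inside p=.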
“Technology is advancing, and to keep pace with hackers, the industry needs to revisit its practices in light of their expanding capabilities,” Chris Roosenraad, M3AAWG co-chairman, said in a prepared statement. “We want to get the word out on the quick changes companies can make to protect consumers and their brands against this issue.”