Presentation is loading. Please wait.

Presentation is loading. Please wait.

Defending DKIM IETF 65 Threats and Strategies Douglas Otis

Published byJonas Grant Modified over 8 years ago

Similar presentations

Presentation on theme: "Defending DKIM IETF 65 Threats and Strategies Douglas Otis"— Presentation transcript:

1 Defending DKIM IETF 65 Threats and Strategies Douglas Otis Doug_Otis@trendmicro.com http://www.ietf.org/internet-drafts/draft-otis-dkim-options-00.txt

2 2 Trust Still at Risk with Base DKIM Resource Intensive Assessments! Not all Users are Secure and Trustworthy! Message Replay Abuse! Denial of Service Attack! Weak Visible Recognition of Email-Address!

3 3 Ascribing Bad Signers Limited to Message Content –Malware –Misleading Links –Misleading Information –Invalid Encompassed Header Fields Evaluation is Resource Intensive Undesired Messages Ignored

4 4 Reducing Resource Expenditures Use of Sub-Domains Adds Confusion Any Message Source Might Impact Trust Key Group Tags Can: –Indicate Unvetted Sources –Reduce Evaluation Costs –Retain Signing Domain Trust –Condition Message Level Precautions

5 5 Safe Recipient Assurances Message Annotation Can Overcome: –RFC 2047, 3490-3492 Unicode Repertoires –Unverified Display-Names –Confusing DNS Hierarchy –Visually Similar Characters or Ideograms –Non-Allied Email-Addresses –Lack of Email-Policy Annotation May Note Allied Email-Addresses

6 6 The Battle of the Zombies Zombies are a Primary Delivery Vehicle Rate Restrictions Countered with Replay Key Revocation is Not Practical Opaque-ID Convention for Reporting Self Opaque-ID Block-Listing for Scaling

7 7 DKIM Denial Of Service Attack EHLO Verification for Immediate Acceptance Signer Association with EHLO via PTR _oa._smtp. PTR isp.net. *. _dkim._smtp. PTR isp.net. ads.com. _dkim._smtp. PTR. “*.” Open-ended, “.” Empty & Closed-ended

8 8 Third-Party Signature Association Not describing the EHLO path has less value but... Does email-address domain permit Third-Party Signers?(Rather than SSP yes/no assertion.) _tps._smtp.. PTR.. “*.”

9 9 Limited Signature Roles Limit DoS Attack Signature field w= b:(Role+Binding) Key field w= Cached binding checked before conflict rejection:._dkim-group. A 127.0.0.2 (binding) ✓ Group name conventions: admin: (restricted access) user: (general access) guest: (unrestricted access) list: (list) auto: (auto-response) info: (promotional or general status information) test: (for test only) void: (no longer a valid group)

10 10 Signing Roles & Exclusivity Assertions Signature Parameter 'w=' Source of Signatures using two characters For example, Sig Header: w=Sb SsMmDd/bn –(S) MSA Primary (Default) –(s) MSA Secondary –(M) Mediator Primary –(m) Mediator Secondary –(D) MDA Primary –(d) MDA Secondary Exclusivity Assertions (binding): –(b) Domain Always Signed (broad) –(n) Email-Address Always Signed (narrow)

11 11 Opaque-ID Opaque-Identifier (persistent/sequential) Signature field u= - -._dkim-revoke. A 127.0.0.2

12 12 Checks to Avoid DoS Attack If EHLO does not verify → Delay Acceptance (wl) If EHLO != DKIM-Domain → Check EHLO Association _dkim._smtp. PTR for EHLO parent If No EHLO Association → Delay Acceptance (wl) If Delayed Acceptance Check for OID Revocation._dkim-revoke. for record If OID Revocation Record → Reject Message

Download ppt "Defending DKIM IETF 65 Threats and Strategies Douglas Otis"

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?

Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking OECD Anti-Spam Task.

How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking OECD Anti-Spam Task.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.

© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis

DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis
D. CrockerIntroduction to BATV 1 MIPA Bounce Address Tag Validation (BATV) “Was use of the bounce address authorized?” D. Crocker Brandenburg InternetWorking.

D. CrockerIntroduction to BATV 1 MIPA Bounce Address Tag Validation (BATV) “Was use of the bounce address authorized?” D. Crocker Brandenburg InternetWorking.
DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis

DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis
STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.

STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.

DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

Similar presentations

Ads by Google