Defending DKIM IETF 65 Threats and Strategies Douglas Otis

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking OECD Anti-Spam Task.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis
D. CrockerIntroduction to BATV 1 MIPA Bounce Address Tag Validation (BATV) “Was use of the bounce address authorized?” D. Crocker Brandenburg InternetWorking.
DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis
STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Quick-and-dirty.  Commands end in a semi-colon ◦ If you forget, another prompt line shows up  Either continue the command or…  End it with a semi-colon.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicPresentation_ID 1 Justin Rowling – Systems Engineer Protecting your network with Network Admission.
PGP An example of Public Key Encryption software.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.
DomainKeys Identified Mail (DKIM) D. Crocker ~ bbiw.net dkim.org  Consortium spec Derived from Yahoo DomainKeys and Cisco Identified Internet Mail  IETF.
DomainKeys Identified Mail (DKIM) D. Crocker Brandenburg InternetWorking mipassoc.org/mass  Derived from Yahoo DomainKeys and Cisco.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net
Applicability Statement v1.1 Feedback: DirectTrust May 5, 2015.
DNS-based Message-Transit Authentication Techniques D. Crocker Brandenburg InternetWorking D. Crocker Brandenburg InternetWorking.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.
Erik Kangas -
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
A Trust Overlay for Operations: DKIM and Beyond Dave Crocker Brandenburg Internet Working bbiw.net Apricot / Perth 2006 Dave Crocker Brandenburg.
MASS / DKIM BOF IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass MIPA.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Bounce Address Tag Validation (BATV) D. Crocker IETF J. Levine San Diego Sam Silberman 2004 Tony Finch MASS BOF D. Crocker IETF J. Levine San Diego Sam.
1 Dr. David MacQuigg, President Open-mail.org Stopping Abuse – An Engineer’s Perspective University of Arizona ECE 596c August 2006.
IETF 65, Dallas, TX1 Introduction to SSP Jim Fenton 22 March 2006.
SPF/Sender-ID DNS & DDoS Threats Operations Analysis and Research Center for the Internet Douglas Otis November 3, 2007
Module 4 Network & Application Security: Kerberos – X509 Authentication service – IP security Architecture – Secure socket layer – Electronic mail security.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
SPF/Sender-ID DNS & DDoS Threats Internet Security Operations and Intelligence II Douglas Otis
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Rfc4474bis-01 IETF 90 (Toronto) STIR WG Jon. First principles (yet again) Separating the work into two buckets: 1) Signaling – What fields are signed,
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
MuGM IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Use of certificates as a base security level for securing PoS/MN multicast communication.
S/MIME (Secure/Multipurpose Internet Mail Extensions) security enhancement to MIME – original Internet RFC822 was text only – MIME provided.
X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.
Sender policy framework. Note: is a good reference source for SPFhttp://
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
Role Of Network IDS in Network Perimeter Defense.
DKIM Policy Proposals. 3 Proposals ‘A La Carte’ Discovery Mechanism RISC Policy Description –Its (almost) all in the Key Records RISC Policy Description.
Authentication Presenter Meteor Advisory Team Member Version 1.1.
Naming in Content-Oriented Architectures 1. select produce Data publishing RWINameKey Data own certify 2.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
ADDRESS INTERNATIONALIZATION ( EAI ) ICANN-55 Mar 06, 2016 TF-AIDN Member 35+ Min : 10- Min ( Q & A )
CONTENT MANAGEMENT SYSTEM CSIR-NISCAIR, New Delhi
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
RFC Verifier Behavior Step 4: Check the Freshness of Date
MASS BOF IETF63, Paris 4 August 2005
Presentation transcript:

Defending DKIM IETF 65 Threats and Strategies Douglas Otis

2 Trust Still at Risk with Base DKIM Resource Intensive Assessments! Not all Users are Secure and Trustworthy! Message Replay Abuse! Denial of Service Attack! Weak Visible Recognition of -Address!

3 Ascribing Bad Signers Limited to Message Content –Malware –Misleading Links –Misleading Information –Invalid Encompassed Header Fields Evaluation is Resource Intensive Undesired Messages Ignored

4 Reducing Resource Expenditures Use of Sub-Domains Adds Confusion Any Message Source Might Impact Trust Key Group Tags Can: –Indicate Unvetted Sources –Reduce Evaluation Costs –Retain Signing Domain Trust –Condition Message Level Precautions

5 Safe Recipient Assurances Message Annotation Can Overcome: –RFC 2047, Unicode Repertoires –Unverified Display-Names –Confusing DNS Hierarchy –Visually Similar Characters or Ideograms –Non-Allied -Addresses –Lack of -Policy Annotation May Note Allied -Addresses

6 The Battle of the Zombies Zombies are a Primary Delivery Vehicle Rate Restrictions Countered with Replay Key Revocation is Not Practical Opaque-ID Convention for Reporting Self Opaque-ID Block-Listing for Scaling

7 DKIM Denial Of Service Attack EHLO Verification for Immediate Acceptance Signer Association with EHLO via PTR _oa._smtp. PTR isp.net. *. _dkim._smtp. PTR isp.net. ads.com. _dkim._smtp. PTR. “*.” Open-ended, “.” Empty & Closed-ended

8 Third-Party Signature Association Not describing the EHLO path has less value but... Does -address domain permit Third-Party Signers?(Rather than SSP yes/no assertion.) _tps._smtp.. PTR.. “*.”

9 Limited Signature Roles Limit DoS Attack Signature field w= b:(Role+Binding) Key field w= Cached binding checked before conflict rejection:._dkim-group. A (binding) ✓ Group name conventions: admin: (restricted access) user: (general access) guest: (unrestricted access) list: (list) auto: (auto-response) info: (promotional or general status information) test: (for test only) void: (no longer a valid group)

10 Signing Roles & Exclusivity Assertions Signature Parameter 'w=' Source of Signatures using two characters For example, Sig Header: w=Sb SsMmDd/bn –(S) MSA Primary (Default) –(s) MSA Secondary –(M) Mediator Primary –(m) Mediator Secondary –(D) MDA Primary –(d) MDA Secondary Exclusivity Assertions (binding): –(b) Domain Always Signed (broad) –(n) -Address Always Signed (narrow)

11 Opaque-ID Opaque-Identifier (persistent/sequential) Signature field u= - -._dkim-revoke. A

12 Checks to Avoid DoS Attack If EHLO does not verify → Delay Acceptance (wl) If EHLO != DKIM-Domain → Check EHLO Association _dkim._smtp. PTR for EHLO parent If No EHLO Association → Delay Acceptance (wl) If Delayed Acceptance Check for OID Revocation._dkim-revoke. for record If OID Revocation Record → Reject Message

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.