3

I recently noticed that opendkim on my mail server is objecting to DKIM signatures from a client, saying their key is insecure. It may be that that's due to lack of secure DNS (confirmation?) but I also noticed that the signing algorithm is shown as a=rsa-sha1, and with the move to Deprecate SHA-1 in other contexts, I'm wondering how urgent this is for DKIM?

It is now feasible to brute-force SHA-1 hashes. Am I correct in thinking that this would need to be done for each message an attacker wished to forge the signature for, without being able to re-use that work for the next message?

mc0e
  • There is an answer in mc0e's crosspost on http://crypto.stackexchange.com/questions/19278/deprecation-of-rsa-sha-1-in-dkim-keys – Mitja Jun 20 '15 at 11:10
  • @Mitja It's interesting that that identical cross-post doesn't get picked up and displayed in the 'related' posts down the side of this page (at least not for me). I wonder how that algorithm works. – mc0e Jun 21 '15 at 19:08
  • The problem here is that 'Related' only shows questions from serverfault. Sadly, there is no 'Related Network Questions' category on the side at this time. – Mitja Jun 22 '15 at 09:22

1 Answer

1

Yes, as of January 2018, SHA-1 is deprecated as per RFC 8301. From the perspective of server administration of DKIM signing keys, the RFC will take precedence because the receiving server will fail the authentication test when signed with SHA-1, and is expected to do so regardless of actual computational threat level.

Paul
  • I'm not sure whether this counts as a correct answer given that it's based on stuff that didn't exist till years after the question was asked, but perhaps it's useful for posterity. Change it to reflect that and I'll mark it as correct. – mc0e Dec 14 '21 at 11:44
  • IIRC, I was going through [tag:dkim] and noticed this question with zero answers, so I answered without respect to any dates. – Paul Dec 14 '21 at 12:32
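
To find which senders still sign with the algorithm discussed above, the `a=` tag of every DKIM-Signature header can be audited on received mail. The following is an added example, not code from the answer or from opendkim; the sample message, the `.example` domains and the function names are constructed for illustration, and the accepted set assumes rsa-sha256 (RFC 8301) and ed25519-sha256 (RFC 8463).

```python
import email
from email import policy

# Constructed sample message (not from the original page): two DKIM-Signature
# headers, one folded with a tab, with placeholder bh=/b= values.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=client.example;\r\n"
    "\ts=mail; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=relay.example; s=k1;\r\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: sender@client.example\r\n"
    "To: postmaster@mx.example\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

# Assumption: algorithms treated as acceptable (RFC 8301 and RFC 8463).
ACCEPTED = {"rsa-sha256", "ed25519-sha256"}


def parse_tags(value):
    """Split a DKIM tag-list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def audit_dkim(raw_message):
    """Return one (d=, s=, a=, verdict) tuple per DKIM-Signature header."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(header))
        algo = tags.get("a", "")
        if algo == "rsa-sha1":
            verdict = "fail: rsa-sha1 is forbidden by RFC 8301"
        elif algo in ACCEPTED:
            verdict = "ok"
        else:
            verdict = "unknown or missing a= tag"
        results.append((tags.get("d"), tags.get("s"), algo, verdict))
    return results


if __name__ == "__main__":
    for row in audit_dkim(SAMPLE):
        print(row)
```

This only reads the declared algorithm; it does not verify the signature or look up the key in DNS.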