Internet-Draft DKIM Hash Algorithm Adaptivity October 2024
Nurpmeso Expires 7 April 2025 [Page]
Workgroup:
Internet Engineering Task Force
Internet-Draft:
draft-nurpmeso-dkim-hash-adaptivity-00
Updates:
6376 (if approved)
Published:
Intended Status:
Informational
Expires:
Author:
S. Nurpmeso, Ed.

DKIM Hash Algorithm Adaptivity

Abstract

DKIM (RFC 6376, section 3.7) defines how "data-hash" is generated as input to a RSA (RFC 8017) "sig-alg". Modern signature algorithms (for example EdDSA, RFC 8032) include extensive data hashing as part of the signing process. This memo allows DKIM signing algorithm "data-hash" adaptivity, taking advantage of algorithm progress and digital signature API reality.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 April 2025.

Table of Contents

1. Introduction

In section 3.7 DKIM[RFC6376] specifies the algorithm how "Computing the Message Hashes" for IMF[RFC5322] messages has to be performed, and notes that real life digital signature APIs often combine hashing and signing into a single call that performs both, "hash-alg" and "sig-alg". Different to the RSA[RFC8017] algorithm solely supported by DKIM at the time of creation, modern algorithms like for example EdDSA[RFC8032] include extensive data hashing as part of digital signature creation.

INFORMATIVE NOTE: EdDSA was adapted to DKIM as Ed25519-SHA256[RFC8463] in 2018, but has not gained much traction in the six years since its introduction. A survey of DKIM implementations revealed necessity for error prone extra code paths to implement it with existing APIs.

In its current form DKIM defines the generated "data-hash" as the sole input of "sig-alg". But modern signing algorithms then perform "prehashing", applying hashing to the "data-hash". With the mentioned Ed25519-SHA256, for example, a 64-byte SHA-256 input is prehashed with SHA-512 to a 128-byte output. The conclusion is that currently the standard complicates implementations, fosters data processing redundancy, and potentially weakens security attributes of algorithms by feeding in only data subsets, prefiltered by potentially weak(er) algorithms.

2. Algorithm Adaptivity

The computation described in DKIM[RFC6376] section 3.7 is modified so that the described input to "sig-alg", the "data-hash", can adapt to standardized algorithms as appropriate. If an algorithm chooses adaption, "hash-alg" is only used to produce the "body-hash", whereas the input formerly used to create the "data-hash" is fed into "sig-alg" instead of to "hash-alg". More formally, the new pseudo-code for the signature algorithm is:

body-hash = hash-alg (canon-body, l-param)
data-hash = hash-alg (h-headers, D-SIG, body-hash)
signature = sig-alg (d-domain, selector,
                     data-hash / (h-headers, D-SIG, body-hash))

3. IANA Considerations

This memo includes no request to IANA.

4. Security Considerations

This specification should reduce implementation burden and complexity, aids hash hardening of affected algorithms to a certain extend, and potentially increases, dependent upon algorithm, data volume and API optimization efforts, processing performance.

5. References

5.1. Informative References

[RFC5322]
Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, , <https://www.rfc-editor.org/info/rfc5322>.
[RFC6376]
Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, , <https://www.rfc-editor.org/info/rfc6376>.
[RFC8017]
Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, , <https://www.rfc-editor.org/info/rfc8017>.
[RFC8032]
Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, , <https://www.rfc-editor.org/info/rfc8032>.
[RFC8463]
Levine, J., "A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM)", RFC 8463, DOI 10.17487/RFC8463, , <https://www.rfc-editor.org/info/rfc8463>.

Author's Address

Steffen Nurpmeso (editor)