What you will learn from this chapter excerpt: How DomainKeys authenticate e-mail and can help your organization avoid phishing.
In 2004, Yahoo! started signing all its outgoing e-mail with DomainKeys headers, and EarthLink is testing DomainKeys prior to deployment. DomainKeys is a Yahoo!-proposed system for verifying the domain of an e-mail sender. DomainKeys prevents forged e-mails from claiming to be from a domain it's not.
DomainKeys is an attempt to give e-mail providers a mechanism for verifying both the domain of the e-mail sender and the integrity of the messages sent. Once the domain can be verified, it can be compared to the domain used by the sender in the From: field of the message, to detect forgeries.
DomainKeys uses public key encryption technology at the domain level to verify the sender of e-mail messages. If it's a forgery, it can be dropped without impact to the user. If it's valid, the domain is known, so a persistent reputation profile can be established for that sending domain that can be tied into antispam policy systems, shared between service providers, and even exposed to the user.
Sending Domain-key e-mail: DomainKeys begins by performing a secure hash of the contents of a mail message using the SHA-1 algorithm, encrypting
the result using a private key with the RSA algorithm and then encoding the encrypted data using Base 64.
The resulting string is then added to the e-mail as the first SMTP header field with the key Domain-keys:, thereby adding a digital signature to the e-mail. It doesn't encrypt the actual message; it just adds a digital signature to the header.
Asymmetric (public) key encryption
Asymmetric (public) key encryption is a cryptographic system that employs two keys: a public key and a private key. The public key is made available to anyone wishing to send an encrypted message to an individual holding the corresponding private key of the public/private key pair. Any message encrypted with one of these keys can be decrypted with the other. The private key is always kept private. It should not be possible to derive the private key from the public key.
The sending process is as follows:
- Setup: The owner of the e-mail-sending domain first generates a public/ private key pair to digitally sign all outbound e-mail. The private key is distributed to outbound e-mail servers and the public key is made available.
- Signing: After an e-mail is created, the server uses the stored private key to generate the digital signature, which is attached as an e-mail header and sent.
Receiving Domain-Key e-mail: The receiving server uses the name of the domain from which the mail originated to perform a DNS lookup, getting that domain's public key. The receiver then decrypts the hash value in the header field and recalculates the hash value for the mail body that was received. If the two values match, this proves to a very high degree of confidence that the mail did in fact originate at the purported domain and has not been tampered with in transit.
One advantage of using DomainKeys is that it doesn't require the cumbersome signing of the public key by a certificate authority (CA). DomainKeys allows for multiple public keys to be published in DNS at the same time, thereby allowing companies to use different key pairs for the various mail servers they run. It's also easy to revoke, replace or expire keys at a company's convenience, permitting the domain owner to revoke a public key and shift to a new key pair at any time.
Yahoo hopes that DomainKeys will help stop spam by:
- Allowing receiving companies to drop or quarantine unsigned e-mail that comes from domains known to always sign their e-mails with DomainKeys.
- Allowing e-mail service providers to begin to build reputation databases that can be shared with the community and applied to spam policy.
- Allowing server-level traceability by eliminating forged From: addresses.
- Allowing abusive domain owners to be tracked more easily. Spammers will be forced to only spam companies that aren't using verification solutions.
The absence of a verifiable digital signature header in an e-mail claiming to be from a domain that has a DomainKeys DNS record is likely to be seen as proof that the e-mail is a forgery.
DomainKeys is expected to help fight phishing by positively identifying the e-mail's originating domain and identifying forged e-mails more quickly. In addition, the DomainKeys domain owner may realize a big reduction in e-mail abuse complaints. DomainKeys has been designed to be compatible with most of the proposed extensions to e-mail.
The following issues may crop up with DomainKeys, however:
- Spoofing: If the key-pair authentication is somehow spoofed, the e-mail easily bypasses the filters. A second level of filtering is still required.
- Forwarding: Mail is often forwarded by various servers outside the control of the sending party. If the message is modified by a server in transit, the digital signature will no longer be valid and the e-mail will be rejected.
- Overhead: Older, slower mail servers may have a problem with the computational overhead added by generating the cryptographic checksums. This really isn't much of a problem, though, because it's probably only around 10%.
The Sender Policy Framework (SPF)
Cisco Identified Internet Mail
| PHISHING: CUTTING THE
IDENTITY THEFT LINE
By Rachael Lininger and Russel Dean Vines
334 pages; $29.99
John Wiley & Sons
Read Chapter 6, Helping your organization avoid phishing
This was first published in May 2005