Internet Engineering Task Force                         S. Nurpmeso, Ed.
Internet-Draft                                            4 October 2024
Updates: 6376 (if approved)                                             
Intended status: Informational                                          
Expires: 7 April 2025


                     DKIM Hash Algorithm Adaptivity
                 draft-nurpmeso-dkim-hash-adaptivity-00

Abstract

   DKIM (RFC 6376, section 3.7) defines how "data-hash" is generated as
   input to a RSA (RFC 8017) "sig-alg".  Modern signature algorithms
   (for example EdDSA, RFC 8032) include extensive data hashing as part
   of the signing process.  This memo allows DKIM signing algorithm
   "data-hash" adaptivity, taking advantage of algorithm progress and
   digital signature API reality.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 April 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.











Nurpmeso                  Expires 7 April 2025                  [Page 1]

Internet-Draft       DKIM Hash Algorithm Adaptivity         October 2024


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Algorithm Adaptivity  . . . . . . . . . . . . . . . . . . . .   3
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     5.1.  Informative References  . . . . . . . . . . . . . . . . .   3
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   In section 3.7 DKIM[RFC6376] specifies the algorithm how "Computing
   the Message Hashes" for IMF[RFC5322] messages has to be performed,
   and notes that real life digital signature APIs often combine hashing
   and signing into a single call that performs both, "hash-alg" and
   "sig-alg".  Different to the RSA[RFC8017] algorithm solely supported
   by DKIM at the time of creation, modern algorithms like for example
   EdDSA[RFC8032] include extensive data hashing as part of digital
   signature creation.

   |  INFORMATIVE NOTE: EdDSA was adapted to DKIM as
   |  Ed25519-SHA256[RFC8463] in 2018, but has not gained much traction
   |  in the six years since its introduction.  A survey of DKIM
   |  implementations revealed necessity for error prone extra code
   |  paths to implement it with existing APIs.

   In its current form DKIM defines the generated "data-hash" as the
   sole input of "sig-alg".  But modern signing algorithms then perform
   "prehashing", applying hashing to the "data-hash".  With the
   mentioned Ed25519-SHA256, for example, a 64-byte SHA-256 input is
   prehashed with SHA-512 to a 128-byte output.  The conclusion is that
   currently the standard complicates implementations, fosters data
   processing redundancy, and potentially weakens security attributes of
   algorithms by feeding in only data subsets, prefiltered by
   potentially weak(er) algorithms.






Nurpmeso                  Expires 7 April 2025                  [Page 2]

Internet-Draft       DKIM Hash Algorithm Adaptivity         October 2024


2.  Algorithm Adaptivity

   The computation described in DKIM[RFC6376] section 3.7 is modified so
   that the described input to "sig-alg", the "data-hash", can adapt to
   standardized algorithms as appropriate.  If an algorithm chooses
   adaption, "hash-alg" is only used to produce the "body-hash", whereas
   the input formerly used to create the "data-hash" is fed into "sig-
   alg" instead of to "hash-alg".  More formally, the new pseudo-code
   for the signature algorithm is:

   body-hash = hash-alg (canon-body, l-param)
   data-hash = hash-alg (h-headers, D-SIG, body-hash)
   signature = sig-alg (d-domain, selector,
                        data-hash / (h-headers, D-SIG, body-hash))

3.  IANA Considerations

   This memo includes no request to IANA.

4.  Security Considerations

   This specification should reduce implementation burden and
   complexity, aids hash hardening of affected algorithms to a certain
   extend, and potentially increases, dependent upon algorithm, data
   volume and API optimization efforts, processing performance.

5.  References

5.1.  Informative References

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <https://www.rfc-editor.org/info/rfc5322>.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <https://www.rfc-editor.org/info/rfc6376>.

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016,
              <https://www.rfc-editor.org/info/rfc8017>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.



Nurpmeso                  Expires 7 April 2025                  [Page 3]

Internet-Draft       DKIM Hash Algorithm Adaptivity         October 2024


   [RFC8463]  Levine, J., "A New Cryptographic Signature Method for
              DomainKeys Identified Mail (DKIM)", RFC 8463,
              DOI 10.17487/RFC8463, September 2018,
              <https://www.rfc-editor.org/info/rfc8463>.

Author's Address

   Steffen Nurpmeso (editor)
   Email: steffen@sdaoden.eu










































Nurpmeso                  Expires 7 April 2025                  [Page 4]