Home page logo

basics logo Security Basics mailing list archives

Re: Digital signature to e-mail.
From: Thom O'Connor <thom () communigate com>
Date: Fri, 03 Jun 2005 12:26:45 -0700

Roberto Alcantara <roberto () fortalnet com br>

How it works:

Setup: Each protected e-mail (user () domain) have one public and
private key are stored in server side. Public key is stored in
user.userkeys.domain in TXT DNS record (RFC1035). User names
with dot will have some extra characters to fix url. Private
key is stored in secure local database (User Key Database,
UKD), with username/mail from/private key. Each client have
one password to access your SMTP account (SMTP Authentication,

User-based DNS public keys have certainly been discussed previously.

One major flaw is that now you've placed a list of some/all of your valid users into a publicly available database. Spammers can simply query DNS records in a "dictionary" style attack in order get a list of your valid users.

In order to do this safely, your DNS server would have to provide a key for every user-type DNS TXT query, even if the user did not really exist. This "fake" response would allow for the DNS server to always respond positively to the request. In addition, your DNS server would then have to remember which fake users it had previously provided public keys for, so that it could again give the same response the next time (otherwise, you've again revealed information by providing a different key for successive queries for the same user). Lastly, you would then have to share this fake-user database across multiple DNS servers, again to be consistent in response.

So yes, while it would be convenient to have a publicly available key server for automatic signing and even encryption, there are risks (and those risks increase when the key server in use (DNS-based or otherwise) represents a relatively small and known set of domains).



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]