A 512-bit RSA key can be cracked in a few hours for a cost of about 1000 yen.
'DKIM' is a mechanism for preventing email spoofing and proving that an email really came from its claimed sender, but engineer Andreas Wolf explains that if the RSA key used for the DKIM signature is short, it can easily be cracked.
How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud
https://dmarcchecker.app/articles/crack-512-bit-dkim-rsa-key
The following article explains mechanisms for preventing email spoofing and tampering, such as DKIM.
What are 'SPF', 'DKIM' and 'DMARC' necessary to send email correctly? - GIGAZINE
Wolf surveyed the top 1 million websites and found that over 1,700 sites were using RSA keys shorter than 1024 bits. He decided to crack the key of one of them, redfin.com. redfin.com had a 512-bit RSA key, as shown below:
The key is encoded in Base64, so Wolf decodes it to obtain the public key's modulus and exponent. In RSA, the modulus (the number beginning '1070958 ... 98119') is the product of two primes, and recovering those two prime factors is enough to reconstruct the private key.
Wolf used a cloud service to run the open source prime factorization tool 'CADO-NFS' against the modulus. The factorization took about 86 hours on an AMD EPYC 7003 machine with 8 vCPUs. Wolf said it could be done in less time with a more powerful machine or by splitting the work across several machines. Wolf then built a private key from the two prime factors, and so a 512-bit RSA key was cracked in just a few dozen hours.
When Wolf signed an email with the recovered private key and sent it to various email services, the signature passed verification as a 'legitimate signature' at three services: Yahoo! Mail, Mailfence, and Tuta. On the other hand, Gmail, Outlook, Zoho, Fastmail, Proton Mail, GMX, and OnMail are configured to reject DKIM signatures made with RSA keys shorter than 1024 bits, and verification was confirmed to fail at those services. 'Thirty years ago, breaking a 512-bit RSA key would have been a feat that required a supercomputer, but now it can be done quickly and cheaply. Email services should automatically reject any signature made with an RSA key shorter than 1024 bits,' Wolf said.
Gmail recommends a 2048-bit RSA key length for DKIM signing.
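The check a domain owner (or a receiving mail server) wants here is the one Wolf's decoding step and the 1024-bit policy imply: read the Base64 'p=' value from a DKIM TXT record, pull the RSA modulus out of the DER structure, and measure its bit length. The following is an added example written for this article, not code from Wolf's post; it uses only the standard library, and the sample record it checks is built from a constructed 512-bit number, not redfin.com's actual key.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def der_items(buf):
    """Walk the DER TLVs in buf, yielding (tag, contents); handles short and long lengths."""
    i = 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                 # long form: next (ln & 0x7f) bytes hold the length
            n = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + n], "big"), j + n
        yield tag, buf[j:j + ln]
        i = j + ln

def rsa_public_numbers(spki):
    """Return (n, e) from a DER SubjectPublicKeyInfo that carries an RSA key."""
    (_, body), = der_items(spki)                      # outer SEQUENCE
    (_, alg), (_, bits) = der_items(body)             # AlgorithmIdentifier, BIT STRING
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    (_, rsakey), = der_items(bits[1:])                # bits[0] is the unused-bits count
    (_, n), (_, e) = der_items(rsakey)                # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def dkim_key_bits(txt):
    """Parse a 'v=DKIM1; k=rsa; p=...' TXT record and return the modulus size in bits."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("k", "rsa").strip().lower() != "rsa":
        raise ValueError("only k=rsa records are handled here")
    n, _ = rsa_public_numbers(base64.b64decode("".join(tags["p"].split())))  # p= may be folded
    return n.bit_length()          # anything below 1024 is what Gmail and others already reject

# Constructed sample input (not redfin.com's real key): a minimal DER encoder wraps an
# arbitrary 512-bit odd number in a SubjectPublicKeyInfo so the parser has a record to read.
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(x):  # (bits + 8) // 8 bytes supplies the leading 0x00 DER needs when the top bit is set
    return _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))

def make_record(n, e=65537):
    rsakey = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsakey))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

SAMPLE_512 = make_record((1 << 511) | 0x1234567)   # constructed 512-bit modulus, not a real key
```

Point `dkim_key_bits` at the TXT record fetched from `<selector>._domainkey.<domain>` to audit a real domain; keys of 1024 bits or more pass, and 2048 bits is the length Gmail recommends.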