Deployment and analysis of DKIM with DNSSEC

(1)

SE-581 83 Linköping, Sweden 581 83 Linköping

Linköpings universitet Linköpings universitet

2008-11-20

LIU-IDA/LITH-EX-A--08/055--SE

Rickard Bondesson

by

Deployment and analysis of DKIM with DNSSEC

Final thesis

Department of Computer and Information Science

(2)

(3)

Linköping University

Department of Computer and Information Science

Final Thesis

Deployment and analysis of DKIM with DNSSEC

by

Rickard Bondesson

LIU-IDA/LITH-EX-A--08/055--SE

2008-11-20

Supervisor: Patrik Wallström .se

Examiner: Juha Takkinen

(4)

(5)

Avdelning, Institution Division, Department

Division for Database and Information Technique Department of Computer and Information Science Linköping University

SE-581 83 Linköping, Sweden

Datum Date 2008-11-20 Språk Language Svenska/Swedish Engelska/English Rapporttyp Report category Licentiatavhandling Examensarbete C-uppsats D-uppsats Övrig rapport

URL för elektronisk version

http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-15899

ISBN — ISRN

LIU-IDA/LITH-EX-A--08/055--SE Serietitel och serienummer

Title of series, numbering

ISSN —

Titel Title

Driftsättning och analys av DKIM med DNSSEC Deployment and analysis of DKIM with DNSSEC

Författare Author

Rickard Bondesson

Sammanfattning Abstract

As the email system is widely used as a communication channel, and often is crucial for the performance of organizations, it is important that users can trust the content of what is being delivered to them. A standard called DomainKeys Identified Mail (dkim) has been developed by the ietf to solve the problem with authentication and integrity, by using digital signatures.

This master’s thesis goal is to evaluate the solution where an implementation of dkim is extended with dnssec validation. dnssec is a solution which secures, among other, the mapping between ip addresses and domain names. The implementation of dkim is deployed and evaluated with function testing, domain testing, threat analysis, and interoperability testing.

dkim does not need any new public-key infrastructure, thus inflicting less cost on the deployment compared with other cryptographic solutions such as s/mime and pgp. We recommended to use dkim together with dnssec to secure the trans-portation of the dkim public key. The upcoming standard adsp can inform the recipient of whether a domain is signing its email or not and thereby a possibility to detect any unauthorized signature removal. A further problem is that mailing lists often manipulate the email, thus breaking the signature. We therefore recom-mend to send email directly to the recipient or active dkim signing on the mailing lists.

Nyckelord

(6)

(7)

Abstract

As the email system is widely used as a communication channel, and often is crucial for the performance of organizations, it is important that users can trust the content of what is being delivered to them. A standard called DomainKeys

Identified Mail (dkim) has been developed by the ietf to solve the problem with

authentication and integrity, by using digital signatures.

This master’s thesis goal is to evaluate the solution where an implementation of dkim is extended with dnssec validation. dnssec is a solution which secures, among other, the mapping between ip addresses and domain names. The im-plementation of dkim is deployed and evaluated with function testing, domain testing, threat analysis, and interoperability testing.

dkim does not need any new public-key infrastructure, thus inflicting less cost on the deployment compared with other cryptographic solutions such as s/mime and pgp. We recommended to use dkim together with dnssec to secure the trans-portation of the dkim public key. The upcoming standard adsp can inform the recipient of whether a domain is signing its email or not and thereby a possibility to detect any unauthorized signature removal. A further problem is that mailing lists often manipulate the email, thus breaking the signature. We therefore recom-mend to send email directly to the recipient or active dkim signing on the mailing lists.

(8)

(9)

Abbreviations

The following abbreviations will be used in this report.

.SE . . . The Internet Infrastructure Foundation ADSP . . . Author Domain Signing Practices AES . . . Advanced Encryption Standard CA . . . Certificate Authority

CIA . . . Confidentiality, Integrity, and Availability CNAME . . . Canonical Name

DES . . . Digital Encryption Standard DFD . . . Data-Flow Diagrams

DKIM . . . DomainKeys Identified Mail DNS . . . Domain Name System DNSSEC . . . DNS Security Extensions DoS . . . Denial of Service

DS . . . Delegation Signer Email . . . Electronic mail I-D . . . Internet Draft

IAB . . . Internet Architecture Board IETF . . . Internet Engineering Task Force IMAP . . . Internet Message Access Protocol IP . . . Internet Protocol

IPsec . . . Internet Protocol Security IRTF . . . Internet Research Task Force ISOC . . . Internet Society

ISP . . . Internet Service Provider KSK . . . Key Signing Key

LiU . . . Linköping University MD5 . . . Message Digest algorithm 5 MDA . . . Mail Delivery Agent Milter . . . Mail filter

MIME . . . Multipurpose Internet Mail Extensions MIPA . . . Mutual Internet Practices Association MSA . . . Mail Submission Agent

MTA . . . Mail Transfer Agent vii

(10)

MUA . . . Mail User Agent NIC . . . Network Interface Card NSEC . . . Next Secure

PGP . . . Pretty Good Privacy POP . . . Post Office Protocol

PRA . . . Purported Responsible Address RFC . . . Request for Comments

RIPEMD . . . RACE Integrity Primitives Evaluation Message Digest RR . . . Resource Record

S/MIME . . . Secure MIME

SASL . . . Simple Authentication and Security Layer SHA . . . Secure Hash Algorithm

SMTP . . . Simple Mail Transfer Protocol

SMTP-AUTH . . . . SMTP Service Extension for Authentication SPF . . . Sender Policy Framework

TCP . . . Transmission Control Protocol TLD . . . Top-level domain

TLS . . . Transport Layer Security TTL . . . Time to Live

UDP . . . User Datagram Protocol ZSK . . . Zone Signing Key

(11)

1 Introduction 1 1.1 Background . . . 1 1.2 Problem discussion . . . 2 1.3 Purpose . . . 2 1.4 Goals . . . 2 1.5 Delimitations . . . 3 1.6 Target audience . . . 3 1.7 Reference literature . . . 3 1.8 Outline . . . 3 1.9 Typographic conventions . . . 4 2 Background 5 2.1 History of the Internet . . . 5

2.1.1 Internet Protocol . . . 5

2.1.2 Applications . . . 6

2.2 About the Internet Society . . . 6

2.2.1 Organization . . . 6

2.2.2 Documents . . . 7

2.3 Domain name to IP address . . . 7

2.3.1 Architecture . . . 7

2.3.2 DNS security risks . . . 9

2.3.3 Domain Name System Security Extensions . . . 10

2.4 The email system and its protocols . . . 10

2.4.1 Internet Message Format . . . 11

2.4.2 Multipurpose Internet Mail Extensions . . . 12

2.4.3 Simple Mail Transfer Protocol . . . 12

2.4.4 Post Office Protocol . . . 12

2.4.5 Internet Message Access Protocol . . . 12

2.4.6 Architecture . . . 12

2.4.7 Security . . . 13

2.4.8 Spoofing . . . 13 ix

(12)

3 Analysis of email security 15

3.1 Email spoofing . . . 15

3.2 Computer security . . . 15

3.2.1 Cryptology . . . 17

3.2.2 Cryptographic hash functions . . . 17

3.2.3 Digital signatures . . . 17

3.3 Email technologies . . . 18

3.3.1 Sender Policy Framework . . . 18

3.3.2 Author Domain Signing Practices . . . 18

3.3.3 SenderID . . . 18

3.3.4 Black-/grey-/whitelisting . . . 19

3.3.5 Secure MIME . . . 19

3.3.6 Pretty Good Privacy . . . 20

3.3.7 DomainKeys Identified Mail . . . 20

3.3.8 DomainKeys . . . 20

3.4 More about DKIM . . . 20

3.4.1 Canocalization . . . 20

3.4.2 Signing . . . 21

3.4.3 DNS record . . . 22

3.4.4 Verification . . . 22

3.4.5 The need for DNSSEC . . . 23

4 Deployment and testing of DKIM 25 4.1 Server set-up . . . 25

4.1.1 The lab environment . . . 25

4.1.2 Supported mail servers . . . 26

4.1.3 Installation of necessary software . . . 26

4.2 Testing of DKIM Milter . . . 29

4.2.1 Function testing . . . 29 4.2.2 Domain testing . . . 30 4.2.3 Variables to test . . . 30 4.2.4 Test cases . . . 31 4.2.5 Test results . . . 35 5 Threat analysis 39 5.1 Threats . . . 39 5.2 Threat models . . . 40 5.2.1 Data-flow diagram . . . 40 5.2.2 Attack trees . . . 40 5.2.3 Misuse cases . . . 52 6 Interoperability testing 55 6.1 Basic email routing . . . 55

6.1.1 Test cases . . . 56

6.1.2 Test results . . . 61

(13)

Contents xi 6.2.1 Test cases . . . 68 6.2.2 Test results . . . 71 6.3 Other implementations . . . 75 6.3.1 Test cases . . . 75 6.3.2 Test results . . . 78

7 Statistics on DKIM usage 81 7.1 Measuring DKIM usage . . . 81

7.1.1 Email in transit . . . 81

7.1.2 DKIM DNS records . . . 82

7.2 Graphs on DKIM usage . . . 83

7.2.1 At an email server . . . 83

7.2.2 Among the Swedish domains . . . 83

8 Summary and Conclusions 87 8.1 DKIM installation and testing . . . 87

8.2 DKIM Milter . . . 88

8.3 Deployment of DKIM . . . 88

8.4 Interoperability tests . . . 89

8.5 Threats . . . 89

8.6 Statistics of current DKIM usage . . . 90

8.7 Demonstrations and presentations . . . 90

8.8 Recommendations . . . 91

9 Future work 93 Bibliography 95 A Installation of necessary software 99 A.1 IP aliasing . . . 99

A.2 OpenSSL . . . 100

A.3 Key generation . . . 100

A.3.1 DKIM . . . 101

A.3.2 DNSSEC . . . 101

A.4 Certificates . . . 102

A.5 DNS . . . 102

A.6 DKIM Milter . . . 104

A.7 IMAP . . . 108 A.8 SASL . . . 108 A.9 Postfix . . . 110 A.10 Sendmail . . . 111 A.11 Procmail . . . 114 A.12 Masquerade . . . 114 A.12.1 Sendmail . . . 114 A.12.2 Postfix . . . 114 A.13 Alias . . . 115 A.13.1 Sendmail . . . 115

(14)

A.13.2 Postfix . . . 115

A.14 Forward in the MTA . . . 116

A.15 Forward in the MDA . . . 116

List of Figures

2.1 The organization hierarchy of ISOC. . . 6

2.2 A typical lookup of a domain name. . . 9

2.3 The delivery of an email through the email system. . . 13

3.1 Receiver validating the origin of the email with SPF. . . 19

4.1 The test configuration. . . 27

5.1 Main DFD. . . 41

5.2 Signing DFD. . . 41

5.3 Verifying DFD. . . 41

5.4 Simple attack tree. . . 42

5.5 Attack tree 1. . . 43

5.8 Misuse of email signing. . . 53

5.9 Misuse of email verification. . . 54

6.1 Description of test scenario 1. . . 57

6.2 Description of test scenario 2. . . 58

7.1 DKIM statistics 1. . . 84

7.2 DKIM statistics 2. . . 85

(15)

Chapter 1

Introduction

This chapter will give an introduction to this thesis. The background and the purpose of this thesis define why this thesis exists and are the foundation of the main thesis goal. A clear view of what to expect of this thesis is given by defining the goals and the delimitations.

1.1 Background

The Internet Infrastructure Foundation (.se) is located in Stockholm and is

re-sponsible for the maintenance and administration of the Swedish national domain name registrar [50]. One of their main objectives is to actively contribute to the Internet’s development in Sweden. They are working at the frontier by looking at what technologies and practices are being developed and deployed on the market and thereby continually starting new projects. The projects are meant to raise the awareness of new technologies and practices or pushing the technologies and practices closer to the end-users and the Internet service providers.

As the email system is widely used as a communication channel, and often is crucial for the performance of organizations, it is important that users can trust the content of what is being delivered to them. This can be summarized into two questions: “Is the information correct?”, integrity, and “Who has written this information?”, authentication.

A standard called DomainKeys Identified Mail (dkim) has recently been de-veloped by the ietf to solve the problem with authentication and integrity [2]. It makes a cryptographic hash of the email header and body and signs it with a private key, thereby making it possible to detect any unauthorized modifications to the email. This signature is attached to the email header and then the message is delivered to the recipient. The recipient verifies the header and the body by comparing it with the hash value and the sender’s public key, which is stored in the sender’s domain as a Domain Name System (dns) record.

This solution has been implemented as different software by various organiza-tions and the open source community, like for instance a mail filter called dkim milter that can be plugged into the mail servers. The idea is to make this process

(16)

fully automated and transparent to the end-users. dkim relies on the security of the dns system, but there are known attacks that can create fake dns replies [7]. .se has responded to this weakness of the dns system by developing the dkim milter even further, by creating a patch to dkim milter that verifies the dns record by using the functionality of DNS Security Extension (dnssec) to protect the dkim public key. dnssec uses digital signatures to secure the dns responses, which for example including the mapping between ip addresses and domain names, from malicious manipulation by third parties.

1.2 Problem discussion

Before offering the solution with dkim and dnssec to the market, .se have to verify the functionality and compatibility of the extended dkim milter. The reason why a server implementation, and not an end-user implementation, of dkim was chosen to be extended with dnssec support is because not many home routers have support for dnssec [1]. Most of the end-user implementation would thus not gain anything by the dnssec extension. The second reason is the fairly low usage of dkim. Not many big operators are using dkim and they need to be involved before any end-users will have a gain of it.

1.3 Purpose

The purpose of this master’s thesis is to evaluate the solution where dnssec signs the keys that dkim uses to validate the sender of an email.

1.4 Goals

From the problem discussion and the purpose of this thesis has the following goals been drawn:

• A background study comparing relevant existing technologies. Examples of

relevant technologies are spf and s/mime. spf verifies that the sender of an email is allowed to use a specific email domain [57] and s/mime connects the content of an email with the author by using digital signatures [45].

• Deploy the dkim system and test it according to a list of test cases. • Review the dkim milter according to relevant threat models, for example

attack tree, and also look for any security risks.

• Do interoperability tests with, among others, spf and s/mime to see if they

can coexist with dkim without interrupting each other.

(17)

1.5 Delimitations 3

• Prepare a demonstration and presentation that will be held at three seminars

and at the conference Internetdagarna, which occurs on 21-22 October 2008 [49].

1.5 Delimitations

To define the area of interest, some limitation to the thesis has been done.

• The focus is on dkim and it is explained in more detail than other similar

technologies. The descriptions of the other technologies are used to put dkim in a context.

• dkim as a standard is not tested, but rather an implementation of the

stan-dard and its functionality.

• Only Mail Transfer Agents that support mail filters (milter) are used in the

laboratory equipment.

• dnssec as a system is not evaluated, but it is involved in the interoperability

testing with different set-ups.

1.6 Target audience

The intended readers of this report are mainly the Research and Development team at .se, students and teachers in computer science at Linköping University, and system administrators. Anyone not in this group may also read this report providing that they possess basic computer knowledge. This report is written so that the enumerated groups above can understand the content of this report even though they are not familiar with the topic.

1.7 Reference literature

The information written in this thesis is based on computer security books, com-puter networking books, documents published by the Internet Engineering Task Force, and technical articles. Some websites are used as reference and they are from well-known and trusted sites.

1.8 Outline

The background, chapter 2, and the analysis, chapter 3, provide a good intro-duction to the topic of this master’s thesis and are recommended for the reader interested in the email functionality of the Internet. They also serve as the foun-dation of knowledge to the chapters further in the report. Chapter 4 presents how the system is deployed and what the test results are. This is followed by a threat analysis of the patched dkim milter, chapter 5, and how interoperable it is

(18)

with other similar technologies, chapter 6. The current use of dkim is presented in chapter 7. The last chapters of the report contain the conclusions and future work.

1.9 Typographic conventions

All acronyms are spelled out when they are used for the first time. They can also be found under the chapter Abbreviations, page vii.

(19)

Chapter 2

Background

This chapter serves as the foundation of knowledge for the report. It is needed for the basic understanding of how the different systems interconnect with each other and what motivates the different solutions for email authentication. The journey is started with the birth of the Internet and the administration surrounding the maintenance and future development of the Internet and is finished with how its different components work.

2.1 History of the Internet

The Internet was beginning to see its birth when Vinton Cerf and Robert Kahn started to interconnect the different types of computer networks in 1972 [34]. In essence creating a network of networks and the term internetting was coined after their work. The three key protocols of the Internet, Transmission Control

Protocol (tcp), User Datagram Protocol (udp), and Internet Protocol (ip), were

in operation by the 1980s.

2.1.1 Internet Protocol

The transportation of information on the Internet relies on the Internet Protocol (ip). It delivers its packets on a best-effort practice [19]. Best-effort means that ip does not provide any error checking or tracking, meaning that the packets can arrive in an erroneous state and/or arrive in another order than they were sent. Thus relying on higher level protocols to take care of these problems, like udp and tcp.

Each host on the Internet needs a unique identifier so that the ip packet can be delivered from the source to its destination. This identifier is called the ip address. The current version of ip, ipv4, has an address space of 32 bits or roughly four billion different addresses [34]. However, this address space is soon depleted due to the enormous growth of the Internet. The next version of ip, ipv6, has an address space of 128 bits or approximately 3.4 ∗ 1038 _{different addresses.}

(20)

2.1.2 Applications

It was not difficult to keep track of the different hosts when the Internet only had a few of them connected to it, but with the rapidly expansion this soon became impossible. The need for practical applications and tools were needed to organize and make the environment more user friendly. Tools like the dns system, email, and World Wide Web evolved over the time to fill this gap.

2.2 About the Internet Society

A standard organization is needed to support the development of the Internet, because the Internet is a network of networks operated by different companies and organizations, which can make the interoperability slightly more complicated. The different standards organizations of the Internet were gathered under one umbrella organization called Internet Society (isoc) in 1992 [10]. isoc’s main objective is to provide support for the Internet standards process by acting as their legal umbrella and administrative home.

2.2.1 Organization

isoc is in the top of the organization and directly below it is the Internet

Architec-ture Board (iab) [10], see figure 2.1. iab is responsible for the overall architectural

advice and oversight to the different branches in the isoc. The branches consist of the Internet Research Task Force (irtf) and Internet Engineering Task Force (ietf). irtf focus mainly on long term problems in the Internet like spam, crypto, and other future technologies, while ietf focus on Internet standards.

IETF

IRTF

IAB

ISOC

(21)

2.3 Domain name to IP address 7

2.2.2 Documents

The work within the isoc and mainly ietf often results in a Request for Comments (rfc) [10]. The content of a rfc is a standard, but it can sometimes represent other types of documents like a requirement document, an experimental standard, a policy, a white paper, or a process document. These standards are not enforced by any law, but they are used as de facto standards.

Before a document is published as a rfc it has to be an Internet Draft (i-d) [10]. The i-ds are a series of working documents typically intended to become rfcs in the future. Any information from an i-d should be treated as work-in-progress since the documents are under constant reviewing and upgrading. Each i-d is valid for six months and will be removed if not replaced by a newer version of it.

The rfcs and the i-ds can be found at: www.rfc-editor.org

2.3 Domain name to IP address

An ip address can be represented as a domain name, like www.google.com, with the help of the Domain Name System (dns). This is useful for an ordinary user because the domain name is more mnemonic than the ip address. The main objective for the dns system is to translate the domain name into an ip address, but it can also do load balancing, host aliasing, mail server aliasing, and more [34]. The mail server aliasing is useful when a host want to know the address to the mail server of that specific domain. If a domain name is very long, it can be shortened by using the host aliasing.

2.3.1 Architecture

The domain names are created in a hierarchical fashion according to a specific scheme. The domain name in example 2.1 can be divided into three parts [55]:

• Top-level domain (tld) - se

The tld is typically a country-code tld like .se (Sweden), .uk (United King-dom), and .us (United States). There are also non country-code tlds like

.com (commercial), .edu (education), .org (organization), and .arpa (Address

and Routing Parameter Area).

• Second-level domain - tset.se

Next to the tld is the second-level domain. It is usually the name of the company, product, service, or a name suitable for that particular domain.

• Third-level domain - exempel1.tset.se

The hierarchy can extend to even lower level domains. It can be used to indicate the type of service provided by this domain name. Example

(22)

Example 2.1: Domain name

exempel1.tset.se

The dns system is a distributed and hierarchical database, designed to cope with the large scale of use. There are three types of dns servers.

• Root dns servers

There are 13 root dns servers in the Internet and they are the entry point to the dns system [6]. Each server is actually replicated into a cluster of servers and their job is to give the address to the correct tld server in question.

• tld servers

The tld servers are responsible for each of their own top-level domain. They give direction to the correct authoritative dns server.

• Authoritative dns servers

Each organization that have a publicly accessible host on the Internet can provide dns records that map their domain name to their ip address [34]. Most of the larger companies and organizations have their own dns servers, but it is possible to have a service provider that hosts the dns records. The host connect to their default dns resolver, usually provided by the Internet

Service Provider (isp), when doing a lookup of a domain name. See figure 2.2.

The resolver starts by asking the root server where it can find the specific top-level domain. A new question is directed to that top-level domain of where it can find the specific second-level domain. The final question is asked to the authoritative server of what ip address the host in question has.

It is not necessary that it works like this in the real world. Commonly used domain names are cashed for a limited time in the resolvers [34]. The address of the top-level domain could for example be cashed and then the resolver does not need to go via the root server.

The information in a dns is stored in Resource Records (rrs), see example 2.2. A rr can for example hold the translation from a domain name to an ip address (a record) or where the mail server is located (mx record).

Example 2.2: Resource Records

exempel1.tset.se. IN A 88.131.68.181

(23)

2.3 Domain name to IP address 9

Root

.se

tset.se

dns.ex.com

user.ex.com

1 2 3 4 5 6 7 8

Figure 2.2. A typical lookup of a domain name.

2.3.2 DNS security risks

The dns system is a service that has been around for many years and vulnerabilities are inevitably found in the system and its protocols. There are several know classes of threats to the dns system [7]. More detailed information can be found in Threat

Analysis of the Domain Name System ( dns),RFC3833.

• Packet Interception

Is a form of man-in-the-middle attack where a third party intercepts the communication between the resolver and the name server. Unencrypted udp traffic makes this easy and an attacker can change the response to what ever it wants.

• id Guessing and Query Prediction

The communication mostly uses udp/ip and for an attacker is it fairly easy to generate a spoofed answer without looking at the communication between the resolver and the name server. The thing that makes the traffic unique is the id field in the dns header and what port the answer should go to. There are techniques, for example phase space analysis [51], that can predict these random values with high percentage.

• Name Chaining

Is a subset of an attack that is called Cache Poisoning. Possible with the aid of the previous attacks. There are several combinations of this attack,

(24)

but they all involve dns records that do not contain an ip address but a regular domain name. If these types of records are returned to the resolver, an attacker could inject false information about that domain name.

• Betrayal By Trusted Server

The users trust its resolver to deliver the correct information, but this can be breached if the resolver decides to give faulty information.

• Denial of Service

The dns system is vulnerable to a type of attack called Denial of Service (dos), as with any networking service. The idea is to flood the server with traffic and exhaust its resources, making it crash or unable to provide its services. The dns system could also be used as an amplifier for this kind of attack, because the response packets are larger than the query packet. This is done by having the source address of the queering host spoofed so that the dns server thinks the query is from the target of attack.

2.3.3 Domain Name System Security Extensions

The dns system is vulnerable to protocol attacks as mentioned in the previous section. This problem was addressed at an ietf meeting in November 1993 where the first organized work started on the Domain Name System Security Extentions (dnssec) [7]. The resolver can, by the help of public-key cryptology and digital signatures, detect any modifications by third parties on the information from the dns system [20]. The dnssec is although vulnerable to the dos attacks.

With the dnssec each of the rrs (see example 2.2) are signed with the server’s private key and the public key is published in the dnskey record. The resolver then simple validates the answer with a local copy of the public key. It is not practical to have a copy of the public keys from all of the dnssec enables zones, but there is a rr called Delegation Signer (ds) which gives a trusted pointer from the parent to the child zone. The resolvers then only need one key from each island-of-trust if this technique is used, because within these zone are there secure pointers to the other public keys. The idea is to have the dns system signed all the way up to the root zone, but to date only a few tlds like .se, .bg and .br are signed.

2.4 The email system and its protocols

The need for electronic communication between human beings started to grow with the use of mainframes and expansion of the computer networks. The computer scientists and engineers needed a way to easily communicate and coordinate their work with each other. A response to this was the birth of electronic mail (email) [28]. In the beginning email could only be delivered locally on the computer since not many of the computers, in the 1960s, were connected with each other. But the increased usage of computer networks made the email system evolve into a crucial tool that provides an easy way of communication between users around the world.

(25)

2.4 The email system and its protocols 11

2.4.1 Internet Message Format

The email system is divided into two parts; the message itself [46] and the delivery of the message [32]. The format of a message is quite similar to the real world example of a letter and its envelope. When sending a real letter, the message is put in an envelope that has the recipient’s address and the sender’s return address. This is the information needed for the post office to be able to deliver the message from point a to point b. The difference with the email message is that it consists of headers and a body, where the headers holds information about the message and the body contains the actual content. The equivalent to an envelope is created by the delivery system.

The Internet Message Format, RFC2822, specifies how the email message must be formatted [46]. The email message consists of 7-bit ascii characters and the body can also include a structured message according to the Multipurpose Internet

Mail Extensions ( mime) standard.

The first five lines, in example 2.3, is the header. The message body are the lines after the header. Each header field is a line that consists of a field name, followed by a colon and a field body. The header fields represent different message properties and these are a selection of them [46]:

• Date: The date and time at which the message were sent to the recipient. • From: The address(es) from which the message originates.

• Reply-To: The address(es) where any replies should be sent. • To: The address(es) where the message should be delivered • Subject: A text field which indicate the topic of the message.

• Cc: The address(es) that should receive a carbon copy of the message. • Message-ID: A unique identifier for the current message. Used to

distin-guish messages from each other.

Example 2.3: RFC2822 formated email

Date: Mon, 23 Jun 2008 11:50:27 +0200 From: alice@exempel1.tset.se

Reply-To: alice@exempel1.tset.se To: bob@exempel2.tset.se

Subject: Meeting Hi again!

The meeting is cancelled due to sickness. Yours truly

(26)

2.4.2 Multipurpose Internet Mail Extensions

Only 7-bit ascii characters are allowed in the email message body [46]. This limits for example the language in use since many languages needs more than 7-bit to represent all their possible characters. This problem is addressed with the

Multipurpose Internet Mail Extensions (mime) [28]. mime gives the possibility to

encode arbitrary data in plain 7-bit ascii and allow multipart messages with the possibility to attach text, video, audio and other attachment to the message.

2.4.3 Simple Mail Transfer Protocol

The second part of the email system is the transportation system. It is defined by the Simple Mail Transfer Protocol (smtp) and its purpose is to transfer email to the correct destinations [32]. It is a simple text-based protocol which can only send messages from one host to another host, push, and not receive message from another host on demand, pull. To be able to retrieve a message from a server, a mail client needs to use protocols like pop or imap.

The way a smtp host determines the destination of an email is by looking at the email header [32]. The To: header of the email specifies the recipient and its domain. The ip address of the receiving smtp server is determined by doing a dns lookup of the recipient’s domain and the dns mx record of that domain. Thus creating a layer around the email similar to a real envelope.

2.4.4 Post Office Protocol

It is not often practical to deliver the email directly to the user since they might not be online or would like to access the mail box on different workstations. The mail is then stored on a server. There are several ways of accessing the mail box and the Post Office Protocol version 3 (pop) is one of them. The user connects and login to the server with the pop and retrieves the messages stored in the mail box [42]. Once an email is retrieved from the server it is permanently removed from the mail box and is only available on that workstation.

2.4.5 Internet Message Access Protocol

Another method of accessing the mail box is with Internet Message Access Protocol

version 4 (imap) [13]. The difference between imap and POP is that imap does

not remove the email from the mail box unless explicitly told so by the user. Only a copy of the message is sent to the user and thus making the server as the primary storage space of all the emails.

2.4.6 Architecture

The email system is built upon different servers and programs that interact with each other, see figure 2.3. The user uses a Mail User Agent (mua) to send and receive messages [24]. The mua is program accessible by the user. It could for example be an email client like Microsoft Outlook or a web based interface like

(27)

2.4 The email system and its protocols 13

GMail.com. When the user wants to send a message, the mua forwards it to a Mail Submission Agent (msa). The msa then connects to a Mail Transfer Agent

(mta) and delivers the message to it. The message is then forwarded to the correct mta and is stored in a Mail Delivery Agent (mda) until the receiver wants to read it.

Internet

MTA

MTA/MDA

MUA/MSA

MUA

Figure 2.3. The delivery of an email through the email system.

2.4.7 Security

It is not good to have an open mail server where anyone can send an email through it, because this will allow spammers to send spam with the mail server as the originating server [8]. One solution is to only forward mail that has its origin within the internal network, but this leaves the server fairly open for abuse. Another solution would to only let authenticated users to send email through the mail server. This can be done with the smtp-Service Extension for Authentication (smtp-auth) [53] and the Simple Authentication and Security Layer (sasl) [39]. The user can be authenticated by different mechanisms like Kerberos and plain-text logon.

An issue with the logon process to a server is how the password is treated. The passwords for pop, imap, and smtp-auth are usually sent in plain text [27]. An attacker could capture these passwords and replay them in his own session with the server. The protection is to encrypt the connection by using the Transport

Layer Security (tls) protocol [15].

2.4.8 Spoofing

The problem with the smtp standard is that it does not validate or authenticate the content of an email message when a message is received [8]. Normally does

(28)

the recipient and the sender addresses in the smtp header and the email header match each other. The recipient header in the smtp is needed to have the email delivered to the correct destination, but the email header can be spoofed by the sender without disturbing a simple email transaction. This makes it possible to craft an email that can make the recipient into believing that it is from someone else than the originating sender.

(29)

Chapter 3

Analysis of email security

There are several ways to fight spam and forged emails but the focus of this master’s thesis is on automated filters and add-ons to the email system. The technologies within this area handle and solve different parts of the problems.

3.1 Email spoofing

It is, as stated in the previous chapter, fairly easy to create an email that looks like it is from a source other than the originating one. A financial and personal integrity problem is the phishing attacks related to email spoofing [35]. Spammers can create a faked message telling the recipient to reveal personal information like credit card numbers, user names, and passwords. This is done by spoofing the origin of the email so that it looks like it is coming from the targeted site or company. The message often has some kind of bate telling the user that is must take some urgent actions or else something bad will happen. This pressure on the users will make them more likely to follow the instructions in the message.

A user must take some things in consideration when reviewing an email. The first task is to identify the author of the email and figure out if that is the correct identity. The second task is to validate the information in the message, to see if the text is written by the author and that nothing is missing from the original message. This can be done in two ways; either by doing some logical thinking or with the aid of extensions to the email system.

3.2 Computer security

Before the different extensions to the email system can be discussed, some defini-tions of computer security must first be explained. According to Dieter Gollmann [21] can computer security be defined as:

“The prevention and detection of unauthorized actions by users of a computer system.”

(30)

Or as:

“The measures we can take to deal with intentional actions by parties behaving in some unwelcome fashion.”

One of the core principals of computer security is the cia criteria [21]. cia is an abbreviation for confidentiality, integrity, and availability. There are also some other important keywords like authentication, non-repudiation, authorization, and

accountability. • Confidentiality

Confidentiality is the act of only revealing the information to authorized entities. This can be achieved by restricted access and/or encryption of the information.

• Integrity

Integrity is about making sure that the information is only modified by authorized entities. This often involves means of detecting any modifications by non-authorized entities.

• Availability

Availability is achieved when the information is accessible and usable when it is needed by an authorized entity.

• Authentication

Authentication is when an entity proves that it is who it says it is. The entity can do this by presenting something that only it have, knows, or are like driver license, password, or fingerprint.

• Non-repudiation

Non-repudiation can be provided when there is unforgeable evidence that an action must have been performed by a specific entity. A typical use of non-repudiation is to prove the integrity and origin of specific information and is often performed with the aid of digital certificates.

• Authorization

The act of giving privilege access to resources and information to those who are permitted to use them.

• Accountability

An entity can be accountable for its actions if it is proper identified and authenticated. By keeping audit trails for each event, any actions can be traced and associated with the correct entity. The presence of accountability is often used as deterrence for any perpetrators, since they do not want to be accountable for their actions.

(31)

3.2 Computer security 17

3.2.1 Cryptology

Cryptology is needed to be able to have confidentiality and integrity over a public communication channel. Confidentiality can be achieved by doing encryption of the information and there are two methods of encryption: symmetric-key

cryptol-ogy and public-key cryptolcryptol-ogy.

In symmetric-key cryptology, a single key is used for both encryption and decryption [54]. Thus must both the sender and the recipient have the secret key. The encryption and decryption of information can be performed very fast with this type of algorithms. Digital Encryption Standard (des) and Advanced Encryption

Standard (aes) are some examples of symmetric algorithms.

Public-key cryptology gives the possibility to secure communication between two parties without a shared key [54]. Each party has its own set of private and public key. When transmitting information, it is encrypted with the recipient’s public key and the only way to decrypt it is with the private key that is only known to the recipient. The down side with this type of algorithms is that it takes much computing resources to do the encryption and the decryption. rsa and Elgamal are some examples of asymmetric algorithms.

3.2.2 Cryptographic hash functions

Cryptographic hash functions are needed as part of the integrity check when using secure communication. Hash functions are used to calculate a message digest of a message. The calculated hash value is then sent together with the message. The recipient does a new message digest and compares it with the one delivered with the message. The message is intact if they match up.

There are some requirements for a cryptographic hash function. It should be able to take any length of message and produce a fixed length of output [54]. It should be a one-way function and collision resistant, meaning that it should not be possible to know what the original message looks like by just looking at the hash value and that it should be impossible to find two messages that gives the same hash value. Message Digest algorithm 5 (md5), Secure Hash Algorithm (sha), and race Integrity Primitives Evaluation Message Digest (ripemd) are examples of cryptographic algorithms.

3.2.3 Digital signatures

Cryptographic hash functions does not solve the integrity check entirely, since anyone, with the knowledge of what hash function is in use, could modify the message and replace the hash value with a new one [54]. This can be prevented by using public-key cryptology and encrypting the calculated hash value. The hash value is encrypted with the sender’s private key and the recipient decrypts it with the sender’s public key and compares it with the calculated hash of the message. Only the sender could have signed the hash value, since it is the only one who knows the private key. Anyone trying to modify the message can not produce a new digital signature and thus making that message invalid.

(32)

3.3 Email technologies

There are different types of technologies related to the email system that will miti-gate parts of the email spoofing problem. They can be divided into two categories:

sender authentication protocols and content authentication protocols.

The goal with sender authentication protocols is to protect the sending identity in various ways [44]. The sending identity of an email is placed in both the envelope and in the header of an email. The envelope is a part of the smtp transmission and the header is a part of the actual message.

Content authentication protocols is about protecting the author rather than the sender of an email [44]. The authentication is done with the help of content signing using public-key cryptology.

The following first four technologies works with sender authentication and the rest with content authentication.

3.3.1 Sender Policy Framework

Sender Policy Framework (spf) authenticates the helo and mail from

com-mands in the smtp communication between servers (the email envelope) [57]. The helo command is used to announce who the connecting server is and the mail from command is used to declare which email address the email is originating from. By publishing the spf information in the dns, can a domain tell others where email from its domain can have its origin.

When an email is going to be delivered to the mail server a tcp connection must be established. The actual ip address of the sending server can then be found from the tcp connection. By doing a dns lookup of the spf record of the email domain, given by the mail from command, can the server determine if the sending server is allowed to send email with that domain name [57]. See figure 3.1.

3.3.2 Author Domain Signing Practices

Author Domain Signing Practises (adsp) have a similar agenda to spf but with

the difference that it is an aid to determining if a domain signs all their email with DomainKeys Identified Mail (dkim) or not [17]. This will help the receiving part to know if an unsigned message can come from that particular domain and thus knowing if it is spoofed since only the owner of the private key can produce a correctly signed message. A domain can publish, in the dns, the recommended actions to be taken by the receiving server when an unsigned message is received, like if the email should be discarded. This system is currently only in the draft stage, but is expected to become a standard.

3.3.3 SenderID

sender_{id is a protocol derived from spf that aims at authenticating the mail from} and one of the addresses in the email header [38]. Which header to use in the authentication is decided by the Purported Responsible Address (pra) algorithm [37]. The domain publishes its sending policy in a similar fashion to spf.

(33)

3.3 Email technologies 19

host.bogus.com

dns.domain.com _{mta.domain.com}

mail.network.com

MAIL FROM: domain.com

domain.com. IN TXT “v=spf1 mx -all” domain.com. IN MX mta

mta IN A 1.2.3.4

Figure 3.1. Receiver validating the origin of the email with SPF.

3.3.4 Black-/grey-/whitelisting

The receiving mail server can have policies on how it treats different individual domains and email addresses. The information in the smtp and the email headers is validated against different lists. There are three types of listings: White-, black-, and greylisting. Addresses on the whitelist are automatically accepted to be delivered through the server, whilst the blacklist disallows the delivery. Greylisting is a combination of white- and blacklisting, where the delivery is delayed for a short time. There are different ways of implementing the graylisting, but the main goal is to temporarily reject the first delivery from an unknown hosts and accepting the email when the host tries resending the email [25]. Most legit mail servers will try to deliver the email until it is accepted, but most spammers do not try a second time and thus having less spam coming through the server.

3.3.5 Secure MIME

Secure mime (s/mime) is an extension to the mime standard and provides secure

transfer of mime data [45]. It can give content integrity, authentication, and non-repudiation with the help of digital signatures. Data confidentiality is obtained when encryption is activated. s/mime is an end-to-end solution working on the muas. The public keys are distributed with digital certificates attached to the email message. These digital certificates are called x.509 and are a part of the public-key infrastructure used for secure transmissions on the Internet.

(34)

3.3.6 Pretty Good Privacy

Pretty Good Privacy (pgp) is a family of software developed in 1991 by Philip

Zimmerman [11]. This implementation is standardized under the name open_pgp. It works in a similar way as s/mime, with exception to the key management. The public keys are distributed with the so called web-of-trust or trusted key servers. The web-of-trust can be summarized as: A key can be trusted if it is trusted by someone the user already trusts.

3.3.7 DomainKeys Identified Mail

DomainKeys Identified Mail (dkim) secures the email body and parts of the email

header [2]. It provides authentication and integrity with digital signatures and does not encrypt the content. The public key is published in the sending domain’s dns record and the private key is used to sign the email. The recipient of a signed message verifies the signature by comparing it with the hash value, of the headers and the body, and the sender’s public key.

3.3.8 DomainKeys

DomainKeys is the predecessor to dkim and was created by Yahoo [14]. It is a historical and obsoleted standard, but it is still in use by various entities on the Internet [2].

3.4 More about DKIM

The following part will explain dkim more in detail. It is selected because of its good properties with sender and content authentication which includes verification of some headers and the content of the email [2]. The system is also transparent to end-users compared to s/mime and pgp which manipulates the content of an email [24]. This is because the signature is part of the email header and not in the email body. This also results in a smoother transition since not everyone needs to activate dkim at the same time because of the transparency. The keys used for signing and verification are mainly connected to the domain rather than the user, thus preserving the user’s integrity. By using the dns system for the publication of the public keys, no new public-key infrastructure is needed to be maintained. If a signature in an email can not be verified due to inconsistencies, then the email should not be treated differently than an email without a signature. But if this would be combined with adsp, then the author’s domain could give a recommendation on how to treat an email with broken signature.

3.4.1 Canocalization

Every email delivered through the Internet is modified in some more or less intru-sive way. For example can headers be added or modified, lines be wrapped, and whitespaces be removed [2]. The email must go through a preprocessing method

(35)

3.4 More about DKIM 21

to eliminate some of these factors from breaking the signing and the verification process of an email. This process is called canocalization and has two modes of operation: simple and relaxed. A combination of these modes is applied to both the header and the body and is selected by the signing party. Canocalization only prepares the email for the signing and the verifying algorithms and does not modify the transmitted data.

• Simple header canocalization does not allow any modification during

transit to the headers used when the message was signed [2]. The signature of the email will become invalid if any of the signed headers are modified.

• Relaxed header canocalization converts all header names to lower case,

unfolds all header fields, merges a sequence of whitespace character into one whitespace character, removes all whitespace after the end of each header value, and removes any whitespace before and after the colon between the header name and value [2].

• Simple body canocalization only removes any empty lines at the end of

the body [2].

• Relaxed body canocalization removes all whitespace at the end of lines,

reduces sequences of whitespace characters into one whitespace character, and removes all empty lines at the end of the message body [2].

3.4.2 Signing

Signing is done at the mua, the msa, or the mta and only when it has the knowl-edge of the private key to the corresponding domain or user and if the entity wants to take responsibility for that message [2]. The signer must decide which headers to sign. The From: header is the only one required and the rest is up to the signer. It is although recommended not to sign headers that are likely to be modified or removed during transit. The signer may also sign nonexistent headers to prove the denial of existence. If there are several instances of one type of header, then the header closest to the body is used first.

The signer calculates two hashes, one over the message body and one over the selected header fields including the body hash, using either the sha1or the sha256 hash algorithm [2]. The header hash is then signed using the rsa algorithm and a private key. All the configuration parameters and signature is then placed in the

DKIM-Signature: header field.

Example 3.1 shows a typical dkim signature. This specific signature indicates which version of dkim is in use, currently only version one exists. The a= and c= indicates which hash algorithm and canocalization algorithms are in use. Then it shows which domain who signed this message, d= and the corresponding public key, the selector, s=. The time the message was signed and the body hash is indicated by the t= and bh=. Finally are the signed headers enumerated and placed in the h= and the signed header hash is placed in b=.

(36)

Example 3.1: A DKIM-Signature: header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=exempel1.tset.se; s=ex1; t=1216375318; bh=F49+TW8nMriWgjHxXsVGiPa+xLNWevC3bGAT+Zl8Qag=; h=Reply-To:From:To:Subject:Date:Message-ID:MIME-Version: Content-Type:Content-Transfer-Encoding; b=AsmD11IU0TwqQwK 9fGWIlV7TPtBRgEzcFwuhgbvaoipwcI9hA8M1TzE025rPzbLlJbEJKz8T 2WSfmg7BbmSQ4rklSaq5ou1BrwxGTQWn/I37sOPhzg+pRfAjq7IWo6Zys OOgDkbCcOjL46kECDFQBWSvgKD3oOID4FOj5huSdzw=

3.4.3 DNS record

The public key is stored in the dns related to the signing entity. The following is a typical example of a dns record for the public key [2].

Example 3.2: A DKIM DNS text record

ex1._domainkey.exempel1.tset.se. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6oekzH849jUK1EYJnfUM72 OlhpaTxqBhvNu3UTGsbRywFWBHCPfoeHAZKnYhN+pLAXuJ49oUNO1kybAqUfxPM OpTbupY0zVdaJCtcMHi7j7rFgSrRi8nH55Frhq4aiS00ocdw1po0p72c7TkTNm5 E1Q2jZ4pGpjEXJtjzb9YckwIDAQAB"

All dkim information is stored under the _domainkey.“domain” and a unique selector is used for each public key [2]. The selector is ex1 in this example. The reason to have multiple selectors for a single domain is to have easier key manage-ment, for example different keys each month, keys for different branches within the company or one for each user.

Key revocation is simply done by removing the key from the p variable in the dns record, thus invalidating any message signed by that key pair [2].

3.4.4 Verification

Verification is performed at the mta, the mda, or the mua and it is recommended that the validation is performed closest to the recipient to prevent any malicious action by a third party [2]. The verifier starts by validating the dkim-Signature: header field to find the configuration parameters and any inconsistencies. The signature contains the information of how to reconstruct the signature as the signer did it. The signing process is reconstructed and compared with the values stored in the signature header. If everything matches, then the message is authenticated. This can by indicated by adding a header, like Authentication-Results:, to the email so that processes later in the chain can take appropriate actions. See example 3.3.

(37)

3.4 More about DKIM 23

It is recommended that the verification is performed when the message arrives, but it can be done later as long as the sender does not remove the associated dns record [2].

Example 3.3: DKIM verification results

Authentication-Results: exempel2.tset.se; dkim=pass (1024-bit key) header.i=@exempel1.tset.se; dkim-asp=none

3.4.5 The need for DNSSEC

One big weakness with the dkim system is how trustworthy the dkim public keys are. The dkim system depends on the reliability of the dns system to deliver the correct dkim public key, but there are vulnerabilities to the dns system that will aid attackers doing malicious distribution of dkim public keys. Some of these attacks, as discussed in chapter 2, can be detected by introducing dnssec [7]. The sending domain must sign its rrs by using dnssec and the dkim validator can then verify the origin of the dkim public key and thus knowing that it is not spoofed by a malicious entity.

(38)

(39)

Chapter 4

Deployment and testing of

DKIM

The dkim milter with patched dnssec capabilities is tested by deploying it in a lab environment that simulates the fundamental properties of the real world email system. Test servers are installed and configured to interact with each other. The basic functionality is evaluated against different test cases and the results are presented at the end of this chapter.

4.1 Server set-up

The first part is to have the different servers installed and configured before any testing can be done. The following section shows how the testing environment looks like.

4.1.1 The lab environment

The verification and testing are done with different mail servers, both locally on site and public servers on the Internet. The local mail servers are a collection of the mail servers that support dkim milter. There is a server available for testing purposes at .se that run the operating system Ubuntu.

A dnssec system for test purposes is already running and no specific configu-ration is needed, except adding records to the dns.

(40)

4.1.2 Supported mail servers

Since the project concerns the dkim milter, only mtas that support the milter api can be used in the test cases [56].

• Sendmail 8.12.0 and later

Open source www.sendmail.org

• Postfix 2.4 and later

Open source www.postfix.org

• Postoffice SMTP server 1.3 and later

Open source

www.tsfr.org/~orc/Code/postoffice/

Only Sendmail and Postfix are used in the test suite due to their popularity.

4.1.3 Installation of necessary software

The basic idea for the test environment is to have two mail servers that can send and receive email. Each mail server has its own domain name, so that they act independently of each other. The first mail server runs Postfix and the second one runs Sendmail. To each mail server there are different mail filters and security software connected to it.

A single dns server hosts the dns records for both of the domains. These domains are subdomains of a dnssec enabled domain called tset.se. Figure 4.1 illustrates the test configuration.

Each step of the installation and the configuration parameters are documented in appendix A.

IP aliasing

There is only one computer available for testing purposes in the lab environment and all test servers must be running on this computer. The problem is that both Postfix and Sendmail need exclusive rights to certain ports on the Network

Interface Card (nic). There is therefore a need of multiple ip addresses to be able

to provide the mtas with their own set of ports. This can be solved by having multiple nics installed in the computer or by using a technique called ip aliasing. ip aliasing gives the computer access to multiple ip addresses by letting one nic host them. The difference between these two solutions is a performance issue regarding how the traffic are flowing to the computer through the network, but this has no importance for the test cases since they are not performing any stress testing.

(41)

4.1 Server set-up 27

SASL SMTP

TLS

Postfix

exempel1.tset.se Sendmail_{exempel2.tset.se} DNS

DKIMMilter DKIMMilter

Procmail Microsoft

Outlook Microsoft_Outlook

SMTP SMTP User 1 User 2 IMAP TLS Password file

(42)

DNS

When the ip addresses of the machine are configured it is time to publish their existence by using the dns system. This is done by having a dns server installed on the machine, which will answer for any queries about these domains. Bind 9 is the dns server of choice because of the default configuration of the lab equipment. dnssec is enabled and the domains are connected to the trusted zone of .se by a delegation from the domain tset.se. Two domains are in use, exempel1.tset.se and

exempel2.tset.se and each of them represent one of the mail servers.

Mail servers

There are two mail servers that will serve as a the base of the test suite. Sendmail and Postfix are selected because of their widespread use and reliability. Postof-fice is neglected because it is mainly intended for use in the NetBSD operating system. Further more, there should not be any big differences between these sys-tems regarding dkim milter since they all communicate with it through the Milter interface.

DKIM Milter

dkim milter is an implementation of the dkim standard. It attaches it self to the mail servers by using the Milter api and thus getting access to the information about the emails in transit through the mail server. dkim milter can with this information decide if it should sign the particular email and validate the signature of incoming emails. The results are put in the header of the email and any entity later in the chain can take specific action with this result in mind. The dkim milter is extended with a patch from .se that will make it to evaluate the dns queries with the aid of dnssec.

IMAP

An interface to the mail servers are needed to be able to retrieve the delivered emails. Dovecot is an implementation of imap and is used in the test suite to be able to read message from an external computer. There are other implementations of imap, but the selection of implementation should not influence the test results since it is just an method of retrieving email from the mail server.

SASL

The mail servers are configured so that only authorized users can send email out from them and with Cyrus sasl can an external user authenticate it self to the mail servers and thus be able to send email to other domains. The smtp-auth func-tionality is thus enabled. The discussion concerning the choice of implementation is similar to the one for imap.

(43)

4.2 Testing of DKIM Milter 29

Key generation

To be able to secure the system, there is a need of asymmetric keys. The keys are needed to the dkim signature and when signing the dns zones.

The first key generated for each zone is the Zone Signing Key (zsk) and is used for signing the rrs within the zone [33]. The second key is the Key Signing Key (ksk) and it is used for signing the zsk when it is published as a dnskey record. The reason to have two sets of keys is for easier key management when changing keys. The ksk is used as a secure entry point to the zone and if a new key is used for signing the zone, no one needs to be informed of this because they already have a copy of the ksk and thus a secure path to the zone. It is recommended that the key length is longer for the ksk than the zsk since it should be more secure. It is current recommended to use either rsasha1 or dsa as a key algorithm.

dkim on the otherhand uses the rsa algoritm and those keys are used for signing and validating the dkim signature. [2]

Certificates

Digital certificates are needed to create the secure channels between the user and the mail server. The certificate shows the identity of the public key owner and thus the ability to validate the origin of the connection. They are usually obtained from an Certificate Authority (ca) like VeriSign.com or Thawte.com and is the base for this type of public-key infrastructure. The other possibility it to generate a self-signed certificate locally on the server, but then no one can really trust the content of the certificate since they do not have a trusted relationship to the server like with the cas. These types of self-signed certificates are used in the test suite, since the certificates from the cas are a service you have to pay for and that the secure channel between the user and the mail server is not a top priority for the test suite.

4.2 Testing of DKIM Milter

There are two types of tests that are performed, function testing and domain

testing. The first one verifies the functionality and the second one tries to find any

unexpected events. The tests focus on the new inputs to the dkim milter that are created because of the patch.

4.2.1 Function testing

These types of tests are suitable for the first set of tests, because they are aimed at the smallest building block visible to the outside of a program [30]. The idea is to focus on one variable or function and see how they react to middle-of-the-road values as input data. That is, values that are expected to pass the test. It is easy to evaluate the outcome of the tests because the complexity of the procedures is fairly low. The result is often predictable and the program will not fail these sets of tests, but it will fail if there is something fundamentally wrong in the program.

(44)

The functionality of the program can be verified by doing these tests and if the tests fail, the problems can be fixed before the more complex test scenarios are started.

4.2.2 Domain testing

The domain testing takes the function testing one step further by testing a wide range of input values to a given function or variable [30]. A problem with this is that the combinations of possible input values often are enormous and would take very long time to go through all these tests. What the domain testing does is that it reduces this massive set into subdomains. A subdomain is a set of input data that are similar in property and will give similar outcome of the function. Then at least one representative value is selected from each subdomain, often the boundary or the extreme values.

4.2.3 Variables to test

The first basic tests focus on the new inputs to the dkim milter and how they affect the system. The reason of doing this is because different inputs will make the system behave in different ways. The patch introduces the dnssec functionality to the system and two components are needed to have this functionality function properly. The first is that the dns response from the email author’s domain is needed to be dnssec enabled. The second component is the trust anchor needed to be able to trust the origin of the dns response.

There are three types of dns rrs that are of interest for this test [5]:

• dnskey

Holds the public key of the dns server. The variables consist of flags, protocol number, algorithm type, and the public key.

• rrsig

Holds the signature of a rr. The variables consist of type covered, algorithm, labels, original Time to Live (ttl), signature expiration, signature inception, key tag, signer’s name, and the signature.

• ds

Holds a secure pointer to the dnssec enabled child domain. The variables consist of key tag, algorithm, digest type and digest.

Each of these rrs is defined in the RFC4034. It describes how and what values should be used and what actions are expected to be taken by the recipient. Read the rfc for a more detailed explanation of the different rrs.

The second component to test is the trust anchor file and it is formatted just like the dnskey rr. It acts as a local copy of the public key to the trusted zone.

(45)

4.2 Testing of DKIM Milter 31

4.2.4 Test cases

The test cases are made according to model recently discussed. The first part is to verify that functionality, table 4.1, and the second part tries to interrupt the system by using boundary values, table 4.2. The tests are performed by sending an email from one email server to the other. Each direction is tested.