This is a very cool story for those crypto geeks out there. Apparently, Zachary Harris, a mathematician by trade, received an email from a Google recruiter. He happened to notice that Google used DKIM to verify the message’s authenticity based on a relatively short 512-bit RSA key. Thinking it was a “challenge” for Google employment, Zachary figured he could crack it in a reasonable time and so he did. He then forged an email to Larry Page from Sergey Brin referencing his website as something they might want to check out. Zackary didn’t hear anything back from the recruiter but a few days later he noticed Google switched to using 2048-bit keys and lots of hits on his website from Google IPs. Seeing Google’s flaws he investigated a few other popular sites and discovered many others, including Amazon, Twitter, eBay and Yahoo, using crackable key lengths. In this day in age sites should at least be using 1024-bit public keys.
US-CERT has issued a warning that DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are open to being spoofed and need to be upgraded to combat attackers wielding contemporary quantities of computing power.
You might think this is no big deal – after all the value of strong cryptography has been recognized for years. Unfortunately this problem has been found to affect some of the biggest names in the tech industry, including Google, Microsoft, Amazon, PayPal and several large banks.
The DKIM system adds a signature file to messages that can be checked to ascertain the domain of the sender by checking with DNS. It also takes a cryptographic hash of the message, using the SHA-256 cryptographic hash and RSA public key encryption scheme, so it can’t be altered en route.
Do you know of any other sites using crackable key lengths? Post your comments below. Today’s post pic is from Facebook.com.