Google, Microsoft and Yahoo have recently fixed a cryptographic weakness that affected their email systems, which could allow a hacker to make a fake message that could pass a mathematical security variation.
The weakness that these companies targeted affects DKIM, or DomainKeys Identified Mail, which is a security system that big email senders use. DKIM puts a cryptographic signature around the email that acts as a verification of the domain name through which the email was sent. This makes it easier to filter out the fake messages from the real ones.
The problem is with signing keys that are not above 1024 bits, which in some cases can be factored because of increasing computer power. US-CERT stated in its advisory this week that signing keys that are not greater than 1024 bits are weak, and that keys as great as RSA-768 bits have been factored.
The issue was revealed when a mathematician in Florida named Zachary Harris received an email from a recruiter at Google that used a 512 bit key. He though that this could be some sort of clever test from Google. The math whiz factored the key, and then used it to send a fake message from Sergey Brin to Larry Page, who are the founders of Google.
It turned out to not be a test, but was a very serious problem, where emails that are actually faked could be treated as real. The DKIM standard states that email messages that have keys that are not greater than 1024 bits will not always be rejected.
Harris discovered that this problem was not only with Google, but also with Yahoo and Microsoft. All of the companies appear to have fixed this problem in the last few days, US-CERT has found. Harris told Wired magazine that he found 512 bit and 768 bit keys being used at Paypal, Amazon, Dell, LinkedIn, Twitter, Apple, and more.
Weak keys mean ‘party time’ for cybercriminals and hackers. They target people with emails that have malicious links. They are attempting to exploit the software of a computer and install malware. If the email has the right DKIM signature, it is more likely to end up in the inbox, rather than in spam.