
Enhance keylength of Domainkeys for more security

Deleted member 121791
Currently Plesk uses 768-bit sha-rsa private keys for all DomainKeys it creates for signing.
You can check it:
root@server1234 ~ # openssl rsa -in /etc/domainkey/example.org/default -text
Private-Key: (768 bit)


The short keys violate RFC 4871, see Section 3.3.3.

How can the key length be extended?
This is a must for securely signing mails with DKIM/DomainKeys.

See also
http://www.h-online.com/security/news/item/Mathematician-exposes-weak-DKIM-keys-1736423.html
http://tools.ietf.org/html/rfc4871#section-3.3.3
 
---------------------------------------------------------------
PRODUCT, VERSION, MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
Parallels Plesk Panel, 11.0.9, #21, Debian 6.0.6, Linux 2.6.32-5-amd64 #1 SMP x86_64 GNU/Linux

PROBLEM DESCRIPTION
Key length of private key of Domainkeys is too short (<1024bit) and results in weak mail signatures for outgoing mails

STEPS TO REPRODUCE
1. Open Control panel for a domain with no current Domainkey set
2. Select Mail tab
3. Select Change settings
4. Activate [x] Use DomainKeys spam protection system to sign outgoing e-mail messages
5. Hit OK button
6. Open connection to server in ssh shell
7. show information of private key with openssl: openssl rsa -in /etc/domainkeys/domain.tld/default -text

ACTUAL RESULT
root@srv12 /etc/domainkeys/domain.tld # openssl rsa -in default -text
Private-Key: (768 bit)
modulus:
......
......


EXPECTED RESULT
Should be Private-Key: (1024 bit)
or greater key length for more security!

ANY ADDITIONAL INFORMATION
According to RFC 4871 Sec. 3.3.3, the key length for DomainKeys should be greater than or equal to 1024 bits
<http://tools.ietf.org/html/rfc4871#section-3.3.3>
Using weak keys in digital signing of mails results in crackable signatures.
RSA 768 can be cracked <http://www.h-online.com/security/news/item/768-bit-RSA-cracked-898986.html>

Plesk should generate longer keys for more security in digital signing of mails.

--------------------------------------------------------------
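A way to audit DKIM key sizes without reading the openssl output by eye, added here as an example and not part of the original post or of Plesk itself: it decodes the DER inside a PEM private key (PKCS#1 or PKCS#8) or inside the p= tag of a published DKIM TXT record, recovers the modulus size (the value openssl prints as "Private-Key: (N bit)"), and flags anything below the 1024-bit floor from RFC 4871 section 3.3.3. The sample key and TXT record are constructed inside the block (structurally valid, mathematically meaningless) so it runs offline; the file paths and the example.org name are assumptions.

```python
import base64
import re
import sys

# Added example, not Plesk code. Small DER helpers build a constructed RSA key
# structure for demonstration; the parser below recovers the modulus size.
MIN_DKIM_BITS = 1024  # RFC 4871 section 3.3.3 floor for long-lived keys


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def make_pkcs1_pem(bits):
    """Constructed RSAPrivateKey PEM with a modulus of exactly `bits` bits.
    Only the structure is realistic; d, p, q, ... are placeholders."""
    n = (1 << (bits - 1)) | 1
    ints = [0, n, 65537] + [3] * 6  # version, n, e, d, p, q, dp, dq, qInv
    der = _der(0x30, b"".join(_der_int(i) for i in ints))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


def make_dkim_txt(bits):
    """Constructed DKIM TXT record; p= carries a SubjectPublicKeyInfo whose
    modulus has exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
    alg = _der(0x30, rsa_oid + b"\x05\x00")
    pub = _der(0x30, _der_int(n) + _der_int(65537))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def max_integer_bits(der):
    """Largest INTEGER in a DER blob, descending into SEQUENCE, BIT STRING and
    OCTET STRING. For PKCS#1, PKCS#8 and SubjectPublicKeyInfo RSA encodings
    that is the modulus n, i.e. the key size openssl reports."""
    best, pos = 0, 0
    while pos < len(der):
        tag, body, pos = _read_tlv(der, pos)
        if tag == 0x02:
            best = max(best, int.from_bytes(body, "big").bit_length())
        elif tag == 0x30:
            best = max(best, max_integer_bits(body))
        elif tag == 0x03:  # BIT STRING: skip the unused-bits byte
            best = max(best, max_integer_bits(body[1:]))
        elif tag == 0x04:  # PKCS#8 wraps the RSAPrivateKey in an OCTET STRING
            try:
                best = max(best, max_integer_bits(body))
            except (ValueError, IndexError):
                pass
    return best


def rsa_bits_from_pem(pem):
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return max_integer_bits(base64.b64decode(b64))


def rsa_bits_from_dkim_txt(txt):
    m = re.search(r"p=([^;]*)", txt)
    if not m:
        raise ValueError("no p= tag in DKIM record")
    return max_integer_bits(base64.b64decode(re.sub(r"[\s\"]", "", m.group(1))))


def weak_keys(bits_by_name, min_bits=MIN_DKIM_BITS):
    return sorted(name for name, bits in bits_by_name.items() if bits < min_bits)


SAMPLE_PRIVATE_KEY_PEM = make_pkcs1_pem(768)   # constructed, mirrors the report
SAMPLE_DKIM_TXT = make_dkim_txt(2048)          # constructed published record

if __name__ == "__main__":
    # Usage: python dkim_keycheck.py /etc/domainkeys/example.org/default ...
    if sys.argv[1:]:
        sizes = {p: rsa_bits_from_pem(open(p).read()) for p in sys.argv[1:]}
    else:
        sizes = {"example.org private key": rsa_bits_from_pem(SAMPLE_PRIVATE_KEY_PEM),
                 "example.org TXT record": rsa_bits_from_dkim_txt(SAMPLE_DKIM_TXT)}
    for name, bits in sizes.items():
        print(f"{name}: {bits} bit")
    print("below", MIN_DKIM_BITS, "bits:", weak_keys(sizes))
```

Taking the largest INTEGER rather than walking a fixed field order is what makes one parser serve private keys and the public half in DNS alike: in every RSA encoding the modulus is the widest integer present, so the result matches the bit count openssl prints without depending on the container format.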
 
Thanks, I have forwarded the report to the developers (#122108). I will update the thread with results as soon as I receive them.
 
Can you please let us know when this becomes available?
It's a quite important matter I would say.
 
It will be implemented in one of the nearest Plesk 11.5 updates.
 
I think it's already fixed in Plesk 11.5.30. Though only for new mailnames. Alternatively you need to turn DK on/off to generate new keys.
 
Hi,

we just installed Plesk 11.5.30 Update #9 to 'resolve' this issue and the key length of the private key is still 768 bit.

How should we resolve this issue ?

Thanks
 

Just to add

Even when creating a new domain and a new mailname, the private key length is still 768 bit.

-- EDIT --

Oh, I apologise, I didn't notice that I am posting in the Linux part of the forum.

We are using Plesk for Windows, should this not apply?
 