Friday, October 21, 2016

Yes, we can validate the Wikileaks emails

Recently, WikiLeaks has released emails from Democrats. Many have repeatedly claimed that some of these emails are fake or have been modified, that there's no way to validate each and every one of them as being true. Actually, there is, using a mechanism called DKIM.

DKIM is a system designed to stop spam. It works by verifying the sender of the email. Moreover, as a side effect, it verifies that the email has not been altered.

Hillary's team uses "hillaryclinton.com", which has DKIM enabled. Thus, we can verify whether some of these emails are true.

Recently, in response to a leaked email suggesting Donna Brazile gave Hillary's team early access to debate questions, she defended herself by suggesting the email had been "doctored" or "falsified". That's not true. We can use DKIM to verify it.

You can see the email in question at the WikiLeaks site: https://wikileaks.org/podesta-emails/emailid/5205. The title suggests they have early access to debate questions, and the email includes one specifically on the death penalty, with the text:
"since 1973, 156 people have been on death row and later set free. Since 1976, 1,414 people have been executed in the U.S"
Indeed, during the debate the next day, they asked the question:
"Secretary Clinton, since 1976, we have executed 1,414 people in this country.  Since 1973, 156 who were convicted have been exonerated from the death row."
It's not a smoking gun, but at the same time, the email both claims they got questions in advance and contains a question in advance. Trump gets hung on similar chains of evidence, so it's not something we can easily ignore.

Anyway, this post isn't about the controversy, but the fact that we can validate the email. When an email server sends a message, it includes invisible "headers". They aren't especially hidden; most email programs allow you to view them. It's just that they are boring, so they are hidden by default. The DKIM header in this email looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=hillaryclinton.com; s=google;
        h=from:mime-version:references:in-reply-to:date:message-id:subject:to
         :cc;
        bh=EHIyNFKU1g6KhzxpAJQtxaW82g5+cTT3qlzIbUpGoRY=;
        b=JgW85tkuhlDcythkyCrUMjPIAjHbUVPtgyqu+KpUR/kqQjE8+W23zacIh0DtVTqUGD
         mzaviTrNmI8Ds2aUlzEFjxhJHtgKT4zbRiqDZS7fgba8ifMKCyDgApGNfenmQz+81+hN
         2OHb/pLmmop+lIeM8ELXHhhr0m/Sd4c/3BOy8=

How do you verify this is true? There are a zillion ways with various "DKIM verifiers". I use the popular Thunderbird email reader (from the Mozilla Firefox team). They have an addon designed specifically to verify DKIM. Normally, email readers don't care, because it's the email server's job to verify DKIM, not the client. So we need a client addon to enable verification.

Downloading the raw email from WikiLeaks and opening it in Thunderbird, with the addon, I get the following verification that the email is valid. Specifically, it validates that HillaryClinton.com sent precisely this content, with this subject, on that date.



Let's see what happens when somebody tries to doctor the email. In the following, I added "MAKE AMERICA GREAT AGAIN" to the top of the email.



As you can see, we've proven that DKIM will indeed detect if anybody has "doctored" or "falsified" this email.

I was just listening to ABC News about this story. It repeated Democrat talking points that the WikiLeaks emails weren't validated. That's a lie. This email in particular has been validated. I just did it, and have shown you how you can validate it, too.

Btw, if you can forge an email that validates correctly as I've shown, I'll give you 1 bitcoin. It's the easiest way of solving arguments about whether this really validates the email -- if somebody tells you this blogpost is invalid, then tell them they can earn about $600 (current value of BTC) proving it. Otherwise, no.




Update: I'm a bit late writing this blog post. Apparently, others have validated these, too.





Update: In the future, when HillaryClinton.com changes their DKIM key, it will no longer be possible to verify these emails. Thus, I'm recording the domain key here:

google._domainkey.hillaryclinton.com: type TXT, class IN
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJdAYdE2z61YpUMFqFTFJqlFomm7C4Kk97nzJmR4YZuJ8SUy9CF35UVPQzh3EMLhP+yOqEl29Ax2hA/h7vayr/f/a19x2jrFCwxVry+nACH1FVmIwV3b5FCNEkNeAIqjbY8K9PeTmpqNhWDbvXeKgFbIDwhWq0HP2PbySkOe4tTQIDAQAB
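
As an added illustration (not code from this post or from the Thunderbird addon), the Python below shows what a verifier derives from the header and DNS record quoted above: the tags, the list of signed headers, the RSA key size, and the relaxed body hash that bh= commits to. The sample bodies are constructed, and the final RSA check of b= over the signed headers is left out because it needs the raw message.

```python
import base64, hashlib, re

# Copied from the post above: the DKIM-Signature value and the DNS TXT record.
SIG = """v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=hillaryclinton.com; s=google;
        h=from:mime-version:references:in-reply-to:date:message-id:subject:to
         :cc;
        bh=EHIyNFKU1g6KhzxpAJQtxaW82g5+cTT3qlzIbUpGoRY=;
        b=JgW85tkuhlDcythkyCrUMjPIAjHbUVPtgyqu+KpUR/kqQjE8+W23zacIh0DtVTqUGD
         mzaviTrNmI8Ds2aUlzEFjxhJHtgKT4zbRiqDZS7fgba8ifMKCyDgApGNfenmQz+81+hN
         2OHb/pLmmop+lIeM8ELXHhhr0m/Sd4c/3BOy8="""
TXT = ("v=DKIM1; k=rsa; p="
       "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJdAYdE2z61YpUMFqFTFJqlFomm7C4Kk97"
       "nzJmR4YZuJ8SUy9CF35UVPQzh3EMLhP+yOqEl29Ax2hA/h7vayr/f/a19x2jrFCwxVry+nAC"
       "H1FVmIwV3b5FCNEkNeAIqjbY8K9PeTmpqNhWDbvXeKgFbIDwhWq0HP2PbySkOe4tTQIDAQAB")
# Constructed sample bodies (assumptions, not the WikiLeaks message).
BODY = b"Agenda for Tuesday:\r\n  1. budget\r\n"
REFLOWED = b"Agenda  for\tTuesday:   \r\n \t1. budget \r\n\r\n \r\n"  # whitespace changes only
DOCTORED = b"MAKE AMERICA GREAT AGAIN\r\n" + BODY                    # text added at the top

def parse_tags(value):
    """Split a DKIM tag list ("k=v; k=v") into a dict, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def der_items(buf):
    """Yield (tag, content) for each DER element in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                      # long form: low 7 bits count the length bytes
            k = length & 0x7F
            length, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + length]
        i += length

def rsa_public_key(txt_record):
    """Decode p= (base64 SubjectPublicKeyInfo) into the RSA modulus and exponent."""
    spki = base64.b64decode(parse_tags(txt_record)["p"])
    (_, seq), = der_items(spki)                # outer SEQUENCE
    (_, _alg), (_, bits) = der_items(seq)      # AlgorithmIdentifier, BIT STRING
    (_, rsa_seq), = der_items(bits[1:])        # skip the unused-bits byte
    (_, n), (_, e) = der_items(rsa_seq)        # INTEGER modulus, INTEGER exponent
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def relaxed_body_hash(body):
    """bh= under relaxed body rules: squeeze spaces, trim line ends, drop trailing blank lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

if __name__ == "__main__":
    sig, (n, e) = parse_tags(SIG), rsa_public_key(TXT)
    print(f"{sig['s']}._domainkey.{sig['d']}", sig["h"].split(":"))
    print(n.bit_length(), e, len(base64.b64decode(sig["b"])) * 8)
    print([relaxed_body_hash(b) == relaxed_body_hash(BODY) for b in (REFLOWED, DOCTORED)])
```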

36 comments:

quintic said...

If someone did doctor an email, could they also doctor the DKIM header to match?

Silent said...

DKIM signs messages with a key that is stored in the DNS system. In order to forge the DKIM header they would also have to somehow modify the record on the DNS server or intercept and replace the key in transit so that the receiving email servers and in this case Rob's email client verify the message with the doctored key.

More on DKIM:
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

a said...

Using the DKIM signatures as proof of authenticity assumes the hillaryclinton.com mail server hasn't been compromised and the DKIM private key remains private, no?

Compromising hillaryclinton.com would certainly not be worth doing for 1 BTC, but it seems worth explicitly mentioning as a possible way of inserting an email into the archives that would appear legitimate by this method of verification.

Chip A. said...

Yes - but since their mail is hosted by Google I'd certainly consider hacking that mail server to be a challenge. We're not talking about some Exchange server in someone's basement.

Unknown said...

These keys are very short and could be spoofed, see
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Short_key_vulnerability


However, if a government is behind the hack indeed, it would be very believable they had the resources to pull this off.

On the other hand, given Hillary's history, I believe the email to be legit even IF the DKIM was doctored.

Unknown said...

It's only a 256 bit DKIM key... easy to spoof.

Michael G. said...

@Al Rogan: It's a 1024bit key

name@host:~]$ openssl rsa -noout -text -pubin < clinton.key

Public-Key: (1024 bit)
Modulus:
00:89:74:06:1d:13:6c:fa:d5:8a:54:30:5a:85:4c:
52:6a:94:5a:26:9b:b0:b8:2a:4f:7b:9f:32:66:47:
86:19:b8:9f:12:53:2f:42:17:7e:54:54:f4:33:87:
71:0c:2e:13:fe:c8:ea:84:97:6f:40:c7:68:40:fe:
1e:ef:6b:2a:ff:7f:f6:b5:f7:1d:a3:ac:50:b0:c5:
5a:f2:fa:70:02:1f:51:55:98:8c:15:dd:be:45:08:
d1:24:35:e0:08:aa:36:d8:f0:af:4f:79:39:a9:a8:
d8:56:0d:bb:d7:78:a8:05:6c:80:f0:85:6a:b4:1c:
fd:8f:6f:24:a4:39:ee:2d:4d
Exponent: 65537 (0x10001)

Steve said...

In your example it looks like the following is part of the hash:

h=from:mime-version:references:in-reply-to:date:message-id:subject:to
:cc;
Does this mean that the from and to addresses are not part of the hash? I think one can set the in-reply-to address manually. Could one then have an account on the system (plausible since they can dump the mail spool), send it from another account on the system to some other address and then change these later without invalidating the signature?

twopigames said...

So, isn't RSA1024 basically broken at this point when we are talking about state level actors like Russia?

RSA put out a note in 2003 stating that an estimated $10M hardware setup could sieve the whole keyrange for 1024bit in under a year. I'd assume most intelligence agencies have something laying around to do this?

RSA Note

WDS said...

twopigames while it is true RSA said this, it also appears they were a bit too optimistic in their predictions on the progress of cracking technology. Sure, the Russians could have broken 1024 bit RSA without it being public knowledge. But I think it is unlikely. There is definitely no way a $10,000,000 purpose-built machine could do it in a year.

Looking at the RSA numbers challenge on Wikipedia, the biggest factorization (which is the only hard step in RSA to being able to calculate the private key) is of a 768 bit number. And that was done by some legends in the field. 1024 bit numbers are probably still safe even from governments, but they are phased out now because better too early than too late.

It does raise a chilling prospect, though. Many people worry that HRC's using a home server was problematic in that it could have exposed classified information to unauthorized parties. But as she was using 1024 bit RSA for her DKIM, we must also ask ourselves about the possibility emails were sent as her -- as Secretary of State -- and DKIM authenticated all because of her using that home server.

twopigames said...

First, I don't particularly believe any of the emails are manipulated....:)

I thought RSA ended the challenge in 2007?

Is it outside the realm of likely that the NSA and therefore the Russian version would be capable of breaking 1024bit RSA in a somewhat time efficient manner? Wouldn't it only require a rainbow type lookup table for the sieve once you calculate it once? You've got to remember, the NSA has an insane amount of computing power laying around (I'm drawing conclusions about the Russians simply because I don't have a frame of reference for them).

Let's assume for argument's sake 'they' aren't able to break RSA 1024. We agree that it's simple to fake a DKIM if you have the private key (otherwise why bother factoring the key at all).

It would be infinitely easier to break into the server and grab a copy of the private key used to generate the DKIM sig. Given that the state departments' servers were hacked during the same time-frame that HRC was using a private email server; I doubt her servers were more secure than the state dept ones. This has its own chilling consequences, due to the classified nature of some of her emails that were stored on that server, but honestly, is it worse than the state department servers being hacked?

All we really know is that the messages in question are signed by an entity that possesses the private key in question, which is literally all that DKIM is meant to prove.

Anyway, my whole point, there are other plausible options here, especially when we throw in the whole idea that a state actor might be behind the overall disclosures. Personally, I don't think this is the case, but hey, it's plausible, isn't it?

Matt Calhoun said...

Are all the emails on WikiLeaks complete with header information that we can compare?
I didn't see header info for clintonemail.com messages.

Unknown said...

Right, so there's this thing called email spoofing which is used in conjunction with man-in-the-middle attacks to intercept an email in transit, modify it, then send it on its way, all while still being "verified" as unaltered. This type of cyber attack is actually quite common and well documented. So while I see the merit in trying to validate or disprove claims of tampering, it's not actually easily ascertained by DKIM as you are claiming.

Marshall K. Stokes said...

So David D. Let me get this straight. You're suggesting that there was possibly a man-in-the-middle attack on the hillaryclinton.com mail server that intercepted all 19,000+ emails, modified them and sent them on their way systematically. What's more likely? That an email was captured after being sent, forwarded to a person in a foreign country with malicious intent, they read the email, then decided to modify the email to inflict the most damage to the Clinton campaign and then forwarded the modified email on to John Podesta without anyone knowing that the email was modified? Remember, both Podesta and Clinton admit that the emails were stolen. The manpower to make such modifications would be massive!

Or are these just the authentic emails from Podesta's account? (Occam's Razor)

Matt Calhoun said...

Is there header information for all of the Clinton emails available?

Also, I did the Thunderbird DKIM verification and it is stuck on validating.
Also, how can I input a picture to show the dkim error? IMG src tags aren't allowed.

Alfredo said...

@ Marshall Stokes said...

You said it buddy Occam's Razor.......

DrFinkster said...

But I don't see any DKIM headers on any of the emails sent by John Podesta. Also, it appears that the DKIM header is stripped out of any reply. Couldn't you then forge an email from hillaryclinton.org by crafting it as a reply by John Podesta to a non-existent email?

James said...

There's no reason to believe that HillaryClinton.com has been hacked. (Don't confuse it with ClintonEmail.com.) Also, even if Russia did get into the server (implausible), it doesn't mean they could get permissions to the DKIM private key, which is probably locked down tight.

James said...

@DrFinkster, DKIM only authenticates email sent directly by HillaryClinton.com, or any other domain that uses DKIM. Emails that include the DKIM header can be authenticated. Those that don't, can't.

Eric said...

I tried to do what you said and verify the emails myself because I don't like blindly trusting. I got Thunderbird, but I didn't set up an email address in it. I got the DKIM verifier add-on and downloaded the email you suggested. It just says "validating..." for seemingly ever. Does it take a long time to process? Or is something wrong?

Unknown said...

Where is the private key stored? If it is stored on the sending server (Hillary.com) then couldn't the Russians hack into that server and read the private key? Once that was done then the emails could be completely fabricated and signed and no one would know the difference. What am I missing?

DrFinkster said...

@James, Exactly, which means that a big chunk of the Podesta emails (over 7000 of them I believe) can't be verified, which sort of undermines the headline of this piece.

Brian said...

Would someone that hacked the server have access to the private key?

Rothgar said...

Faking these emails would NOT require a huge NSA/KGB level effort. All you need is an email with the fake content, a DKIM signed email (with any content) between the target email addresses, and a pair of accessible addresses using DKIM signatures.

Take an email with the fake content and send it between the pair of accessible addresses with DKIM signing turned on. This way DKIM provides the new body and subject content signature. Next, in a hex or binary editor (like ht) open the email between the targeted source/destination email address pair. Now, add the fake subject line and email body content. Finally, replace the first 32 symbols of the full message signature with the newly created body/subject signature from the fake email. Voila, you have a forged email that looks legitimate.

This is assuming that emails between Mr. Podesta and Sec. Clinton were signed using DKIM. If Sec. Clinton’s server only used DKIM to confirm an email came from Mr. Podesta as is standard, all the forger would need to do is combine the headers from a real email with fake message content.

This forgery is so easily accomplished it is hard to see how one could claim otherwise without some political motivation.

Unknown said...

Actually, DKIM does a one way hash of the entire contents, so any changes in the content would cause an invalid test. So, regardless of your political beliefs, this would not work. DKIM signs the email by encrypting the one way hash of the content. So this is wrong.

Dave C said...

Only with the private key. The question is who had access to that? And was it an endpoint hack?

Bob Enyart said...

KGOV.com has publicly committed to up Robert Graham's 1BTC bounty to $2,000 U.S., at http://kgov.com/hillary.

AKemWave said...

I found this, "7 Generate keys for signing

You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away on your server, while the public key gets published in your domain's DNS records so that receiving mail servers can verify your DKIM-signed mail." here - https://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim So if the private key resides on the MX, and the MX is compromised, what is to stop those who sucked stuff off the MX from being able to forge messages? And what if I just change this and host the private key on my host... then go back and erase the evidence I was in the MX editing files? /etc/opendkim/TrustedHosts –- a list of servers to "trust" when signing or verifying ---- just asking

Unknown said...

The only real way to edit or fabricate these emails is to hack into the server and get the private key, a very tall order. But difficulties don't stop there. The Russians would then have to have a staff of English speakers who are very knowledgeable about Hillary and her staff. That would be hugely labor intensive and risky, given the massive scrutiny that these emails get. A dumb mistake would be inevitable and give the lie to the entire enterprise. I think people have to accept these are authentic.

Unknown said...

What would be the best possible way to undermine the Wikileaks releases? The answer is simple. Find one doctored or fabricated email that can be proven to be so. This would be game over for Wikileaks. They would lose credibility completely. Podesta has said they don't have time to authenticate the emails. This is his way of admitting that they are authentic. If they thought they were not authentic they would devote massive resources to prove at least one was fabricated or edited. This would be the nuclear weapon that would vaporize Wikileaks forever. Certainly that would justify the effort and resources. So, we can assume Podesta believes they are authentic. No one would be dumb enough to let the opportunity slip away. Clearly, any discussion of cryptographic subtleties is beside the point and a waste of time.

Roman said...

Thanks for the article, have the opportunity to use a more flexible service in the plan results and price
https://proofy.io/

Michael Thomas said...

I'm seeing this 4 years later, and as one of the authors of DKIM had been hunting around for whether this post-hoc verification might come up one day. Boy was I surprised that it was But Her Emails. I had figured that this could be a thing about 10 years ago when submission auth started to be widespread thus creating a chain of custody. Was it ever established that hillaryclinton.com required submission authentication? It's always possible that their submission servers were behind a firewall and didn't require auth to use them. If that were the case, you'd really only know that it was somebody behind that firewall who wrote it, not a particular person for sure.