robertdavidgraham / hunter-dkim Goto Github PK

• I assert emails from January 2015 can verify against the current modern gmail DKIM keys. I believe the key rotation was patchy/rolling and took a long time. I also have emails from April 2015 which don't, but do validate against the key in this repository as of commitid 44e0c36.
• The original DKIM key length Google was using was at least as small as 512-bits, and it was cracked very quickly.
• Theoretically, Google themselves could have forged the email "yesterday" with their old keys.
• Who knows if this was actually from Hunter's laptop.
• The best way for random other people to validate the key is, per Mr. Maxwell's suggestion, to look at their own old emails and triangulate/validate with the key against them, especially if they have old copies of their emails that have been stored out of Google or otherwise under their sole control since 2015ish.
• There's no real way to prove context or accuracy of content. Thank you for implying that in your FAQ.

Thank you very much for publishing this repository, Robert. It's a fun diversion. :) Plus, you gave me reason to find and locate some emails I thought I'd lost. (Original pointer to this repository due to Mr. Maxwell, for which I am very grateful.)

The FAQ (which is a nice addition) says that due to being quoted-printable, there's no place to add a space. I'm not entirely sure what you mean by that.

$ diff -u Meeting\ for\ coffee.eml change-space.eml
--- Meeting for coffee.eml	2020-10-30 00:07:03.000000000 -0400
+++ change-space.eml	2020-10-30 12:50:07.000000000 -0400
@@ -46,7 +46,7 @@
 Content-Transfer-Encoding: quoted-printable
 Mime-Version: 1.0 (1.0)

-Dear Hunter, thank you  for inviting me to DC and giving an opportunity to m=
+Dear Hunter,                                       thank you  for inviting me to DC and giving an opportunity to m=
 eet your father and spent some time together. It's realty an honor and pleas=
 ure.
 As we spoke yesterday evening, would be great to meet today for a quick coff=
$ ./verify.py *.eml
Meeting for coffee.eml: DKIM signature verified
change-space.eml: DKIM signature verified
forgery.eml: DKIM signature verification failed

I can't imagine what problems not verifying the exact number of spaces people are worried about with this, but it certainly seems possible to add spaces and still pass verification.

Thanks for posting this repo. It's an interesting technical/intellectual exercise. I'm no expert, but I've configured and managed mail servers using DKIM for several years now and have had to do forensics on a number of e-mails with questionable lineage.

DKIM offers an effective but limited scope of integrity assurance regarding a message's content. Assuming a correct DKIM setup, a message that has a valid DKIM signature means that its contents are the same as signed by the origin mail server, prior to the mail being sent. This is different than saying the message came from the mail account holder and that it was not changed in any way.

Malicious actors don't try to circumvent DKIM; that's generally too hard. Instead, they seek to alter or inject messages into the "transit path" prior to the mail server signing and sending it. There are other ways too that don't appear to apply in this case. From the mail headers in this message, here are a few techniques that could be used to deliver a malicious e-mail that has a valid DKIM signature (they = malicious party):

• If they know the gmail account credentials.
• The mail appears to have been sent from an iPhone. If they have access to the unlocked phone, or if they convince its owner to download malware to the phone.
• If they threaten the owner to force them to send illegitimate e-mails.
• If they exploit a security weakness in the mail server software.

I'm not trying to prove or disprove the validity of this particular message. Rather, I want to point out that DKIM is awesome but what it can tell you is limited.

As you say, this particular email says nothing except that he "met" Joe Biden, which could be as little as getting the opportunity to shake his hand. Probably more important would be to verify the May 12, 2014 email with the subject "urgent issue", which requests "advice on how you could use your influence". That would at least verify that "influence" was considered on of the key things of value that Hunter Biden was providing.

i.e. we can use DKIM to verify the sender, but can we use DKIM to verify the recepient? i.e. the To: header (which is part of the dkim hash) isn't actually used in delivery. So while, we can have be fairly sure the sender sent it when they did (or at least time boxed), can we really know who it was sent to?

i.e. I'm wondering if this statement is a little bit too absolute "the intended recipient was to the account [email protected], known to have been used by Hunter Biden". We know that was To: header, but that doesn't actually mean it was the intended recipient, if the rcpt to was to a different address.

I have little experience with cryptography but was wondering about this the other way around.

Given that we (at least for now) have a single email with headers, would brute-forcing the signature be viable and less computationally intensive than cracking the private key? E.g. randomly generating signatures until one validates?

Apparently there is a discussion on Wikipedia about this https://en.wikipedia.org/wiki/Talk:Biden%E2%80%93Ukraine_conspiracy_theory/Archive_3#DKIM_email_verification

A question some people will have when confirming this confirmation is if the provided key old google key is authentic. One way that you can check this is by checking if other contemporary known-google-signed messages were signed with the same key.

One way for any person who was using gmail back in 2015 to accomplish this is simply by validating one of their own received emails from on/around the date in question.

It's as simple as bringing up an email to you in gmail from around that date, clicking show original, and pasting the entire text output into a file. The file will then validate with the repo's script. (And indeed, it does for me on a couple messages I checked).

I was also able to check those messages against an old google-takeout dump of my entire mailbox.

Presumably other people have older published google-received messages from around that date, complete with headers. It might even be possible to find some in court records to convince people who don't have their own.