NSEC5: Provably Preventing DNSSEC Zone Enumeration DNS OARC Fall 2014 Workshop, Los Angeles, October 12, 2014 Sharon Goldberg Dimitrios Papadopoulos Leonid.

1 NSEC5: Provably Preventing DNSSEC Zone Enumeration. DNS OARC Fall 2014 Workshop, Los Angeles, October 12, 2014. Sharon Goldberg, Dimitrios Papadopoulos, Leonid Reyzin, Sachin Vasant, Moni Naor, Asaf Ziv.

2 outline
How does DNSSEC deal with denial of existence?
–RFC 4470: Online Signing
–RFC 4034: NSEC
–RFC 5155: NSEC3
Zone enumeration in NSEC and NSEC3: the attacker makes a few online queries and enumerates all names in the zone via offline dictionary attacks. Demo'd by [nsec3walker; 2011], [Wander-Schwittmann-Boelmann-Weis; 2014].
We introduce NSEC5:
–NSEC5 is just like NSEC3, replacing the hash with an RSA-based "keyed hash".
–NSEC5 provably prevents zone enumeration.
–NSEC5 maintains zone integrity, even if the hash key is leaked.
We hope to turn NSEC5 into an Internet Draft and want feedback!

3 how to deal with authenticated denial of existence?
[Figure: a resolver asks "q.com?" and the nameserver answers NXDOMAIN. The zone file contains a.com, c.com, z.com and a DNSKEY.]

4 generic pre-signed NXDOMAIN violates integrity
Integrity: No denial-of-existence for a name that exists.
[Figure: a resolver asks "a.com?" (a name that exists) and receives a replayed, generically signed NXDOMAIN: integrity is violated by replaying the NXDOMAIN.]
                          Integrity?
DNS                       X
Generic signed NXDOMAIN   X
Online signing            ✔
NSEC
NSEC3
NSEC5

5 online signing for denial of existence (RFC 4470)
[Figure: a resolver asks "q.com?"; the nameserver, holding the secret ZSK, signs an NXDOMAIN for q.com online. Zone file: a.com, c.com, z.com, DNSKEY.]
Trusting every secondary nameserver with the secret ZSK can be problematic.
              Integrity?  Tolerates bad nameserver?
DNS           X           X
Sign online   ✔           X
NSEC
NSEC3
NSEC5

6 NSEC (RFC 4034): precomputed denial of existence
Zone file: a.com, c.com, z.com, DNSKEY. Precomputed, signed NSEC records link consecutive names:
–a.com NSEC c.com
–c.com NSEC z.com
–z.com NSEC a.com
[Figure: a resolver asks "q.com?" and receives the covering record "c.com NSEC z.com".]

7 why NSEC maintains integrity
Integrity: No denial-of-existence for a name that exists.
[Figure: a resolver asks "a.com?"; the NSEC records are a.com NSEC c.com, c.com NSEC z.com, z.com NSEC a.com. There is no valid NSEC record to replay, since no interval covers a.com.]
              Integrity?  Tolerates bad nameserver?
DNS           X           X
Sign online   ✔           X
NSEC          ✔           ✔
NSEC3         ✔           ✔
NSEC5

8 NSEC introduces a new issue: zone enumeration (1)
Zone with n names: ~n online queries enumerate all names.
[Figure: a resolver asks "b.com?" and receives "a.com NSEC c.com". Names learned: a.com, c.com.]
              Integrity?  Tolerates bad nameserver?
DNS           X           X
Sign online   ✔           X
NSEC          ✔           ✔
NSEC3         ✔           ✔
NSEC5

9 NSEC introduces a new issue: zone enumeration (2)
Zone with n names: ~n online queries enumerate all names.
[Figure: a resolver asks "d.com?" and receives "c.com NSEC z.com". Names learned: a.com, c.com, z.com.]
              Integrity?  Tolerates bad nameserver?  No zone enumeration?
DNS           X           X                          ✔
Sign online   ✔           X                          ✔
NSEC          ✔           ✔                          X
NSEC3         ✔           ✔                          ??????
NSEC5

10 arguments for why zone enumeration can be an issue
An enumerated zone:
–can expose private device names; a toehold for other attacks.
–is a "source of probable addresses for spam" [RFC 5155], thus compromising a registrar's "attitude towards consumer protection" [Nominet (.uk)].
–can be a "key for WHOIS queries" to "reveal registrant data that many registries may have legal obligations to protect" [RFC 5155]; e.g., "Germany's Federal Data Protection Act" [DENIC]; e.g., "Data protection Laws" in the UK [Nominet (.uk)].
–is in conflict with "the registry's legal rights. The TLD register database is a key business asset", "its compilation is protected in law under Database Rights in the UK and copyright in other countries." [Nominet (.uk)]
NSEC3 (RFC 5155) was introduced to limit zone enumeration.

11 trusted authority for zone precomputes NSEC3 records
Hash the names: H(a.com) = a1bb5, H(c.com) = 23ced, H(z.com) = dde45.
Sort the hashes: 23ced, a1bb5, dde45.
Sign the NSEC3 records with the secret ZSK:
–23ced.com NSEC3 a1bb5.com
–a1bb5.com NSEC3 dde45.com
–dde45.com NSEC3 23ced.com

12 NSEC3 in action
[Figure: a resolver asks "q.com?"; H(q.com) = c987b, so the nameserver returns the covering record "a1bb5.com NSEC3 dde45.com" from the precomputed chain (23ced.com NSEC3 a1bb5.com, a1bb5.com NSEC3 dde45.com, dde45.com NSEC3 23ced.com). Zone file: a.com, c.com, z.com, DNSKEY.]
              Integrity?  Tolerates bad nameserver?
DNS           X           X
Sign online   ✔           X
NSEC          ✔           ✔
NSEC3         ✔           ✔
NSEC5

13 but does NSEC3 really prevent zone enumeration?
[Figure: a resolver asks "r.com?"; H(r.com) = 33c46, so the nameserver returns "23ced.com NSEC3 a1bb5.com". Hashes learned so far: a1bb5.com, dde45.com, 23ced.com.]
              Integrity?  Tolerates bad nameserver?  No zone enumeration?
DNS           X           X                          ✔
Sign online   ✔           X                          ✔
NSEC          ✔           ✔                          X
NSEC3         ✔           ✔                          ??????
NSEC5

14 zone enumeration is still possible with NSEC3!
Zone with n names: ~n online queries enumerate all the hashes; crack them using an offline dictionary attack!
Hashes learned: a1bb5.com, dde45.com, 23ced.com.
Offline dictionary attack:
1) Make a dictionary of plausible names: a.com, b.com, c.com, ..., z.com.
2) Hash each name: H(a.com) = a1bb5, H(b.com) = ..., H(c.com) = 23ced, ..., H(z.com) = dde45.
Names learned: a.com, z.com, c.com.
Oversimplified! There's one salt per zone, many hash iterations, ...
NSEC3 zone enumeration has been demonstrated: [Wander, Schwittmann, Boelmann, Weis 2014] reversed 64% of NSEC3 hashes in the .com TLD over 4.5 days using a GPU. In 2011, nsec3walker guessed 2^34 hashes per day on a laptop.

15 why is zone enumeration possible with NSEC3?
The fundamental issue: dictionary attacks are possible because resolvers can compute hashes offline.
[Figure: the nameserver computes H(q.com) = c987b for the query "q.com?" and finds the matching NSEC3 record "a1bb5.com NSEC3 dde45.com". The resolver can run an offline dictionary attack to crack the hashes a1bb5 and dde45.]

16 introducing NSEC5
Why NSEC5 prevents zone enumeration: no more dictionary attacks, because resolvers can't compute hashes!
[Figure: the nameserver, holding a secret Non-Signing Key (NSK), computes H(q.com) = 7a89b for the query "q.com?" and finds the matching NSEC5 record "3cd91.com NSEC5 8cb67.com". An offline dictionary attack to crack the hashes 3cd91 and 8cb67 fails: the resolver can't compute hashes without the secret NSK.]

17 trusted authority for zone precomputes NSEC5 records
"Hash" the names with the secret NSK: H(RSASIG(a.com)) = 9ae3e, H(RSASIG(c.com)) = 8cb67, H(RSASIG(z.com)) = 3cd91.
Sort the hashes: 3cd91, 8cb67, 9ae3e.
Sign the NSEC5 records with the secret ZSK:
–3cd91.com NSEC5 8cb67.com
–8cb67.com NSEC5 9ae3e.com
–9ae3e.com NSEC5 3cd91.com
* RSASIG is deterministic RSA (aka "Full Domain Hash").

18 NSEC5 in action
[Figure: a resolver asks "q.com?". The nameserver, holding the secret NSK, computes PROOF = RSASIG(q.com) = aa867a and H(aa867a) = 7a89b, and returns the covering record "3cd91.com NSEC5 8cb67.com" together with PROOF aa867a.]
How to verify? The resolver holds the public NSK.
–Do query and PROOF match? Check RSAVER(q.com, aa867a).
–Do NSEC5 and PROOF match? Check 3cd91 < H(aa867a) < 8cb67.

19 why does NSEC5 prevent zone enumeration?
[Figure: the resolver has received "3cd91.com NSEC5 8cb67.com" with PROOF aa867a for "q.com?". Offline dictionary attack to crack the hashes 3cd91, 8cb67? It fails: H(RSASIG(c.com)) = 8cb67 can't be computed without the secret NSK.]

20 why does NSEC5 prevent zone enumeration?
Offline dictionary attack to crack the hashes 3cd91, 8cb67 using RSAVER? No: RSAVER(q.com, aa867a) just verifies PROOFs, it does not compute hashes! Computing H(RSASIG(c.com)) = 8cb67 still requires the secret NSK.

21 why does NSEC5 maintain integrity?
Integrity: No denial-of-existence for a name that exists.
[Figure: a resolver asks "a.com?". A bad nameserver replays "3cd91.com NSEC5 8cb67.com" with a bogus PROOF 666666, because without the secret NSK it can't compute the real PROOF (i.e., RSASIG(a.com)). The resolver, holding the public NSK, rejects because RSAVER(a.com, 666666) = FALSE.]

22 summary
              Integrity?  Tolerates bad nameserver?  No zone enumeration?
DNS           X           X                          ✔
Sign online   ✔           X                          ✔
NSEC          ✔           ✔                          X
NSEC3         ✔           ✔                          X
NSEC5         ✔           ✔                          ✔
But what about managing the extra secret key (the secret NSK)? ?????

23 NSEC5 maintains integrity even if the secret NSK is leaked!
Integrity: No denial-of-existence for a name that exists.
[Figure: a resolver asks "a.com?". A nameserver that has the leaked secret NSK can compute the PROOF RSASIG(a.com) = 556e3e, with H(556e3e) = 9ae3e. But 9ae3e is an owner name in the chain (3cd91.com NSEC5 8cb67.com, 8cb67.com NSEC5 9ae3e.com, 9ae3e.com NSEC5 3cd91.com), so there is no valid NSEC5 record to replay!]
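A toy end-to-end model of the NSEC5 flow on slides 17 through 23: the authority's precomputation, the nameserver's one online PROOF per negative answer, the resolver's two checks, and why even a leaked NSK cannot produce a valid denial for a name that exists. This is an added example, not the authors' code or implementation; the RSA parameters and the SHA-256-based full-domain hash are constructed for illustration.

```python
import hashlib

# Toy RSA parameters, constructed for this example (two Mersenne primes, ~150-bit N).
# The slides assume ~2048-bit RSA; only the sizes differ, not the structure.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                               # public NSK
D = pow(E, -1, (P - 1) * (Q - 1))       # secret NSK (Python 3.8+ modular inverse)
N_BYTES = (N.bit_length() + 7) // 8

def fdh(name: str) -> int:
    """Full-domain hash of a name into Z_N (toy: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(name.lower().encode()).digest(), "big") % N

def rsasig(name: str) -> int:
    """Deterministic RSA-FDH signature of the name: this is the PROOF (needs the secret NSK)."""
    return pow(fdh(name), D, N)

def rsaver(name: str, proof: int) -> bool:
    """Check that PROOF is the signature of name (needs only the public NSK)."""
    return pow(proof, E, N) == fdh(name)

def nsec5_hash(proof: int) -> str:
    """H(RSASIG(name)): the hashed owner name, computable only from a valid PROOF."""
    return hashlib.sha256(proof.to_bytes(N_BYTES, "big")).hexdigest()[:10]

def build_nsec5_chain(names):
    """Authority side: hash every name with the secret NSK, sort, link into a ring."""
    owners = sorted(nsec5_hash(rsasig(n)) for n in names)
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]

def covers(record, h):
    """True if hashed name h lies strictly inside the record's interval (ring wraps)."""
    lo, hi = record
    return lo < h < hi if lo < hi else (h > lo or h < hi)

def deny(chain, qname):
    """Nameserver side: one online signature per negative answer, plus the covering record."""
    proof = rsasig(qname)
    h = nsec5_hash(proof)
    for record in chain:
        if covers(record, h):
            return record, proof
    return None     # h is itself an owner name: qname exists, so no denial is possible

def verify_denial(qname, record, proof):
    """Resolver side: PROOF must match the query, and the record must cover the PROOF's hash."""
    return rsaver(qname, proof) and covers(record, nsec5_hash(proof))
```

The last assertion in the accompanying check mirrors slide 23: a holder of the leaked NSK can sign a.com, but its hash is an owner name, so no record covers it and every replay fails verification.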

24 summary: just like NSEC3! See our paper for the crypto proofs.
                         Integrity?  Tolerates bad nameserver?  No zone enumeration?
DNS                      X           X                          ✔
Sign online              ✔           X                          ✔
NSEC                     ✔           ✔                          X
NSEC3                    ✔           ✔                          X
NSEC5                    ✔           ✔                          ✔
NSEC5, lost secret NSK   ✔           ✔                          X

25 extra computational overhead in NSEC5 (vs NSEC3)
The nameserver does 1 online RSA signature per query (to get the PROOF).
But online signing is necessary to prevent zone enumeration!
Theorem [Informal]: ANY denial of existence scheme that
1. prevents zone enumeration, and
2. provides integrity (even against malicious slave nameservers)
requires nameservers to compute a public-key signature for every negative response.
This explains why hash-based schemes are vulnerable to zone enumeration.
[Figure: the response "3cd91.com NSEC5 8cb67.com" with PROOF 6aeb3a.]

26 NSEC5 vs NSEC3: key management & response size
Key management: the NSEC5 public non-signing key (NSK) is distributed in a DNSKEY RR. The secret NSK is at each nameserver, but this is not a "high security" key.
Response size: NSEC5 and NSEC3 records are the same size.
–~2048 bits (signature) + 2 x 256 bits (hashes)
Plus a PROOF sent with each NSEC5 (~2048 bits).
But, using the wildcard optimization, an NSEC5 response is only ~2048 bits longer than today's unoptimized NSEC3 standard.
[Figure: "3cd91.com NSEC5 8cb67.com" with PROOF 6aeb3a, alongside "a1bb5.com NSEC3 dde45.com".]

27 More details in our paper
                    Integrity?  Tolerates bad nameserver?  No zone enumeration?
DNS                 X           X                          ✔
Sign online         ✔           X                          ✔
NSEC                ✔           ✔                          X
NSEC3               ✔           ✔                          X
NSEC5               ✔           ✔                          ✔
NSEC5, leaked NSK   ✔           ✔                          X
[Figure: "3cd91.com NSEC5 8cb67.com" with PROOF 6aeb3a, verified with the public NSK.]
