NSEC5: Provably Preventing DNSSEC Zone Enumeration


1 NSEC5: Provably Preventing DNSSEC Zone Enumeration
DNS OARC Fall Workshop, Los Angeles, October 12, 2014.
Sharon Goldberg, Dimitrios Papadopoulos, Leonid Reyzin, Sachin Vasant, Moni Naor, Asaf Ziv.
Speaker note: we have been looking at existing things; let's look at new things.

2 outline How does DNSSEC deal with denial of existence?
How does DNSSEC deal with denial of existence?
- RFC 4470: online signing
- RFC 4034: NSEC
- RFC 5155: NSEC3
Zone enumeration in NSEC and NSEC3: an attacker makes a few online queries and then enumerates all names in the zone via an offline dictionary attack. Demonstrated by [nsec3walker; 2011] and [Wander-Schwittmann-Boelmann-Weis; 2014].
We introduce NSEC5:
- NSEC5 is just like NSEC3, replacing the hash with an RSA-based "keyed hash".
- NSEC5 provably prevents zone enumeration.
- NSEC5 maintains zone integrity, even if the hash key is leaked.
We hope to turn NSEC5 into an Internet Draft and want feedback!

3 how to deal with authenticated denial of existence?
Zone file: a.com, c.com, z.com (plus the zone's DNSKEY).
Resolver asks: q.com? Nameserver answers: NXDOMAIN. The question is how the resolver can authenticate that NXDOMAIN.

4 generic pre-signed NXDOMAIN violates integrity.
Integrity: no denial of existence for a name that exists.
Zone: a.com, c.com, z.com. Resolver asks a.com? and receives a replayed, generic pre-signed NXDOMAIN. Integrity is violated by replaying the NXDOMAIN!
[Scorecard: Integrity? DNS: X; generic signed NXDOMAIN: X. Online signing, NSEC, NSEC3 and NSEC5 follow.]

5 online signing for denial of existence (RFC 4470)
Zone: a.com, c.com, z.com. Resolver asks q.com? The nameserver signs an NXDOMAIN for q.com online with the secret ZSK.
Trusting every secondary (2ary) nameserver with the secret ZSK can be problematic.
[Scorecard: Integrity? Tolerates bad nameserver? for DNS, online signing, NSEC, NSEC3, NSEC5.]

6 NSEC (RFC 4034): precomputed denial of existence
Zone: a.com, c.com, z.com. Precomputed, signed NSEC records link each name to the next in sorted order: a.com -> c.com, c.com -> z.com, z.com -> a.com.
Resolver asks q.com? Nameserver returns the record "c.com z.com NSEC".
Speaker note: it is an attestation that there is nothing between a.com and z.com.

7 why NSEC maintains integrity
Integrity: no denial of existence for a name that exists.
Zone: a.com, c.com, z.com, with NSEC records a.com -> c.com, c.com -> z.com, z.com -> a.com.
Resolver asks a.com? There is no valid NSEC record to replay: a.com is an owner name, so no record's interval covers it.
[Scorecard: Integrity? Tolerates bad nameserver? for DNS, online signing, NSEC, NSEC3, NSEC5.]

8 NSEC introduces a new issue: zone enumeration (1)
Zone with n names: ~n online queries enumerate all names.
Zone: a.com, c.com, z.com. Resolver asks b.com? and receives "a.com c.com NSEC". Names learned so far: a.com, c.com.
[Scorecard: Integrity? Tolerates bad nameserver? for DNS, online signing, NSEC, NSEC3, NSEC5.]

9 NSEC introduces a new issue: zone enumeration (2)
Zone with n names: ~n online queries enumerate all names.
Resolver asks d.com? and receives "c.com z.com NSEC". Names learned: a.com, c.com, z.com.
(Thus, it's hard for the nameserver to detect and rate limit!) Speaker note: make this point.
[Scorecard: Integrity? Tolerates bad nameserver? No zone enumeration? for DNS, online signing, NSEC, NSEC3 (??????), NSEC5.]

10 arguments for why zone enumeration can be issue
Why is this an issue? It's enough of an issue to have led to the design and adoption of NSEC3; let's run through some of the reasons people have given.
An enumerated zone:
- can expose private device names; a toehold for other attacks
- is a "source of probable addresses for spam" [RFC 5155], thus compromising a registrar's "attitude towards consumer protection" [Nominet (.uk)]
- can be a "key for WHOIS queries" to "reveal registrant data that many registries may have legal obligations to protect" [RFC 5155], e.g., "Germany's Federal Data Protection Act" [DENIC], e.g., "Data protection Laws" in the UK [Nominet (.uk)]
- is in conflict with "the registry's legal rights. The TLD register database is a key business asset", "its compilation is protected in law under Database Rights in the UK and copyright in other countries." [Nominet (.uk)]
NSEC3 (RFC 5155) was introduced to limit zone enumeration.

11 trusted authority for zone precomputes NSEC3 records
Zone: a.com, c.com, z.com. Hash the names: H(a.com) = a1bb5, H(c.com) = 23ced, H(z.com) = dde45. Sort the hashes: 23ced, a1bb5, dde45.
NSEC3 records link consecutive hashes: 23ced.com -> a1bb5.com, a1bb5.com -> dde45.com, dde45.com -> 23ced.com. Sign the NSEC3 records with the secret ZSK.

12 NSEC3 in action
Zone: a.com, c.com, z.com. Resolver asks q.com? Nameserver computes H(q.com) = c987b, which falls between a1bb5 and dde45, and returns "a1bb5.com dde45.com NSEC3".
[Scorecard: Integrity? Tolerates bad nameserver? for DNS, online signing, NSEC, NSEC3, NSEC5.]

13 but does NSEC3 really prevent zone enumeration?
Resolver asks r.com? Nameserver computes H(r.com) = 33c46, which falls between 23ced and a1bb5, and returns "23ced.com a1bb5.com NSEC3".
Hashes learned so far: a1bb5, dde45, 23ced.
[Scorecard: Integrity? Tolerates bad nameserver? No zone enumeration? for DNS, online signing, NSEC, NSEC3 (??????), NSEC5.]

14 zone enumeration is still possible with NSEC3!
Zone with n names: ~n online queries enumerate all hashes. Crack them using an offline dictionary attack!
Hashes learned: a1bb5, dde45, 23ced.
Offline dictionary attack: 1) make a dictionary of plausible names (a.com, b.com, c.com, ..., z.com); 2) hash each name (H(a.com) = a1bb5, H(b.com) = 33333, H(c.com) = 23ced, ..., H(z.com) = dde45) and match against the learned hashes.
Names learned: a.com, z.com, c.com.
Oversimplified! There's one salt per zone, many hash iterations, ...
NSEC3 zone enumeration has been demonstrated: [Wander, Schwittmann, Boelmann, Weis 2014] reversed 64% of NSEC3 hashes in the .com TLD over 4.5 days using a GPU. In 2011, nsec3walker guessed 2^34 hashes per day on a laptop.

15 why is zone enumeration possible with NSEC3?
The fundamental issue: dictionary attacks are possible because resolvers can compute the hashes offline.
Resolver asks q.com? Nameserver computes H(q.com) = c987b and returns "a1bb5.com dde45.com NSEC3". The resolver can then run an offline dictionary attack to crack the hashes a1bb5 and dde45: hash candidate names and find a matching NSEC3 record.

16 introducing NSEC5
Why NSEC5 prevents zone enumeration: no more dictionary attacks, because resolvers can't compute the hashes!
The nameserver holds a secret non-signing key (NSK). Resolver asks q.com? Nameserver computes H(q.com) = 7a89b with the secret NSK and returns "3cd91.com 8cb67.com NSEC5".
Offline dictionary attack to crack the hashes 3cd91 and 8cb67? X. The resolver can't compute hashes without the secret NSK, so it can't find a matching NSEC5 record for a guessed name.

17 trusted authority for zone precomputes NSEC5 records
Zone: a.com, c.com, z.com. "Hash" the names with the secret NSK: H(RSASIG(a.com)) = 9ae3e, H(RSASIG(c.com)) = 8cb67, H(RSASIG(z.com)) = 3cd91. Sort: 3cd91, 8cb67, 9ae3e.
NSEC5 records link consecutive hashes: 3cd91.com -> 8cb67.com, 8cb67.com -> 9ae3e.com, 9ae3e.com -> 3cd91.com. Sign the NSEC5s with the secret ZSK.
* RSASIG is deterministic RSA (aka "Full Domain Hash").

18 NSEC5 in action
Zone: a.com, c.com, z.com. The nameserver holds the secret NSK; the resolver holds the public NSK.
Resolver asks q.com? Nameserver computes RSASIG(q.com) = aa867a with the secret NSK and H(aa867a) = 7a89b, and returns "3cd91.com 8cb67.com NSEC5" together with PROOF aa867a.
How does the resolver verify?
- Do NSEC5 and PROOF match? Check 3cd91 < H(aa867a) < 8cb67.
- Do query and PROOF match? Check RSAVER(q.com, aa867a) with the public NSK.

19 why does NSEC5 prevent zone enumeration?
Resolver asks q.com? and receives "3cd91.com 8cb67.com NSEC5" with PROOF aa867a.
Offline dictionary attack to crack the hashes 3cd91 and 8cb67? X. Computing H(RSASIG(c.com)) = 8cb67 requires RSASIG(c.com), and the resolver can't compute hashes without the secret NSK!

20 why does NSEC5 prevent zone enumeration?
Resolver asks q.com? and receives "3cd91.com 8cb67.com NSEC5" with PROOF aa867a.
Offline dictionary attack to crack the hashes 3cd91 and 8cb67 using RSAVER? X. RSAVER just verifies PROOFs, not hashes: RSAVER(q.com, aa867a) confirms the PROOF for q.com but does not let the resolver compute H(RSASIG(c.com)) = 8cb67.

21 why does NSEC5 maintain integrity?
Integrity: no denial of existence for a name that exists.
Resolver asks a.com? A bad nameserver replays "3cd91.com 8cb67.com NSEC5" with a forged PROOF 666666, because it can't compute the real PROOF (i.e., RSASIG(a.com)) without the secret NSK.
The resolver rejects because RSAVER(a.com, 666666) = FALSE.

22 summary
[Scorecard (X / ✔ / ?????): Integrity? Tolerates bad nameserver? No zone enumeration? for DNS, online signing, NSEC, NSEC3, NSEC5.]
But what about managing the extra secret key, the secret NSK?

23 NSEC5 maintains integrity even if secret NSK is leaked!
Integrity: no denial of existence for a name that exists.
Resolver asks a.com? Suppose the secret NSK has leaked, so a bad nameserver can compute the PROOF RSASIG(a.com) = 556e3e, with H(556e3e) = 9ae3e.
But 9ae3e is itself the owner name of an NSEC5 record (9ae3e.com -> 3cd91.com), so no NSEC5 interval covers it: there is no valid NSEC5 to replay!
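The NSEC5 flow of slides 17, 18, 21 and 23 modelled end to end, as an added example (not the authors' code or the NSEC5 draft): the zone owner builds the chain with a secret NSK, the nameserver answers with an NSEC5 record plus PROOF, and the resolver runs both checks. The tiny RSA key, the SHA-256-mod-n full-domain hash and the 10-hex-digit owner labels are constructed assumptions for illustration only, not a secure parameter set.

```python
"""Toy NSEC5: RSA-FDH "keyed hash" (RSASIG), NSEC5 chain, online PROOF, resolver checks.
Added illustration, not the authors' code; the key below is an insecure toy key."""
import hashlib

# Constructed toy RSA non-signing key (NSK): tiny textbook primes, never use for real.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_NSK, SECRET_NSK = (N, E), (N, D)

def fdh(name, n):
    """Full-domain hash of the name into Z_n (assumption: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(name.lower().encode()).digest(), "big") % n

def rsasig(name, secret_nsk):
    """Deterministic RSA-FDH signature; this value is the PROOF sent to resolvers."""
    n, d = secret_nsk
    return pow(fdh(name, n), d, n)

def rsaver(name, proof, public_nsk):
    """Does the PROOF match the queried name under the public NSK?"""
    n, e = public_nsk
    return pow(proof, e, n) == fdh(name, n)

def nsec5_hash(proof):
    """H(RSASIG(name)): the NSEC5 owner-name label (assumed 10 hex digits)."""
    return hashlib.sha256(str(proof).encode()).hexdigest()[:10]

def build_chain(names, secret_nsk):
    """Trusted authority: hash every name with the secret NSK, sort, link circularly."""
    hashes = sorted(nsec5_hash(rsasig(nm, secret_nsk)) for nm in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def covers(record, h):
    """Strictly between owner and next; the last record wraps around to the first."""
    owner, nxt = record
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def deny(qname, chain, secret_nsk):
    """Nameserver: one online RSA signature per negative answer, then pick the record."""
    proof = rsasig(qname, secret_nsk)
    h = nsec5_hash(proof)
    return next((r for r in chain if covers(r, h)), None), proof

def verify_denial(qname, record, proof, public_nsk):
    """Resolver: query and PROOF must match (RSAVER), and the NSEC5 must cover H(PROOF)."""
    if record is None or not rsaver(qname, proof, public_nsk):
        return False
    return covers(record, nsec5_hash(proof))
```

With the zone a.com, c.com, z.com, a denial for q.com verifies, replaying that record and PROOF against a.com fails RSAVER, and even a holder of the secret NSK finds no record covering H(RSASIG(a.com)), since that hash is an owner name.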

24 summary
[Scorecard: Integrity? Tolerates bad nameserver? No zone enumeration? for DNS, online signing, NSEC, NSEC3, NSEC5, and NSEC5 with a lost secret NSK.]
NSEC5 with a lost secret NSK: just like NSEC3! See our paper for the crypto proofs.

25 Extra computational overhead in NSEC5 (vs NSEC3)
Nameserver does 1 online RSA signature per query (to get the PROOF).
But online signing is necessary to prevent zone enumeration!
Theorem [informal]: ANY denial of existence scheme that prevents zone enumeration and provides integrity (even against malicious slave nameservers) requires nameservers to compute a public-key signature for every negative response. This explains why hash-based schemes are vulnerable to zone enumeration.

26 NSEC5 vs NSEC3: Key management & response size
Key management: the NSEC5 public non-signing key (NSK) is distributed in a DNSKEY RR. The secret NSK is held at each nameserver, but this is not a "high security" key.
Response size: NSEC5 and NSEC3 records are the same size, ~2048 bits (signature) + 2 x 256 bits (hashes). Plus a PROOF sent with each NSEC5 (~2048 bits). But, using the wildcard optimization, an NSEC5 response is only ~2048 bits longer than today's unoptimized NSEC3 standard.
on .gov domain, 60% of

27 More details in our paper
[Scorecard: Integrity? Tolerates bad nameserver? No zone enumeration? for DNS, online signing, NSEC, NSEC3, NSEC5, and NSEC5 with a leaked NSK.]

