Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andreas Steffen, 22.10.2013, 5-DNSSEC.pptx 1 Information Security 1 (InfSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Similar presentations


Presentation on theme: "Andreas Steffen, 22.10.2013, 5-DNSSEC.pptx 1 Information Security 1 (InfSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications."— Presentation transcript:

1 Andreas Steffen, , 5-DNSSEC.pptx 1 Information Security 1 (InfSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 5 DNS Security Extensions DNSSEC

2 Andreas Steffen, , 5-DNSSEC.pptx 2 Information Security 1 (InfSi1) 5.1 Kaminsky Attack on the Domain Name Service

3 Andreas Steffen, , 5-DNSSEC.pptx 3 DNS Resolution via Recursive Nameserver

4 Andreas Steffen, , 5-DNSSEC.pptx 4 DNS Request

5 Andreas Steffen, , 5-DNSSEC.pptx 5 DNS Response

6 Andreas Steffen, , 5-DNSSEC.pptx 6 Simple DNS Cache Poisoning

7 Andreas Steffen, , 5-DNSSEC.pptx 7 Guessing Query ID and UDP Source Port

8 Andreas Steffen, , 5-DNSSEC.pptx 8 The Dan Kaminsky DNS Vulnerability – July 2008

9 Andreas Steffen, , 5-DNSSEC.pptx 9 Information Security 1 (InfSi1) 5.2 DNS Root Servers

10 Andreas Steffen, , 5-DNSSEC.pptx 10 DNS Root Servers A VeriSign Inc. B C D E F G H I J K L M Information Sciences Institute, USC OperatorIPv IPv6 2001:503:BA3E::2:30 # 2001:478:65:: :500:2D::D :500:2F::F :500:1::803F: :7FE:: :503:C27::2: :7FD::1 2001:500:3:: :DC3::35 Cogent Communications University of Maryland2 NASA Ames Research Center12 Internet Systems Consortium Inc.56 US DoD Network Information Center6 US Army Research Lab2 Netnod43 VeriSign Inc.69 RIPE NCC17 ICANN146 WIDE Project6 376 Total number of servers:

11 Andreas Steffen, , 5-DNSSEC.pptx 11 Global Map of Root Servers

12 Andreas Steffen, , 5-DNSSEC.pptx 12 Information Security 1 (InfSi1) 5.3 DNS Security Resource Records

13 Andreas Steffen, , 5-DNSSEC.pptx 13 root DNSKEY (KSK) * * explicit import e.g. via trusted web site ch. DNSKEY (KSK) ZSK ch. DS DNSSEC Chain of Trust root KSK/ZSK ch. DNSKEY (ZSK) ZSK switch.ch. DS switch.ch. DNSKEY (KSK) KSK/ZSK switch.ch. DNSKEY (ZSK) ch. switch.ch. A x.x.x.x ZSK switch.ch. NS ns1/ns2 ZSKKSK/ZSK root DNSKEY (ZSK)

14 Andreas Steffen, , 5-DNSSEC.pptx 14 DNSSEC Resource Records I - DNSKEY DNSKEY - DNS Public Key Contains a public key used to sign the RRsets of a zone switch.ch IN DNSKEY AwEAAeCDWwjJO4mXBzayiKf4p7waJ7Ew eUnsTsAWkxpfELci4iaVdBugzYPfsZIg 9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJ jXAGMRwRJIBprFx4BXZSsjsvGb6MGC+e xHSlXw== ;{id = (zsk), size = 768b} Flags field 256 -> Zone Signing Key (ZSK) 257 -> Key Signing Key (KSK) with secure entry point (SEP) flag set Algorithm field 5 -> SHA-1 with RSA 7 -> SHA-1 with RSA & NSEC3 with SHA-1 8 -> SHA-256 with RSA 10 -> SHA-512 with RSA

15 Andreas Steffen, , 5-DNSSEC.pptx 15 DNSSEC Resource Records II - RRSIG RRSIG - Resource Record Signature Contains a public key signature over a resource record set (RRset) merapi.switch.ch IN A merapi.switch.ch IN RRSIG A switch.ch. 3KW9YjxdL08FqVYKFSn9 Q4+8U1iYrVCun+J1Ny8Y IiMC+6oQS/GZwRn2mr+H MruwEjNB9s7bWGzRmRiR TATPvS67gxjCiJkSP58P kGJ1dW3wBaz6r1feGNvz KhHLhvRe ;{id = 64608} Signature Expiration and Inception Fields The signature is not valid before Inception and after Expiration date. Key Tag Field Contains the key tag of the key which signed the RRset.

16 Andreas Steffen, , 5-DNSSEC.pptx 16 DNSSEC Resource Records III - DS DS - Delegation Signer Signed hash computed over KSK of child zone switch.ch IN DS dcfca519cf8b cc switch.ch IN DS cef df83311a92b48ae7f19 1ae e38b1ab7b3d0966b9ee55 switch.ch IN RRSIG DS ch. LPh8RgXQSqPcdQz6s1PJOjTuopO9RxQg s1YYCY/CnhYaHxb6ndNBJ7QP20eKN+91 /ULjN4Ep/k9Pgtos979i5OfEXpfLcWcv rKP1xGvqW4PjP+MT1PDs6uKisEUqGBoQ p7+nkkzjY+YsDbxtTV+/8uHcSnNmXoMm SqPms3G0aw4= ;{id = 31034}

17 Andreas Steffen, , 5-DNSSEC.pptx 17 DNSSEC Resource Records IV - NSEC NSEC – Next Owner Name Authenticated denial of existence of an owner name merapi.switch.ch. 180 IN NSEC mercury.switch.ch. A PTR AAAA LOC RRSIG NSEC merapi.switch.ch. 180 IN RRSIG NSEC switch.ch. kW1SnXWoJKwOHEG1P3INI83EOGuQ GujwvBT/MSWVQ+ms/2DXxjQcpt1Z P07+XI51cc0t7erUUG31KZdmUpXZ tQzPUJh49jjLh9aTjRiH1xGhlxv5 af+N95JDykRGSOAq ;{id = 64608} Proof that there is no name between merapi.switch.ch. and mercury.switch.ch. Allows enumeration of complete zone data!!!

18 Andreas Steffen, , 5-DNSSEC.pptx 18 DNSSEC Resource Records V - NSEC3 NSEC3 – Next Owner Name in Hashed Order Hashed Authenticated Denial of Existence h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN NSEC d399eaab h9rsfb7fpf2l8hg35cmpc765tdk23rp6 NS SOA RRSIG DNSKEY NSEC3PARAM ; flags: optout h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN RRSIG NSEC org. a+CC37hRM7yCFBaZn2SeRgY9h247GXptCuBYf45TwaoR xvBwTAXPT+UwZ/4hxwc2v7AR7ZZ8UOMiNJvYsl59eFW8 Xtgws4/Aih0fJ2/O8yUHwI695fRf9PrpxXEpqzStjSZP 5arJ1oldDAHcnxgLqdAMW6wnK1FNrslfJblJlmU= ;{id = 5273} Proof that there is no name between org. and ???.org. Does not allow straight enumeration of zone data! Dictionary attacks are possible but expensive.

19 Andreas Steffen, , 5-DNSSEC.pptx 19 Information Security 1 (InfSi1) 5.4 DANE

20 Andreas Steffen, , 5-DNSSEC.pptx 20 DNS-based Authentication of Named Entities DANE (RFC 6698, August 2012) DANE defines a TLSA Resource Record Certificate Usage 0 – CA Certificate Constraint 1 – Server Certificate Constraint 2 – Trust Anchor Assertion for Private CA 3 – Domain Issued Certificate Selector 0 – Full Certificate 1 – Public Key Info (Public Key plus Key Type Information) Matching Type 0 – Exact Match on Selected Content 1 – SHA-256 Hash of Selected Content 2 – SHA-512 Hash of Selected Content Cert. UsageSelectorMatching Type Certificate Association Data

21 Andreas Steffen, , 5-DNSSEC.pptx 21 DANE – Verifying Server and CA Certificates Kool CA TLS Server TLS Client Kool CA DNS Server hsr.ch TLSA ZSK SHA-256 Hash check server certificate TLSA ZSK SHA-512 Hash check CA certificate or private key

22 Andreas Steffen, , 5-DNSSEC.pptx 22 DANE – Getting CA Certificate or Public Key TLS Server TLS Client HSR CA DNS Server hsr.ch TLSA ZSK get CA certificate HSR CA or TLSA ZSK get CA public key private key

23 Andreas Steffen, , 5-DNSSEC.pptx 23 DANE – Verifying Self-Signed Server Certificates TLS Server TLS Client Self DNS Server hsr.ch TLSA ZSK SHA-256 Hash check server certificate private key

24 Andreas Steffen, , 5-DNSSEC.pptx 24 DANE – Verifying Raw RSA Keys TLS Server TLS Client DNS Server hsr.ch TLSA ZSK SHA-256 Hash check server public key private key

25 Andreas Steffen, , 5-DNSSEC.pptx 25 DANE – Getting Server Certificate or Public Key TLS Server TLS Client DNS Server hsr.ch TLSA ZSK get server certificate Self or TLSA ZSK get server public key private key

26 Andreas Steffen, , 5-DNSSEC.pptx 26 Information Security 1 (InfSi1) 5.5 DNS Root Signing Process

27 Andreas Steffen, , 5-DNSSEC.pptx 27 DNSSEC Root Zone Signing Process ICANN Vetting and Processing TLD Operator DS Records DoC NTIA Authorization of Changes DS Records VeriSign Editing and Signing of Root Zone DS Records Root Servers (A,..., M) DS Records Root ZSK ZSK

28 Andreas Steffen, , 5-DNSSEC.pptx 28 DNSSEC Root Zone Signing Key Signing Process VeriSign ZSK Management ZSK Private Key ZSK ICANN KSK Management KSR Key Signing Request KSK Private Key KSK Published on Web Site ZSK KSK SKR Signed Key Response

29 Andreas Steffen, , 5-DNSSEC.pptx 29 ICANN Key Ceremonies Tier 1 – Facility – Access Control by Data Center Tier 2 – Facility – Access Control by Data Center Tier 3 – Facility – Access Control by Data Center Tier 4 – Cage – Access Control by Data Center Tier 5 – Safe Room – Access Control by ICANN Tier 6 – Safe #1 Tier 6 – Safe #2 Tier 7 – Safe Deposit Box Crypto Officers Credentials Tier 7 – HSM KSK Private Keys Key Ceremony Computer

30 Andreas Steffen, , 5-DNSSEC.pptx 30 ICANN Key Ceremonies

31 Andreas Steffen, , 5-DNSSEC.pptx 31 Periodic Key Rollover T-10T+0T+10T+20T+30T+40T+50T+60T+70T+80T+90 ZSK post-publish ZSK pre-publish ZSK post-publish ZSK pre-publish ZSK KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK revoke+sign KSK revoke+sign KSK publish KSK publish KSK publish KSK publish KSK publish KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign ZSK Rollover (every 90 days) Optional KSK Rollover (every 2-5 years or on demand) RRSIG Validity Period (10 days + 50% overlap)

32 Andreas Steffen, , 5-DNSSEC.pptx 32 DNSSEC Deployment (October 22, 2013) TLDs signed by root zone: 13 gTLDs: arpa asia biz cat com edu gov info mil museum net org post 81 ccTLDS: ac af ag am at be bg br bz ca cc ch cl co cr cx cz de dk eu fi fo fr gi gl gn gr gs hn in io is jp kg ki kr la lb lc li lk lt lu lv me mm mn my na nc nf nl nu nz pl pm pr pt pw re ru sb sc se sh si su sx tf th tm tt tv tw tz ua ug uk us wf yt 8 IDN ccTLDS: xn--kprw13d xn--kpry57d ( Taiwan) xn--mgbx4cd0ab (مليسيا Malaysia) xn--3e0b707e ( South Korea) xn--o3cw4h ( Thailand) xn-l1acc (мон Mongolia) xn-h2brj9c ( India) xn--p1ai (рф Russia) Signing of major gTLDs: net: December 2010 com: March 2011


Download ppt "Andreas Steffen, 22.10.2013, 5-DNSSEC.pptx 1 Information Security 1 (InfSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications."

Similar presentations


Ads by Google