NSEC5: Provably Preventing DNSSEC Zone Enumeration

Presentation transcript:

NSEC5: Provably Preventing DNSSEC Zone Enumeration
DNS OARC Fall 2014 Workshop, Los Angeles, October 12, 2014
Sharon Goldberg, Dimitrios Papadopoulos, Leonid Reyzin, Sachin Vasant, Moni Naor, Asaf Ziv
Speaker note: we have been looking at existing things; let's look at new things.

outline
How does DNSSEC deal with denial of existence?
  - RFC 4470: Online Signing
  - RFC 4034: NSEC
  - RFC 5155: NSEC3
Zone enumeration in NSEC and NSEC3
  - attacker makes a few online queries & enumerates all names in the zone via offline dictionary attacks
  - Demonstrated by [nsec3walker; 2011], [Wander-Schwittmann-Boelmann-Weis; 2014]
We introduce NSEC5
  - NSEC5 is just like NSEC3, replacing the hash with an RSA-based "keyed hash"
  - NSEC5 provably prevents zone enumeration.
  - NSEC5 maintains zone integrity, even if the hash key is leaked.
We hope to turn NSEC5 into an Internet Draft & want feedback!

how to deal with authenticated denial of existence?
Zone File: a.com c.com z.com DNSKEY:
q.com? NXDOMAIN

generic pre-signed NXDOMAIN violates integrity.
Integrity: No denial-of-existence for name that exists.
a.com c.com z.com DNSKEY:
a.com? NXDOMAIN
Violate integrity by replaying NXDOMAIN!
Table: Integrity? DNS X Generic Signed NXDOMAIN Online Signing ✔ NSEC NSEC3 NSEC5

online signing for denial of existence (RFC 4470)
Zone File: a.com c.com z.com DNSKEY:
Secret ZSK:
q.com? q.com NXDOMAIN
Table: Integrity? Tolerates bad nameserver? DNS X Sign Online ✔ NSEC NSEC3 NSEC5
Trusting every secondary nameserver with the secret ZSK can be problematic.

NSEC (RFC 4034): precomputed denial of existence
Zone File: a.com c.com z.com DNSKEY:
q.com? c.com z.com NSEC
It is an attestation that there is nothing between a.com and z.com.
NSEC records:
  a.com c.com NSEC
  c.com z.com NSEC
  z.com a.com NSEC

why NSEC maintains integrity
Integrity: No denial-of-existence for name that exists.
a.com c.com z.com DNSKEY:
a.com? No valid NSEC record to replay!
NSEC records:
  a.com c.com NSEC
  c.com z.com NSEC
  z.com a.com NSEC
Table: Integrity? Tolerates bad nameserver? DNS X Sign Online ✔ NSEC NSEC3 NSEC5

NSEC introduces a new issue: zone enumeration (1)
Zone with n names: ~n online queries enumerate all names.
a.com c.com z.com DNSKEY:
b.com? a.com c.com NSEC
Names: a.com c.com
NSEC records:
  a.com c.com NSEC
  c.com z.com NSEC
  z.com a.com NSEC
Table: Integrity? Tolerates bad nameserver? DNS X Sign Online ✔ NSEC NSEC3 NSEC5

NSEC introduces a new issue: zone enumeration (2)
Zone with n names: ~n online queries enumerate all names.
(Thus, it's hard for the nameserver to detect & rate limit!) [speaker note: make this point]
a.com c.com z.com DNSKEY:
d.com? c.com z.com NSEC
Names: a.com c.com z.com
NSEC records:
  a.com c.com NSEC
  c.com z.com NSEC
  z.com a.com NSEC
Table: Integrity? Tolerates bad nameserver? No zone enumeration? DNS X ✔ Sign Online NSEC NSEC3 ?????? NSEC5

arguments for why zone enumeration can be an issue
An enumerated zone:
  - can expose private device names; toehold for other attacks
  - is a "source of probable e-mail addresses for spam" [RFC 5155], thus compromising a registrar's "attitude towards consumer protection" [Nominet (.uk)]
  - can be a "key for WHOIS queries" to "reveal registrant data that many registries may have legal obligations to protect" [RFC 5155]
      e.g., "Germany's Federal Data Protection Act" [DENIC]
      e.g., "Data protection Laws" in the UK [Nominet (.uk)]
  - is in conflict with "the registry's legal rights. The TLD register database is a key business asset", "its compilation is protected in law under Database Rights in the UK and copyright in other countries." [Nominet (.uk)]
Speaker note: Why is this an issue? It's enough of an issue to have led to the design & adoption of NSEC3; let's run through some of the reasons that people have given.
NSEC3 (RFC 5155) introduced to limit zone enumeration

trusted authority for zone precomputes NSEC3 records
a.com c.com z.com
Hash names: H(a.com) = a1bb5, H(c.com) = 23ced, H(z.com) = dde45
sort: 23ced a1bb5 dde45
Sign NSEC3 records with secret ZSK:
  23ced.com a1bb5.com NSEC3
  a1bb5.com dde45.com NSEC3
  dde45.com 23ced.com NSEC3

NSEC3 in action
a.com c.com z.com DNSKEY:
q.com? H(q.com) = c987b
a1bb5.com dde45.com NSEC3
NSEC3 records:
  23ced.com a1bb5.com NSEC3
  a1bb5.com dde45.com NSEC3
  dde45.com 23ced.com NSEC3
Table: Integrity? Tolerates bad nameserver? DNS X Sign Online ✔ NSEC NSEC3 NSEC5

but does NSEC3 really prevent zone enumeration?
a.com c.com z.com DNSKEY:
r.com? H(r.com) = 33c46
23ced.com a1bb5.com NSEC3
Learned: a1bb5.com dde45.com 23ced.com
NSEC3 records:
  23ced.com a1bb5.com NSEC3
  a1bb5.com dde45.com NSEC3
  dde45.com 23ced.com NSEC3
Table: Integrity? Tolerates bad nameserver? No zone enumeration? DNS X ✔ Sign Online NSEC NSEC3 ?????? NSEC5

zone enumeration is still possible with NSEC3!
Zone with n names: ~n online queries enumerate all names. Crack them using an offline dictionary attack!
Hashes learned: a1bb5.com dde45.com 23ced.com
Names learned: a.com z.com c.com
Offline dictionary attack:
  1) Make dictionary of plausible names: a.com b.com c.com … z.com
  2) Hash each name: H(a.com) = a1bb5, H(b.com) = 33333, H(c.com) = 23ced, …, H(z.com) = dde45
Oversimplified! There's one salt per zone, many hash iterations, …
NSEC3 zone enumeration has been demonstrated: [Wander, Schwittmann, Boelmann, Weis 2014] reversed 64% of NSEC3 hashes in the .com TLD over 4.5 days using a GPU. In 2011, nsec3walker guessed 2^34 hashes per day on a laptop.

why is zone enumeration possible with NSEC3?
The fundamental issue: Dictionary attacks are possible because resolvers can compute hashes offline.
q.com? H(q.com) = c987b
Find a matching NSEC3 record: a1bb5.com dde45.com NSEC3
Offline dictionary attack to crack hashes a1bb5, dde45

introducing NSEC5
Why NSEC5 prevents zone enumeration: No more dictionary attacks because resolvers can't compute hashes!
Secret Non-Signing Key (NSK):
q.com? H(q.com) = 7a89b
Find a matching NSEC5 record: 3cd91.com 8cb67.com NSEC5
Offline dictionary attack to crack hashes 3cd91, 8cb67: X
Can't compute hashes without secret NSK!

trusted authority for zone precomputes NSEC5 records
a.com c.com z.com
"Hash" with secret NSK: H(RSASIG(a.com)) = 9ae3e, H(RSASIG(c.com)) = 8cb67, H(RSASIG(z.com)) = 3cd91
sort: 3cd91 8cb67 9ae3e
Sign NSEC5s with secret ZSK:
  3cd91.com 8cb67.com NSEC5
  8cb67.com 9ae3e.com NSEC5
  9ae3e.com 3cd91.com NSEC5
* This is deterministic RSA (aka "Full Domain Hash")

NSEC5 in action
a.com c.com z.com Secret NSK: Public NSK:
q.com? RSASIG(q.com) = aa867a, H(aa867a) = 7a89b
3cd91.com 8cb67.com NSEC5 PROOF aa867a
How to verify?
  Do NSEC5, PROOF match: 3cd91 < H(aa867a) < 8cb67
  Do query, PROOF match: RSAVER(q.com, aa867a)
NSEC5 records:
  3cd91.com 8cb67.com NSEC5
  8cb67.com 9ae3e.com NSEC5
  9ae3e.com 3cd91.com NSEC5

why does NSEC5 prevent zone enumeration?
a.com c.com z.com Secret NSK: Public NSK:
q.com? 3cd91.com 8cb67.com NSEC5 PROOF aa867a
Offline dictionary attack to crack hashes 3cd91, 8cb67? X
H(RSASIG(c.com)) = 8cb67
Can't compute hashes without secret NSK!

why does NSEC5 prevent zone enumeration?
a.com c.com z.com Secret NSK: Public NSK:
q.com? 3cd91.com 8cb67.com NSEC5 PROOF aa867a
Offline dictionary attack to crack hashes 3cd91, 8cb67? using RSAVER? X
RSAVER just verifies PROOFs, not hashes!
H(RSASIG(c.com)) = 8cb67
RSAVER(q.com, aa867a)

why does NSEC5 maintain integrity?
Integrity: No denial-of-existence for name that exists.
a.com c.com z.com Secret NSK: Public NSK:
a.com? Replay: 3cd91.com 8cb67.com NSEC5 PROOF 666666
Can't compute PROOF (i.e. RSASIG(a.com))
Resolver rejects because RSAVER(a.com, 666666) = FALSE
NSEC5 records:
  3cd91.com 8cb67.com NSEC5
  8cb67.com 9ae3e.com NSEC5
  9ae3e.com 3cd91.com NSEC5

summary
Table: Integrity? Tolerates bad nameserver? No zone enumeration? DNS X ✔ Sign Online NSEC NSEC3 NSEC5 ?????
but what about managing the extra secret key? Secret NSK:

NSEC5 maintains integrity even if secret NSK is leaked!
Integrity: No denial-of-existence for name that exists.
a.com c.com z.com Secret NSK: Public NSK:
a.com?
Compute PROOF: RSASIG(a.com) = 556e3e, H(556e3e) = 9ae3e
PROOF 556e3e
There is no valid NSEC5 to replay!
NSEC5 records:
  3cd91.com 8cb67.com NSEC5
  8cb67.com 9ae3e.com NSEC5
  9ae3e.com 3cd91.com NSEC5
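
The resolver-side checks from the "NSEC5 in action" slide and the two integrity slides, as an added Python example (not code from the presentation or the NSEC5 authors). It assumes a toy RSA key built from two Mersenne primes, SHA-256 for both the full-domain hash and H, and leaves out the ZSK signatures on the NSEC5 records; all function names are hypothetical.

```python
import hashlib

# Toy NSK: RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # secret NSK exponent

def fdh(name):
    """Simplified full-domain hash of a name into Z_N (assumption: SHA-256 mod N)."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def rsasig(name):
    """PROOF: deterministic RSA signature; requires the secret NSK."""
    return pow(fdh(name), D, N)

def rsaver(name, proof):
    """Check a PROOF against a name using only the public NSK (N, E)."""
    return 0 <= proof < N and pow(proof, E, N) == fdh(name)

def h(proof):
    """H(PROOF): the value that is sorted and chained in NSEC5 records."""
    return hashlib.sha256(proof.to_bytes(32, "big")).hexdigest()

def build_chain(names):
    """Trusted authority: hash every name with the NSK, sort, link neighbours."""
    hs = sorted(h(rsasig(n)) for n in names)
    return [(hs[i], hs[(i + 1) % len(hs)]) for i in range(len(hs))]

def covers(record, value):
    """True if value lies strictly inside the record's gap (last record wraps)."""
    lo, hi = record
    return lo < value < hi if lo < hi else (value > lo or value < hi)

def nameserver_deny(chain, qname):
    """Nameserver: one online RSA signature, then pick the covering record."""
    proof = rsasig(qname)
    return proof, next(r for r in chain if covers(r, h(proof)))

def resolver_accepts(qname, proof, record):
    """Resolver: PROOF must match the query AND hash into the record's gap."""
    return rsaver(qname, proof) and covers(record, h(proof))

if __name__ == "__main__":
    chain = build_chain(["a.com", "c.com", "z.com"])
    proof, rec = nameserver_deny(chain, "q.com")
    print("q.com denial accepted:", resolver_accepts("q.com", proof, rec))
    print("replayed against a.com:", resolver_accepts("a.com", proof, rec))
    leaked = rsasig("a.com")  # a party holding a leaked NSK
    print("leaked-NSK denial of a.com:",
          any(resolver_accepts("a.com", leaked, r) for r in chain))
```

With a leaked NSK the PROOF for a.com verifies, but its hash is an endpoint of the chain, so no record strictly covers it and the denial is still rejected.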

summary
Table: Integrity? Tolerates bad nameserver? No zone enumeration? DNS X ✔ Sign Online NSEC NSEC3 NSEC5 NSEC5; lost secret NSK
Just like NSEC3!
See our paper for the crypto proofs! http://eprint.iacr.org/2014/582.pdf

Extra computational overhead in NSEC5 (vs NSEC3)
Nameserver does 1 online RSA signature/query (to get PROOF)
3cd91.com 8cb67.com NSEC5 PROOF 6aeb3a
But online signing is necessary to prevent zone enumeration!
Theorem [Informal]: ANY denial of existence scheme that prevents zone enumeration, and provides integrity (even against malicious slave nameservers) requires nameservers to compute a public-key signature for every negative response.
Explains why hash-based schemes are vulnerable to zone enumeration.

NSEC5 vs NSEC3: Key management & response size
NSEC5 public non-signing key (NSK) distributed in a DNSKEY RR.
Secret NSK at each nameserver; but this is not a "high security" key.
Response size: NSEC5 & NSEC3 records are the same size: ~2048 bits (signature) + 2 x 256 bits (hashes)
Plus PROOF sent with each NSEC5 (~2048 bits)
But, using wildcard optimization, an NSEC5 response is only ~2048 bits longer than today's unoptimized NSEC3 standard
Secret NSK: Public NSK:
3cd91.com 8cb67.com NSEC5 PROOF 6aeb3a
a1bb5.com dde45.com NSEC3
http://eprint.iacr.org/2013/254.pdf on .gov domain, 60% of

More details in our paper
http://eprint.iacr.org/2014/582.pdf
Table: Integrity? Tolerates bad nameserver? No zone enumeration? DNS X ✔ Sign Online NSEC NSEC3 NSEC5 NSEC5, leaked NSK
Public NSK:
3cd91.com 8cb67.com NSEC5 PROOF 6aeb3a