By Team Trojans - 1: Arjun Ashok, Priyank Mohan, Balaji Thirunavukkarasu

Agenda: DNS and its structure; DNS threats; DNSSEC; trust models for key validation; DNSSEC vulnerabilities; DNSSEC roadblocks; alternatives to DNS security; the road ahead.

Domain Name System (DNS): a hierarchical, distributed database that provides the service of translating domain names to IP addresses. It follows a hierarchical tree structure, analogous to the Unix file system.

DNS Threats: packet interception; name chaining; DNS communication denial of service; brute force.

DNSSEC: first introduced in RFC 2535, "Domain Name System Security Extensions". It provides authentication and integrity of DNS data: the resolver authenticates name server (NS) data, and the integrity of the data is checked through a signed hash that is verified with the zone's public key. The resolver is configured with the public keys of the name servers; a resolver that knows the zone's public key can verify the signature and authenticate the DNS response. This can be visualized as a sealed transparent envelope: the sender applies the seal to the envelope, not to the message.

Trust Models for Key Validation, a tree-based approach: follows a strict chain/hierarchy of trust. A zone's public key is considered valid only if it is signed by its parent. Disadvantages: creates a single point of failure, and places all the peer zones under the same umbrella of security.

Trust Models for Key Validation, a web-of-trust approach: allows servers to choose their own trust relationships. A public key is considered valid as long as it has been signed by another server. No single point of failure; robust and scalable. Disadvantage: an impersonated malicious zone can create its own set of keys and establish a trust relationship.

DNSSEC Vulnerabilities: Zone private/public key compromise: a key compromise can lead to an entire sub-domain being marked as bogus. A server's current time could be changed in order to validate expired signatures; hence there should be some means to sync the time between primary and secondary servers. An attacker can spoof an entire zone server by querying the NSEC RRs, which store an ordered list of all the existing domain names.
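The three preceding slides (signing and resolver-side verification, the tree-based chain of trust, and the expired-signature/clock problem) as one runnable illustration. This is an added example, not code from the presentation: it uses a constructed textbook RSA (Miller-Rabin primes, raw SHA-256, no padding) and a constructed text encoding of DNSKEY, DS and RRSIG records, not the RFC 4034 algorithms or wire formats. The zone names, addresses and timestamps are constructed sample data.

```python
"""Toy DNSSEC-style signing, chain-of-trust walk and RRSIG validity window.
Added example, not code from the presentation.  The textbook RSA (Miller-Rabin
primes, raw SHA-256, no padding) and the record encoding are constructed for
illustration; they are not the RFC 4034 algorithms or wire formats."""
import hashlib
import random

rng = random.Random(2024)  # fixed seed: constructed, reproducible keys


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(bits=512):
    """Return ((n, e), (n, d)); n is wider than a SHA-256 digest so raw RSA works."""
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # odd, full length
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def rrset_bytes(owner, rrtype, rdatas, inception, expiration):
    """Canonical bytes under the signature: owner, type, sorted RDATA, validity window."""
    return "\n".join([owner.lower(), rrtype, *sorted(rdatas), str(inception), str(expiration)]).encode()


def sign_rrset(private, owner, rrtype, rdatas, inception, expiration):
    """Zone side: RRSIG-like record over one RRset."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(rrset_bytes(owner, rrtype, rdatas, inception, expiration)).digest(), "big")
    return {"inception": inception, "expiration": expiration, "sig": pow(h, d, n)}


def verify_rrset(public, owner, rrtype, rdatas, rrsig, now):
    """Resolver side: validity window against the local clock first, then the signature."""
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False  # only a skewed clock can make an expired RRSIG pass this check
    n, e = public
    h = int.from_bytes(hashlib.sha256(rrset_bytes(owner, rrtype, rdatas, rrsig["inception"], rrsig["expiration"])).digest(), "big")
    return pow(rrsig["sig"], e, n) == h


def ds_digest(public):
    """Parent-side DS record: hash of the child's public key (constructed encoding)."""
    return hashlib.sha256(("%d:%d" % public).encode()).hexdigest()


def make_zone(name, children, inception, expiration):
    """Signed zone: self-signed DNSKEY RRset plus a signed DS RRset per child; returns (zone, private key)."""
    pub, priv = make_keypair()
    zone = {"name": name, "dnskey": pub, "ds": {},
            "dnskey_sig": sign_rrset(priv, name, "DNSKEY", ["%d:%d" % pub], inception, expiration)}
    for child, child_pub in children:
        rdatas = [ds_digest(child_pub)]
        zone["ds"][child] = (rdatas, sign_rrset(priv, child, "DS", rdatas, inception, expiration))
    return zone, priv


def validate_chain(anchor, zones, now):
    """Tree model: the root key must match the anchor; a child key counts only if the parent's signed DS vouches for it."""
    if ds_digest(zones[0]["dnskey"]) != anchor:
        return False
    for i, z in enumerate(zones):
        key = z["dnskey"]
        if i > 0:
            rdatas, sig = zones[i - 1]["ds"].get(z["name"], ([], None))
            if sig is None or ds_digest(key) not in rdatas:
                return False  # no secure delegation, or an impersonator's self-made key
            if not verify_rrset(zones[i - 1]["dnskey"], z["name"], "DS", rdatas, sig, now):
                return False
        if not verify_rrset(key, z["name"], "DNSKEY", ["%d:%d" % key], z["dnskey_sig"], now):
            return False
    return True


def demo():
    """Constructed root -> example. chain; every value in the result should be True."""
    now, win = 1_700_000_000, (1_700_000_000 - 10, 1_700_000_000 + 86400)
    child, child_priv = make_zone("example.", [], *win)
    root, _ = make_zone(".", [("example.", child["dnskey"])], *win)
    rogue, _ = make_zone("example.", [], *win)  # impersonator with its own self-made keys
    anchor = ds_digest(root["dnskey"])
    a = ("www.example.", "A", ["192.0.2.10"])
    a_sig = sign_rrset(child_priv, *a, now - 10, now + 3600)
    return {
        "chain_ok": validate_chain(anchor, [root, child], now),
        "rogue_rejected": not validate_chain(anchor, [root, rogue], now),
        "record_ok": verify_rrset(child["dnskey"], *a, a_sig, now),
        "tampered_rejected": not verify_rrset(child["dnskey"], "www.example.", "A", ["198.51.100.9"], a_sig, now),
        "expired_rejected": not verify_rrset(child["dnskey"], *a, a_sig, now + 7200),
        "rolled_back_clock_accepts": verify_rrset(child["dnskey"], *a, a_sig, now + 200),
    }
```

The last entry of `demo()` is the point of the vulnerability slide: the same RRSIG that is rejected at `now + 7200` is accepted again if the validating server's clock reads `now + 200`, which is why the signature window is only as trustworthy as the resolver's time source. The `rogue_rejected` entry is the tree model's answer to the web-of-trust weakness: a zone that mints its own keys validates its own DNSKEY RRset fine, but fails because the parent's signed DS does not contain a digest of that key.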

Roadblocks and Challenges: It is infeasible to implement a PKI infrastructure. No third-party authority of trust (CA) exists in DNSSEC, so it is highly dependent on private key usage. There is a trade-off between performance and security. It is difficult to ensure that all servers have the updated keys: servers high up in the hierarchy are unaware of the state of the child nodes, and all servers need to be online within a specified time frame in order to receive the updated keys.

Alternatives to DNSSEC: name server software. Configuration and maintenance of the name server to avoid DoS and attacks such as zone transfer, packet flooding and ARP spoofing. To counter these attacks, the following steps are implemented: using a secure OS, using software to check the integrity of zone files, and restricting access privileges on the name server.
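The last two measures on this slide, checking zone-file integrity and restricting access privileges, as an added example that is not part of the presentation. It keeps a SHA-256 manifest of a zone directory taken right after a trusted edit, then reports files that were modified, removed or added since, and any zone file that is group- or world-writable. The directory, file names and zone contents in `demo()` are constructed.

```python
"""Zone-file integrity check: a SHA-256 manifest plus a permission check.
Added example, not code from the presentation; the zone directory and
its contents in demo() are constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large zone files are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(zone_dir):
    """Baseline: relative path -> digest for every file under the zone directory."""
    root = Path(zone_dir)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_zone_dir(zone_dir, manifest):
    """Compare the directory against the baseline and flag loose permissions.
    Returns a sorted list of (relative path, issue); an empty list means clean."""
    root = Path(zone_dir)
    current = build_manifest(zone_dir)
    findings = []
    for name, digest in manifest.items():
        if name not in current:
            findings.append((name, "missing"))
        elif current[name] != digest:
            findings.append((name, "modified"))
    for name in current:
        if name not in manifest:
            findings.append((name, "unexpected"))
        # the name server should own the file; nobody else needs write access
        if (root / name).stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "group/world-writable"))
    return sorted(findings)


def demo():
    """Constructed zone directory: returns (findings before tampering, findings after)."""
    with tempfile.TemporaryDirectory() as d:
        zone = Path(d) / "db.example"
        zone.write_text("$ORIGIN example.\n@ IN SOA ns1 hostmaster 1 3600 900 604800 300\n"
                        "www IN A 192.0.2.10\n")
        os.chmod(zone, 0o640)
        manifest = build_manifest(d)          # taken right after the trusted edit
        clean = verify_zone_dir(d, manifest)
        # simulate what an integrity check is meant to catch: an edited record,
        # loosened permissions and a file nobody deployed
        zone.write_text(zone.read_text().replace("192.0.2.10", "198.51.100.9"))
        os.chmod(zone, 0o666)
        (Path(d) / "db.rogue").write_text("rogue. IN A 203.0.113.1\n")
        return clean, verify_zone_dir(d, manifest)
```

In practice the manifest is stored outside the zone directory (and outside the name server's write access), and the check is run from cron or as part of the reload hook; a finding should block the reload rather than just log it.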

Contd.: TSIG (Transaction Signature) involves mutual authentication of servers based on a shared secret key; on the source side it employs an HMAC. Threats avoided by TSIG
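The TSIG exchange described above, as an added example that is not part of the presentation. The message encoding is a constructed text form rather than the RFC 2845 wire format, but the mechanism is the real one: both ends hold a named shared secret, every message carries an HMAC together with the key name and signing time, and the response MAC is computed over the request MAC as well, so the requester authenticates the responder and the response is bound to its own request. The key name, secret, addresses and timestamps are constructed.

```python
"""TSIG-style mutual authentication of a DNS exchange with an HMAC.
Added example, not code from the presentation: the message encoding is a
constructed text form rather than the RFC 2845 wire format, but the mechanism
is the same: a shared secret, a MAC over each message, and the response MAC
chained to the request MAC so the requester can authenticate the responder."""
import hashlib
import hmac

FUDGE = 300  # allowed clock skew in seconds (TSIG's "fudge" field)
KEYS = {"xfer-key.example.": b"constructed-secret-0123456789abcdef"}  # key name -> shared secret


def covered_data(message, key_name, time_signed, prior_mac=b""):
    """Bytes under the MAC: (request MAC, for responses) + message + key name + time."""
    return prior_mac + message + key_name.encode() + time_signed.to_bytes(6, "big")


def tsig_sign(message, key_name, time_signed, secret, prior_mac=b""):
    """Sender side: attach key name, signing time and HMAC-SHA256."""
    mac = hmac.new(secret, covered_data(message, key_name, time_signed, prior_mac), hashlib.sha256).digest()
    return {"key": key_name, "time": time_signed, "mac": mac}


def tsig_verify(message, tsig, now, prior_mac=b"", keys=KEYS):
    """Receiver side: returns a TSIG-style status (NOERROR, BADKEY, BADTIME or BADSIG)."""
    secret = keys.get(tsig["key"])
    if secret is None:
        return "BADKEY"
    if abs(now - tsig["time"]) > FUDGE:
        return "BADTIME"  # replayed, or the clocks disagree by more than the fudge
    expected = hmac.new(secret, covered_data(message, tsig["key"], tsig["time"], prior_mac), hashlib.sha256).digest()
    return "NOERROR" if hmac.compare_digest(expected, tsig["mac"]) else "BADSIG"


def exchange():
    """Constructed zone-transfer exchange between a secondary (client) and a primary (server)."""
    key, secret, t = "xfer-key.example.", KEYS["xfer-key.example."], 1_700_000_000
    request = b"AXFR example."
    req = tsig_sign(request, key, t, secret)
    # primary: authenticate the request before serving the zone
    status_request = tsig_verify(request, req, now=t + 5)
    response = b"example. SOA ns1 hostmaster 7; www.example. A 192.0.2.10"
    resp = tsig_sign(response, key, t + 5, secret, prior_mac=req["mac"])
    # secondary: authenticate the response and bind it to its own request
    tampered = response.replace(b"192.0.2.10", b"198.51.100.9")
    return {
        "request": status_request,
        "response": tsig_verify(response, resp, now=t + 6, prior_mac=req["mac"]),
        "tampered_response": tsig_verify(tampered, resp, now=t + 6, prior_mac=req["mac"]),
        "wrong_request_binding": tsig_verify(response, resp, now=t + 6, prior_mac=b"\x00" * 32),
        "replayed_request": tsig_verify(request, req, now=t + 3600),
        "unknown_key": tsig_verify(request, {**req, "key": "other.example."}, now=t + 5),
    }
```

Two details carry most of the protection: the time field plus fudge window limits replay of a captured signed request, and `hmac.compare_digest` avoids leaking MAC bytes through timing. Neither side needs a CA or any public-key machinery, which is why TSIG is the usual choice for zone transfers and dynamic updates between servers that already share an out-of-band secret.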

Road Ahead: The main hindrance in adopting DNSSEC is implementation complexity and scalability. To overcome this, the Software64 DNS signer is used to automate processes such as key generation, backup, restoration, rollover and zone signing in the configuration file. Higher scalability is achieved using high-speed crypto algorithms: 6,000 RSA operations/sec with a 1024-bit key. Another improvement is implementing DNSSEC down to the client stub resolver level (user level).

QUESTIONS