Andreas Steffen, 22.10.2013, 5-DNSSEC.pptx 1 Information Security 1 (InfSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.


Slide 1: Information Security 1 (InfSi1), Prof. Dr. Andreas Steffen, Institute for Internet Technologies and Applications (ITA). 5 DNS Security Extensions (DNSSEC)

Slide 2: 5.1 Kaminsky Attack on the Domain Name Service

Slide 3: DNS Resolution via Recursive Nameserver

Slide 4: DNS Request

Slide 5: DNS Response

Slide 6: Simple DNS Cache Poisoning

Slide 7: Guessing Query ID and UDP Source Port

Slide 8: The Dan Kaminsky DNS Vulnerability – July 2008

Slide 9: 5.2 DNS Root Servers

Slide 10: DNS Root Servers

Root  Operator                             IPv4             IPv6                   Servers
A     VeriSign Inc.                        198.41.0.4       2001:503:BA3E::2:30 #  8
B     Information Sciences Institute, USC  192.228.79.201   2001:478:65::53        1
C     Cogent Communications                192.33.4.12      -                      8
D     University of Maryland               199.7.91.13      2001:500:2D::D         2
E     NASA Ames Research Center            192.203.230.10   -                      12
F     Internet Systems Consortium Inc.     192.5.5.241      2001:500:2F::F         56
G     US DoD Network Information Center    192.112.36.4     -                      6
H     US Army Research Lab                 128.63.3.53      2001:500:1::803F:235   2
I     Netnod                               192.36.148.17    2001:7FE::53           43
J     VeriSign Inc.                        192.58.128.30    2001:503:C27::2:30     69
K     RIPE NCC                             193.0.14.129     2001:7FD::1            17
L     ICANN                                199.7.83.42      2001:500:3::42         146
M     WIDE Project                         202.12.27.33     2001:DC3::35           6

Total number of servers: 376

Slide 11: Global Map of Root Servers

Slide 12: 5.3 DNS Security Resource Records

Slide 13: DNSSEC Chain of Trust

Diagram: the root DNSKEY (KSK) is the trust anchor and is imported explicitly (e.g. via a trusted web site). From there each link signs the next: root KSK -> root DNSKEY (ZSK) -> ch. DS -> ch. DNSKEY (KSK) -> ch. DNSKEY (ZSK) -> switch.ch. DS -> switch.ch. DNSKEY (KSK) -> switch.ch. DNSKEY (ZSK) -> switch.ch. NS ns1/ns2 and www.switch.ch. A x.x.x.x. A zone's ZSK signs the DS records of its child zones, the DS record matches the child's KSK, the KSK signs the child's DNSKEY RRset (KSK and ZSK), and the child's ZSK signs its remaining records.

Slide 14: DNSSEC Resource Records I - DNSKEY

DNSKEY - DNS Public Key: contains a public key used to sign the RRsets of a zone.

switch.ch. 81154 IN DNSKEY 256 3 5 AwEAAeCDWwjJO4mXBzayiKf4p7waJ7Ew
                                   eUnsTsAWkxpfELci4iaVdBugzYPfsZIg
                                   9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJ
                                   jXAGMRwRJIBprFx4BXZSsjsvGb6MGC+e
                                   xHSlXw== ;{id = 64608 (zsk), size = 768b}

Flags field:
  256 -> Zone Signing Key (ZSK)
  257 -> Key Signing Key (KSK) with secure entry point (SEP) flag set

Algorithm field:
  5  -> SHA-1 with RSA
  7  -> SHA-1 with RSA & NSEC3 with SHA-1
  8  -> SHA-256 with RSA
  10 -> SHA-512 with RSA

Slide 15: DNSSEC Resource Records II - RRSIG

RRSIG - Resource Record Signature: contains a public key signature over a resource record set (RRset).

merapi.switch.ch. 172800 IN A 130.59.211.10
merapi.switch.ch. 172800 IN RRSIG A 5 3 172800 20091128231033 20091029231033 64608 switch.ch.
                                   3KW9YjxdL08FqVYKFSn9 Q4+8U1iYrVCun+J1Ny8Y
                                   IiMC+6oQS/GZwRn2mr+H MruwEjNB9s7bWGzRmRiR
                                   TATPvS67gxjCiJkSP58P kGJ1dW3wBaz6r1feGNvz
                                   KhHLhvRe ;{id = 64608}

Signature Expiration and Inception fields (YYYYMMDDHHmmSS, UTC): the signature is not valid before the Inception date and not valid after the Expiration date.

Key Tag field: contains the key tag of the key which signed the RRset (here 64608, the switch.ch ZSK from the previous slide).

Slide 16: DNSSEC Resource Records III - DS

DS - Delegation Signer: signed hash computed over the KSK of the child zone, published in the parent zone. Fields: key tag of the child KSK (43837), algorithm (5), digest type (1 = SHA-1, 2 = SHA-256), digest.

switch.ch. 3364 IN DS 43837 5 1 91dcfca519cf8b038441869878cc3610 60200534
switch.ch. 3364 IN DS 43837 5 2 838cef7635952df83311a92b48ae7f19 1ae29484534e38b1ab7b3d0966b9ee55
switch.ch. 3416 IN RRSIG DS 7 2 3600 20091123183442 20091117220724 31034 ch.
                                   LPh8RgXQSqPcdQz6s1PJOjTuopO9RxQg s1YYCY/CnhYaHxb6ndNBJ7QP20eKN+91
                                   /ULjN4Ep/k9Pgtos979i5OfEXpfLcWcv rKP1xGvqW4PjP+MT1PDs6uKisEUqGBoQ
                                   p7+nkkzjY+YsDbxtTV+/8uHcSnNmXoMm SqPms3G0aw4= ;{id = 31034}

The DS RRset lives in the parent zone, so its RRSIG is made with the ch. ZSK (key tag 31034), not with a switch.ch key.
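To make the DNSKEY, key tag and DS relationships of slides 14 to 16 concrete, here is an added Python example that is not part of the slides: it parses the switch.ch DNSKEY shown on slide 14, recomputes its key tag (the 64608 in the slide's comment, which the RRSIG on slide 15 references), decodes the RSA exponent and 768-bit modulus from the key field, and builds the DS digest a parent would publish for a key. Real DS records cover the KSK, so computing one over this ZSK is illustrative only; the function names are this example's own.

```python
import base64
import hashlib
import struct

# DNSKEY record of switch.ch exactly as shown on slide 14 (flags 256 = ZSK, algorithm 5).
SWITCH_CH_DNSKEY = (
    "switch.ch. 81154 IN DNSKEY 256 3 5 "
    "AwEAAeCDWwjJO4mXBzayiKf4p7waJ7EweUnsTsAWkxpfELci4iaVdBugzYPfsZIg"
    "9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJjXAGMRwRJIBprFx4BXZSsjsvGb6MGC+e"
    "xHSlXw=="
)

def parse_dnskey(text):
    """Split a presentation-format DNSKEY record into (owner, RDATA wire bytes)."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = text.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    key = base64.b64decode("".join(b64))   # base64 may be split into chunks
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + key
    return owner, rdata

def key_tag(rdata):
    """RFC 4034 Appendix B: sum of big-endian 16-bit words over the RDATA, carry folded."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_public_key(rdata):
    """RFC 3110 key field: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    key = rdata[4:]                        # skip flags (2), protocol (1), algorithm (1)
    exp_len, pos = key[0], 1
    if exp_len == 0:                       # long form for exponents longer than 255 bytes
        exp_len, pos = int.from_bytes(key[1:3], "big"), 3
    e = int.from_bytes(key[pos:pos + exp_len], "big")
    n = int.from_bytes(key[pos + exp_len:], "big")
    return e, n

def wire_name(owner):
    """Owner name in canonical wire form: length-prefixed lowercase labels, root label last."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def ds_rdata(owner, rdata, digest_type=2):
    """DS fields for this DNSKEY: digest over owner name + DNSKEY RDATA (RFC 4034 section 5)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest
```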

Slide 17: DNSSEC Resource Records IV - NSEC

NSEC – Next Owner Name: authenticated denial of existence of an owner name.

merapi.switch.ch. 180 IN NSEC mercury.switch.ch. A PTR AAAA LOC RRSIG NSEC
merapi.switch.ch. 180 IN RRSIG NSEC 5 3 180 20091128231033 20091029231033 64608 switch.ch.
                                   kW1SnXWoJKwOHEG1P3INI83EOGuQ GujwvBT/MSWVQ+ms/2DXxjQcpt1Z
                                   P07+XI51cc0t7erUUG31KZdmUpXZ tQzPUJh49jjLh9aTjRiH1xGhlxv5
                                   af+N95JDykRGSOAq ;{id = 64608}

Proof that there is no name between merapi.switch.ch. and mercury.switch.ch., and that merapi.switch.ch. has only the listed record types. Because each NSEC record names the next owner, following the chain allows enumeration of the complete zone data!

Slide 18: DNSSEC Resource Records V - NSEC3

NSEC3 – Next Owner Name in Hashed Order: hashed authenticated denial of existence.

h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN NSEC3 1 1 1 d399eaab h9rsfb7fpf2l8hg35cmpc765tdk23rp6 NS SOA RRSIG DNSKEY NSEC3PARAM ; flags: optout
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN RRSIG NSEC3 7 2 86400 20091202211702 20091118201702 5273 org.
                                   a+CC37hRM7yCFBaZn2SeRgY9h247GXptCuBYf45TwaoR xvBwTAXPT+UwZ/4hxwc2v7AR7ZZ8UOMiNJvYsl59eFW8
                                   Xtgws4/Aih0fJ2/O8yUHwI695fRf9PrpxXEpqzStjSZP 5arJ1oldDAHcnxgLqdAMW6wnK1FNrslfJblJlmU= ;{id = 5273}

NSEC3 RDATA fields in this record: hash algorithm 1 (SHA-1), flags 1 (opt-out), 1 iteration, salt d399eaab, next hashed owner name, type bitmap.

Proof that there is no name whose hashed owner name falls between the two hashes, i.e. no name between org. and ???.org. Does not allow straight enumeration of zone data! Dictionary attacks on the hashes are possible but expensive.

Slide 19: 5.4 DANE

Slide 20: DNS-based Authentication of Named Entities

DANE (RFC 6698, August 2012) defines a TLSA Resource Record with the RDATA fields
Cert. Usage | Selector | Matching Type | Certificate Association Data

Certificate Usage:
  0 – CA Certificate Constraint
  1 – Server Certificate Constraint
  2 – Trust Anchor Assertion for Private CA
  3 – Domain Issued Certificate
Selector:
  0 – Full Certificate
  1 – Public Key Info (Public Key plus Key Type Information)
Matching Type:
  0 – Exact Match on Selected Content
  1 – SHA-256 Hash of Selected Content
  2 – SHA-512 Hash of Selected Content

Slide 21: DANE – Verifying Server and CA Certificates

Diagram: a TLS client connecting to the TLS server www.hsr.ch (certificate issued by "Kool CA") fetches TLSA records from the DNS server of hsr.ch, signed with the zone's ZSK:
  www.hsr.ch. TLSA 1 0 1 -> SHA-256 hash used to check the server certificate
  www.hsr.ch. TLSA 0 0 2 -> SHA-512 hash used to check the CA certificate

Slide 22: DANE – Getting CA Certificate or Public Key

Diagram: TLS server www.hsr.ch with a certificate issued by the private "HSR CA":
  www.hsr.ch. TLSA 2 0 0 -> get the CA certificate (HSR CA)
  www.hsr.ch. TLSA 2 1 0 -> get the CA public key

Slide 23: DANE – Verifying Self-Signed Server Certificates

Diagram: TLS server www.hsr.ch with a self-signed certificate:
  www.hsr.ch. TLSA 3 0 1 -> SHA-256 hash used to check the server certificate

Slide 24: DANE – Verifying Raw RSA Keys

Diagram: TLS server www.hsr.ch presenting only its raw public key:
  www.hsr.ch. TLSA 3 1 1 -> SHA-256 hash used to check the server public key

Slide 25: DANE – Getting Server Certificate or Public Key

Diagram: TLS server www.hsr.ch with a self-signed certificate:
  www.hsr.ch. TLSA 3 0 0 -> get the server certificate
  www.hsr.ch. TLSA 3 1 0 -> get the server public key
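As an added example that is not part of the slides, covering the TLSA field semantics of slide 20 and the usage/selector/matching-type combinations of slides 21 to 25: a small Python implementation that parses a TLSA record, derives the Certificate Association Data for a certificate, and checks a presented certificate against the record. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the owner names use the _443._tcp. prefix RFC 6698 prescribes for HTTPS, which the slides abbreviate to www.hsr.ch.

```python
import hashlib
import hmac

# Field values from slide 20 (RFC 6698).
CERT_USAGE = {0: "CA constraint", 1: "service certificate constraint",
              2: "trust anchor assertion", 3: "domain-issued certificate"}
SELECTOR = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "SHA-256", 2: "SHA-512"}

# Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo bytes.
CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SPKI_DER = b"\x30\x59constructed-subject-public-key-info"

def parse_tlsa(text):
    """Parse 'owner [class] TLSA usage selector mtype hex...' into its four RDATA fields."""
    fields = text.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    if usage not in CERT_USAGE or selector not in SELECTOR or mtype not in MATCHING:
        raise ValueError("unknown TLSA field value")
    assoc = bytes.fromhex("".join(fields[i + 4:]))   # hex data may be split into chunks
    return usage, selector, mtype, assoc

def association_data(selector, mtype, cert_der, spki_der):
    """Certificate Association Data the record must carry for this certificate."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected                                # exact match on selected content
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()

def make_tlsa(owner, usage, selector, mtype, cert_der, spki_der):
    """Build the presentation-format TLSA record a zone operator would publish."""
    data = association_data(selector, mtype, cert_der, spki_der).hex()
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data}"

def tlsa_matches(record, cert_der, spki_der):
    """True if the certificate satisfies the record's association data.
    Pass the end-entity certificate for usages 1 and 3 and the CA certificate being
    checked for usages 0 and 2 (slides 21 and 22). For usages 0 and 1 the client must
    additionally run normal PKIX chain validation; for usages 2 and 3 the
    DNSSEC-validated record itself is the trust anchor (RFC 6698)."""
    usage, selector, mtype, assoc = parse_tlsa(record)
    expected = association_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(assoc, expected)    # constant-time comparison
```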

Slide 26: 5.5 DNS Root Signing Process

Slide 27: DNSSEC Root Zone Signing Process

Diagram: the TLD operator submits DS records to ICANN (vetting and processing); the DoC NTIA authorizes the changes; VeriSign edits the root zone and signs it with the root ZSK; the signed root zone containing the DS records is distributed to the root servers (A, ..., M).

Slide 28: DNSSEC Root Zone Key Signing Process

Diagram: VeriSign (ZSK management) holds the ZSK private key and sends a Key Signing Request (KSR) containing the ZSK to ICANN (KSK management); ICANN signs it with the KSK private key and returns a Signed Key Response (SKR). The KSK public key is published on a web site.

Slide 29: ICANN Key Ceremonies

Physical access tiers around the root KSK:
  Tier 1 – Facility – access control by data center
  Tier 2 – Facility – access control by data center
  Tier 3 – Facility – access control by data center
  Tier 4 – Cage – access control by data center
  Tier 5 – Safe Room – access control by ICANN
  Tier 6 – Safe #1 and Safe #2
  Tier 7 – Safe Deposit Box: Crypto Officers' credentials
  Tier 7 – HSM: KSK private keys
  Key Ceremony Computer

Slide 30: ICANN Key Ceremonies (photographs)

Slide 31: Periodic Key Rollover

Timeline diagram (T-10, T+0, T+10, ..., T+90 days):
  ZSK Rollover (every 90 days): the new ZSK is pre-published before it signs, and the old ZSK stays post-published after the switch.
  Optional KSK Rollover (every 2-5 years or on demand): the new KSK moves from publish to publish+sign, while the old KSK moves from publish+sign to revoke+sign.
  RRSIG Validity Period: 10 days + 50% overlap.

Slide 32: DNSSEC Deployment (October 22, 2013)

TLDs signed by root zone:
  13 gTLDs: arpa asia biz cat com edu gov info mil museum net org post
  81 ccTLDs: ac af ag am at be bg br bz ca cc ch cl co cr cx cz de dk eu fi fo fr gi gl gn gr gs hn in io is jp kg ki kr la lb lc li lk lt lu lv me mm mn my na nc nf nl nu nz pl pm pr pt pw re ru sb sc se sh si su sx tf th tm tt tv tw tz ua ug uk us wf yt
  8 IDN ccTLDs: xn--kprw13d, xn--kpry57d (Taiwan), xn--mgbx4cd0ab (مليسيا Malaysia), xn--3e0b707e (South Korea), xn--o3cw4h (Thailand), xn--l1acc (мон Mongolia), xn--h2brj9c (India), xn--p1ai (рф Russia)

Signing of major gTLDs:
  net: December 2010
  com: March 2011

