
DNS Security Umbrella - DNSSEC. Presenter: 劉旭哲. Background: at the 2008 Hacker Conference, Dan Kaminsky disclosed the major security vulnerability "DNS Cache Poisoning"; the rise of cloud computing.

Presentation transcript:

1 DNS Security Umbrella - DNSSEC. Presenter: 劉旭哲

2 Background: at the 2008 Hacker Conference, Dan Kaminsky disclosed the major security vulnerability "DNS Cache Poisoning"; the rise of cloud computing.

3 Normal DNS (diagram). Actors: User, Local DNS (with its cache), Master DNS, Internet. Local DNS cache at the start: Website A.com -> IP 1.1.1.1.
   Query: A.com = ? -> Local DNS: "Found it in my cache" -> Res: A.com = 1.1.1.1 -> the User connects to the website.
   Query: B.com = ? -> Local DNS: "Not found in my cache" -> Local DNS forwards Query: B.com = ? to the Master DNS -> Res: B.com = 2.2.2.2 -> Local DNS: "Update my cache" (cache is now: A.com 1.1.1.1, B.com 2.2.2.2) -> Res: B.com = 2.2.2.2 to the User -> the User connects.

4 DNS Cache Poisoning (diagram). Actors: User, Local DNS (with its cache), Master DNS, Hacker, fake C.com. Local DNS cache at the start: Website A.com -> IP 1.1.1.1.
   Query: C.com = ? -> Local DNS has no entry and asks the Master DNS ("When I'm looking for...").
   Hacker: Res: C.com = 4.4.4.4 arrives first -> Local DNS: "Update" (cache is now: A.com 1.1.1.1, C.com 4.4.4.4).
   Master DNS: Res: C.com = 3.3.3.3 arrives afterwards ("When I found it... no use"): the genuine answer is discarded because the query has already been answered.
   This user will connect to the fake C.com. Hacker: "If I look the same as the original C.com, it's easy to get info about the user."

5 Why do we need DNSSEC? According to VeriSign's "Domain Name Industry Brief" for Q2 2010, the total number of .com and .net domains passed 100 million, up 2% from Q1. VeriSign's DNS query volume is 62.5 billion per day, with a peak of 83.6 billion per day, both more than 15% higher than before.

6 A Forrester survey of 297 IT decision-makers found that: – 51% had experienced DNS-related attacks – 38% had experienced man-in-the-middle attacks

7 DNS Security Extensions. DNSSEC = DNS + digital signature. RFC 4034 & RFC 4035 add four new resource record types: – DNS Public Key (DNSKEY) – Resource Record Signature (RRSIG) – Next Secure (NSEC) – Delegation Signer (DS), optional

8 DNS Public Key (DNSKEY): the record that publishes the zone's public key. The Protocol field is fixed at 3.

9 For example: example.com. 86400 IN DNSKEY 256 3 5 ( AQP…………….== )
   Fields in order: Owner name, TTL, Class, RRtype, Flags (256), Protocol (3), Algorithm (5), Public key (base64)

10 Resource Record Signature (RRSIG): the digital signature over an RRset. Labels field: root = 0.

11 host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( 20030220173103 2642 example.com. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o= )
   Fields after the RRtype: Type covered (A), Algorithm (5), Labels (3), Original TTL (86400), Signature expiration (20030322173103), Signature inception (20030220173103), Key tag (2642), Signer's name (example.com.), Signature (Base64 encoded)

12 Next Secure (NSEC): each record points to the next domain name in the zone, forming a chain; if there is no next domain name, the record points back to the first domain name (the chain wraps around).

13 alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC TYPE1234 )
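
As an added example (not part of the presentation), the following Python models the NSEC check a validating resolver performs on records like the one on slide 13: canonical ordering of names (RFC 4034 section 6.1), the wrap-around of the last NSEC to the zone apex described on slide 12, and the difference between "name does not exist" and "name exists but has no record of that type". The example.com chain, the query names, and the function names are constructed for illustration.

```python
"""NSEC chain walker (added example; not from the presentation or any project).

Shows what a validating resolver checks when it receives NSEC records as a
denial-of-existence proof: the queried name must sort strictly between an
NSEC owner and its "next" name in DNSSEC canonical order (RFC 4034 section
6.1), and the last record of the chain wraps back to the zone apex (slide 12).
RRSIG verification of the NSEC records is out of scope.  The example.com chain
below is constructed for illustration.
"""


def canonical_key(name: str) -> list:
    """Sort key for RFC 4034 canonical ordering: labels compared right to left,
    case-insensitively, as unsigned octets; a name with fewer labels that is a
    prefix of another (e.g. the apex) sorts first."""
    body = name.rstrip(".")
    labels = body.split(".") if body else []
    return [label.lower().encode("ascii") for label in reversed(labels)]


def parse_nsec(line: str):
    """Parse the presentation format used on slide 13, e.g.
    'alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC )'.
    Returns (owner, next_name, set of type mnemonics present at owner)."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    owner, _ttl, _cls, rrtype, next_name, *types = tokens
    if rrtype != "NSEC":
        raise ValueError(f"not an NSEC record: {line!r}")
    return owner, next_name, set(types)


def in_zone(qname: str, apex: str) -> bool:
    """True if qname is the apex or lies below it."""
    a, q = canonical_key(apex), canonical_key(qname)
    return q[: len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly between owner and next_name, i.e. this NSEC
    proves qname does not exist.  When next_name sorts at or before owner this
    is the last record in the chain, and the gap wraps around the apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def deny(chain: list, apex: str, qname: str, qtype: str) -> str:
    """Classify a query against a zone's NSEC chain the way a validator would:
    'NXDOMAIN' (name proven absent), 'NODATA' (name exists but not that type),
    'EXISTS' (the record is present), or 'NO PROOF' (nothing in the chain
    covers the name, including names outside the zone: without the apex check
    the wrap-around record would "cover" every foreign name)."""
    if not in_zone(qname, apex):
        return "NO PROOF"
    for line in chain:
        owner, next_name, types = parse_nsec(line)
        if canonical_key(owner) == canonical_key(qname):
            return "EXISTS" if qtype in types else "NODATA"
        if nsec_covers(owner, next_name, qname):
            return "NXDOMAIN"
    return "NO PROOF"


# Constructed NSEC chain for example.com: four names, the last wraps to the apex.
EXAMPLE_CHAIN = [
    "example.com. 86400 IN NSEC alfa.example.com. ( NS SOA MX RRSIG NSEC DNSKEY )",
    "alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC )",
    "host.example.com. 86400 IN NSEC ns1.example.com. ( A RRSIG NSEC )",
    "ns1.example.com. 86400 IN NSEC example.com. ( A AAAA RRSIG NSEC )",
]

if __name__ == "__main__":
    for q, t in [("beta.example.com.", "A"), ("zulu.example.com.", "A"),
                 ("alfa.example.com.", "AAAA"), ("HOST.example.com.", "A"),
                 ("www.other.org.", "A")]:
        print(f"{q:20} {t:5} -> {deny(EXAMPLE_CHAIN, 'example.com.', q, t)}")
```

The apex check matters: without it the last record (ns1 -> apex) would "prove" the nonexistence of every name outside example.com, which is also why a validator only accepts an NSEC whose RRSIG comes from the zone that is authoritative for the queried name.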

14 Delegation Signer (DS): ensures the user obtains the correct public key by letting the upper-level (parent zone) administrator sign it. Digest type 1 = SHA-1.

15 dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQO……….== ) ; key id = 60485
   dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A 98631FAD1A292118 ) ; digest type 1 = SHA-1
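
The following Python is an added example, not code from the presentation: it implements the key tag computation (RFC 4034 Appendix B), the SHA-1 DS digest, and the RRSIG checks a validator makes before touching the signature bytes, and applies the parsers to the RRSIG from slide 11 and the DS from slide 15. The DNSKEY it uses is a constructed 4-byte dummy (the slides elide the real keys), so its key tag and digest do not reproduce the slide values; the wire-format name encoding, the key-tag arithmetic and the DS digest construction follow RFC 4034, and the function names are this example's own.

```python
"""DNSSEC record arithmetic (added example; not from the presentation or any
project).  Implements the non-cryptographic checks a validator performs on the
record types shown on slides 9, 11 and 15: the DNSKEY key tag (RFC 4034
Appendix B), the DS digest a parent publishes over a child's DNSKEY (digest
type 1 = SHA-1, as on slide 15), and the RRSIG pre-checks of RFC 4035 section
5.3.1.  Verifying the RSA signature bytes themselves is out of scope.  The
DNSKEY public key used below is a constructed 4-byte dummy, so its key tag and
DS digest are illustrative, not those of a real key.
"""
import hashlib
from datetime import datetime, timezone


def tokens(line: str) -> list:
    """Tokenize presentation format: drop '( )' continuation markers and a
    trailing ';' comment such as '; key id = 60485'."""
    return line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()


def wire_name(name: str) -> bytes:
    """Owner name in uncompressed, lowercased wire format (canonical form)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, key octets."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the RDATA; this is the 'Key Tag'
    that RRSIG and DS records use to point at a DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha1(owner: str, rdata: bytes) -> str:
    """DS digest for digest type 1: SHA-1(owner wire name || DNSKEY RDATA)."""
    return hashlib.sha1(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes) -> dict:
    """What the parent zone publishes for this child DNSKEY."""
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 1, "digest": ds_digest_sha1(owner, rdata)}


def parse_ds(line: str) -> dict:
    """Parse 'owner TTL IN DS keytag alg digesttype ( hex ... )'."""
    owner, _ttl, _cls, rrtype, tag, alg, dtype, *hexparts = tokens(line)
    if rrtype != "DS":
        raise ValueError(f"not a DS record: {line!r}")
    return {"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": "".join(hexparts).upper()}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The delegation check: the parent's DS must name this key's tag and
    algorithm and carry the right digest; any change to the key breaks it."""
    return (ds["digest_type"] == 1
            and ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest_sha1(owner, rdata))


def parse_rrsig(line: str) -> dict:
    """Parse 'owner TTL IN RRSIG type alg labels origttl exp inc keytag signer sig'."""
    (owner, _ttl, _cls, rrtype, covered, alg, labels, orig_ttl,
     exp, inc, tag, signer, *sig) = tokens(line)
    if rrtype != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {"owner": owner, "type_covered": covered, "algorithm": int(alg),
            "labels": int(labels), "original_ttl": int(orig_ttl),
            "expiration": exp, "inception": inc, "key_tag": int(tag),
            "signer": signer, "signature_b64": "".join(sig)}


def dnssec_time(s: str) -> datetime:
    """YYYYMMDDHHMMSS in UTC, the timestamp format used on slide 11."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_precheck(sig: dict, dnskey_owner: str, rdata: bytes, now: datetime) -> list:
    """Checks that precede the cryptographic verification; returns the list of
    failure reasons (empty means the signature may be verified)."""
    problems = []
    if not dnssec_time(sig["inception"]) <= now <= dnssec_time(sig["expiration"]):
        problems.append("outside validity window")
    if sig["signer"].lower() != dnskey_owner.lower():
        problems.append("signer name does not match DNSKEY owner")
    if sig["key_tag"] != key_tag(rdata):
        problems.append("key tag does not match DNSKEY")
    if sig["algorithm"] != rdata[3]:
        problems.append("algorithm does not match DNSKEY")
    if sig["labels"] > len([l for l in sig["owner"].rstrip(".").split(".") if l]):
        problems.append("labels field exceeds owner name label count")
    return problems


# Constructed dummy DNSKEY for example.com (not a real key); key tag 2059.
DUMMY_KEY = dnskey_rdata(256, 3, 5, b"\x01\x02\x03\x04")

# RRSIG from slide 11 (the RFC 4034 example) and the DS line from slide 15.
SLIDE_RRSIG = ("host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( "
               "20030220173103 2642 example.com. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8W"
               "TrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t"
               "GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o= )")
SLIDE_DS = "dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A 98631FAD1A292118 )"
```

The DS check is what slide 14 means by letting the parent sign: the parent does not sign the child's key directly, it publishes a digest bound to the owner name under its own signature, so a DNSKEY altered by a single byte or published under a different name fails `ds_matches_dnskey`, and the child's RRSIGs can never be chained to the trust anchor.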

16 Current status: VeriSign, in cooperation with the US Department of Commerce and ICANN, deployed DNSSEC in the root zone; deployment in .net is expected to be completed by the end of the year; DNSSEC in .com is planned for Q1 2011.

17 References:
   – http://tech.hexun.com.tw/2010-09-27/125010169.html
   – http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
   – http://www.informationsecurity.com.tw/article/article_detail.aspx?tv=13&aid=5886
   – http://phorum.study-area.org/index.php?topic=60268.0
   – http://www.ietf.org/rfc/rfc4035.txt
   – http://www.ietf.org/rfc/rfc4034.txt

