
1 By Team Trojans-1: Arjun Ashok, Priyank Mohan, Balaji Thirunavukkarasu

2 Agenda: DNS and its structure; DNS threats; DNSSEC; trust models for key validation; DNSSEC vulnerabilities; DNSSEC roadblocks; alternatives to DNSSEC; the road ahead.

3 Domain Name System (DNS). A hierarchical, distributed database that translates domain names to IP addresses (and serves other resource record types). The namespace is a tree rooted at "." and is analogous to the Unix file system: each zone is responsible for one subtree and delegates child zones to other name servers, so no single server holds the whole database.

4 DNS threats (the classes analysed in RFC 3833). Packet interception: queries and replies travel in clear text over UDP, so an on-path attacker can read or rewrite them. Name chaining: a reply carries additional records (CNAME, NS, glue) for names the resolver never asked about, and a careless resolver caches them. Denial of service: name servers and resolvers are flooded with queries, or open resolvers are abused as reflectors and amplifiers against third parties. Brute force (ID guessing and query prediction): an off-path attacker races the legitimate answer by guessing the 16-bit transaction ID and source port, poisoning the resolver's cache with a forged reply.

5 DNSSEC. First introduced in RFC 2535, "Domain Name System Security Extensions" (1999); the current specification is RFC 4033-4035 (2005). Provides data origin authentication and integrity for DNS data, but not confidentiality. The zone owner signs each RRset with the zone's private key, producing an RRSIG record, and publishes the corresponding public key in a DNSKEY record. A validating resolver is configured with one or more trust anchors (public keys, today normally the root zone key) and, once it knows or has validated a zone's public key, verifies the RRSIG over the response and so authenticates the data regardless of which server delivered it. Can be visualized as a sealed transparent envelope: the sender applies the seal to the envelope, not to the message, so anyone can read the contents, but any tampering breaks the seal.

6 Trust models for key validation: a tree-based approach. Follows the strict chain of trust of the DNS hierarchy: a zone's public key is considered valid only if the parent zone vouches for it. In DNSSEC the parent publishes a DS record containing a hash of the child's key-signing DNSKEY and signs it with its own key, so a resolver needs only the root key as a trust anchor and validates downwards link by link. Disadvantages: the root, and every parent below it, is a single point of failure; all peer zones are placed under the same umbrella of security, so a compromised or misbehaving parent can undermine every one of its children.
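As an added example (not part of the presentation), the two checks a validating resolver performs at each link of the tree-based chain described on slides 5 and 6: computing a DNSKEY's key tag and checking the key against the DS digest the parent publishes (RFC 4034), and the RRSIG validity-window check in 32-bit serial arithmetic. The zone name and key bytes are constructed for illustration; the "public key" is an opaque placeholder rather than a real key, and the signature verification itself (RSA/ECDSA over the RRset) is left out because it needs a crypto library.

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased labels), RFC 4034 s6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1, always 3) algorithm(1) public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA); type 2 is SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """What the parent zone publishes for the child's KSK:
    (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator check: does the DNSKEY the child served hash to the parent's DS?"""
    tag, alg, dtype, digest = ds
    if key_tag(rdata) != tag or rdata[3] != alg:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest)


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 s3.1.5: inception <= now <= expiration, compared in 32-bit
    serial-number arithmetic (RFC 1982) so the 2106 wrap-around is handled."""
    def le(a: int, b: int) -> bool:
        return ((b - a) & 0xFFFFFFFF) < 0x80000000
    return le(inception, now) and le(now, expiration)


if __name__ == "__main__":
    # Constructed child KSK: flags 257 (ZONE|SEP), algorithm 13 (ECDSAP256SHA256),
    # placeholder key bytes. The parent (".") publishes the DS for it.
    ksk = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
    ds = make_ds("example.", ksk)
    print("key tag", ds[0], "matches parent DS:", dnskey_matches_ds("example.", ksk, ds))
    rogue = dnskey_rdata(257, 13, b"\x01\x02\x03\x05")  # attacker-substituted key
    print("rogue key matches parent DS:", dnskey_matches_ds("example.", rogue, ds))
    print("signature valid at 1500:", rrsig_time_valid(1000, 2000, 1500))
```

The DS check is what makes the model a tree: a child can publish any DNSKEY it likes, but a validator only trusts the one whose hash appears in the parent's signed DS set, and the parent's own key is in turn committed to by its parent, up to the configured trust anchor.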

7 Trust models for key validation: a web-of-trust approach. Allows servers to choose their own trust relationships: a public key is considered valid as long as it has been signed by another key the resolver already trusts (PGP style). No single point of failure; robust and scalable. Disadvantages: an attacker impersonating a zone can create its own set of keys and establish trust relationships for them, and a resolver has no authoritative way to tell which signer is actually entitled to vouch for a given zone.

8 DNSSEC vulnerabilities. Zone private key compromise: an attacker holding a zone's private key can sign forged data for the whole sub-tree below it, and a hurried emergency rollover without the parent's cooperation (or loss of the key) can leave the entire sub-domain validating as bogus. Clock dependence: RRSIG records carry absolute inception and expiration times, so an attacker who can shift a validator's clock can make it accept expired (possibly compromised) signatures or reject current ones; signers and validators therefore need synchronized, trustworthy time (for example NTP), not only the primary and secondary servers. Zone enumeration: NSEC records store an ordered chain of all existing owner names to provide authenticated denial of existence, so an attacker can query them to walk and enumerate an entire zone, including names the operator never intended to publish.
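The zone-walking problem from the last bullet, shown as an added example rather than anything from the presentation: a toy authoritative server for a constructed zone that answers NSEC queries, and an attacker loop that follows the "next owner name" links from the apex until the chain wraps around, recovering every name without guessing. It goes slightly beyond the slide by also computing the RFC 5155 NSEC3 hash, the standard mitigation, to show that a walk of an NSEC3 chain yields only hashes. Zone names, salt and iteration count are made up.

```python
import base64
import hashlib


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 s6.1 canonical ordering: labels compared right to left."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


class SignedZone:
    """Toy authoritative server for a zone signed with NSEC (constructed data)."""

    def __init__(self, apex: str, names: list):
        ordered = sorted(set(names) | {apex}, key=canonical_key)
        self.apex = apex
        # NSEC chain: each owner name points at the next name in canonical order;
        # the last name wraps around to the apex.
        self.next_name = {n: ordered[(i + 1) % len(ordered)] for i, n in enumerate(ordered)}

    def query_nsec(self, qname: str):
        """Answer an explicit 'qname NSEC' query (type 47): the next owner name."""
        return self.next_name.get(qname)


def walk_zone(server: SignedZone) -> list:
    """Attacker: follow the NSEC chain from the apex until it wraps around.
    Every answer names the next existing owner, so nothing has to be guessed."""
    found, cur = [], server.apex
    while True:
        nxt = server.query_nsec(cur)
        found.append(cur)
        if nxt is None or nxt == server.apex:
            return found
        cur = nxt


# base32hex alphabet used by NSEC3 owner names (RFC 4648 s7)
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: IH(0)=SHA1(wire name||salt), IH(k)=SHA1(IH(k-1)||salt),
    result encoded in base32hex."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32HEX).decode("ascii")


if __name__ == "__main__":
    # Constructed zone; "secret-dev" is a host the operator never advertised.
    zone = SignedZone("example.", ["www.example.", "mail.example.",
                                   "hr.example.", "secret-dev.example."])
    print("NSEC walk found:", walk_zone(zone))
    # With NSEC3 the chain links hashed names, so a walk exposes only these:
    for n in walk_zone(zone):
        print(n, "->", nsec3_hash(n, bytes.fromhex("aabbccdd"), 12))
```

NSEC3 raises the cost of enumeration rather than removing it (the hashes can still be brute-forced offline against a dictionary), which is why the salt and iteration count exist.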

9 Roadblocks and challenges. Standing up a full PKI alongside the DNS is impractical: there is no third-party certification authority in DNSSEC, so everything rests on the secure generation, storage and use of zone private keys. Signing and validation cost CPU, bandwidth (larger responses) and operational effort, a trade-off between performance and security. Key management is hard: it is difficult to ensure that all servers have the updated keys; servers high in the hierarchy are unaware of the state of their child zones' keys; and every server must be online within the rollover window to receive the updated keys before the old ones expire, or validation fails.

10 Alternatives to DNSSEC: name server hardening. Configuration and maintenance of the name server itself to avoid denial of service and attacks such as unauthorized zone transfers, packet flooding and ARP spoofing. To counter these attacks: run the name server on a secure, minimal OS; use software that checks the integrity of zone files; and restrict access privileges on the name server (run it unprivileged, and allow zone transfers only from known secondaries). These measures protect the server, not the data in transit: a resolver still cannot distinguish a genuine answer from a spoofed one.

11 Contd.: TSIG, Transaction Signature (RFC 2845, now RFC 8945). Mutual authentication of servers based on a shared secret key: the sender computes an HMAC (originally HMAC-MD5, today typically HMAC-SHA256) over the DNS message plus a timestamp and appends it to the message as a TSIG record; the receiver recomputes the HMAC with the same key. Threats avoided by TSIG: spoofed zone transfers and dynamic updates between the parties that share the key, and replay outside the timestamp's "fudge" window. It does not scale to arbitrary resolvers and authenticates only the peer that sent the message, not the origin of the data.
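The TSIG exchange from this slide, as an added example that is not part of the presentation: the sender MACs the DNS message together with the TSIG variables (key name, class ANY, TTL 0, algorithm, 48-bit time signed, fudge, error, other data) in the order RFC 8945 prescribes, and the receiver recomputes it and then checks the timestamp. The shared key, key name and the bytes standing in for an AXFR request are constructed; for simplicity the example signs a request only (a signed response would also prefix the request's MAC) and treats the message as the already-built wire bytes without the TSIG record.

```python
import hashlib
import hmac
import struct

ALG_NAME = "hmac-sha256."
TSIG_CLASS_ANY, TSIG_TTL = 255, 0


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of a DNS name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_variables(key_name: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC (RFC 8945 s4.3.3), in wire order:
    name, class ANY, TTL 0, algorithm name, time signed (48 bit), fudge,
    error, other len, other data."""
    return (name_to_wire(key_name) + struct.pack("!HI", TSIG_CLASS_ANY, TSIG_TTL)
            + name_to_wire(ALG_NAME) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(key: bytes, key_name: str, message: bytes,
              time_signed: int, fudge: int = 300) -> dict:
    """Sender: MAC over the unsigned DNS message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return {"key_name": key_name, "time_signed": time_signed, "fudge": fudge, "mac": mac}


def tsig_verify(key: bytes, message: bytes, tsig: dict, now: int) -> str:
    """Receiver: returns 'NOERROR', 'BADSIG' or 'BADTIME' (RFC 8945 s5.2).
    The MAC is checked before the time so a forger learns nothing about the clock."""
    data = message + tsig_variables(tsig["key_name"], tsig["time_signed"], tsig["fudge"])
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"   # message or TSIG fields altered, or wrong key
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"  # replayed or delayed beyond the fudge window
    return "NOERROR"


if __name__ == "__main__":
    key = b"constructed-shared-secret"           # would come from `tsig-keygen` in practice
    # Constructed AXFR request: header (ID 0x1234, QDCOUNT 1), question example. AXFR IN
    axfr = (b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x00\x00\xfc\x00\x01")
    sig = tsig_sign(key, "primary-secondary.", axfr, time_signed=1700000000)
    print("genuine, in window:", tsig_verify(key, axfr, sig, now=1700000100))
    print("tampered question:  ", tsig_verify(key, axfr[:-1] + b"\x02", sig, now=1700000100))
    print("replayed later:     ", tsig_verify(key, axfr, sig, now=1700000400))
```

Because the key name and timestamp are inside the MAC, an attacker cannot move a captured signature onto another message or another key, and the fudge window (300 s by default) bounds how long a captured transfer request stays replayable.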

12 Road ahead. The main hindrance to adopting DNSSEC is implementation complexity and scalability. To overcome this, a dedicated signer (the slide cites the Software64 DNS signer) is used to automate key generation, backup, restoration, rollover and zone signing from a configuration file. Higher scalability is achieved with high-speed cryptography; the figure quoted is 6,000 RSA operations/sec with a 1024-bit key (note that 1024-bit RSA is no longer considered adequate and current deployments favour larger RSA keys or ECDSA). Another improvement is extending DNSSEC validation down to the client stub resolver (user level), so that the last hop between the recursive resolver and the application is also protected.

13 QUESTIONS
