The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance
1 The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance
Christian Grothoff, The GNUnet Project
"Never doubt your ability to change the world." (Glenn Greenwald)

3 The Internet
Virtually all Internet protocols are broken:
- Ethernet: MAC spoofing, cleartext
- IP: IP spoofing, cleartext
- BGP: AS hijacking, cleartext
- DNS: cache poisoning, cleartext
- DNSSEC: cleartext, often no end-to-end authentication
- TLS: 100 CAs can certify anybody for anything
- HTTP: too chatty, complex, slow...
Rule 1 for the GNUnet: Encrypt everything.

6 Encryption to the Rescue?
Existing Internet PKIs are easily controlled:
- DNSSEC root certificate
- X.509 CAs (HTTPS certificates)
- Major browser vendors (CA root stores!)
Encryption does not help if PKI is compromised!
PGP Web-of-Trust leaks social graph

7 How bad is it?
21 A DNS Lookup in
What would a simple DNS lookup do? Say for taler.net?
- NS of net is a.gtld-servers.net
- NS of taler.net is dns1.name-services.com
- NS of com is a.gtld-servers.net
- CNAME of taler.net is pixel.net.in.tum.de
- NS of de is n.de.net
- NS of net was a.gtld-servers.net
- NS of de.net is ns1.denic.de
- NS of tum.de is dns1.lrz.de
- NS of lrz.de is dns1.lrz.de
- NS of in.tum.de is tuminfo1.informatik.tu-muenchen.de
- NS of tu-muenchen.de is ws-han1.wip-ip.dfn.de
- NS of dfn.de is ws-han1.wip-ip.dfn.de
- NS of net.in.tum.de is dns1.lrz.de
- A of pixel.net.in.tum.de is

22 Exemplary Attacks: MORECOWBELL
23 Exemplary Attacks: QUANTUMDNS
24 DNSSEC
[Diagram: a stub resolver asks a recursive name server, which holds the DNSSEC trust anchor and queries the root zone server (a.root-servers.net.), the .com server (a.gtld-servers.net.) and the example.com server (a.iana-servers.net.). Referrals carry NS, DS and RRSIG records; the answer for example.com carries A and RRSIG records and reaches the stub resolver with the AD flag.]

25 Query Name Minimization
[Diagram: the recursive name server asks the root zone server (a.root-servers.net.) "NS com?" and receives NS a.gtld-servers.net., asks the .com server (a.gtld-servers.net) "NS example.com?" and receives NS a.iana-servers.net., and sends the A query to the example.com server (a.iana-servers.net); the answer is returned to the stub resolver.]

26 DNS over TLS
[Diagram: stub resolver, recursive name server, and the root zone (a.root-servers.net.), .com (a.gtld-servers.net.) and example.com (a.iana-servers.net.) servers, with NS referrals to a.gtld-servers.net. and a.iana-servers.net. and the final A answer.]

28 The Textbook Version of the Internet
Layering, 1990: HTTPS, DNS, TLS, UDP, TCP, IPv4, Ethernet, Phys. Layer
Layering, 2020: HTTPS, TLS-with-DANE, DNS-over-TLS, TLS, TCP, IPv6, Ethernet, Phys. Layer
libmicrohttpd libgnutls libunbound libnss Linux
Linux = castrated version without RFC 6125 or RFC 6394, possibly NULL cipher, see TLS profiles draft.

29 DNSCurve
[Diagram: a DNSCurve cache with public key P_c and private key S_c follows NS referrals from the root zone server (a.root-servers.net.) and the .com server (a.gtld-servers.net.) to the DNSCurve server for example.com, uz5...hyw.iana-servers.net., and exchanges the encrypted query (P_c, N, E(...)) and the encrypted A response (N, E(A ...)) with it.]

30 Namecoin
[Diagram: a Namecoin client gets a copy of the block chain from the P2P network, keeps a local copy of the block chain, and appends a registration to the block chain.]

31 Zooko's Triangle
Corners: Secure, Global, Memorable
A name system can only fulfill two!

32 Zooko's Triangle
Corners: Secure, Global, Memorable
Labels in the diagram: Cryptographic Identifiers, Petname Systems, Hierarchical Registration
DNS, .onion IDs and /etc/hosts/ are representative designs.

33 Zooko's Triangle
Corners: Secure, Global, Memorable
Labels in the diagram: mnemonic URLs, Cryptographic Identifiers, SDSI, Petname Systems, certificates, Hierarchical Registration
DNSSEC security is broken by design (adversary model!)

40 Namecoin
- Memorable: Check
- Global: Check
- Secure: different adversary model!
  - Availability of names (registration rate) is restricted
  - Adversary must not have 51% compute power

41 The GNU Name System [1]
Properties of GNS:
- Decentralized name system with secure memorable names
- Delegation used to achieve transitivity
- Achieves query and response privacy
- Provides alternative public key infrastructure
- Interoperable with DNS
[1] Joint work with Martin Schanzenbach and Matthias Wachs

42 Zone Management: like in DNS
43 Name resolution in GNS
[Diagram: Bob's local zone, with key pair $K^{Bob}_{pub}$ / $K^{Bob}_{priv}$, maps the label www (A record) to Bob's webserver.]
Bob can locally reach his webserver via

44 Secure introduction
[Business card: Bob Builder, Ph.D., with address, phone, mobile and mail fields.]
Bob gives his public key to his friends, possibly via QR code

45 Delegation
- Alice learns Bob's public key
- Alice creates delegation to zone $K^{Bob}_{pub}$ under label bob
- Alice can reach Bob's webserver via

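52 Name Resolution
[Diagram: Bob's zone 8FS7 contains the record "www A"; Alice's zone A47G contains the record "bob PKEY 8FS7". Numbered messages between Bob, Alice and the DHT:]
- 0: PUT 8FS7-www:
- 1:
- 2: 'bob'?
- 3: PKEY 8FS7!
- 4: 8FS7-www?
- 5: A !
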
53 GNS as PKI (via DANE/TLSA)
54 Privacy Issue: DHT
[Diagram: the name-resolution exchange between Bob, Alice and the DHT, repeated from the Name Resolution slide.]

55 Query Privacy: Terminology
- $G$: generator in ECC curve, a point
- $n$: size of ECC group, $n := |G|$, $n$ prime
- $x$: private ECC key of zone ($x \in \mathbb{Z}_n$)
- $P$: public key of zone, a point $P := xG$
- $l$: label for record in a zone ($l \in \mathbb{Z}_n$)
- $R_{P,l}$: set of records for label $l$ in zone $P$
- $q_{P,l}$: query hash (hash code for DHT lookup)
- $B_{P,l}$: block with encrypted information for label $l$ in zone $P$, published in the DHT under $q_{P,l}$

57 Query Privacy: Cryptography
Publishing records $R_{P,l}$ as $B_{P,l}$ under key $q_{P,l}$:
$$h := H(l, P) \tag{1}$$
$$d := h \cdot x \bmod n \tag{2}$$
$$B_{P,l} := S_d(E_{HKDF(l,P)}(R_{P,l})),\ dG \tag{3}$$
$$q_{P,l} := H(dG) \tag{4}$$
Searching for records under label $l$ in zone $P$:
$$h := H(l, P) \tag{5}$$
$$q_{P,l} := H(hP) = H(hxG) = H(dG) \Rightarrow \text{obtain } B_{P,l} \tag{6}$$
$$R_{P,l} = D_{HKDF(l,P)}(B_{P,l}) \tag{7}$$

58 The GNU Name System (GNS)
[Diagram: three GNS services connected through the DHT of the P2P network.]
- Bob's GNS service (NSS .gnu = Pbob), zone database Pbob: carol PKEY Pcarol; www A. Publishes PUT (H(carol, Pbob), E(PKEY Pcarol)) and PUT (H(www, Pbob), E(A ))
- Carol's GNS service, zone database Pcarol: www A. Publishes PUT (H(www, Pcarol), E(A ))
- Alice's GNS service (NSS .gnu = Palice), zone database Palice: bob PKEY Pbob; www A. Issues GET (H(carol, Pbob)) and receives E(PKEY Pcarol), then GET (H(www, Pcarol)) and receives E(A )

60 Revocation
Revocation Basics
- Revocation certificate (RC): message signed with private key
- Peer receives new valid RC, floods to all neighbours
- All peers store all valid RCs forever
- Expensive operation: proof-of-work
Revocation Magic
- Peers may be offline during initial flood
- Network might be temporarily partitioned
- Need to reconcile revocation sets on connect
- Whenever two peers establish a P2P connection, they must compute the set union of their RC sets!

61 The .zkey pTLD
- LABELS.PKEY.zkey format
- PKEY is the public key of the zone
- Works a bit like .onion
- Globally unique identifiers!
[Business card: Bob Builder, Ph.D., Mail: bob@h2r84l4jil3g5c.zkey]

64 NICKnames
- alice.bob.carol.dave.gnu is a bit long for Edward (.gnu)
- Also, we need to trust Bob, Carol and Dave (for each lookup)
- Finally, Alice would have liked to be called Krista (just Bob calls her Alice)
- NICK records allow Krista to specify her preferred NICKname
- GNS adds a NICK record to each record set automatically
- Eve learns the NICK, and GNS creates krista.short.gnu
- Memorable, short trust path in the future! TOFU!
- Krista better pick a reasonably unique NICK.

66 Shadow Records
- Records change
- Expiration time controls validity, like in DNS
- DHT propagation has higher delays, compared to DNS
- SHADOW is a flag in a record
- Shadow records are only valid if no other, non-expired record of the same type exists

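The delegation walk from the Delegation and Name Resolution slides combined with the SHADOW rule above, as an added example that is not GNUnet code: a name is resolved right to left by following PKEY records from the starting zone, and a shadow record only becomes visible once the regular record of the same type has expired. Assumptions: the store is a plain dict standing in for the DHT (no encryption), "other record" in the SHADOW rule is read as "non-shadow record", the zone identifiers 8FS7 and A47G are taken from the slides, and the addresses, expiration times and function names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    rtype: str            # "A", "PKEY", ...
    value: str
    expires: int          # absolute expiration time, in seconds
    shadow: bool = False  # SHADOW flag


def effective(records, now):
    """Drop expired records, then admit SHADOW records only for record
    types that have no live non-shadow record."""
    live = [r for r in records if r.expires > now]
    covered = {r.rtype for r in live if not r.shadow}
    return [r for r in live if not r.shadow or r.rtype not in covered]


def resolve(name, start_zone, store, now, rtype="A", max_depth=16):
    """Resolve a .gnu name relative to start_zone.

    store maps (zone, label) -> list of Record and stands in for the DHT.
    Returns the values of the matching records, or [] if the delegation
    chain breaks or nothing valid is left at the final label.
    """
    labels = name.split(".")
    if len(labels) < 2 or labels[-1] != "gnu":
        raise ValueError("expected a name of the form label[.label...].gnu")
    labels = labels[:-1][::-1]            # rightmost label is resolved first
    if len(labels) > max_depth:
        raise ValueError("delegation chain too long")
    zone = start_zone
    for label in labels[:-1]:
        candidates = effective(store.get((zone, label), []), now)
        pkeys = [r for r in candidates if r.rtype == "PKEY"]
        if not pkeys:
            return []                     # no valid delegation under this label
        zone = pkeys[0].value             # continue in the delegated zone
    final = effective(store.get((zone, labels[-1]), []), now)
    return [r.value for r in final if r.rtype == rtype]


# Constructed sample data: Alice (zone A47G) delegates "bob" to zone 8FS7;
# Bob is rotating his web server address and pre-publishes the new one
# as a shadow record so that it is already in the DHT when the old one expires.
SAMPLE_STORE = {
    ("A47G", "bob"): [Record("PKEY", "8FS7", expires=10_000)],
    ("8FS7", "www"): [
        Record("A", "192.0.2.10", expires=100),
        Record("A", "192.0.2.20", expires=1_000, shadow=True),
    ],
}

if __name__ == "__main__":
    for t in (50, 150, 2_000):
        print(t, resolve("www.bob.gnu", "A47G", SAMPLE_STORE, now=t))
```

Every hop in the loop is a zone the resolver has to trust, which is the cost the NICKnames slide points out for long names.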
67 Practical Concerns
- Name registration
- Support for browsing
- New record types
- Integration with applications
- State of the implementation

68 Registering a name in GNS
- Bob gives his PKEY to his friends via QR code
- or registers it at the GNUnet fcfs authority pin.gnu as bob
- Bob's friends can resolve his records via *.petname.gnu or *.bob.pin.gnu

70 From DNS to GNS
Names are not globally unique, but
- ... we need support for Virtual Hosting!
- ... we need support for SSL!
Solution: Client Side SOCKS Proxy

72 Legacy Hostname (LEHO) Records
LEHO records give a hint about the DNS name the server expects.
[Diagram: Dave's HTTP GET, with a Host: header, goes to the local proxy, which sends an HTTP GET with a Host: header to Alice's server; the pages contain <a href=...> links. The host names and link targets are not preserved.]

73 Long-Term Vision
- Integration with browser and HTTP server
- HTTP server receives GNS-Zone: PKEY instead of Hostname
- HTTP client uses TLSA record of GNS, instead of LEHO

74 Relative Names
- GNS records can contain .+
- CNAME: server1.+
- MX: mail.+
- .+ stands for relative to current zone
- Supporting this for links in browsers would be nice, too.

76 New Record Types
- PKEY: delegate to another GNS zone
- NICK: preferred names for shortening
- LEHO: legacy hostname
- GNS2DNS: delegate to DNS
- VPN: peers hosting TCP/IP services
- PHONE: call users using gnunet-conversation

77 DNS Delegation
- Delegate to DNS using GNS2DNS records
- GNS2DNS record specifies:
  - Name of DNS resolver (e.g. ns1.example.com or piratedns.+)
  - DNS domain to continue resolution in (e.g. example.com or piratebay.org)
- GNS will first resolve DNS resolver name to A/AAAA record
- GNS will then resolve left.of.gns2dns.example.com using DNS

78 VPN Delegation
- Delegates to GNUnet VPN
- VPN record specifies:
  - Identity of hosting peer (no anonymity!)
  - Service identifier (hash code)
- GNS can map VPN record to A/AAAA record of gnunet-vpn tunnel

79 PHONE service
- PHONE record specifies:
  - Identity of hosting peer (no anonymity yet!)
  - Line number (to support multiple phones per peer)

80 Application Integration
- SOCKS proxy (gnunet-gns-proxy)
- NSS plugin
- DNS packet interception (gnunet-dns-service)
- GNS (C) API
- GNS (IPC) protocol
- GNS command-line tool

82 Current State
- GNS part of GNUnet since
- Crypto changed to Curve25519 in
- Internationalized Domain Names are supported
- Installation is non-trivial (for your parents)
- Needs more work on reverse lookup

83 Privacy summary
[Table comparing the methods DNS, DNSSEC, DNSCurve, DNS-over-TLS, Namecoin and GNS on: defense against MiTM, zone privacy, privacy vs. network, privacy vs. operator, traffic amplification resistance, censorship resistance, ease of migration. Of the cell contents only "n/a" and "EDNS0" survive.]

84 Key management summary
[Table comparing DNS, DNSSEC, DNSCurve, DNS-over-TLS, TLS-X.509, Web of Trust, TOFU, SMP/PANDA, Namecoin and GNS on: suitable for personal use, memorable, decentralised, modern cryptography, understandable, exposes metadata, transitive. The cell contents are not preserved.]

86 Conclusion
- We have decentralized the PKI
- Privacy and security are preserved

87 Do you have any questions?
More informationCS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:
CS 470 Spring 2017 Mike Lam, Professor Distributed Web and File Systems Content taken from the following: "Distributed Systems: Principles and Paradigms" by Andrew S. Tanenbaum and Maarten Van Steen (Chapters
More informationECE 435 Network Engineering Lecture 7
ECE 435 Network Engineering Lecture 7 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 25 September 2018 HW#3 was Posted Announcements 1 HW#2 Review C code will be discussed next
More informationTen Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier
Presented by Joshua Schiffman & Archana Viswanath Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier Trust Models Rooted Trust Model! In a
More informationIntroduction. Overview of Tor. How Tor works. Drawback of Tor s directory server Potential solution. What is Tor? Why use Tor?
Introduction 1 Overview of Tor What is Tor? Why use Tor? How Tor works Encryption, Circuit Building, Directory Server Drawback of Tor s directory server Potential solution Using DNS Security Extension
More informationWhen HTTPS Meets CDN
When HTTPS Meets CDN A Case of Authentication in Delegated Service Jinjin Liang 1, Jian Jiang 1, Haixin Duan 1, Kang Li 2, Tao Wan 3, Jianping Wu 1 1 Tsinghua University 2 University of Georgia 3 Huawei
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationCS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:
CS 470 Spring 2018 Mike Lam, Professor Distributed Web and File Systems Content taken from the following: "Distributed Systems: Principles and Paradigms" by Andrew S. Tanenbaum and Maarten Van Steen (Chapters
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationRe-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist
Re-engineering the DNS One Resolver at a Time Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist 1 In this presentation I ll talk about the DNS, and the root server infrastructure
More informationDomain Name System.
Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011 Overview Final project + presentation Some TCP and UDP experiments Domain Name System (DNS) Hierarchical name space Maps
More informationPublic-Key Infrastructure NETS E2008
Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key
More informationDANE Best Current Practice
DANE Best Current Practice draft-dukhovni-dane-ops-01 Viktor Dukhovni & Wes Hardaker IETF 87, Berlin July 2013 General DANE Guidelines (Type Independent) Large DNS payload issues Issues with large UDP
More informationOFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner
OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner 1 AGENDA Objectives Attacking Impact Mitigation Summary 2 AGENDA
More informationThe Evolving Architecture of the Web. Nick Sullivan
The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL Keyless SSL Privacy Pass Geo Key Manager Recently Standards work TLS 1.3 Competing Goals make browsing more
More informationDNS Fundamentals. Steve Conte ICANN60 October 2017
DNS Fundamentals Steve Conte ICANN60 October 2017 Names and Numbers IP addresses easy for machines but hard for people IPv4: 192.0.2.7 IPv6: 2001:db8::7 People need to use names In the early days of the
More informationDNS Mark Kosters Carlos Martínez ARIN - LACNIC
DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationDNS. Introduction To. everything you never wanted to know about IP directory services
Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007 what is the domain name system anyway? it's like a phone book...kinda DNS is (1)
More informationTable of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationAuthenticating People and Machines over Insecure Networks
Authenticating People and Machines over Insecure Networks EECE 571B Computer Security Konstantin Beznosov authenticating people objective Alice The Internet Bob Password= sesame Password= sesame! authenticate
More informationSome Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution
SYSADMIN DNSSEC Sergey Ilin, Fotolia Trusted name resolution with DNSSEC CHAIN OF TRUST Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.
More informationUMSSIA DAY VI: ARE WE THERE YET?
UMSSIA DAY VI: ARE WE THERE YET? CRYPTO PROTOCOLS Good crypto algorithms are hard to design but easy to find on the web. Building robust security protocols, even from secure algorithms, is also hard. Subtle
More informationDANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!
DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014! Outline! What is DANE?! The TLSA Record! TLSA Browser Plugin! Generating the TLSA Record! Other uses for DANE! 2!
More informationChapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads
Cryptography p y Chapter 8 Network Security Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security An Introduction
More informationNetwork Security Chapter 8
Network Security Chapter 8 Cryptography Symmetric-Key Algorithms Public-Key Algorithms Digital Signatures Management of Public Keys Communication Security Authentication Protocols Email Security Web Security
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationComputer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ
Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
More informationInternet security and privacy
Internet security and privacy SSL/TLS 1 Application layer App. TCP/UDP IP L2 L1 2 Application layer App. SSL/TLS TCP/UDP IP L2 L1 3 History of SSL/TLS Originally, SSL Secure Socket Layer, was developed
More informationOverview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly
Last Lecture Overview Scheduled tasks and log management This Lecture DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly Next Lecture Address assignment (DHCP) TELE 301 Lecture 11: DNS 1 TELE
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot September 2010 Bengt Sahlin 2011/09/27 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationThe Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla
The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Venugopalan Ramasubramanian Emin Gün Sirer Presented By: Kamalakar Kambhatla * Slides adapted from the paper -
More informationHow to get a trustworthy DNS Privacy enabling recursive resolver
How to get a trustworthy DNS an analysis of authentication mechanisms for DNS s Willem Toorop NLnet Labs (presenter) Melinda Shore Fastly Benno Overeinder NLnet Labs DNS over TLS What are the actors, and
More informationIntroduction to Network. Topics
Introduction to Network Security Chapter 7 Transport Layer Protocols 1 TCP Layer Topics Responsible for reliable end-to-end transfer of application data. TCP vulnerabilities UDP UDP vulnerabilities DNS
More informationPublic Key Infrastructures
Public Key Infrastructures Certcoin Cryptography and Computer Algebra Prof. Johannes Buchmann Dr. Johannes Braun Background Blockchain Distributed database, consisting of a list of blocks Decentralized
More informationDNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31
DNS and SMTP James Walden CIT 485: Advanced Cybersecurity James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31 Table of contents 1. DNS 2. DNS Protocol Packets 3. DNS Caching 4. DNS Cache Poisoning
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationScott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University
Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationHands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016
Hands-on DNSSEC with DNSViz Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016 Preparation Demo and exercises available at: http://dnsviz.net/demo/ Includes links to the following: VirtualBox
More informationNetwork Security. DNS (In)security. Radboud University, The Netherlands. Spring 2017
Network Security DNS (In)security Radboud University, The Netherlands Spring 2017 Security in Times of Surveillance No lecture on May 29 Use the opportunity and register for Security in Times of Surveillance
More informationQUANTUM SAFE PKI TRANSITIONS
QUANTUM SAFE PKI TRANSITIONS Quantum Valley Investments Headquarters We offer quantum readiness assessments to help you identify your organization s quantum risks, develop an upgrade path, and deliver
More informationCS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017
CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 Background Motivation Overview Network Infrastructure Security DNS and DNS Vulnerabilities The DNS Security Extensions
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationNetwork Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015
Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More information