How to get a trustworthy DNS Privacy enabling recursive resolver


How to get a trustworthy DNS
an analysis of authentication mechanisms for DNS s

Willem Toorop, NLnet Labs (presenter)
Melinda Shore, Fastly
Benno Overeinder, NLnet Labs

DNS over TLS
What are the actors, and what are their relationships?

Current Spec (RFC7858) focuses on securing stub to recursive traffic.

(Diagram labels: local network, DHCP, wifi)

* TLS from the system stub client to a privacy enabling can withstand the power and capabilities of a passive pervasive monitor (i.e. an eavesdropper)
* The user entrusts her queries with the
* How did the stub resolver learn the? (traditionally via DHCP)

DNS over TLS
What are the actors, and what are their relationships?

Current Spec (RFC7858) focuses on securing stub to recursive traffic.

(Diagram labels: dnsovertls.sinodun.com, Gateway)

* User trusts the channel (Verbally? Website?) over which the connection end-point (IP-address? Name?) was communicated (what is most reliable to get right, name or IP?)
* How to get the IP-address for a name securely, and privately (what is acceptable to leak?)
* Trust the root trust-anchor + provisioning channel + TLD of the name?

Authentication

TLS from stub to resolver can withstand the power and capabilities of an eavesdropper; it does not withstand an attacker that plugs itself into the path.

(Diagram labels: local network (wifi), Gateway, malicious Gateway/ resolver)

* Trust in the network can be replaced with authentication
* In RFC7858 and draft-ietf-dprive-dtls-and-tls-profiles authenticated TLS is called Strict
* Opportunistic is the "best you can get" modus operandi

Analysis of authentication mechanisms

Analyzed mechanisms (from draft-ietf-dprive-dtls-and-tls-profiles):

* SubjectPublicKeyInfo pinning (SPKI)
* Traditional Public Key Infrastructure for X.509 Certificates
  * Statically configured Authentication Domain Name and IP address (PKIX ADN + IP)
  * Statically configured Authentication Domain Name + dynamically obtained IP (PKIX ADN only)
* DNS Based Authentication of Named Entities (DANE)
* TLS Authentication Chain Extension

There are key trade-offs between:

* Usability & provision flexibility (important for adoption and correct usage)
* meta queries leaking information in these mechanisms
* Requirements on additional dependencies (fewer deps, less can break; i.e. Robustness)
  * Availability of unhampered and capable stub resolver
  * Third parties (Trust anchor/CA store) that do the authentication

Analysis of authentication mechanisms

(Table: columns 1 2 3 4 5; rows SPKI, PKIX ADN + IP, PKIX ADN only, DANE, Chain Extension)

We did an analysis on the basis of these considerations:

1) Ease of configuration: Least possible config to identify the trusted
2) Key management: Can it handle updated, rolled or withdrawn keys
3) Information leakage: Leaks info about the trusted, via DNS or SNI
4) dependency: Needs availability and capability for bootstrapping
5) Trust requirements: Dependencies and maintainability on Trust Anchor and/or CA store

SubjectPublicKeyInfo (SPKI) pinning

? IP address
? hash of Public Key

IP address: 2001:610:1:40ba:145:100:185:15
SPKI pinset: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

(Diagram label: SPKI pinset updates)

+ direct and simple
+ nothing is leaked
+ no additional network activity
- IP-address and pinset are easy to get wrong
- Lacks provisioning
- Lacks compromised and updated keys signaling

Tip! Backup pinsets
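The pin check behind SPKI pinning, including the backup pinset from the tip above, as an added Python example (not code from the presentation or from any stub resolver). It assumes SHA-256 as the pin digest (the 44-character Base64 pinset value above decodes to 32 bytes); the certificates are constructed DER skeletons and all key and function names are hypothetical.

```python
import base64, hashlib, hmac

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)           # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(5):                       # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]

def spki_pin(der_cert):
    """Base64(SHA-256(SPKI)); SHA-256 is an assumption, see the lead-in."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(der_cert)).digest()).decode()

def pin_matches(der_cert, pinset):
    pin = spki_pin(der_cert)
    return any(hmac.compare_digest(pin, p) for p in pinset)

# Constructed sample data: DER skeletons with placeholder fields, not real certificates.
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_cert(key, serial):
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, b"") * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

CURRENT_KEY, BACKUP_KEY, UNKNOWN_KEY = b"A" * 200, b"B" * 200, b"C" * 200
PINSET = [spki_pin(sample_cert(CURRENT_KEY, 1)), spki_pin(sample_cert(BACKUP_KEY, 1))]
# Re-issued certificate (serial 2) per key: current and backup pass, unpinned key fails.
print([pin_matches(sample_cert(k, 2), PINSET) for k in (CURRENT_KEY, BACKUP_KEY, UNKNOWN_KEY)])
```

Because the pin covers only the SubjectPublicKeyInfo, a re-issued certificate for the same key still matches, while a roll to a key outside the pinset fails with no in-band way to learn the new pin.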

Traditional Public Key Infrastructure for X.509 Certificates (PKIX)

? name
? IP address - static, DHCP or DNS

name: dns.cmrg.net
IP?

(Diagram labels: SNI: dns.cmrg.net, OCSP etc.)

+ traditional, well-known, OS managed
+ keys can be rolled
- All CAs in the store can vouch for any name
- no signaling of unknown CA (reason for opportunistic encryption with SMTPS)
- network access + DNS is already needed for OCSP etc.

PKIX - statically configured IP address

? name
? static IP address

name: dnsovertls.sinodun.com
ip: 2001:610:1:40ba:145:100:185:15

(Diagram labels: SNI: dns.cmrg.net, OCSP etc.)

- IP easy to get wrong
- no IP change signalling

PKIX
Both name and IP address came from DHCP

name: dns.cmrg.net
ip: 199.58.81.218

(Diagram labels: SNI: dns.cmrg.net, DHCP, OCSP etc.)

+ Dynamically configured Authentication Domain Name
- Needs secure DHCP (does not exist) + extension to convey the ADN
- Shifts problem to bootstrapping secure DHCP (how is that statically configured?)

PKIX - statically configured name, IP address from DNS

Lookup the privacy resolver with DNS:
_domain-s._tcp.dns.cmrg.net SRV

name: dns.cmrg.net

(Diagram labels: 199.58.81.218, unhampered, SNI: dns.cmrg.net, OCSP etc.)

draft-ietf-dprive-dtls-and-tls-profiles requires for lookup

+ IP change provisioning
- Needs unhampered
- capable stub resolver needed
- Additional trust in trust anchor
+ In protocol trust anchor rollover (RFC5011)

DNS Based Authentication of Named Entities (DANE)

Lookup the privacy resolver with DNS:
_domain-s._tcp.dns.cmrg.net SRV
_853._tcp.dns.cmrg.net TLSA

name: dns.cmrg.net

(Diagram labels: TLSA, 199.58.81.218, unhampered, SNI: dns.cmrg.net)

+ IP change provisioning
+ No more dependency on CA infrastructure
- Needs unhampered
- capable stub resolver needed
- Additional trust in trust anchor
+ In protocol trust anchor rollover (RFC5011)

Not considering the option with provided IP, because that has no additional benefits.

TLS Authentication Chain Extension
draft-ietf-tlsdnssec-chain-extension

name: dnsovertls.sinodun.com
ip: 2001:610:1:40ba:145:100:185:15

(Diagram labels: TLSA, SNI: dns.cmrg.net)

+ Smallest setup latency (same as SPKI)
- No IP change provisioning
+ No more dependency on CA infrastructure
+ No need for unhampered
- capable stub resolver needed
- Additional trust in trust anchor
+ In protocol trust anchor rollover (RFC5011)

Not considering the option with resolved IP, because that has no additional benefits compared to the pure DANE option.

Comparison of the different considerations per mechanism

Ease of configuration
  SPKI --   PKIX ADN + IP -   PKIX ADN only ++   DANE ++   Chain extension -
  ++) PKIX ADN only, DANE: need only the name
  -)  PKIX ADN + IP, Chain ext.: need name + IP (IPv6 addresses are hard to communicate)
  --) SPKI: needs IP + pinset (Base64 pinset is impossible to communicate)

Key management
  SPKI --   PKIX ADN + IP -   PKIX ADN only -   DANE +   Chain extension +
  +)  DANE, Chain extension: has single trust anchor, in protocol key management (RFC5011); bootstrap problem when off for long period?
  -)  PKIX ADNs: Traditional, well known, managed by OS, but weakest link problem, lack of unknown CA signaling
  --) SPKI: Complete manual provisioning with long Base64 string

Information leakage
  SPKI ++   PKIX ADN + IP -   PKIX ADN only --   DANE --   Chain extension +
  ++) SPKI: No non-TLS communications, no SNI
  +)  Chain extension: No non-TLS communications, leaks name by SNI
  -)  PKIX ADN + IP: No non-TLS communications, leaks name by SNI, leaks CRL checking
  --) PKIX ADN only, DANE: DNS communication before TLS setup, leaks SNI; PKIX also leaks CRL

dependency
  SPKI ++   PKIX ADN + IP ++   PKIX ADN only --   DANE --   Chain extension +
  ++) SPKI, PKIX ADN + IP: No dependency
  +)  Chain extension: Not affected by hampering middle boxes; Requires capable stub resolver
  --) PKIX ADN only, DANE: Requires unhampered availability; Requires capable stub resolver

Trust requirements
  SPKI ++   PKIX ADN + IP -   PKIX ADN only --   DANE +   Chain extension +
  ++) SPKI: trust the outbound communication channel connection endpoint details
  +)  DANE, Chain extension: Additional trust on trust anchor + TLD
  -)  PKIX ADN + IP: Additional trust on all CAs in the trust store
  --) PKIX ADN only: Additional trust on trust anchor + TLD; Additional trust on all CAs in the trust store

Comparison of the different considerations per mechanism (final slide)

Mechanism        Ease of configuration  Key management  Information leakage  dependency  Trust requirements
SPKI             --                     --              ++                   ++          ++
PKIX ADN + IP    -                      -               -                    ++          --
PKIX ADN only    ++                     -               --                   --          --
DANE             ++                     +               --                   --          -
Chain extension  -                      +               +                    +           +

How would you weigh the considerations?