dnssec with smartcardhsm
play

DNSSEC with SmartcardHSM Not as Easy as One Thinks Eberhard W Lisse - PowerPoint PPT Presentation

Aug 11, 2023 •627 likes •739 views

DNSSEC with SmartcardHSM Not as Easy as One Thinks Eberhard W Lisse Namibian Network Information Centre 2015-06-24 Lisse (NA-NiC) SmartcardHSM 2015-06-24 1 / 10 Introduction Why? So, what are we looking for? Easy off the shelf DNSSEC

  1. DNSSEC with SmartcardHSM Not as Easy as One Thinks Eberhard W Lisse Namibian Network Information Centre 2015-06-24 Lisse (NA-NiC) SmartcardHSM 2015-06-24 1 / 10

  2. Introduction Why? So, what are we looking for? Easy off the shelf DNSSEC is Easy! Secure Is it Secure? hardware based Secure DNSSEC is Expensive! Cheap Is it really? Solution for small (cc)TLDs individual domains Lisse (NA-NiC) SmartcardHSM 2015-06-24 2 / 10

  3. Workflow Registry System with BIND Database Bind style tables SW keys BIND dnssec-signzone HW Keys Registry System Sign files So fu HSM OpenDNSSEC HSM Proper SmartcardHSM Update serial Reload signed zone Lisse (NA-NiC) SmartcardHSM 2015-06-24 3 / 10

  4. Hardware Keys From the Esoteric to the Expensive HSM HW keys TPM SmartcardHSM Smardcards Athena ASE Lisse (NA-NiC) SmartcardHSM 2015-06-24 4 / 10

  5. Smartcard Many Brands SmartcardHSM Linux and OS X Key Signing Scripts Rick Lamb Flexible number of Crypto Officers generate backup cards Speed is not an issue 2 signings per second = 7200 per hour (reload) Lisse (NA-NiC) SmartcardHSM 2015-06-24 5 / 10

  6. dnssec-signzone BIND Needs a Patch Works quite well with a Software Key Security Issue Requires a Patch for SmartcardHSM Works well Rick Lamb Not in the repositories manual re-patching of source after each update does not scale ISC has looked at it Lisse (NA-NiC) SmartcardHSM 2015-06-24 6 / 10

  7. openDNSSEC Ubuntu 12.04 LTS and 14.04 LTS Special Repository Maintainer: Ondřej Surý OpenSC v0.14.0 (14.04 LTS) v0.15.0 (source) pcscd daemon to interface to the reader(s) Choice of Database MySQL SQLite3 Lisse (NA-NiC) SmartcardHSM 2015-06-24 7 / 10

  8. openDNSSEC SmartcardHSM Requirements Nontrivial Configuration for SmartcardHSM conf.xml < TokenLabel > SmartCard-HSM ( UserPIN ) < /TokenLabel > pkcs15-tool -D PKCS#15 Card [ SmartCard-HSM ] PIN [ UserPIN ] Significant Learning Curve short RRSIG < Validity > Interval Lisse (NA-NiC) SmartcardHSM 2015-06-24 8 / 10

  9. Conclusion Not Ready for Prime Time Yet There were no hardware issues Once inserted the cards were always visible if pcscd was working Significant software issues pcscd stopped working all the time different readers (different brands) different cards (same brand) cause not yet found developers not yet contacted openDNSSEC then failed to sign short RRSIG Validity caused resolution to fail heartbeat script resolved this to some extent not acceptable for production Lisse (NA-NiC) SmartcardHSM 2015-06-24 9 / 10

  10. Back to the Drawing Board PowerDNS to the Rescue? http://jpmens.net/2015/03/30/powerdns-with-a-smartcard-hsm-for- dnssec/ not yet studied Approach perhaps: Stealth Server on uncommon port only accessible from local host Notify Master on local host which does AXFER of signed zone A number of CoCCA users seem to use OpenDNSSEC Usually with SoftHSM CoCCA has support for PowerDNS built in Might just be what the doctor ordered... Lisse (NA-NiC) SmartcardHSM 2015-06-24 10 / 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez &amp; Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez &amp; Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez &amp; Eberhard W Lisse University of Costa Rica &amp; Namibian Network Information Centre 2015-02-09 Espinoza &amp; Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

202 views • 19 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker &lt;wes.hardaker@parsons.com&gt; Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
A Private and Decentralized Marketplace Kewde Anonymous upon till now.. Bachelors degree

A Private and Decentralized Marketplace Kewde Anonymous upon till now.. Bachelors degree

A Private and Decentralized Marketplace Kewde Anonymous upon till now.. Bachelors degree in business engineering (last year) 21 years old, but fascinated by computers at the age of 12 Interests Programming, security,

530 views • 29 slides
ocamlbuild , a tool for automatic compilation of OCaml projects Berke Durak Nicolas Pouillard

ocamlbuild , a tool for automatic compilation of OCaml projects Berke Durak Nicolas Pouillard

ocamlbuild , a tool for automatic compilation of OCaml projects ocamlbuild , a tool for automatic compilation of OCaml projects Berke Durak Nicolas Pouillard Berke.Durak@inria.fr Nicolas.Pouillard@inria.fr June 6, 2007 Berke Durak, Nicolas

1.73k views • 124 slides
New Mexico Public Schools: Budget &amp; Finance June 4, 2020 Dr. Gloria Rendon David Craig,

New Mexico Public Schools: Budget &amp; Finance June 4, 2020 Dr. Gloria Rendon David Craig,

New Mexico Public Schools: Budget &amp; Finance June 4, 2020 Dr. Gloria Rendon David Craig, PED Dr. Hugh Prather Panel of Experts: Terry Dean, NMASBO TJ Parks, Superintendent, Hobbs David Craig, PED Fiduciary Responsibility-what does that

734 views • 34 slides
Presentation to ITAC CHILDS Replacement Program (Guardian) State of Arizona Department of

Presentation to ITAC CHILDS Replacement Program (Guardian) State of Arizona Department of

Presentation to ITAC CHILDS Replacement Program (Guardian) State of Arizona Department of Child Safety April 26, 2017 Status Through: March 31, 2017 Contents Program Status Program Integrated Milestone Schedule IV&amp;V Actions Status

483 views • 19 slides
INFORMATION SECURITY AT COCC COCC created and filled the Information Security position within

INFORMATION SECURITY AT COCC COCC created and filled the Information Security position within

Subject Cybersecurity Strategic Plan Connection Institutional Efficiency: Goal Statement: Strengthen systems, policies and procedures to create more proactive, responsive and effective internal processes. Goal Intention: While the College has

178 views • 3 slides
The NASA Aeronautics Blueprint - Toward a Bold New Era of Aviation 1 Table of Contents 2.4 The

The NASA Aeronautics Blueprint - Toward a Bold New Era of Aviation 1 Table of Contents 2.4 The

The NASA Aeronautics Blueprint - Toward a Bold New Era of Aviation 1 Table of Contents 2.4 The Airspace System i. The NASA Aeronautics Blueprint Towards a Bold new Era of Aviation 2.4.1 Weather 2.4.2 Traffic Optimization ii. Table of

426 views • 39 slides
A NEW VILLAIN: INVESTIGATING STEGANOGRAPHY IN SOURCE ENGINE BASED VIDEO GAMES Table of Contents

A NEW VILLAIN: INVESTIGATING STEGANOGRAPHY IN SOURCE ENGINE BASED VIDEO GAMES Table of Contents

May 2 nd ,2012 Christopher Hale Dr. Cihan Varol Graduate Advisor A NEW VILLAIN: INVESTIGATING STEGANOGRAPHY IN SOURCE ENGINE BASED VIDEO GAMES Table of Contents History behind platform Impact of platform Creating game levels with

486 views • 35 slides
Matryoshka: Hiding Secret Communicatjon in Plain Sight Iris Safaka , Christjna Fragouli, Katerina

Matryoshka: Hiding Secret Communicatjon in Plain Sight Iris Safaka , Christjna Fragouli, Katerina

Matryoshka: Hiding Secret Communicatjon in Plain Sight Iris Safaka , Christjna Fragouli, Katerina Argyraki Free communicatjon systems Give away some privacy 2 Wanna play tennis today? Free communicatjon systems Give away some

252 views • 22 slides

More recommend