high speed cryptography dnssec and dnscurve d j bernstein
play

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein - PDF document

Jan 24, 2024 •307 likes •924 views

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

  1. High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR–0716498

  2. Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes an SMTP connection, sends the From/To lines, sends the mail message. Attackers can easily see all of these packets and change the packets.

  3. Forging web pages: easy! Starting from a URL: Your browser sends a DNS request, receives a server address, makes an HTTP connection, sends an HTTP request, receives a web page. Attackers can easily see all of these packets and change the packets.

  4. Solved by cryptography? In theory: Cryptography stops these attacks.

  5. Solved by cryptography? In theory: Cryptography stops these attacks. In practice: Am I using cryptography? Are you using cryptography?

  6. Solved by cryptography? In theory: Cryptography stops these attacks. In practice: Am I using cryptography? Are you using cryptography? Occasionally yes; usually no.

  7. Solved by cryptography? In theory: Cryptography stops these attacks. In practice: Am I using cryptography? Are you using cryptography? Occasionally yes; usually no. Problem 1: Most Internet protocols do not support cryptography. Why not? Obvious answer: Hard for protocol designers to integrate cryptography.

  8. Some popular Internet protocols do have cryptographic options. Important example: HTTPS.

  9. Some popular Internet protocols do have cryptographic options. Important example: HTTPS. Problem 2: Most implementations of these protocols do not support cryptography. Why not? Obvious answer: Hard for software authors to integrate cryptography. Much easier to implement the non-cryptographic option.

  10. Some popular implementations do support cryptography. Example: Apache.

  11. Some popular implementations do support cryptography. Example: Apache. Problem 3: Most installations of these implementations do not support cryptography. � 99% of the Apache servers on the Internet do not enable SSL. Why not? Obvious answer: Hard for site administrators to turn on the cryptography.

  12. Some important installations do support cryptography. Example: SourceForge has paid for an SSL certificate and set up SSL servers. Try https:// sourceforge.net/account .

  13. Some important installations do support cryptography. Example: SourceForge has paid for an SSL certificate and set up SSL servers. Try https:// sourceforge.net/account . Problem 4: Cryptography is not enabled for most data at these installations. Example: Try https:// sourceforge.net/community . SourceForge redirects your browser to http:// sourceforge.net/community .

  14. Why does SourceForge actively turn off cryptographic protection?

  15. Why does SourceForge actively turn off cryptographic protection? Obvious answer: Enabling SSL for more than a small fraction of SourceForge connections would massively overload the SourceForge servers. SourceForge doesn’t want to pay for a bunch of extra computers. Many companies sell SSL-acceleration hardware, but that costs money too.

  16. Making progress Obvious speed questions: Why are cryptographic computations so expensive? Can crypto be faster, without being easy to break? Can crypto be fast enough to solidly protect all of SourceForge’s communications? Can crypto be fast enough to protect every Internet packet?

  17. And questions beyond speed: Can universal crypto be easy to use and administer? Can universal crypto be easy to implement in software? Can universal crypto be easy to add to protocols? Can universal crypto be usable ?

  18. U.S. government, last century: “Encryption is dangerous! It can be used by terrorists, drug dealers, pedophiles, and money launderers!”

  19. U.S. government, last century: “Encryption is dangerous! It can be used by terrorists, drug dealers, pedophiles, and money launderers!” I say: Criminals have been using encryption for a long time. Low speed? Hard to use? They use it anyway. We cannot stop them.

  20. U.S. government, last century: “Encryption is dangerous! It can be used by terrorists, drug dealers, pedophiles, and money launderers!” I say: Criminals have been using encryption for a long time. Low speed? Hard to use? They use it anyway. We cannot stop them. What we can do is improve the speed and usability of cryptography for normal people.

  21. My current mission: Cryptographically protect every Internet packet against espionage, corruption, and sabotage. Confidentiality despite espionage: Spies cannot understand packets. Integrity despite corruption: Forged packets are detected. User does not see wrong data. Availability despite sabotage: User does see correct data.

  22. Securing DNS DNSCurve cryptographically protects DNS packets against espionage, corruption, and sabotage. DNSCurve is only for DNS, but same ideas can be adapted to many other protocols. Warning: DNSCurve does not hide packet length, sender, etc. But it does provide confidentiality for contents of packets, plus strong integrity, availability.

  23. Packet from DNSCurve client to DNSCurve server: � Here’s my public key. � Here’s an encrypted DNS query. Client encrypts, authenticates using client’s secret key, server’s public key. Server verifies, decrypts using server’s secret key, client’s public key.

  24. Packet from DNSCurve server to DNSCurve client: � Here’s an encrypted response. Server encrypts, authenticates using server’s secret key, client’s public key. Client verifies, decrypts using client’s secret key, server’s public key.

  25. Every packet is authenticated. Client verifies every packet immediately upon receipt. If packet fails verification, client discards packet and waits for correct packet. Attacker can stop correct packet by flooding the network, but this consumes many more attacker resources than sending a few forged packets. ) Many fewer victims.

  26. How does DNSCurve client retrieve server’s public key? Does it send more packets? No! DNS architecture: DNS client learns IP address of .ubuntu.com DNS server from .com DNS server. The .com server says: “The ubuntu.com DNS server is named ns3 and has IP address 209.6.3.210.”

  27. The name ns3 was selected by the ubuntu.com administrator and given to .com . To announce his DNSCurve server’s public key, the ubuntu.com administrator changes the name ns3 to an encoding of the public key. The DNSCurve client sees the public key, begins cryptographically protecting communication with that server.

  28. An older approach 1993.11 Galvin: “The DNS Security design team of the DNS working group met for one morning at the Houston IETF.” 1994.02 Eastlake–Kaufman, after months of discussions on dns-security mailing list: “DNSSEC” protocol specification. Continued DNSSEC efforts have received millions of dollars of government grants: e.g., DISA to BIND; NSF to UCLA; DHS to Secure64.

  29. The Internet has nearly 80000000 *.com names.

  30. The Internet has nearly 80000000 *.com names. Surveys by DNSSEC developers, last updated 2009.08.04, have found 274 *.com names with DNSSEC signatures. > 116. 116 on 2008.08.20; 274 “Wow, exponential growth!”

  31. The Internet has nearly 80000000 *.com names. Surveys by DNSSEC developers, last updated 2009.08.04, have found 274 *.com names with DNSSEC signatures. > 116. 116 on 2008.08.20; 274 “Wow, exponential growth!” The same surveys show 941 IP addresses worldwide running DNSSEC servers.

  32. DNSSEC’s design is driven by fear of cryptographic overload. Basic assumption: Busy servers cannot afford per-query crypto. Consequences: DNSSEC has no encryption. DNSSEC has no DoS protection. DNSSEC precomputes signatures. Signature is computed once; saved; sent to many clients. Hopefully the server can afford to sign each DNS record once.

  33. DNSSEC signatures do not depend on fresh client data. Consequences: To limit replay attacks, DNSSEC has to put expiration times on signatures. Normally 30 days; short intervals cause problems. Attackers can still replay data for 30 days; replay across clients; etc. DNSCurve: every response is freshly encrypted, authenticated.

  34. To avoid punishing sysadmin, DNSSEC requires new code in every DNS-management tool. Whenever a tool adds or changes a DNS record, it also has to precompute DNSSEC signature; store DNSSEC signature; arrange for re-signature before expiration. Any mistakes destroy your domain (“DNSSEC suicide”). 2009: This happened to all ISC DLV DNSSEC users. UCLA admin: “The solution in all cases was to disable DNSSEC validation.”

  35. 2009.06.02: “Today we reached a significant milestone in our effort to bolster online : : : [.ORG is] the first security open generic Top-Level Domain to successfully sign our zone with Domain Name Security Extensions (DNSSEC). To date, the .ORG zone is the largest domain registry to implement this needed security : : : measure. This process adds new records to the zone, which allows verification of the origin authenticity and integrity of data.”

  36. Verification! Authenticity! Integrity! Sounds great!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes an SMTP connection, sends

617 views • 40 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische

Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische

Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Disclaimer: I havent released DNSCurve software yet. But you can try prototypes: @mdempsky s DNSCurve cache, @hhavt s

890 views • 40 slides
High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Picture credits: geeky-gadgets.com ; Star Trek The Internet of Things Andrew Myers, Stanford Report, 2011.02.11:

543 views • 36 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology,

288 views • 17 slides
High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

1 High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven with some slides from: Tanja Lange Technische Universiteit Eindhoven 2 Do we care about speed? Almost all software is

1.36k views • 44 slides
High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363 more elliptic-curve formulas; uses Weierstrass curves field arithmetic in Jacobian coordinates Daniel J. Bernstein to provide the fastest

2.15k views • 187 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago & Example 1

1.55k views • 138 slides
Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: I have a problem

Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: I have a problem

1 2 Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: I have a problem where I need to make some University of Illinois at Chicago; cryptography faster, and Im Ruhr University Bochum setting up a $1000

573 views • 55 slides
New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J. Bernstein University of Illinois at Chicago wget -m -k -I / \ secspider.cs.ucla.edu cd secspider.cs.ucla.edu awk /GREEN.*GREEN.*GREEN.*Yes/

1.48k views • 94 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
DNSCurve D. J. Bernstein University of Illinois at Chicago The Domain Name System uma.es

DNSCurve D. J. Bernstein University of Illinois at Chicago The Domain Name System uma.es

DNSCurve D. J. Bernstein University of Illinois at Chicago The Domain Name System uma.es wants to see http://www.iitk.ac.in . Browser at uma.es The web server www.iitk.ac.in has IP address

1.12k views • 80 slides
Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise:

Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise:

Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise: How big is the dig +dnssec -t any se response packet? @a.ns.se How big was the query packet? Some general questions Why doesnt the Internet

1.43k views • 86 slides
Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Recall the Racket PostFix Interpreter Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args) ) PostFix and S-expressions (define (postfix-exec-commands cmds init-stk) ) (define

306 views • 6 slides
CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's learning goals Sipser Sec 3.2 Prove Turing-recognizability using Turing machines Enumerators State and use the Church-Turing thesis.

512 views • 16 slides
The Differential Equation for a Vibrating String Bernd Schr oder logo1 Bernd Schr oder

The Differential Equation for a Vibrating String Bernd Schr oder logo1 Bernd Schr oder

Model Forces The Equation The Differential Equation for a Vibrating String Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science The Differential Equation for a Vibrating String Model

697 views • 53 slides
#5: Data Representation SAMS PROGRAMMING C Review from Last Week Combine blocks of code to

#5: Data Representation SAMS PROGRAMMING C Review from Last Week Combine blocks of code to

#5: Data Representation SAMS PROGRAMMING C Review from Last Week Combine blocks of code to create complex programs Use the problem-solving process to develop solutions to new problems Use testing and debugging to verify that our programs work

1.59k views • 32 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA

Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA

Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA Foundations & Practice of Security Clermont-Ferrand, France - October 27th, 2015 The Cloud David Pointcheval Introduction 2 / 30 Access from

761 views • 41 slides
Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov Outsourced Applications Today Server data data Encrypt the data! Encrypt the Data App functionality no App functionality no longer works :( longer

1.42k views • 58 slides
Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint work with Pratish Datta and Ratna Dutta Department of Mathematics Indian Institute of Technology Kharagpur Kharagpur-721302 India PKC 2016

340 views • 23 slides

More recommend