Is DANE the Future of Secure Mail? Evaluation of DNS-based - - PowerPoint PPT Presentation
Chair for Network Architectures and Services Technische Universit at M unchen Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler April 7,
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler
April 7, 2016 Chair for Network Architectures and Services Department of Informatics Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 1
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Motivation for Enhancing Email Transport Security Background on Security Goals & Email Lifecycle Analysis of Methods for Email Security Improving Email Transport Security with DANE Evaluation of DANE Conclusion
Stefan Fochler – Is DANE the Future of Secure Mail? 2
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 3
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Motivation for Enhancing Email Transport Security
◮ Email is used for a lot of sensitive information ◮ Email Transport over SMTP uses optimistic encryption
◮ Can be intervened easily during handshake
◮ Large portions of email get transported unencrypted ◮ What mechanisms can be introduced to secure Email
transport?
Stefan Fochler – Is DANE the Future of Secure Mail? 4
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 5
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Security Goals Confidentiality
◮ Protect data from being visible to unauthorized parties ◮ Assumes passive attacker model ◮ Differenciate between contents and meta-data
Stefan Fochler – Is DANE the Future of Secure Mail? 6
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Security Goals Confidentiality
◮ Protect data from being visible to unauthorized parties ◮ Assumes passive attacker model ◮ Differenciate between contents and meta-data
Integrity & Authenticity
◮ Data read by receiver equal to data sent? ◮ Modifications to message have to be detected or prevented ◮ Usage of digital signature schemes can provide both
integrity and authenticity
Stefan Fochler – Is DANE the Future of Secure Mail? 6
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Security Goals Availability
◮ Mail infrastructure is critical ◮ Profitable target to Denial-of-Service attacks ◮ Unsolicited Commercial Email poses challenges to
availability
◮ (Typically) only little application-layer protection
Stefan Fochler – Is DANE the Future of Secure Mail? 7
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA Origin MSA/MTA Destination MRA/MDA
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA Origin MSA/MTA Destination MRA/MDA
creation
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA Origin MSA/MTA Destination MRA/MDA
submission
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA Origin MSA/MTA Destination MRA/MDA
submission processing & storage
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA Origin MSA/MTA Destination MRA/MDA
submission transfer
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA Origin MSA/MTA Destination MRA/MDA
submission processing & storage
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecycle Internet Origin MUA Destination MUA Origin MSA/MTA Destination MRA/MDA
submission retrieval
Stefan Fochler – Is DANE the Future of Secure Mail? 8
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 9
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Security Measures End-to-End Encryption
◮ Secure/Multipurpose Internet Mail Extensions (RFC 5751)
◮ Signatures and encryption based on certificates
◮ OpenPGP (RFC 4880)
◮ Cross-signed keys instead of certificate authorities Stefan Fochler – Is DANE the Future of Secure Mail? 10
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Security Measures End-to-End Encryption
◮ Secure/Multipurpose Internet Mail Extensions (RFC 5751)
◮ Signatures and encryption based on certificates
◮ OpenPGP (RFC 4880)
◮ Cross-signed keys instead of certificate authorities
Mail Origin Safeguarding
◮ Sender Policy Framework (SPF) & DMARC (RFC 7208 &
7489)
◮ Whitelist hosts for sending mail ◮ Request reports for unsolicited email
◮ DomainKeys Identified Mail (DKIM) (RFC 6376)
◮ Email signatures ◮ Domain’s public key in DNS Stefan Fochler – Is DANE the Future of Secure Mail? 10
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Active Attacks on Email Transport Security STARTTLS Stripping
◮ SMTP negotiates encryption using the STARTTLS
command (optimistic encryption)
◮ ISPs or network security hardware remove or invalidate
this command
◮ No integrity protection availabile to detect this attack ◮ [6] found up to 96,13 % stripping in Tunesia in 2015
Stefan Fochler – Is DANE the Future of Secure Mail? 11
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Active Attacks on Email Transport Security STARTTLS Stripping
◮ SMTP negotiates encryption using the STARTTLS
command (optimistic encryption)
◮ ISPs or network security hardware remove or invalidate
this command
◮ No integrity protection availabile to detect this attack ◮ [6] found up to 96,13 % stripping in Tunesia in 2015
DNS Hijacking
◮ Public DNS servers or integrated DNS servers ◮ Deliver fraudulent IP addresses for MX records ◮ Third-party mail servers can man-in-the-middle the
intended connection
◮ 2 % of public DNS servers affected [6]
Stefan Fochler – Is DANE the Future of Secure Mail? 11
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 12
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Idea DNS-based Authentication of Named Entities (DANE) [5]
◮ Mechanism to make TLS connections more secure ◮ Use DNS to express Certificate Assertions using entries of
type TSLA
◮ Use DNSSEC for security and specific behaviour to avoid
downgrading
Stefan Fochler – Is DANE the Future of Secure Mail? 13
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
DNS Setup Requirements (1) [2]
and transport mechanism on one host
Stefan Fochler – Is DANE the Future of Secure Mail? 14
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
DNS Setup Requirements (1) [2]
and transport mechanism on one host Solutions (1)
Assertions: Prefix with port and transport
◮
◮
Stefan Fochler – Is DANE the Future of Secure Mail? 14
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Certificate Assertions Requirements (2) [2]
authority for this domain
certificate for this domain
that does not come from a well-known CA1
1Note the security implications of this [2, p. 8]
Stefan Fochler – Is DANE the Future of Secure Mail? 15
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Certificate Assertions Requirements (2) [2]
authority for this domain
certificate for this domain
that does not come from a well-known CA1 Solutions (2)
validation)
1Note the security implications of this [2, p. 8]
Stefan Fochler – Is DANE the Future of Secure Mail? 15
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
DNSSEC Requirements (3) [2]
Stefan Fochler – Is DANE the Future of Secure Mail? 16
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
DNSSEC Requirements (3) [2]
Solutions (3)
use of DNSSEC where required
use DNSSEC to validate DNS hierarchy
Stefan Fochler – Is DANE the Future of Secure Mail? 16
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Summary: Modes of Operation
2Actually is required to gain security advantage, but does not introduce risk otherwise [2, p. 5-6]
Stefan Fochler – Is DANE the Future of Secure Mail? 17
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Summary: Modes of Operation
Assert by stating complete certificate, SHA-256 or SHA-512 in DNS record.
2Actually is required to gain security advantage, but does not introduce risk otherwise [2, p. 5-6]
Stefan Fochler – Is DANE the Future of Secure Mail? 17
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Summary: Modes of Operation
Assert by stating complete certificate, SHA-256 or SHA-512 in DNS record. Valid Certificate Requires DNSSEC
✓ ✗2
✓ ✗2
2Actually is required to gain security advantage, but does not introduce risk otherwise [2, p. 5-6]
Stefan Fochler – Is DANE the Future of Secure Mail? 17
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Summary: Modes of Operation
Assert by stating complete certificate, SHA-256 or SHA-512 in DNS record. Valid Certificate Requires DNSSEC
✓ ✗2
✓ ✗2
✗ ✓
✗ ✓
2Actually is required to gain security advantage, but does not introduce risk otherwise [2, p. 5-6]
Stefan Fochler – Is DANE the Future of Secure Mail? 17
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 18
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Fulfillment of Security Goals Confidentiality
◮ No protection of privacy against mail operators
◮ Needs end-to-end encryption
◮ Greatly improved confidentiality for inter-MTA transport iff
both sides support DANE
◮ DNSSEC-validated TSLA records indicate servers with TLS
support, enforcement use of secure connection [4, p. 13]
Stefan Fochler – Is DANE the Future of Secure Mail? 19
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Fulfillment of Security Goals Confidentiality
◮ No protection of privacy against mail operators
◮ Needs end-to-end encryption
◮ Greatly improved confidentiality for inter-MTA transport iff
both sides support DANE
◮ DNSSEC-validated TSLA records indicate servers with TLS
support, enforcement use of secure connection [4, p. 13]
Integrity & Authenticity
◮ No protection against malicious mail operators
◮ Needs end-to-end encryption with cryptographic signatures
◮ Greatly improved integrity protection for inter-MTA
transport iff both sides support DANE
◮ No improvements in authenticity
◮ Malicious sources can still connect to MTAs correctly Stefan Fochler – Is DANE the Future of Secure Mail? 19
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Fulfillment of Security Goals Availability
◮ Use of TLS increases server workload ◮ No protection against unsolicited commercial email ◮ Availability not considered by DANE specification
Stefan Fochler – Is DANE the Future of Secure Mail? 20
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Fulfillment of Security Goals Availability
◮ Use of TLS increases server workload ◮ No protection against unsolicited commercial email ◮ Availability not considered by DANE specification
Newly Introduced Security Risks
◮ Avoided by careful consideration ◮ Requirement of DNSSEC for critical modes of operation
Stefan Fochler – Is DANE the Future of Secure Mail? 20
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Ease of Deployment DNSSEC
◮ Fundamental requirement for effective use of DANE ◮ Requires zone with deployment ◮ 1108 of 1269 (87,31 %) domains in root zone are signed [1]
Stefan Fochler – Is DANE the Future of Secure Mail? 21
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Ease of Deployment DNSSEC
◮ Fundamental requirement for effective use of DANE ◮ Requires zone with deployment ◮ 1108 of 1269 (87,31 %) domains in root zone are signed [1]
DANE
◮ Requires changes to DNS zone ◮ Needs to follow certificate renewals, otherwise service can
be rendered unusable
Stefan Fochler – Is DANE the Future of Secure Mail? 21
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 22
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Conclusion
◮ DANE brings great security improvement for TLS
connections
Stefan Fochler – Is DANE the Future of Secure Mail? 23
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Conclusion
◮ DANE brings great security improvement for TLS
connections
◮ MTA-to-MTA SMTP connections benefit from improved
TLS reliability in terms of integrity and confidentiality
Stefan Fochler – Is DANE the Future of Secure Mail? 23
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Conclusion
◮ DANE brings great security improvement for TLS
connections
◮ MTA-to-MTA SMTP connections benefit from improved
TLS reliability in terms of integrity and confidentiality
◮ Rollout of new technology in mail sector is long-winded,
need strong commercial supporters
Stefan Fochler – Is DANE the Future of Secure Mail? 23
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 24
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 24
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Stefan Fochler – Is DANE the Future of Secure Mail? 24
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Bibliography I
[1] ICANN TLD DNSSEC Report. http://stats.research.icann.org/dns/tld_report/. Accessed: 2016-04-01. [2] R. Barnes. Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE). RFC 6394 (Informational), Oct. 2011. [3] D. Crocker, T. Hansen, and M. Kucherawy. DomainKeys Identified Mail (DKIM)
[4] V. Dukhovni and W. Hardaker. SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS). RFC 7672 (Proposed Standard), Oct. 2015. [5] V. Dukhovni and W. Hardaker. The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance. RFC 7671 (Proposed Standard), Oct. 2015. [6] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski,
mitm...: An empirical analysis of email delivery security. In Proceedings of the 2015 ACM Conference on Internet Measurement Conference, IMC ’15, pages 27–39, New York, NY, USA, 2015. ACM.
Stefan Fochler – Is DANE the Future of Secure Mail? 25
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Bibliography II
[7] S. Kitterman. Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. RFC 7208 (Proposed Standard), Apr. 2014. Updated by RFC 7372. [8] M. Kucherawy and E. Zwicky. Domain-based Message Authentication, Reporting, and Conformance (DMARC). RFC 7489 (Informational), Mar. 2015. [9] B. Ramsdell and S. Turner. Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification. RFC 5751 (Proposed Standard),
[10] D. Shaw. The Camellia Cipher in OpenPGP. RFC 5581 (Informational), June 2009. [11] A. Whitten and J. D. Tygar. Why johnny can’t encrypt: A usability evaluation of pgp 5.0. In G. W. Treese, editor, USENIX Security. USENIX Association, 1999.
Stefan Fochler – Is DANE the Future of Secure Mail? 26
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecyle Creation & Submission
◮ Mail User Agent (MUA) create email on local client ◮ Submits email to his Mail Submission Agent (MSA) using
SMTP
◮ Durable connection: Secure settings can be configured in
advance
Stefan Fochler – Is DANE the Future of Secure Mail? 27
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecyle Creation & Submission
◮ Mail User Agent (MUA) create email on local client ◮ Submits email to his Mail Submission Agent (MSA) using
SMTP
◮ Durable connection: Secure settings can be configured in
advance Transfer
◮ Mail Transfer Agent (MTA) connects to Mail Retrieval Agent
(MRA) on different host
◮ Transient connection: Security has to be negotiated first ◮ Focus point for email transport security
Stefan Fochler – Is DANE the Future of Secure Mail? 27
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecyle Storage
◮ Recipient field of emails have to be in clear for processing ◮ Contents can be protected by end-to-end encryption ◮ In general: storage & backups of emails in plaintext
Stefan Fochler – Is DANE the Future of Secure Mail? 28
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Email Lifecyle Storage
◮ Recipient field of emails have to be in clear for processing ◮ Contents can be protected by end-to-end encryption ◮ In general: storage & backups of emails in plaintext
Retrieval
◮ Destination MRA uses Mail Delivery Agent (MDA) to
distribute incomming mail
◮ Multiple methods for mail retrieval:
◮ Post Office Protocol (POP) ◮ Internet Message Access Protcol (IMAP) ◮ Web Interface ◮ CLI mail clients over SSH Stefan Fochler – Is DANE the Future of Secure Mail? 28
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
End-to-End Encryption S/MIME (RFC 5751 [9])
◮ Secure/Multipurpose Internet Mail Extensions ◮ Signatures and encryption based on certificates ◮ Trust comes from certificate authorities (known to all
parties)
◮ Private keys have to be generated and distributed to all
users
Stefan Fochler – Is DANE the Future of Secure Mail? 29
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
End-to-End Encryption S/MIME (RFC 5751 [9])
◮ Secure/Multipurpose Internet Mail Extensions ◮ Signatures and encryption based on certificates ◮ Trust comes from certificate authorities (known to all
parties)
◮ Private keys have to be generated and distributed to all
users OpenPGP (RFC 4880 [10])
◮ Self-created cryptogrraphic identities ◮ Trust comes from building a network of cross-signed keys ◮ Does not rely on certificate authorities ◮ Requires understanding of trust mechanism ◮ Failed to gain wide adoption [11]
Stefan Fochler – Is DANE the Future of Secure Mail? 29
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Mail Origin Safeguarding SPF & DMARC (RFC 7208 [7] & 7489 [8])
◮ Sender Policy Framework
◮ DNS entry that whitelists hosts and IP ranges for sending
mail under respective domain
◮ boinx.com. TXT "v=spf1
include:spf.mandrillapp.com ?all"
◮ spf.mandrillapp.com. TXT "v=spf1
ip4:198.2.128.0/24 ..."
◮ Domain-based Message Authentication, Reporting and
Conformance
◮ Specify policy for origin-invalid emails ◮ Request periodic reports Stefan Fochler – Is DANE the Future of Secure Mail? 30
Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen
Mail Origin Safeguarding DKIM (RFC 6376 [3])
◮ DomainKeys Identified Mail ◮ Asymmetric cryptography for email signatures
◮ Using DomainKey signature header field
DKIM-Signature: ...
◮ DNS entry that binds RSA key to domain
◮ boinx. domainkey.boinx.com. TXT "v=DKIM1;
k=rsa; p=MIGfMA0GCSqGSIb3DEBAQU..."
◮ Allows identification of IP-spoofed UCE (SPAM) ◮ Requires cryptographic checks on the recipient mail server
Stefan Fochler – Is DANE the Future of Secure Mail? 31