making the case for elliptic curves in dnssec
play

Making the Case for Elliptic Curves in DNSSEC an analysis of the - PowerPoint PPT Presentation

Dec 26, 2022 •233 likes •408 views

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

  1. Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org

  2. Introduction • DNSSEC deployment has taken off, but there are still operational issues • Fragmentation • Amplification • Complex key management • Root cause of many of these problems: use of RSA • ECDSA standardised in RFC 6605 (2012), but still sees very little use (but is discussed a lot!)

  3. Fragmentation • Well known problem; up to 10% of resolvers may not be able to receive fragmented responses* • Solutions available: • Configure minimal responses • Better fallback behaviour in resolver software • Stricter phrasing of RFC 6891 (EDNS0) *Van den Broek, J., Van Rijswijk-Deij, R., Pras, A., Sperotto, A., “DNSSEC Meets Real World: Dealing with Unreachability Caused by Fragmentation”, IEEE Communications Magazine, volume 52, issue 4 (2014).

  4. Fragmentation • Setting minimal responses pays off: • But fragmentation still occurs!

  5. Amplification • DNSSEC is a potent amplifier* without DNSSEC combined 30% .com .net 25% .org percentage of domains with DNSSEC .uk .se 20% .nl 15% theoretical maximum amplification of regular DNS 10% 5% 0% 0 10 20 30 40 50 60 70 80 Amplification factor [bin=0.1] * Van Rijswijk-Deij, R., Sperotto, A., & Pras, A. (2014). DNSSEC and its potential for DDoS attacks. In Proceedings of ACM IMC 2014. Vancouver, BC, Canada: ACM Press

  6. Amplification • While ANY could be suppressed, DNSKEY cannot! com 14% net org 12% theor. maximum uk amplification percentage of domains of regular DNS se 10% nl 8% 6% 4% 2% 0% 0 10 20 30 40 50 Amplification factor [bin=0.1]

  7. Root cause: RSA • RSA keys are large • 1024-bit —> 128 byte signatures, ±132 bytes DNSKEY records • 2048-bit —> 256 byte signatures, ±260 bytes DNSKEY records • Also: striking a balance between signature size and key strength means RSA prevents a switch to simpler key management mechanisms* *don’t have time to explain in detail, see paper

  8. ECC to the rescue • ECC has much smaller keys and signatures with equivalent or better key strength • ECC with 256-bit group ≈ RSA 3072-bit • ECDSA P-256 and P-384 are standardised for use in DNSSEC in RFC 6605 (2012) • Used very little in practice, 99.99% of .com, .net and .org use RSA • But there is a lot of buzz around it (CloudFlare!) • EdDSA based schemes have draft RFCs (Ond ř ej Sur ý )

  9. Measuring ECC impact • We performed a measurement study to quantify the impact of switching to ECC on fragmentation and amplification • Study looks at all signed .com, .net and .org domains • Studies ECC scenarios: ecdsa384csk ecdsa256csk eddsasplit ecdsa384 ecdsa256 eddsacsk implementation choice ECDSA vs. EdDSA ECDSA ECDSA ECDSA ECDSA EdDSA EdDSA Curve P-384 P-256 P-384 P-256 Ed25519 Ed25519 KSK/ZSK vs. CSK KSK/ZSK KSK/ZSK CSK CSK KSK/ZSK CSK most conservative most beneficial ← − − − − − − − −− − − − − − − − → fi fi fi fi

  10. Impact on fragmentation • DNSKEY response sizes dramatically reduced: 100% original ecdsa384 98% percentage of domains ecdsa256 ecdsa256csk 96% eddsacsk 94% IPv6 minimum MTU Ethernet MTU (1280 bytes) (1500 bytes) 92% classic DNS 90% 256 512 1024 2048 4096 response size [bytes, log scale]

  11. Impact on amplification • ANY amplification dampened significantly: 10% current situation ecdsa256 8% percentage of domains ecdsa256csk eddsacsk 6% theoretical maximum ampli fi cation of regular DNS 4% 2% 0% 0 10 20 30 40 50 60 70 80 ampli fi cation factor [bin=0.1]

  12. Impact on amplification • DNSKEY amplification practically solved: 45% original theoretical 40% maximum ampli fi cation ecdsa384 of regular DNS 35% percentage of domains ecdsa256 30% ecdsa256csk eddsacsk 25% 20% 15% 10% 5% 0% 0 5 10 15 20 25 30 35 ampli fi cation factor [bin=0.1]

  13. Back to 512-byte DNS? • A and AAAA responses fit in classic DNS! 100% 80% percentage of domains 60% 40% 20% A queries AAAA queries 0% 128 192 256 320 384 448 512 response size [ecdsa256 with minimal responses]

  14. Conclusions • Switching to ECC is highly beneficial and tackles major issues in DNSSEC • Combined with simpler key management it could even bring “classic” 512-byte DNS back into scope • Impact on resolvers is uncertain! ECC validation speeds are up to an order of magnitude slower than RSA • Improvements are being made (e.g. OpenSSL) • We are working on quantifying the impact of this

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine

Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine

Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine Elliptic Curve Cryptography (ECC) y^2 = x^3 + ax + b http://en.wikipedia.org/wiki/Elliptic_curve

151 views • 13 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Amicable pairs for elliptic curves Katherine E. Stange SFU / PIMS-UBC . joint work with .

Amicable pairs for elliptic curves Katherine E. Stange SFU / PIMS-UBC . joint work with .

Motivations Definitions and growth rates The CM case Aliquot cycles The j = 0 case Final remarks Amicable pairs for elliptic curves Katherine E. Stange SFU / PIMS-UBC . joint work with . Joseph H. Silverman Brown University / Microsoft

658 views • 41 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Cirrus Logic Mixed-Signal Leadership Mixed-Signal Technologies Explained Analog-to-Digital

Cirrus Logic Mixed-Signal Leadership Mixed-Signal Technologies Explained Analog-to-Digital

Cirrus Logic Mixed-Signal Leadership Mixed-Signal Technologies Explained Analog-to-Digital Converter (ADC) ADC 0001101001 Used for Microphone or other analog inputs in audio systems Digital to Analog Converter (DAC)

197 views • 15 slides
Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By: Sean Rijs Agenda I am going to do my presentation DNS amplification attacks 2 1 Stub resolver Recursive server Authoritative server

1.42k views • 21 slides
The Arctic Sea Ice Monitoring and Climate Variation Hiroyuki Enomoto National Institute of Polar

The Arctic Sea Ice Monitoring and Climate Variation Hiroyuki Enomoto National Institute of Polar

Monitoring Climate Change from Space COP21 Japan Pavilion, Dec. 4, 2015 The Arctic Sea Ice Monitoring and Climate Variation Hiroyuki Enomoto National Institute of Polar Research Background Arctic warming rate is twice faster than other

440 views • 19 slides
Amplification of Seismic Input due to 1D, 2D and 3D effects, and their Importance for NPP

Amplification of Seismic Input due to 1D, 2D and 3D effects, and their Importance for NPP

Introduction The Issues and Modelling Approaches Simulations Results Summary Amplification of Seismic Input due to 1D, 2D and 3D effects, and their Importance for NPP Structures B. Jeremi c, N. Tafazzoli, N. Orbovi c, A. Blahoianu

546 views • 20 slides
Basic Mechatronics Workshop Module 2: Sensors LAB-3 Sensor Circuits, Power and Constant voltage,

Basic Mechatronics Workshop Module 2: Sensors LAB-3 Sensor Circuits, Power and Constant voltage,

Basic Mechatronics Workshop Module 2: Sensors LAB-3 Sensor Circuits, Power and Constant voltage, Detector, Amplifier, Display, Output (Conference of Presentation) Dr. Mohamed Abdalbar Lecturer, Mechatronics Department, Egyptian-Korean

639 views • 20 slides
This presentation is given by a group of three students. START (000). The first member of

This presentation is given by a group of three students. START (000). The first member of

This presentation is given by a group of three students. START (000). The first member of the group spends nearly three minutes giving a general description of the chosen real-life situation including the aims and methods of the experiment

266 views • 3 slides
New Mexico Legislative Education Study Committee WIDA Score Changes Presentation September 29,

New Mexico Legislative Education Study Committee WIDA Score Changes Presentation September 29,

New Mexico Legislative Education Study Committee WIDA Score Changes Presentation September 29, 2017 Introduction: Jonathan Gibson WIDA State Relations Specialist (SRS) since October 2016 West Region SRS (9 states and 1 Commonwealth)

279 views • 12 slides
Low-Power RF Integrated Circuit Design Techniques for Short-Range Wireless Connectivity Marvin

Low-Power RF Integrated Circuit Design Techniques for Short-Range Wireless Connectivity Marvin

Low-Power RF Integrated Circuit Design Techniques for Short-Range Wireless Connectivity Marvin Onabajo Assistant Professor Analog and Mixed-Signal Integrated Circuits (AMSIC) Research Laboratory Dept. of Electrical and Computer Engineering

569 views • 28 slides

More recommend