securing dnssec keys via threshold ecdsa from generic mpc
play

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris - PowerPoint PPT Presentation

Aug 03, 2023 •144 likes •775 views

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS20 with Anders Dalskov, Marcel Keller,

  1. Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS’20 with Anders Dalskov, Marcel Keller, Claudio Orlandi and Haya Shulman

  2. This work Threshold ECDSA for DNS zone signing 1 / 20

  3. This work Threshold ECDSA for DNS zone signing - Key security for DNSSEC - Generic way of doing threshold ECDSA (signing and key gen) - Support for lots of different threat models - As fast, or faster, than previous work 1 / 20

  4. Outline DNS and DNSSEC Threshold signatures for DNSSEC

  5. Outline DNS and DNSSEC Threshold signatures for DNSSEC

  6. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  7. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  8. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  9. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  10. DNS Insecurity Poisoning/Spoofing is possible 3 / 20

  11. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted 3 / 20

  12. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  13. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  14. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  15. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  16. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  17. DNSSEC DNSSEC fixes this problem - Data integrity: data was not changed in transit - Origin authentication: data originated from the owner 4 / 20

  18. DNS in practice DNS Operators Domains Cloudflare ducks.de Azure DNS cuteswans.de UltraDNS 5 / 20

  19. DNSSEC deployment issues Studies 12 have found that - Some operators use the same key for all domains - E.g., one key shared by > 132 000 domains 1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem (USENIX ’17) 2 One Key to Sign Them All Considered Vulnurable: Evaluation of DNSSEC in the Internet (NSDI ’17) 6 / 20

  20. DNSSEC deployment issues Studies 12 have found that - Some operators use the same key for all domains - E.g., one key shared by > 132 000 domains 1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem (USENIX ’17) 2 One Key to Sign Them All Considered Vulnurable: Evaluation of DNSSEC in the Internet (NSDI ’17) 6 / 20

  21. DNSSEC deployment issues Studies 12 have found that - Some operators use the same key for all domains - E.g., one key shared by > 132 000 domains - Default is 1024-bit RSA - Most keys 1024-bit, with ∼ 10K domains use 512-bit RSA - The majority of keys were not rotated in a 21-month period - Some providers use different keys but share the modulus 1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem (USENIX ’17) 2 One Key to Sign Them All Considered Vulnurable: Evaluation of DNSSEC in the Internet (NSDI ’17) 6 / 20

  22. DNSSEC in practice DNSSEC - Should use ECDSA instead of RSA - Shorter signatures reduce the chance of packet fragmentation 1 1 RFC 6781 recommends 1024-bit RSA for this reason 2 See 2016 Dyn attacks 3 RFC 8901: Multi-Signer DNSSEC Models 7 / 20

  23. DNSSEC in practice DNSSEC - Should use ECDSA instead of RSA - Shorter signatures reduce the chance of packet fragmentation 1 - Support multiple name servers - better availability and DDoS protection 2 - new standard 3 requires zone owner interaction while relinquishing key control 1 RFC 6781 recommends 1024-bit RSA for this reason 2 See 2016 Dyn attacks 3 RFC 8901: Multi-Signer DNSSEC Models 7 / 20

  24. Outline DNS and DNSSEC Threshold signatures for DNSSEC

  25. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) 8 / 20

  26. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  27. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  28. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  29. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  30. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC Threshold signing should not be much more expensive than regular DNSSEC 8 / 20

  31. ECDSA s = k − 1 ( H ( M ) + sk · r x ) 9 / 20

  32. ECDSA s = k − 1 ( H ( M ) + sk · r x ) 9 / 20

  33. Threshold ECDSA s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x 10 / 20

  34. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] Message independent s , r x Online phase MPC 11 / 20

  35. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] Message independent s , r x Online phase MPC 11 / 20

  36. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] [ k − 1 ] Message independent s , r x Online phase [ k − 1 ] [ k − 1 ] MPC 11 / 20

  37. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] [ k − 1 ], [sk − 1 ] Message independent s , r x Online phase [ k − 1 ], [sk − 1 ] [ k − 1 ], [sk − 1 ] MPC 11 / 20

  38. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] [ k − 1 ], [sk − 1 ], M Message independent s , r x Online phase [ k − 1 ], [sk − 1 ], M [ k − 1 ], [sk − 1 ], M MPC 11 / 20

  39. Threshold ECDSA signing s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x Problems: How do we compute 1. [ k − 1 ] 2. r x 12 / 20

  40. Threshold ECDSA signing Need to compute s = [ k − 1 ]( H ( M ) + [sk] · r x ) 13 / 20

  41. Threshold ECDSA signing Need to compute s = [ k − 1 ]( H ( M ) + [sk] · r x ) Problem how do we compute [ k − 1 ]? Main difficulty with threshold ECDSA 13 / 20

  42. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

  43. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 1. Suppose we have ([ k ] , [ b ] , [ c ]) with c = k · b 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

  44. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 1. Suppose we have ([ k ] , [ b ] , [ c ]) with c = k · b 2. Open [ c ] 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

  45. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 1. Suppose we have ([ k ] , [ b ] , [ c ]) with c = k · b 2. Open [ c ] 3. Compute c − 1 [ b ] = [( k · b ) − 1 b ] = [ k − 1 ] 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa Lee , and abhi shelat j@ckdoerner.net ykondi@ccs.neu.edu eysa@ccs.neu.edu abhi@neu.edu Northeastern University Traditional Signature

868 views • 57 slides
A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key Management Implementations Back to ICANN 40 2 Key Management Implementations Needs Zones need to be re-signed PKCS#11 periodically. Keys

507 views • 14 slides
Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

UC Non-Interactive, Proactive, Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City College, CUNY), Steven Goldfeder (Cornell Tech), Nikolaos Makriyannis (Fireblocks), Udi Peled (Fireblocks) To appear

1.18k views • 41 slides
*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

New DNSSEC Technologies Paul Wouters Senior software engineer, Red Hat February 9, 2015 1 Paul Wouters <pwouters@redhat.com> *.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a user@fedoraproject.org

380 views • 12 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com Disclaimer: we have done this First major DNSSEC user of ECDSA P256 Working on getting others to support it ICANN Registration model is

981 views • 9 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
A Full CryptoCurrency Custody Solution Based on MPC and Threshold ECDSA Yehuda Lindell,

A Full CryptoCurrency Custody Solution Based on MPC and Threshold ECDSA Yehuda Lindell,

A Full CryptoCurrency Custody Solution Based on MPC and Threshold ECDSA Yehuda Lindell, Bar-Ilan University and Unbound Tech Ariel Nof, Bar-Ilan University Samuel Ranellucci, Unbound Tech Motivation 2 Custody and Protection

325 views • 21 slides
Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic,

1.51k views • 92 slides
DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why DNSSEC ? Securing the DNS system is both necessary and, right now, doable Root signed since 2010 No

473 views • 10 slides
DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse University of Costa Rica & Namibian Network Information Centre 2015-02-09 Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

202 views • 19 slides
Securing the Internet's Identifier Systems DNSSec and other short stories John Crain ICANN

Securing the Internet's Identifier Systems DNSSec and other short stories John Crain ICANN

Securing the Internet's Identifier Systems DNSSec and other short stories John Crain ICANN john.crain@icann.org 1 Criticality of the Domain Name System Most transactions on the Internet start with a user known name and use the DNS to

514 views • 18 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
Briefing on the Status of Near-Term Task Force Recommendation 2 for Seismic Hazard Re- Evaluations

Briefing on the Status of Near-Term Task Force Recommendation 2 for Seismic Hazard Re- Evaluations

Briefing on the Status of Near-Term Task Force Recommendation 2 for Seismic Hazard Re- Evaluations Martin W. McCann Jack R. Benjamin & Associates, Inc. Menlo Park, CA U.S. Nuclear Regulatory Commission Rockville, MD October 7, 2014

287 views • 12 slides
Module 9: Virtual Memory Background Demand Paging Performance of Demand Paging Page

Module 9: Virtual Memory Background Demand Paging Performance of Demand Paging Page

' $ Module 9: Virtual Memory Background Demand Paging Performance of Demand Paging Page Replacement Page-Replacement Algorithms Allocation of Frames Thrashing Other Considerations Demand Segmentation & %

576 views • 28 slides
Chapter 10: Virtual Memory Questions? What is virtual memory and when is it useful? CSCI

Chapter 10: Virtual Memory Questions? What is virtual memory and when is it useful? CSCI

Chapter 10: Virtual Memory Questions? What is virtual memory and when is it useful? CSCI [4|6] 730 What is demand paging? Operating Systems When should pages in memory be replaced? When should pages be put on disk?

399 views • 9 slides
15-410 My other car is a cdr -- Unknown Exam #1 Mar. 16, 2009 Dave Eckhardt Dave

15-410 My other car is a cdr -- Unknown Exam #1 Mar. 16, 2009 Dave Eckhardt Dave

15-410 My other car is a cdr -- Unknown Exam #1 Mar. 16, 2009 Dave Eckhardt Dave Eckhardt 1 15-410, S'09 L23_Exam Synchronization Checkpoint 2 Friday Checkpoint 2 Friday Please read the handout warnings about context

422 views • 18 slides
CSci 5271 Software-based Fault Isolation Navid Emamdoost navid@cs.umn.edu Oct-16-2014 Need for

CSci 5271 Software-based Fault Isolation Navid Emamdoost navid@cs.umn.edu Oct-16-2014 Need for

CSci 5271 Software-based Fault Isolation Navid Emamdoost navid@cs.umn.edu Oct-16-2014 Need for extensibility Problem with extensions UNIX vnode interface Security! Extensions may be o Add new file system Postgres database o

583 views • 6 slides
The Peruvian Amazon Forestry Dataset: A Leaf Image Classification Corpus Gerson Vizcarra 1 ,

The Peruvian Amazon Forestry Dataset: A Leaf Image Classification Corpus Gerson Vizcarra 1 ,

The Peruvian Amazon Forestry Dataset: A Leaf Image Classification Corpus Gerson Vizcarra 1 , Danitza Bermejo 1,2 , Antoni Mauricio 1 , Ricardo Zarate 1 , Erwin Dianderas 1 1 GESCON, Instituto de Investigaciones de la Amazona Peruana 2 Universidad

419 views • 27 slides
Welcome back Lots of logistics to take care of: Readings Grad Report Assignments

Welcome back Lots of logistics to take care of: Readings Grad Report Assignments

Material Properties 2 Welcome back Lots of logistics to take care of: Readings Grad Report Assignments Projects 1 Readings All readings up to week 3 graded Comments/grades on mycourses Remember to place this weeks

488 views • 20 slides
L = C L (1) aerodynamic characteristics of the aircraft model by 1 2 V S controlling

L = C L (1) aerodynamic characteristics of the aircraft model by 1 2 V S controlling

International Journal of Aerospace and Mechanical Engineering 5:4 2011 Application of Fuzzy Logic Approach for an Aircraft Model with and without Winglet Altab Hossain, Ataur Rahman, Jakir Hossen, A.K.M. P. Iqbal, and SK. Hasan the tip and

484 views • 9 slides

More recommend