
Securing the Internet's Identifier Systems

DNSSec and other short stories

John Crain ICANN john.crain@icann.org


Criticality of the Domain Name System

  • Most transactions on the Internet start with a user-known name and use the DNS to translate that into machine-usable IP addresses
    – www.icann.org - a hostname
    – john.crain@icann.org - an email address
    – FTP, SIP, etc. etc. etc.


Where DNSSEC fits in.

  • DNS is a non-authenticated system!
  • It is vulnerable to MITM attacks!
  • DNS Security Extensions (DNSSEC) introduce digital signatures into DNS to cryptographically protect contents


The Original Problem: DNS Cache Poisoning Attack

[Animated diagram. Labels: Enterprise; ISP / Enterprise / End node; DNS Resolver; DNS Server; Attacker; Attacker webserver www @ 5.6.7.8; Login page; Username / Password; Password database; Error. The query is "www.majorbank.se = ?"; the DNS server's answer is "www.majorbank.se = 1.2.3.4" and the attacker's is "www.majorbank.se = 5.6.7.8"; "Get page" then goes to 5.6.7.8.]

detailed description at: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html


The Bad: DNSChanger – ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M

Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/

End-2-end DNSSEC validation would have avoided the problems


The Bad: Brazilian ISP falls victim to a series of DNS attacks

7 Nov 2011 http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

End-2-end DNSSEC validation would have avoided the problems


The Bad: Other DNS hijacks*

  • 25 Dec 2010 - Russian e-Payment Giant ChronoPay Hacked
  • 18 Dec 2009 – Twitter – “Iranian cyber army”
  • 13 Aug 2010 - Chinese gmail phishing attack
  • 25 Dec 2010 Tunisia DNS Hijack
  • 2009-2012 google.*
    – April 28 2009 Google Puerto Rico sites redirected in DNS attack
    – May 9 2009 Morocco temporarily seize Google domain name
  • 9 Sep 2011 - Diginotar certificate compromise for Iranian users
  • 7 Jan 2013 – Turktrust / EGO
  • SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the certificate. Unfortunately, the majority of Web site certificates rely on DNS to validate identity.
  • DNS is relied on for unexpected things though insecure.

*A Brief History of DNS Hijacking - Google http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf


The Good: Securing DNS with DNSSEC

[Animated diagram. Labels: DNS Resolver with DNSSEC; DNS Server with DNSSEC; webserver www @ 1.2.3.4; Login page; Username / Password; Account Data; Attacker. The query is "www.majorbank.se = ?"; the DNS server's answer is "www.majorbank.se = 1.2.3.4"; the attacker's record "www.majorbank.se = 5.6.7.8" does not validate – drop it; "Get page" goes to 1.2.3.4.]


The Business Case for DNSSEC

  • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.
  • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).
  • DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.


Game changing Internet Core Infrastructure Upgrade

  • “More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and repurposed in a number of different ways. ...” – Vint Cerf (June 2010)


DNSSEC as a global “free” PKI

  • We are just starting to see the opportunities that DNSSEC could bring.
  • DNSSEC itself is something that we can build on.

  • Simple examples.

The Diginotar SSL problem?

  • Imagine if you could identify which CA should be used for a specific name/host?

Now it doesn’t matter if someone else issues a cert by mistake, the application could know it is incorrect.

DNS-based Authentication of Named Entities (DANE)
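
An added example, not part of the original slides: a minimal DANE TLSA matcher (RFC 6698) showing how an application can reject a certificate chain from a CA the zone owner did not pin. The certificate and key bytes, the helper names and the TLSA record are constructed for illustration; a real client takes the DER bytes from its TLS library and still performs normal PKIX path validation for usages 0 and 1.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 = whole certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

HASHES = {0: bytes, 1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA: 'usage selector mtype hex'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexdata.split())))

def tlsa_allows(records, chain, dnssec_validated):
    """chain is [(cert_der, spki_der), ...], leaf first.
    True only if a usable, DNSSEC-validated TLSA record matches."""
    if not dnssec_validated:
        return False  # an unsigned TLSA answer is as spoofable as any DNS data
    for rec in records:
        if rec.usage not in range(4) or rec.selector not in (0, 1) \
                or rec.mtype not in HASHES:
            continue  # unusable record: ignore it
        # Usages 1 and 3 pin the server certificate; 0 and 2 pin an issuing CA.
        candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
        for cert_der, spki_der in candidates:
            blob = cert_der if rec.selector == 0 else spki_der
            if hmac.compare_digest(HASHES[rec.mtype](blob), rec.data):
                return True
    return False

# Constructed stand-ins for DER bytes; these are not real certificates.
EXPECTED_CA = (b"constructed-cert:expected-CA", b"constructed-spki:expected-CA")
OTHER_CA = (b"constructed-cert:other-CA", b"constructed-spki:other-CA")
GOOD_LEAF = (b"constructed-cert:leaf-by-expected-CA", b"constructed-spki:site")
ROGUE_LEAF = (b"constructed-cert:leaf-by-other-CA", b"constructed-spki:rogue")

# Constructed record: the zone owner pins the expected CA certificate (usage 0).
PINNED = [parse_tlsa("0 0 1 " + hashlib.sha256(EXPECTED_CA[0]).hexdigest())]

def demo():
    return {"expected CA": tlsa_allows(PINNED, [GOOD_LEAF, EXPECTED_CA], True),
            "other CA": tlsa_allows(PINNED, [ROGUE_LEAF, OTHER_CA], True),
            "unsigned TLSA": tlsa_allows(PINNED, [GOOD_LEAF, EXPECTED_CA], False)}
```

The third case is why DANE depends on DNSSEC: the pin is only as trustworthy as the DNS answer that carried it.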


Secure your mail?

  • Imagine if you knew which key to use to establish a tunnel with any mail server on the Internet?

  • Secure mail transport!
  • DKIM RFC4871!

So what’s the problem?

  • Like all new technologies there is a curve to deployment.
  • There is a lack of awareness.
  • Chicken or Egg? There is a classic chicken and egg issue. Technologies like DANE may break that at some point.


What you can do

  • For Companies:
    – Sign your corporate domain names
    – Just turn on validation on corporate DNS resolvers
  • For Users:
    – Ask ISP to turn on validation on their DNS resolvers
  • For All:
    – Take advantage of ICANN, ISOC and other organizations offering DNSSEC education and training


Read me…

  • http://www.dnssec-deployment.org
  • http://www.internetsociety.org/deploy360/dnssec

  • http://www.dns-school.org/

Thank You!