Securing the Internet's Identifier Systems DNSSec and other short - PowerPoint PPT Presentation

Securing the Internet's Identifier Systems DNSSec and other short stories John Crain ICANN john.crain@icann.org 1

Criticality of the Domain Name System • Most transactions on the Internet start with a user known name and use the DNS to translate that into machine usable IP addresses – www.icann.org - a hostname – john.crain@icann.org - an email address – FTP, SIP, etc. etc. etc. 2

Where DNSSEC fits in. • DNS is a non authenticated system! • It is vulnerable to MITM attacks! • DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents 3

The Original Problem: DNS Cache Poisoning Attack www.major www.majorbank. ank.se se = = 1.2.3.4 1.2.3.4 www.majorbank. www.major ank.se se=? =? DNS DNS DNS DNS Res Resolver Serve Server 5.6.7.8 5.6.7.8 ENTERPRISE Attacke Attacker www.majorbank. www.major ank.se se = = 5.6.7.8 5.6.7.8 Get page Get page Attacker Attacke Login page Login page web webserver www @ www @ Username / Password Username / Password 5.6.7.8 5.6.7.8 Error Error ISP / ENTERPRISE / END NODE Password database Password database Animated slide detailed description at: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html 4

The Bad: DNSChanger – ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/ End-2-end DNSSEC validation would have avoided the problems 5

The Bad: Brazilian ISP fall victim to a series of DNS attacks 7 Nov 2011 http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil 6 End-2-end DNSSEC validation would have avoided the problems

The Bad: Other DNS hijacks* • 25 Dec 2010 - Russian e-Payment Giant ChronoPay Hacked • 18 Dec 2009 – Twitter – “Iranian cyber army” 13 Aug 2010 - Chinese gmail phishing attack • • 25 Dec 2010 Tunisia DNS Hijack 2009-2012 google.* • – April 28 2009 Google Puerto Rico sites redirected in DNS attack – May 9 2009 Morocco temporarily seize Google domain name • 9 Sep 2011 - Diginotar certificate compromise for Iranian users 7 Jan 2013 – Turktrust / EGO • • SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the certificate. Unfortunately, majority of Web site certificates rely on DNS to validate identity. DNS is relied on for unexpected things though insecure. • *A Brief History of DNS Hijacking - Google http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf 7

The Good: Securing DNS with DNSSEC Attacke Attacker’s ’s re record does not cord does not validate – validate – drop it rop it www.major www.majorbank. ank.se se = = 1.2.3.4 1.2.3.4 www.majorbank. www.major ank.se se=? =? DNS DNS DNS DNS Resolver Resolve Server with Server with 1.2.3.4 1.2.3.4 with with DNSSEC DNSSEC DNSSEC DNSSEC Attacker Attacke www.majorbank. www.major ank.se se = = 5.6.7.8 5.6.7.8 Get page Get page Login page Login page webserver web www @ www @ Username / Password Username / Password 1.2.3.4 1.2.3.4 Account Data Account Data Animated slide 8

The Business Case for DNSSEC • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator. • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity). • DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage. 9

10 NL

Game changing Internet Core Infrastructure Upgrade • “More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re purposed in a number of different ways. ..” – Vint Cerf (June 2010) 11

DNSSEC as a global “free” PKI • We are just starting to see the opportunities that DNSSEC could bring. • DNSSEC itself is something that we can build on. • Simple examples. 12

The Diginotar SSL problem? • Imagine if you could identify which CA should be used for a specific name/host? Now it doesn’t matter if someone else issues a cert by mistake, the application could know it is incorrect. DNS-based Authentication of Named Entities (DANE) 13

Secure your mail? • Imagine if you knew which key to use to establish a tunnel with any mail server on the Internet? • Secure mail transport! • DKIM RFC4871! 14

So what’s the problem? • Like all new technologies there is a curve to deployment. • There is a lack of awareness. • Chicken or Egg? There is a classic chicken and egg issue. Technologies like DANE may break that at some point. 15

What you can do • For Companies: – Sign your corporate domain names – Just turn on validation on corporate DNS resolvers • For Users: – Ask ISP to turn on validation on their DNS resolvers • For All: – Take advantage of ICANN, ISOC and other organizations offering DNSSEC education and training 16

Read me… • http://www.dnssec-deployment.org • http://www.internetsociety.org/deploy360/d nssec • http://www.dns-school.org/ 17

Thank You! 18