securing the last mile of dns with cga tsig
play

Securing the last mile of DNS with CGA-TSIG Marc Buijsman Master - PowerPoint PPT Presentation

Apr 14, 2023 •194 likes •608 views

Securing the last mile of DNS with CGA-TSIG Marc Buijsman Master System & Network Engineering 19 December 2013 Problem statement last mile not secured internet authoritative name server client recursive authoritative last

  1. Securing the last mile of DNS with CGA-TSIG Marc Buijsman Master System & Network Engineering 19 December 2013

  2. Problem statement � “last mile” not secured internet authoritative name server client recursive authoritative last mile (stub resolver) name server name server authoritative name server 1 / 23

  3. Problem statement � do local resolution � requires local server � DNSSEC � requires root key � validating stub � DNSCurve � not widely deployed � needs server support � TSIG � DNS message authentication � shared key � not scalable 2 / 23

  4. Problem statement � new proposal: CGA-TSIG � research question: Is CGA-TSIG an adequate solution to the last mile problem? � Does CGA-TSIG provide the necessary security? � Is the CGA-TSIG specification correct? specification verification model implementation 3 / 23

  5. TSIG Transaction Signature 4 / 23

  6. TSIG resource record Name Type Class TTL RdLen Algorithm Name Time Signed Fudge MAC Size RDATA MAC Original ID Error Other Len Other Data 5 / 23

  7. TSIG resource record Name used for key ID Type Class TTL RdLen Algorithm Name Time Signed Fudge MAC Size RDATA MAC Original ID Error Other Len Other Data 5 / 23

  8. TSIG resource record Name used for key ID Type "TSIG" Class TTL RdLen Algorithm Name Time Signed Fudge MAC Size RDATA MAC Original ID Error Other Len Other Data 5 / 23

  9. TSIG resource record Name used for key ID Type "TSIG" Class TTL RdLen Algorithm Name "HMAC-MD5" Time Signed Fudge MAC Size RDATA MAC Original ID Error Other Len Other Data 5 / 23

  10. TSIG resource record Name used for key ID Type "TSIG" Class TTL RdLen Algorithm Name "HMAC-MD5" Time Signed Fudge MAC Size RDATA MAC signature Original ID Error Other Len Other Data 5 / 23

  11. TSIG variables Name Type Class TTL RdLen Algorithm Name TSIG variables Time Signed Fudge MAC Size RDATA MAC Original ID Error Other Len Other Data 5 / 23

  12. TSIG signature Name Type Class TTL RdLen DNS message Algorithm Name TSIG variables Time Signed Fudge MAC Size RDATA MAC HMAC shared key Original ID Error Other Len MAC / signature Other Data 5 / 23

  13. CGA Cryptographically Generated Addresses 6 / 23

  14. CGA � public key authentication � binds public key to IPv6 address � comes signed message from that address? � anyone can claim address 7 / 23

  15. modifier rand() CGA generation subnet prefix 0 collision count 0 public key K extension fields E start SHA-1 (112 bits) SHA-1 (64 bits) hash2 hash1 modifier++ 16*sec ~ 0 subnet prefix = P false true sec {0-7} "ID" ID collision count++ "CGA" P yes finish duplicate? P ID no 012 ... 67 subnet prefix sec interface identifier 00 � �� �� �� � 64 bits 64 bits 8 / 23

  16. CGA-TSIG 9 / 23

  17. CGA-TSIG � TSIG’s individual message authentication... � ...but with public-key crypto � scalable � CGA to authenticate public key � recursive name server accepts anonymous queries � clients do not need CGA � authenticated key/address changes � initial address verification? � DHCP configuration maybe spoofed 10 / 23

  18. CGA-TSIG resource record CGA-TSIG Len Name Algorithm Type Type Type Class IP Tag TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 11 / 23

  19. CGA-TSIG resource record CGA-TSIG Len Name Algorithm Type Type Type Class IP Tag TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix "CGA-TSIG" Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 11 / 23

  20. CGA-TSIG resource record CGA-TSIG Len "RSA" Name Algorithm Type Type Type Class IP Tag TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix "CGA-TSIG" Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 11 / 23

  21. CGA-TSIG resource record CGA-TSIG Len "RSA" Name Algorithm Type Type Type "CGA" Class IP Tag TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix "CGA-TSIG" Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 11 / 23

  22. CGA-TSIG resource record CGA-TSIG Len "RSA" Name Algorithm Type Type Type "CGA" Class IP Tag old IP TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix "CGA-TSIG" Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 11 / 23

  23. CGA-TSIG resource record CGA-TSIG Len "RSA" Name Algorithm Type Type Type "CGA" Class IP Tag old IP TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix "CGA-TSIG" Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature instead of MAC Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 11 / 23

  24. CGA-TSIG resource record CGA-TSIG Len "RSA" Name Algorithm Type Type Type "CGA" Class IP Tag old IP TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix "CGA-TSIG" Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature instead of MAC Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 11 / 23

  25. Proof of concept 12 / 23

  26. Proof of concept � ldns library from NLnet Labs � written in C � already supports TSIG � extended to support CGA-TSIG � CGA verification � public key signature generation/verification � CGA generation tool � uses Scapy6 � written in Python 13 / 23

  27. Results 14 / 23

  28. Results � time signed is digested... � ...but fudge is not CGA-TSIG Len Name Algorithm Type � replay attacks Type Type Class IP Tag � nor other fields in red TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix � blue fields in arbitrary order Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields � does not adhere to TSIG MAC Signature Len RDATA Original ID Signature Error Old Public Key Len � signature fields left out Other Len Old Public Key Other Data Old Signature Len Old Signature 15 / 23

  29. Results � signature in new field � MAC field left unused CGA-TSIG Len Name Algorithm Type Type Type � could save space if used Class IP Tag TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields MAC Signature Len RDATA Original ID Signature Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 16 / 23

  30. Results � one-sided authentication � unlike TSIG � for last mile CGA-TSIG Len Name Algorithm Type Type Type � how to request CGA-TSIG? Class IP Tag � set algorithm name TTL Parameters Len RdLen Modifier � algorithm type too? Algorithm Name Subnet Prefix Time Signed Collision Count Param. � time signed to 0 Fudge Public Key MAC Size Extension Fields � query is not signed MAC Signature Len RDATA Original ID Signature Error Old Public Key Len Other Len Old Public Key Other Data Old Signature Len Old Signature 17 / 23

  31. Results � no CGA type tag defined � related protocol attacks CGA-TSIG Len Name Algorithm Type � what do do with name field? Type Type Class IP Tag � 1-octet length fields TTL Parameters Len RdLen Modifier Algorithm Name Subnet Prefix � parameters length fields? Time Signed Collision Count Param. Fudge Public Key MAC Size Extension Fields � other time signed check MAC Signature Len RDATA Original ID Signature � new CGA for server Error Old Public Key Len Other Len Old Public Key � how will clients know? Other Data Old Signature Len Old Signature � old public key format not specified 18 / 23

  32. Conclusion 19 / 23

  33. Conclusion � CGA-TSIG draft needs improvements � can use any public key size � CGA bit-strength up to 2 171 � only useful in IPv6 � TSIG implementations easy to extend � even though additions required � clients still need to verify CGA somehow... Is CGA-TSIG an adequate solution to the last mile problem? 20 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Connecting People: First Mile, Last Mile Study Bedford 24 th January 2020 How are we defining

Connecting People: First Mile, Last Mile Study Bedford 24 th January 2020 How are we defining

Connecting People: First Mile, Last Mile Study Bedford 24 th January 2020 How are we defining First Mile / Last Mile? First-mile last- mile is typically used to describe the beginning or end of an individual journey to or from a

340 views • 17 slides
Growing broadband - the last mile - the local market From middle mile to last mile Benefits of

Growing broadband - the last mile - the local market From middle mile to last mile Benefits of

Growing broadband - the last mile - the local market From middle mile to last mile Benefits of a Middle Mile Network Connects between communities with a high capacity fiber network Links anchor institutions like schools, hospitals,

924 views • 16 slides
A mile of highway will take you just one mile A mile of highway will take you just one mile

A mile of highway will take you just one mile A mile of highway will take you just one mile

A mile of highway will take you just one mile A mile of highway will take you just one mile but a mile of runway will take you anywhere anywhere ! ! but a mile of runway will take you 2007 Freight Conference 2007

381 views • 16 slides
History of the Per-Mile Charge in the United States 2 What is a Per Mile Charge? A VMT?

History of the Per-Mile Charge in the United States 2 What is a Per Mile Charge? A VMT?

History of the Per-Mile Charge in the United States 2 What is a Per Mile Charge? A VMT? An MBUF? A RUC? A Road Charge? A per mile charge is a light vehicle user fee based on the amount a motorist uses the road system A per mile

526 views • 35 slides
Track sponsored by First Mile or Last Mile an open forum discussion What is a store?

Track sponsored by First Mile or Last Mile an open forum discussion What is a store?

Track sponsored by First Mile or Last Mile an open forum discussion What is a store? Billboard? Last mile? Returns depot? Manufacturing hub? Profit center? Store employees? Customer service? Sales/product

377 views • 8 slides
First Mile/ Last Mile Service Legislative and Strategic Planning Committee February 29, 2016 The

First Mile/ Last Mile Service Legislative and Strategic Planning Committee February 29, 2016 The

First Mile/ Last Mile Service Legislative and Strategic Planning Committee February 29, 2016 The First and Last Mile Problem The extra time and hassle commuters face when theyre going from home to a transit station and then from the

323 views • 15 slides
Four Mile Church 200 th Anniversary Presentation on the First 100 Years The Four Mile Church

Four Mile Church 200 th Anniversary Presentation on the First 100 Years The Four Mile Church

Four Mile Church 200 th Anniversary Presentation on the First 100 Years The Four Mile Church is the first Church of the Brethren or German Baptists in Indiana. It was founded in 1809 by Elders Jacob Miller (of the Great Miami) and John Hart

1.21k views • 93 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
Nauck & Four Mile Run Valley 10 Nauck/Four Mile Run Valley Opportunity Zone Boundary

Nauck & Four Mile Run Valley 10 Nauck/Four Mile Run Valley Opportunity Zone Boundary

Nauck & Four Mile Run Valley 10 Nauck/Four Mile Run Valley Opportunity Zone Boundary Residential Complexes 1. The Macedonian 2. The Shelton 3. Harlowe Apartments 4. Twenty400 5. Dolley Madison Towers 6. Fort Henry Garden

299 views • 7 slides
Mile Gu IPS Meeting 2-23-2012 8/9/2017 FWS-01 Mile Gu C OMPLEX S OCIETY Q UANTUM M ECHANICS IPS

Mile Gu IPS Meeting 2-23-2012 8/9/2017 FWS-01 Mile Gu C OMPLEX S OCIETY Q UANTUM M ECHANICS IPS

Mile Gu IPS Meeting 2-23-2012 8/9/2017 FWS-01 Mile Gu C OMPLEX S OCIETY Q UANTUM M ECHANICS IPS Meeting 2-23-2012 Davisson, C. J.; Germer, L. H. Proceedings of the National Academy of Sciences, 1928 Tonomura, Akira, et al. American Journal of

857 views • 63 slides
M53 Reconstruction 15 Mile to 18 Mile Sterling Heights, MI Joint Project Locate Presentation

M53 Reconstruction 15 Mile to 18 Mile Sterling Heights, MI Joint Project Locate Presentation

M53 Reconstruction 15 Mile to 18 Mile Sterling Heights, MI Joint Project Locate Presentation Owner: Michigan Department of Transportation Contractor: Dans Excavating, Inc. Scope of Project The project consisted of full reconstruction of

641 views • 29 slides
Project Last Mile [PLM] in West Africa: Leveraging private sector expertise to develop effective

Project Last Mile [PLM] in West Africa: Leveraging private sector expertise to develop effective

Jonathan Halse / Project Last Mile Project Last Mile [PLM] in West Africa: Leveraging private sector expertise to develop effective and sustainable route-to-market (RTM) models to bring life-saving medicines to the last mile 11 th Annual

280 views • 15 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
Can UAVs Fill the Delivery Gap for Global Development? Final Mile Logistics Working Group July

Can UAVs Fill the Delivery Gap for Global Development? Final Mile Logistics Working Group July

Can UAVs Fill the Delivery Gap for Global Development? Final Mile Logistics Working Group July 20, 2016 Olivier Defawe, Ph.D. - Senior Manager Final Mile Logistics Working Group Our Approach: Starting at the Last Mile Often, the last mile of

288 views • 15 slides
Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses in Arizona Arizona L. William Staudenmaier One Arizona Center 400 East Van Buren Street, Suite 1900 Phoenix, Arizona 85004 2202 602.382.6000 |

574 views • 32 slides
Corporate Profile September 8, 2017 Corporate Data History Corporate Data as

Corporate Profile September 8, 2017 Corporate Data History Corporate Data as

Corporate Profile September 8, 2017 Corporate Data History Corporate Data as of March 31, 2017 1967 Started the biomedical business at TaKaRa Group Established : April 1, 2002 2002 Established Takara Bio Inc. as a

211 views • 17 slides
Financial Aid 101 Ben Meadows K- 12 Outreach Representative 2018-2019 Agenda GAfutures.org

Financial Aid 101 Ben Meadows K- 12 Outreach Representative 2018-2019 Agenda GAfutures.org

Financial Aid 101 Ben Meadows K- 12 Outreach Representative 2018-2019 Agenda GAfutures.org Basic Information Federal Programs State Programs Filling out the FAFSA Additional Resources 2 GAfutures.org 3 GAfutures.org

874 views • 68 slides
2016/17 Financial Aid High School Presentation Dorothy J Gilliard FASNA LLC Consultant and HESAA

2016/17 Financial Aid High School Presentation Dorothy J Gilliard FASNA LLC Consultant and HESAA

2016/17 Financial Aid High School Presentation Dorothy J Gilliard FASNA LLC Consultant and HESAA Representative WHAT WE WILL COVER The Types/Sources of Aid The Application Process The Financial Aid Package Higher Education Student

801 views • 41 slides
Employee Benefits Open Enrollment 2016 Agenda Employee Benefits Update 2016 Medical Plans

Employee Benefits Open Enrollment 2016 Agenda Employee Benefits Update 2016 Medical Plans

Employee Benefits Open Enrollment 2016 Agenda Employee Benefits Update 2016 Medical Plans 2016 Ancillary Benefit Plans Additional Benefits Next Steps 2 Healthcare Cost Management What is exp doing to help manage

555 views • 27 slides
Welcome to our GSL Project The Diamond Riding Centre The Diamond Centre for Disabled Riders

Welcome to our GSL Project The Diamond Riding Centre The Diamond Centre for Disabled Riders

Welcome to our GSL Project The Diamond Riding Centre The Diamond Centre for Disabled Riders is a registered charity, which provides facilities to benefit disabled children and adults by having regular contact with horses Our Goal:

536 views • 10 slides
Tools For California Title 22 Daily Recording Requirements The Process In December 2015 we

Tools For California Title 22 Daily Recording Requirements The Process In December 2015 we

Tools For California Title 22 Daily Recording Requirements The Process In December 2015 we started speaking to and working with several health agencies across the state to get input on how our systems can help pool owners, operators and

262 views • 12 slides
Sign Language Interpreters: Recognizing Your Place in the Deaf Community by Sarah Hafer, BA, CDI

Sign Language Interpreters: Recognizing Your Place in the Deaf Community by Sarah Hafer, BA, CDI

Sign Language Interpreters: Recognizing Your Place in the Deaf Community by Sarah Hafer, BA, CDI : Street Leverage Live 2017 two-minute video will be inserted in here once i get it from the contributor #WeAreLeverage Five essential things

62 views • 5 slides
Reminding Physicians of their duty when introducing new tech: the fudge factor, conflicts of

Reminding Physicians of their duty when introducing new tech: the fudge factor, conflicts of

Reminding Physicians of their duty when introducing new tech: the fudge factor, conflicts of interest & just culture Ruth Steinholtz www.aretework.com www.critical-issues-congress.com Disclosure Speaker name: Ruth Steinholtz

491 views • 8 slides

More recommend