Securing the last mile of DNS with CGA-TSIG - Marc Buijsman (Master System & Network Engineering) - PowerPoint PPT Presentation



SLIDE 1

Securing the last mile of DNS with CGA-TSIG

Marc Buijsman

Master System & Network Engineering

19 December 2013

SLIDE 2

Problem statement

"last mile" not secured

[Diagram: client (stub resolver) -- last mile -- recursive name server -- internet -- authoritative name servers (three shown)]

SLIDE 3

Problem statement

- do local resolution: requires a local server
- DNSSEC: requires the root key; validating stub
- DNSCurve: not widely deployed; needs server support
- TSIG: DNS message authentication; shared key not scalable

SLIDE 4

Problem statement

new proposal: CGA-TSIG

research question:

Is CGA-TSIG an adequate solution to the last mile problem?

- Does CGA-TSIG provide the necessary security?
- Is the CGA-TSIG specification correct?

[Diagram: specification, model, implementation; verification]

SLIDE 5

TSIG

Transaction Signature

SLIDE 6

TSIG resource record

[Diagram: resource record layout; slides 7-10 add the annotations below one by one]

Name | Type | Class | TTL | RdLen | RDATA

RDATA: Algorithm Name | Time Signed | Fudge | MAC Size | MAC | Original ID | Error | Other Len | Other Data

Annotations:
- Name: used for key ID
- Type: "TSIG"
- Algorithm Name: "HMAC-MD5"
- MAC: signature

SLIDE 11

TSIG variables

[Diagram: the same record layout (Name | Type | Class | TTL | RdLen | RDATA; RDATA: Algorithm Name | Time Signed | Fudge | MAC Size | MAC | Original ID | Error | Other Len | Other Data), with the subset of fields that form the "TSIG variables" marked]

SLIDE 12

TSIG signature

[Diagram: DNS message + TSIG variables -> HMAC, keyed with the shared key -> MAC / signature, stored in the MAC field of the record]
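Added example (not from the slides, nor from ldns): how the MAC on slide 12 is computed, with the TSIG variables of RFC 2845 digested after the DNS message and keyed with the shared secret, plus the fudge-window check a verifier applies. The key name, secret, query and timestamps are constructed; the algorithm is the slide's HMAC-MD5.

```python
import hashlib
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int"  # RFC 2845 name of the "HMAC-MD5" algorithm on the slide

def wire_name(name: str) -> bytes:
    # Canonical wire form of a domain name: lowercase labels, each length-prefixed, zero-terminated.
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def tsig_variables(key_name: str, algorithm: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    # The "TSIG variables" digested with the message: NAME, CLASS (ANY = 255), TTL (0),
    # Algorithm Name, Time Signed (48 bits), Fudge, Error, Other Len, Other Data.
    # MAC Size, the MAC itself and Original ID are not part of the digest.
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_mac(secret: bytes, message: bytes, key_name: str, time_signed: int, fudge: int,
             request_mac: bytes = b"") -> bytes:
    # Digest input: [request MAC with 2-octet length, responses only] || DNS message || TSIG variables.
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += message + tsig_variables(key_name, HMAC_MD5, time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()

def verify_tsig(secret: bytes, message: bytes, key_name: str, time_signed: int, fudge: int,
                mac: bytes, now: int) -> bool:
    # Reject messages outside the fudge window (replay protection), then compare in constant time.
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(tsig_mac(secret, message, key_name, time_signed, fudge), mac)

def constructed_query(qname: str = "example.com") -> bytes:
    # Constructed sample: an A query (ID 0x1234, RD set, QDCOUNT 1) as digested, i.e. without the TSIG RR.
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", 1, 1)
```

Because Time Signed and Fudge are both inside the digest, a replayed message can neither be shifted in time nor have its window widened without invalidating the MAC; this is the property slide 28 finds missing for Fudge in the CGA-TSIG draft.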

SLIDE 13

CGA

Cryptographically Generated Addresses

SLIDE 14

CGA

- public key authentication
- binds a public key to an IPv6 address
- does a signed message come from that address?
- anyone can claim an address

SLIDE 15

CGA generation

[Flowchart, reconstructed from the slide:]
- start: modifier = rand(); collision count = 0; sec in {0..7}; subnet prefix P (64 bits), public key K, extension fields E
- hash2 (112 bits) = SHA-1 over modifier, zeroed subnet prefix and collision count, K, E
- if the leftmost 16*sec bits of hash2 are not 0: modifier++, recompute hash2
- hash1 (64 bits) = SHA-1 over modifier, P, collision count, K, E
- ID = hash1 with bits 0, 1, 2 set to sec and bits 6, 7 set to 0 ("CGA" ID 012 ... 67)
- address = subnet prefix P (64 bits) || interface identifier ID (64 bits)
- duplicate? yes: collision count++, recompute hash1; no: finish
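Added example (not from the slides, nor from the author's ldns or Scapy6 code): the generation flow above and the matching RFC 3972 verification in Python. The subnet prefix, the public-key bytes (a constructed stand-in for the DER-encoded key the RFC digests) and sec are assumed; extension fields are left empty.

```python
import hashlib
import ipaddress
import secrets

def hash2(modifier: bytes, pubkey: bytes, ext: bytes = b"") -> bytes:
    # Hash2: modifier || 9 zero octets (subnet prefix and collision count zeroed) || public key
    # || extension fields, leftmost 112 bits.  Only the modifier search depends on it.
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey + ext).digest()[:14]

def hash1(modifier: bytes, prefix: bytes, count: int, pubkey: bytes, ext: bytes = b"") -> bytes:
    # Hash1: modifier || subnet prefix || collision count || public key || extension fields, leftmost 64 bits.
    return hashlib.sha1(modifier + prefix + bytes([count]) + pubkey + ext).digest()[:8]

def leading_zero_bits(data: bytes, n: int) -> bool:
    # True when the leftmost n bits of data are zero (n == 0, i.e. sec == 0, is always satisfied).
    return n == 0 or (int.from_bytes(data, "big") >> (len(data) * 8 - n)) == 0

def generate_cga(prefix: bytes, pubkey: bytes, sec: int, count: int = 0, modifier: bytes = b""):
    """Return (IPv6 address, CGA Parameters) for a 64-bit subnet prefix, public key and sec value."""
    assert len(prefix) == 8 and 0 <= sec <= 7 and 0 <= count <= 2
    modifier = modifier or secrets.token_bytes(16)
    # Hash extension: increment the modifier until Hash2 starts with 16*sec zero bits.
    while not leading_zero_bits(hash2(modifier, pubkey), 16 * sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) & (2**128 - 1)).to_bytes(16, "big")
    iid = bytearray(hash1(modifier, prefix, count, pubkey))
    # Interface identifier: bits 0-2 carry sec, bits 6 and 7 (u/g) are cleared.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix + bytes(iid)), (modifier, prefix, count, pubkey)

def verify_cga(addr: ipaddress.IPv6Address, params) -> bool:
    """RFC 3972 verification: collision count and prefix checks, Hash1 match, Hash2 work-factor check."""
    modifier, prefix, count, pubkey = params
    packed = addr.packed
    if count > 2 or prefix != packed[:8]:
        return False
    iid = packed[8:]
    h1 = hash1(modifier, prefix, count, pubkey)
    # Compare Hash1 with the IID, ignoring the sec bits (0-2) and the u/g bits (6, 7) of the first octet.
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5  # sec is read from the address itself, so the claimant must have done the work
    return leading_zero_bits(hash2(modifier, pubkey), 16 * sec)
```

With sec = 1 the modifier search takes about 2^16 SHA-1 evaluations; each further sec step multiplies that by 2^16, which is the 2^(16*sec) factor in the CGA security slide.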

SLIDE 16

CGA-TSIG

SLIDE 17

CGA-TSIG

- TSIG's individual message authentication... ...but with public-key crypto: scalable
- CGA to authenticate the public key
- recursive name server accepts anonymous queries: clients do not need a CGA
- authenticated key/address changes
- initial address verification? DHCP configuration may be spoofed

SLIDE 18

CGA-TSIG resource record

[Diagram: TSIG record layout with the CGA-TSIG data carried in Other Data; slides 19-24 add the annotations below one by one]

Name | Type | Class | TTL | RdLen | RDATA

RDATA: Algorithm Name | Time Signed | Fudge | MAC Size | MAC | Original ID | Error | Other Len | Other Data

Other Data: CGA-TSIG Len | Algorithm Type | Type Tag | IP Tag | Parameters Len | Parameters | Signature Len | Signature | Old Public Key Len | Old Public Key | Old Signature Len | Old Signature

Parameters: Modifier | Subnet Prefix | Collision Count | Public Key | Extension Fields

Annotations:
- Algorithm Name: "CGA-TSIG"
- Algorithm Type: "RSA"
- Type Tag: "CGA"
- IP Tag: old IP
- Signature: instead of MAC

SLIDE 25

Proof of concept

SLIDE 26

Proof of concept

- ldns library from NLnet Labs: written in C, already supports TSIG
- extended to support CGA-TSIG: CGA verification, public key signature generation/verification
- CGA generation tool: uses Scapy6, written in Python

SLIDE 27

Results

SLIDE 28

Results

[Diagram: the CGA-TSIG record layout of slide 18, with fields colour-coded red and blue]

- time signed is digested... ...but fudge is not: replay attacks
- nor are the other fields shown in red
- blue fields can appear in arbitrary order
- does not adhere to TSIG
- signature fields left out

SLIDE 29

Results

[Diagram: the CGA-TSIG record layout of slide 18]

- signature in new field
- MAC field left unused
- could save space if used

SLIDE 30

Results

[Diagram: the CGA-TSIG record layout of slide 18]

- One-sided authentication, unlike TSIG: for the last mile
- how to request CGA-TSIG? set algorithm name; algorithm type too?
- time signed set to 0
- query is not signed

SLIDE 31

Results

[Diagram: the CGA-TSIG record layout of slide 18]

- no CGA type tag defined: related protocol attacks
- what to do with the name field?
- 1-octet length fields; parameters length fields?
- Other time signed check
- new CGA for server: how will clients know?
- Old public key format not specified

SLIDE 32

Conclusion

SLIDE 33

Conclusion

- CGA-TSIG draft needs improvements
- can use any public key size
- CGA bit-strength up to 2^171
- Only useful in IPv6
- TSIG implementations easy to extend, even though additions are required
- clients still need to verify the CGA somehow...

Is CGA-TSIG an adequate solution to the last mile problem?

SLIDE 34

CGA security

- cost to find a hash1 collision: O(2^59)
- sec increases the bit-strength by a factor 2^(16*sec) to find a hash2 collision
- total cost: O(2^(59 + 16*sec))
- sec cannot be spoofed

SLIDE 35

Demo

Demolition time!

SLIDE 36

Q&A

?

SLIDE 37

Demo

SLIDE 38

Demo

SLIDE 39

Demo

SLIDE 40

Demo