towards set and forget dnssec
play

Towards Set and Forget DNSSEC The beginning of the end of key - PowerPoint PPT Presentation

Sep 18, 2022 •266 likes •463 views

Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Mans HSM Part 2) ccNSO Tech Day, 15 July 2013, Durban, ZA, Richard Lamb, slamb@xtcn.com Typical Signer (I am not a graphic artist!) time signer zone

  1. Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Man’s HSM Part 2) ccNSO Tech Day, 15 July 2013, Durban, ZA, Richard Lamb, slamb@xtcn.com

  2. Typical Signer (I am not a graphic artist!) time signer zone [Pre-gen data s/w signed DNSKEY RRsets] digital hash(inception/ ZSK signature expiration time, [KSK] valid for RRset data…) (HSM) ~week validity=~week (RRSIG)

  3. Compromise: not if but when time signer zone [Pre-gen data s/w signed DNSKEY RRsets] hash(10 years ZSK digital from now, signature [KSK] RRset data…) (HSM) good for 10 years!

  4. Safe Signer signer zone data s/w inception/ digital time source, expiration time, signature maximum RRset data… valid for < validity ~week ~week, ZSK, KSK

  5. Can always recover w/o dealing with parent (no KSK roll) signer zone data s/w 10 years from digital now, RRset time source, signature maximum data… valid for < validity ~week ~week, ZSK, KSK

  6. Further simplification signer zone s/w ZSK data s/w “Push button to roll zsk” inception/ digital time source, expiration time, signature maximum RRset data… valid for < validity ~week ~week, KSK, RNG

  7. Problem: HSM’s do not work this way • Nothing stopping me from building it – we have the technology precision RTC wire mesh /w LP SRAM battery tamper IC /w for keys temp and 3.3V reg voltage det TPM 32bit-ARM (ATSC3204 ) (128K/64K ) photo vibration detector sensor card magnetometer usb reader

  10. Features • Tamper IC (STM1404) “supports” FIPS 140-2 level 4 • TPM ~20 1024 RSA/sec • RNG • 2-factor M-of-N using built-in card reader or Google Authenticator Token for setting parameters (e.g., max validity), key generation, backup/migration • Remote M-of-N capability • modified BIND 9.9.2 RRSIG interface or pkcs11 driver • 2048bit RSA keyed firmware loader • Tamper protected precision temperature compensated RTC (PCF2127) • Low cost

  11. Authentication example # screen /dev/ttyUSB0 115200 > version Cryptobat firmware version 0.60.51D8207C (c) KLW rst:software rtt:2296/4294967295 rstc: sr:00010300 mr:00000001 > date Y:13 M:07 D:06 h:14 m:14 s:02 ok 1373120042 > colist > coadd lamb ***write***read Added CO: lamb Secret: HZ5KNVA3KA3UYD2U https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/lamb?secret=HZ5KNVA 3KA3UYD2U > colist |lamb| not present > cologin lamb 192498 checkpin: del=0 CO lamb Ok > colist |lamb| present > setmaxval 3600 Configuration disabled

  12. Cont.. > coadd jakob ***write***read Added CO: jakob Secret: 7MZDTPOU4JWESYFO .... > colist |lamb| present |jakob| not present > cologin jakob 061612 Failed > cologin jakob 107712 CO jakob Ok > colist |lamb| present |jakob| present > setmaxval 3600 Maximum validity period set to +3600 seconds > coreset > colist |lamb| not present |jakob| not present > date Y:13 M:07 D:06 h:14 m:20 s:07 ok 1373120407

  13. Signing using modified dnssec-signzone # bind-9.9.2-P2/bin/dnssec/dnssec-signzone -s now -e +300 -v 5 -x -o testzone -k Ktestzone.+008+35407 testzone Ktestzone.+008+58968 dnssec-signzone: debug 3: pkcs11_parse: Start dnssec-signzone: debug 3: pkcs11: pkcs11_login: start dnssec-signzone: debug 3: pkcs11: pkcs11_initlib Start C_GetFunctionList+1636: C_Initialize+1519: serial_init+1872:Openned /dev/ttyUSB0 |> v2on| |TWI_ConfigureMaster()| |Using CKDIV = 1 and CLDIV/CHDIV = 158 CWGR=00019E9E| C_GetSlotList+1414: C_OpenSession+1430: dnssec-signzone: debug 3: pkcs11: C_Login 1 C_Login+1394: dnssec-signzone: debug 3: pkcs11: pkcs11_parse Ktestzone.+008+35407 C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000002 C_FindObjectsFinal+844: C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000003 C_FindObjectsFinal+844: C_GetAttributeValue+1014: C_GetAttributeValue+1014: dnssec-signzone: testzone/NSEC: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: testzone/DNSKEY: dnssec-signzone: signing with dnskey testzone/RSASHA256/35407 dnssec-signzone: debug 3: pkcs11: rick_thsm doing pkcs11_RSA_sign TIMED C_SignInit+673: writecryptolcmd: |tpmloadkey| 559

  14. Cont… |> tpmloadkey| |***write| |***read| |***write| |***read| |tpm_loadkey: handle = 3285047210 hex: 0xC3CDD7AA| |ok: key loaded handle=C3CDD7AA| C_SignInit+728:|ok: key loaded handle=C3CDD7AA| C_SignInit+736:tpmhandle:C3CDD7AA hsmhandle:00000003 dnssec-signzone: debug 3: pkcs11: pkcs11_RSA_sign TimedSign C_Sign 1 C_Sign+748: |> tpmtimedsign| | checking expiration time 1373120022 < 1373123348 and algorithm 8| | computing hash of 468 bytes:| |***write| |***read| |tpm_sign: handle = C3CDD7AA| |***write| |***read| |ok: signature| | 69 35 47 56 E5 0E A6 B2 26 29 50 59 40 1C FD 4E |… |DONE| C_Sign+782:signature:

  15. Cont… dnssec-signzone: testzone/SOA: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: testzone/NS: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: www.testzone/NSEC: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: www.testzone/A: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 Verifying the zone using the following algorithms: RSASHA256. Zone fully signed: Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked ZSKs: 1 active, 0 present, 0 revoked testzone.signed dnssec-signzone: debug 3: pkcs11: pkcs11_logout: C_Logout 1 C_Logout+1402: C_CloseSession+1470: |> tpmflush C3CDD7AA| |***write| |***read| |> tpmreset| |***write| |***read| C_CloseSession: done dnssec-signzone: debug 3: pkcs11: pkcs11_logout: done C_Finalize+1504

  16. Cont…validity period too long # bind-9.9.2-P2/bin/dnssec/dnssec-signzone -s now -e +3700 -v 5 -x -o testzone -k Ktestzone.+008+35407 testzone Ktestzone.+008+58968 dnssec-signzone: debug 3: pkcs11: pkcs11_login: start dnssec-signzone: debug 3: pkcs11: pkcs11_initlib Start C_GetFunctionList+1636: C_Initialize+1519: serial_init+1872:Openned /dev/ttyUSB0 |> v2on| |TWI_ConfigureMaster()| |Using CKDIV = 1 and CLDIV/CHDIV = 158 CWGR=00019E9E| C_GetSlotList+1414: C_OpenSession+1430: dnssec-signzone: debug 3: pkcs11: C_Login 1 C_Login+1394: dnssec-signzone: debug 3: pkcs11: pkcs11_parse Ktestzone.+008+35407 C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000002 C_FindObjectsFinal+844: C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000003 C_FindObjectsFinal+844: C_GetAttributeValue+1014: C_GetAttributeValue+1014: dnssec-signzone: testzone/NSEC: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: testzone/DNSKEY: dnssec-signzone: signing with dnskey testzone/RSASHA256/35407 dnssec-signzone: debug 3: pkcs11: rick_thsm doing pkcs11_RSA_sign TIMED C_SignInit+673: writecryptolcmd: |tpmloadkey| 559 |> tpmloadkey| |***write| |***read| |***write| |***read| |tpm_loadkey: handle = 1815518807 hex: 0x6C369E57| |ok: key loaded handle=6C369E57|

  17. Cont… C_SignInit+728:|ok: key loaded handle=6C369E57| C_SignInit+736:tpmhandle:6C369E57 hsmhandle:00000003 dnssec-signzone: debug 3: pkcs11: pkcs11_RSA_sign TimedSign C_Sign 1 C_Sign+748: |> tpmtimedsign| | checking expiration time 1373123496 < 1373123422 and algorithm 8| |fail: RRSIG expiration time exceeds HSM policy| C_Sign+782:signature: dnssec-signzone: fatal: dnskey 'testzone/RSASHA256/35407' failed to sign data: ran out of space C_Finalize+1504: C_CloseSession+1470: |> tpmflush 6C369E57| |***write| |***read| |> tpmreset| |***write| |***read| C_CloseSession: done

  18. I’ll have some ZnS with that please (gamma ray scintillation detector)

  19. Thanks to Jakob Schlyter, Frederico Neves, Roy Arends, David Miller, and so many others

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
They may forget what you said, but they will never forget how you made them feel .

They may forget what you said, but they will never forget how you made them feel .

They may forget what you said, but they will never forget how you made them feel . @ModestRobert @BunnyfootSays 1 Emotional Design 2 Technology moves from utilitarian to higher needs including emotion 3 Technology moves from

918 views • 55 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker &lt;wes.hardaker@parsons.com&gt; Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
1 The Canadian Radiation Protection Association (CRPA) is a not for profit professional

1 The Canadian Radiation Protection Association (CRPA) is a not for profit professional

Thank you to the Canadian Nuclear Safety Commission for the opportunity to present in front of you today. My name is Tanya Neretljak, current President of the Canadian Radiation Protection Association, and with me is Ali Shoushtarian, Director of

513 views • 24 slides
Update on IA IAEA profic iciency te test exe xercises Arend Harms and Iolanda Osvath IAEA

Update on IA IAEA profic iciency te test exe xercises Arend Harms and Iolanda Osvath IAEA

Update on IA IAEA profic iciency te test exe xercises Arend Harms and Iolanda Osvath IAEA Environment Laboratories Monaco IAEA International Atomic Energy Agency 2015 IA IAEA pro roficiency test exe xercise (in (introduction) 2015

433 views • 27 slides
SNO+ Double Beta SNO+ Double Beta Decay with Nd Nd Decay with M. Chen M. Chen Queen

SNO+ Double Beta SNO+ Double Beta Decay with Nd Nd Decay with M. Chen M. Chen Queen

SNO+ Double Beta SNO+ Double Beta Decay with Nd Nd Decay with M. Chen M. Chen Queen s University s University Queen Sudbury Neutrino Observatory 1000 tonnes D 2 O 12 m diameter Acrylic Vessel 18 m diameter support structure;

768 views • 35 slides
A Summary of the CMS ECAL with Applications to HEP Analysis Daniel Klein Thursday Pizza Lecture

A Summary of the CMS ECAL with Applications to HEP Analysis Daniel Klein Thursday Pizza Lecture

A Summary of the CMS ECAL with Applications to HEP Analysis Daniel Klein Thursday Pizza Lecture 11/7/2013 Outline I. Motivation 1. What is an ECAL? 2. Design requirements for CMS ECAL II. Design 1. Materials 2. Crystal geometry 3.

367 views • 17 slides
Space Weather Enterprise -- Building a Committed Partnership Space Weather Workshop Boulder, CO

Space Weather Enterprise -- Building a Committed Partnership Space Weather Workshop Boulder, CO

Growing the Space Weather Enterprise -- Building a Committed Partnership Space Weather Workshop Boulder, CO April 15, 2015 Conrad C Lautenbacher, Jr CEO, GeoOptics, Inc 1 Agenda Committed Partnership Policy Foundation

492 views • 25 slides
Solutions for industrial applications: Industries : Oil &amp; Gas, Petrochemical, Mining,

Solutions for industrial applications: Industries : Oil &amp; Gas, Petrochemical, Mining,

Solutions for industrial applications: Industries : Oil &amp; Gas, Petrochemical, Mining, Steel, Chemical, Cement, Pulp &amp; Paper, Food Environment: Decommissioning, Decontamination, Radiation detection Technical advice and

741 views • 16 slides
REHABILITATION FOLLOWING SCR AND RTSA 2017 Ortho Summit December 9, 2017 Ellen Shanley PhD, PT,

REHABILITATION FOLLOWING SCR AND RTSA 2017 Ortho Summit December 9, 2017 Ellen Shanley PhD, PT,

REHABILITATION FOLLOWING SCR AND RTSA 2017 Ortho Summit December 9, 2017 Ellen Shanley PhD, PT, OCS I (and/or my co-authors) have nothing to disclose. Detailed disclosure information is available through the Orthopedic Summit The Paradigm

559 views • 29 slides
Friday, September 13, 2019 12:30 PM 4:00 PM Location: The Department of Health Care Policy

Friday, September 13, 2019 12:30 PM 4:00 PM Location: The Department of Health Care Policy

Friday, September 13, 2019 12:30 PM 4:00 PM Location: The Department of Health Care Policy &amp; Financing, 303 East 17 th Avenue, Denver, CO 80203. 7 th Floor Rooms B&amp;C. Conference Line: 1-877-820-7831 Passcode: 294442# Topic Suggestions,

459 views • 25 slides

More recommend