Internet Security 1 (IntSi1). 12 DNS Security Extensions (DNSSEC). Prof. Dr. Andreas Steffen, Institute for Internet Technologies and Applications (ITA). DNS Resolution via Recursive Nameserver. DNS Request. DNS Response. Simple DNS Cache Poisoning.

Presentation Transcript
Internet Security 1 (IntSi1)

12 DNS Security Extensions (DNSSEC)

Prof. Dr. Andreas Steffen, Institute for Internet Technologies and Applications (ITA)

DNS Root Servers

Letter  IPv4            IPv6                   Operator                             #
A       198.41.0.4      2001:503:BA3E::2:30    VeriSign Inc.                        4
B       192.228.79.201  2001:478:65::53        Information Sciences Institute, USC  1
C       192.33.4.12     -                      Cogent Communications                6
D       128.8.10.90     -                      University of Maryland               1
E       192.203.230.10  -                      NASA Ames Research Center            1
F       192.5.5.241     2001:500:2F::F         Internet Systems Consortium Inc.     49
G       192.112.36.4    -                      US DoD Network Information Center    6
H       128.63.3.53     2001:500:1::803F:235   US Army Research Lab                 1
I       192.36.148.17   2001:7FE::53           Autonomica/NORDUnet                  34
J       192.58.128.30   2001:503:C27::2:30     VeriSign Inc.                        70
K       193.0.14.129    2001:7FD::1            RIPE NCC                             18
L       199.7.83.42     2001:500:3::42         ICANN                                3
M       202.12.27.33    2001:DC3::35           WIDE Project                         6

Total number of servers: 200

DNSSEC Chain of Trust

Zones in the chain: root, ch., switch.ch. Each record below is signed by the key named after it (KSK/ZSK = the DNSKEY RRset is signed by both keys, ZSK = signed by the zone signing key only):
  • root DNSKEY (KSK) * : trust anchor; signs the root DNSKEY RRset (KSK/ZSK)
  • root DNSKEY (ZSK): signs the ch. DS record
  • ch. DS: hash of the ch. DNSKEY (KSK), signed by the root ZSK
  • ch. DNSKEY (KSK): signs the ch. DNSKEY RRset (KSK/ZSK)
  • ch. DNSKEY (ZSK): signs the switch.ch. DS record
  • switch.ch. DS: hash of the switch.ch. DNSKEY (KSK), signed by the ch. ZSK
  • switch.ch. DNSKEY (KSK): signs the switch.ch. DNSKEY RRset (KSK/ZSK)
  • switch.ch. DNSKEY (ZSK): signs switch.ch. NS ns1/ns2 and www.switch.ch. A x.x.x.x

* explicit import e.g. via trusted web site

DNSSEC Resource Records I - DNSKEY
  • DNSKEY - DNS Public Key
  • Contains a public key used to sign the RRsets of a zone:

    switch.ch. 81154 IN DNSKEY 256 3 5 AwEAAeCDWwjJO4mXBzayiKf4p7waJ7Ew eUnsTsAWkxpfELci4iaVdBugzYPfsZIg 9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJ jXAGMRwRJIBprFx4BXZSsjsvGb6MGC+exHSlXw== ;{id = 64608 (zsk), size = 768b}

  • Flags field
    • 256 -> Zone Signing Key (ZSK)
    • 257 -> Key Signing Key (KSK) with secure entry point (SEP) flag set
  • Algorithm field
    • 5 -> SHA-1 with RSA
    • 7 -> SHA-1 with RSA & NSEC3 with SHA-1
    • 8 -> SHA-256 with RSA
    • 10 -> SHA-512 with RSA
DNSSEC Resource Records II - RRSIG
  • RRSIG - Resource Record Signature
  • Contains the public-key signature over a resource record set (RRset):

    merapi.switch.ch. 172800 IN A 130.59.211.10
    merapi.switch.ch. 172800 IN RRSIG A 5 3 172800 20091128231033 20091029231033 64608 switch.ch. 3KW9YjxdL08FqVYKFSn9 Q4+8U1iYrVCun+J1Ny8Y IiMC+6oQS/GZwRn2mr+H MruwEjNB9s7bWGzRmRiR TATPvS67gxjCiJkSP58P kGJ1dW3wBaz6r1feGNvz KhHLhvRe ;{id = 64608}

  • RRSIG fields in order: type covered (A), algorithm (5), number of labels (3), original TTL (172800), signature expiration, signature inception, key tag (64608), signer's name (switch.ch.), signature
  • Signature Expiration and Inception fields
    • The signature is not valid before the Inception date or after the Expiration date.
  • Key Tag field
    • Contains the key tag of the key which signed the RRset (here 64608, the switch.ch. ZSK shown on the DNSKEY slide).
DNSSEC Resource Records III - DS
  • DS - Delegation Signer
  • Signed hash computed over the KSK of the child zone; the DS RRset lives in the parent zone (ch.) and is signed with the parent's key:

    switch.ch. 3364 IN DS 43837 5 1 91dcfca519cf8b038441869878cc3610 60200534
    switch.ch. 3364 IN DS 43837 5 2 838cef7635952df83311a92b48ae7f19 1ae29484534e38b1ab7b3d0966b9ee55
    switch.ch. 3416 IN RRSIG DS 7 2 3600 20091123183442 20091117220724 31034 ch. LPh8RgXQSqPcdQz6s1PJOjTuopO9RxQg s1YYCY/CnhYaHxb6ndNBJ7QP20eKN+91 /ULjN4Ep/k9Pgtos979i5OfEXpfLcWcv rKP1xGvqW4PjP+MT1PDs6uKisEUqGBoQ p7+nkkzjY+YsDbxtTV+/8uHcSnNmXoMm SqPms3G0aw4= ;{id = 31034}

  • DS fields in order: key tag of the child's KSK (43837), its algorithm (5), digest type (1 = SHA-1, 2 = SHA-256), digest
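Added example (not from the slides): the switch.ch. DNSKEY record from the DNSKEY slide rebuilt as wire-format RDATA so that the key tag printed in its ";{id = 64608}" comment can be recomputed per RFC 4034 Appendix B, the 768-bit key size read out of the RFC 3110 RSA encoding, and a DS digest derived the way a parent zone does it (hash over owner name plus DNSKEY RDATA). The KSK with tag 43837 referenced by the DS records above is not on the slides, so the ZSK is used as the DS input here purely to show the computation.

```python
import base64
import hashlib

# DNSKEY from the slide: owner, flags, protocol, algorithm, base64 key (whitespace removed)
SWITCH_ZSK = ("switch.ch.", 256, 3, 5,
              "AwEAAeCDWwjJO4mXBzayiKf4p7waJ7EweUnsTsAWkxpfELci4iaVdBugzYPfsZIg"
              "9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJjXAGMRwRJIBprFx4BXZSsjsvGb6MGC+exHSlXw==")

def key_tag(rdata):
    # RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry, keep the low 16 bits
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_public_key(pubkey):
    # RFC 3110 layout: exponent length (1 byte, or 0x00 + 2 bytes), exponent, modulus
    exp_len, off = pubkey[0], 1
    if exp_len == 0:
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    exponent = int.from_bytes(pubkey[off:off + exp_len], "big")
    modulus_bits = int.from_bytes(pubkey[off + exp_len:], "big").bit_length()
    return exponent, modulus_bits

def wire_name(name):
    # Canonical wire-format owner name: length-prefixed lower-case labels, root label = 0x00
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    # DS digest = hash(owner name | DNSKEY RDATA); digest type 1 = SHA-1, 2 = SHA-256
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest()

def analyze_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    # Rebuild the wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    exponent, bits = rsa_public_key(rdata[4:])
    return {
        "role": "KSK" if flags & 1 else "ZSK",  # low bit = SEP flag: 257 = KSK, 256 = ZSK
        "key_tag": key_tag(rdata),               # must match the ';{id = ...}' comment
        "exponent": exponent,
        "size_bits": bits,                       # the 'size = 768b' in the comment
        "ds_sha1": ds_digest(owner, rdata, 1),
        "ds_sha256": ds_digest(owner, rdata, 2),
    }

if __name__ == "__main__":
    for k, v in analyze_dnskey(*SWITCH_ZSK).items():
        print(f"{k}: {v}")
```

A validating resolver performs the same key-tag computation to pick the DNSKEY an RRSIG or DS refers to; a mismatch between the recomputed tag and the record's key tag means the wrong key (or a corrupted record) is being checked.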
DNSSEC Resource Records IV - NSEC
  • NSEC – Next Owner Name
  • Authenticated denial of existence of an owner name:

    merapi.switch.ch. 180 IN NSEC mercury.switch.ch. A PTR AAAA LOC RRSIG NSEC
    merapi.switch.ch. 180 IN RRSIG NSEC 5 3 180 20091128231033 20091029231033 64608 switch.ch. kW1SnXWoJKwOHEG1P3INI83EOGuQGujwvBT/MSWVQ+ms/2DXxjQcpt1Z P07+XI51cc0t7erUUG31KZdmUpXZ tQzPUJh49jjLh9aTjRiH1xGhlxv5 af+N95JDykRGSOAq ;{id = 64608}

  • Proof that there is no name between merapi.switch.ch. and mercury.switch.ch.
  • Allows enumeration of the complete zone data!!!
DNSSEC Resource Records V - NSEC3
  • NSEC3 – Next Owner Name in Hashed Order
  • Hashed Authenticated Denial of Existence:

    h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN NSEC3 1 1 1 d399eaab h9rsfb7fpf2l8hg35cmpc765tdk23rp6 NS SOA RRSIG DNSKEY NSEC3PARAM ; flags: optout
    h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN RRSIG NSEC3 7 2 86400 20091202211702 20091118201702 5273 org. a+CC37hRM7yCFBaZn2SeRgY9h247GXptCuBYf45TwaoRxvBwTAXPT+UwZ/4hxwc2v7AR7ZZ8UOMiNJvYsl59eFW8 Xtgws4/Aih0fJ2/O8yUHwI695fRf9PrpxXEpqzStjSZP 5arJ1oldDAHcnxgLqdAMW6wnK1FNrslfJblJlmU= ;{id = 5273}

  • NSEC3 fields in order: hash algorithm (1 = SHA-1), flags (1 = opt-out), iterations (1), salt (d399eaab), next hashed owner name, type bit map
  • Proof that there is no name between org. and ???.org.
  • Does not allow straight enumeration of zone data!
  • Dictionary attacks are possible but expensive.
DNSSEC Root Zone Signing Process

DS records flow through the following parties before they reach the signed root zone:
  • TLD Operator: submits the DS records of its TLD
  • ICANN: vetting and processing of the DS records
  • DoC NTIA: authorization of the changes
  • VeriSign: editing and signing of the root zone with the Root ZSK
  • Root Servers (A, ..., M): serve the signed root zone

DNSSEC Root Zone Signing Key Signing Process

  • VeriSign ZSK Management: holds the ZSK private key and sends a Key Signing Request (KSR) containing the ZSKs to ICANN
  • ICANN KSK Management: holds the KSK private key, signs the ZSKs with the KSK and returns a Signed Key Response (SKR)
  • The KSK is published on a web site (the trust anchor that validators import explicitly)

ICANN Key Ceremonies

Physical access tiers around the KSK private keys:
  • Tier 1 – Facility – Access control by data center
  • Tier 2 – Facility – Access control by data center
  • Tier 3 – Facility – Access control by data center
  • Tier 4 – Cage – Access control by data center
  • Tier 5 – Safe Room – Access control by ICANN
  • Tier 6 – Safe #1 and Safe #2
  • Tier 7 – HSM (KSK private keys) and Safe Deposit Box (Crypto Officers' credentials)
  • Key Ceremony Computer used inside the safe room

Periodic Key Rollover

Timeline (days): T-10, T+0, T+10, T+20, T+30, T+40, T+50, T+60, T+70, T+80, T+90

ZSK Rollover (every 90 days)
  • pre-publish: the incoming ZSK is added to the DNSKEY RRset before it starts signing
  • active ZSK: signs the zone data for the 90-day period
  • post-publish: the outgoing ZSK remains in the DNSKEY RRset after it stops signing, until all its signatures have expired from caches

Optional KSK Rollover (every 2-5 years or on demand)
  • publish: the new KSK is published in the DNSKEY RRset
  • publish+sign: the KSK is published and signs the DNSKEY RRset
  • revoke+sign: the outgoing KSK is marked revoked and still signs the DNSKEY RRset before it is removed

RRSIG Validity Period (10 days + 50% overlap)

DNSSEC Deployment (November 28 2011)
  • TLDs signed by root zone:
    • 11 gTLDs: arpa asia biz cat com edu gov info museum net org
    • 54 ccTLDs: ac ag am be bg br bz ch cl co cz de dk eu fi fr gi gl gr hn in io jp kg kr la lc li lk lu me mn my na nc nl nu pm pr pt re sc se sh su tf th tm tw ug uk us wf yt
    • 2 IDN ccTLDs: xn--kprw13d xn--kpry57d (台湾 Taiwan)
  • TLDs with DNSKEY set:
    • 1 gTLD: mil
    • 3 ccTLDs: mm nz vc
    • 2 IDN ccTLDs: xn--fzc2c9e2c (ලංකා Sinhala, Sri Lanka), xn--xkc2al3hye2a (இலங்கை Tamil, Sri Lanka)
  • Signing of major gTLDs:
    • net: December 9, 2010
    • com: March 2011