DNSSEC & Email Validation Tiger Team (PowerPoint presentation transcript)


DNSSEC & Email Validation Tiger Team
DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC)

Earl Crane

Department of Homeland Security

Office of the CIO

Scott Rose

National Institute of Standards and Technology

Technology Background
  • DNSSEC Overview
    • OMB M-08-23 “Securing the Federal Government's Domain Name System Infrastructure”: all agencies must deploy DNSSEC to their second-level domains by December 2009.
    • Internet Systems Consortium: DNSSEC is the “only full solution” to DNS cache-poisoning attacks
      • Considered the more viable long-term solution; the patches issued for the Kaminsky bug only raise the cost of an attack
    • Cryptographic signatures over DNS data (the RRsets), not over DNS messages
      • Assures integrity of results returned from DNS queries
    • A validating resolver can verify source authenticity and data integrity
      • Checks the chain of signatures up to the root (or another configured trust anchor)
    • Protects against tampering in caches and during transmission
  • Email Validation overview
    • Detects and blocks spoofed/forged mail
    • Sender Policy Framework (SPF) as the minimum for domains that do not send email (publish a record that rejects every sender)
      • “Path based”: senders publish the acceptable message paths (sending IP addresses) for the domain
      • Near-zero deployment requirements for senders
        • DNS records only, no change to outbound servers
    • DomainKeys Identified Mail (DKIM) for domains authorized to send mail
      • “Signature based”: the sending gateway inserts a cryptographic signature into each message for the domain
      • Requires cryptographic operations by the sender's and the receiver's gateway infrastructure
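The receiving side of the SPF check described above, as an added example that is not part of the slides or of any DHS/NIST tool: a simplified check_host() in the sense of RFC 7208, evaluated against constructed TXT records (the domains agency.example, _spf.mailer.example, static.example and loop.example and their policies are invented for illustration). It covers the ip4, ip6, include and all mechanisms with all four qualifiers and enforces the 10-lookup limit; mechanisms that need live DNS (a, mx, ptr, exists, redirect) are deliberately not modelled. The static.example record is the “domain that does not send email” case from the slide.

```python
import ipaddress

# Added example, not from the slides: a simplified SPF check_host() (RFC 7208)
# as a receiving gateway runs it against the connecting IP. The TXT records
# below are constructed for illustration; a real gateway fetches them from DNS,
# which is why deploying SPF costs the sender nothing but a DNS record.

SPF_RECORDS = {
    # an agency that sends from its own /24 and through a contracted mailer
    "agency.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:1::/48 ~all",
    # a domain that never sends mail: the slide's minimum SPF deployment
    "static.example": "v=spf1 -all",
    # an include loop, to exercise the lookup limit
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup_spf(domain, records):
    """Return the domain's SPF record, or None when it publishes none."""
    txt = records.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_host(ip, domain, records=SPF_RECORDS, _lookups=None):
    """Evaluate domain's SPF policy for the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]            # lookup counter shared across include recursion
    ip = ipaddress.ip_address(ip)
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"           # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, records, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included policy: no match, go on
        else:
            return "permerror"    # a/mx/ptr/exists/redirect: not modelled here
    return "neutral"              # nothing matched and no explicit "all"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "agency.example"),
                       ("198.51.100.10", "agency.example"),
                       ("203.0.113.9", "agency.example"),
                       ("203.0.113.9", "static.example"),
                       ("203.0.113.9", "loop.example")]:
        print(f"{ip:>15} claiming {domain:<20} -> {check_host(ip, domain)}")
```

Note that SPF only ties the connecting IP to the envelope domain; it says nothing about the message body, which is what DKIM's signature adds, and a "~all" softfail (as in the mailer's record) is advisory, so a gateway that wants to block forgeries needs "-all".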
The “Kaminsky Bug”
  • Rapid, widespread and resilient
  • Reduces the time required to poison a recursive name server's cache (many queries for random sub-names, each answered with forged authority data, instead of waiting for one cached record to expire)
  • All known name server implementations are affected
    • Some more than others (on the worst, it took < 10 s to poison the cache)
    • Most implementations are now patched (source-port randomization); they are now as easy/difficult to poison as any other implementation
  • Even patched software remains vulnerable
    • The patch only raises the attacker's cost: a successful cache-poisoning attempt is still possible in < 10 hours
What DNSSEC Provides

  • Cryptographic signatures over DNS data (the RRsets), not over DNS messages
  • Assures integrity of results returned from DNS queries:
    • A validating resolver can verify source authenticity and data integrity
    • Checks the chain of signatures up to the root
    • The chain is completely contained within DNS (no external PKI or X.509 certificates needed)
  • Protects against tampering in caches and during transmission
  • Not provided: message encryption (queries and answers stay in cleartext) and protection against denial-of-service attacks


DNSSEC Chain of Trust

[Diagram: the chain of trust as a tree. At the top is “.” (the DNS root), whose KSK is installed as the trust anchor on client resolvers. The root KSK signs the root ZSK; the root ZSK signs the DS records of the TLDs “se.” and “gov.”, each of which has its own KSKs and ZSKs. The “gov.” ZSK in turn signs the DS records of “nist.gov.” and “opm.gov.”; in each of those zones the KSK signs the ZSK, and the ZSK signs the zone Data.]

  • KSKs often serve as the “anchor” of the authentication chain.
  • The higher up in the tree a trust anchor sits, the more useful it is (the more of the namespace it can validate).
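One link of the chain in the diagram, as an added example that is not part of the slides or of any DHS/NIST code: the parent zone publishes a DS record that is a hash of the child's KSK DNSKEY, so a resolver that has validated the parent's data (ultimately from the root trust anchor) can authenticate the child's KSK, which signs the child's DNSKEY RRset, whose ZSK signs the zone data. The key tag and DS digest computations below follow RFC 4034 (Appendix B and section 5.1.4). The zone name example.gov and the key bytes are constructed for illustration (the key material is a byte pattern, not a real public key), and the RRSIG signature verification itself (RSA/ECDSA) is not shown, only the DS-to-DNSKEY link. To check the code against something real, feed it the root DNSKEY with flags 257 from `dig DNSKEY .` and compare with the IANA-published DS for key tag 20326 (algorithm 8, digest type 2).

```python
import hashlib

# Added example, not from the slides: the DS <-> DNSKEY link between a parent
# and child zone in the DNSSEC chain of trust (RFC 4034 section 5.1.4, App. B).
# Names and key bytes are constructed; no real key is used.

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags (257 = KSK/SEP, 256 = ZSK), protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit selector, not a cryptographic check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata, digest_type=2):
    """The DS tuple the parent zone publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds, owner, rdata):
    """Validator's check: does this DS from the parent authenticate this child DNSKEY?"""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False              # unknown digest type: treat the DS as unusable
    if rdata[3] != algorithm or key_tag(rdata) != tag:
        return False              # cheap selectors first, as a resolver does
    return ds_digest(owner, rdata, digest_type) == digest


if __name__ == "__main__":
    # constructed child KSK for example.gov: flags 257 (SEP bit set), RSA/SHA-256 (8)
    ksk = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
    ds = make_ds("Example.GOV.", ksk)       # what the gov. zone would publish
    print("DS for example.gov.:", ds)
    print("child KSK accepted:", ds_matches(ds, "example.gov.", ksk))
    # an attacker who substitutes a key (even by one bit) breaks the link
    forged = ksk[:-1] + bytes([ksk[-1] ^ 0x01])
    print("forged KSK accepted:", ds_matches(ds, "example.gov.", forged))
```

The owner name is part of the hashed input, so a DS published for example.gov cannot be replayed to vouch for the same key under another name, and the parent's DS RRset is itself signed by the parent's ZSK, which is how trust walks down from the root anchor without any external PKI.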


FNS Tiger Team: DNSSEC and E-Mail Validation
Network and Infrastructure Security Subcommittee, ISIMC, Federal CIO Council

  • FY11 FISMA metrics for DNSSEC and email validation:
  • Network Security Protocols: DNSSEC
    • % of external-facing second-level DNS names signed
    • % of external-facing DNS hierarchies with all sub-domains (second-level and below) signed
  • Boundary Protection: Email Validation
    • % of agency email systems that implement sender verification (anti-spoofing) technologies such as S/MIME, DKIM and SPF when sending messages to/from government agencies or the public