ION Santiago - DNSSEC and DANE Based Security for TLS

DNSSEC and DANE BasedSecurity For TLS

An Introduction

Wes HardakerParsons

<wes.hardaker@parsons.com>

Who is Wes Hardaker?

● Work for PARSONS– Cyber securty parsons.com/cyber

● Network Security Research Group– Technical Director

– Infrastructure security specialists● DNSSEC, RPKI, BGPSEC, SNMP, IPSec, …● DNS and DNSSEC monitoring services

– Open Source Software● Net-SNMP● DNSSEC-Tools

● IETF Participant DNS-Sentinel

wes.hardaker@parsons.com

Overview

● Current TLS Trust Anchoring Problems● What is DANE? How does it help?● DANE & The Web● DANE & SMTP● DANE & XMPP

TLS Overview

● TLS is:– An application-layer security tunnel

– A TCP-based security protocol to secure TCP● DTLS secures datagram protocols (eg, UDP)

– Can provide authentication and encryption● Typically based on X.509 Certificate bootstrapping

User ServerTLS Protection “Tunnel”

TLS Properties

● TLS ensures that:– Eves-dropping is impossible

– The client connected to the correct server

– But, this only works when properly anchored

● TLS certificates and trust anchors– A server must present a X.509 certificate

– The client checks this certificate● Did it present one with the right name?● Did it present one with the right IP address?● Was it signed by a CA I trust?

PKIX / X.509 Certificate Trees

● Certificate Authorities (CAs)– Sign child certificates

– Should verify the child's identity● Domain ownership● Or their legal business name

– Can be “Trust Anchors” (TAs)

● TLS clients– Trust their trust anchors

● All is good? CAs are trustworthy?

ICANN.ORG

Root CertificateAKA “Trust Anchor”

The “Too Many CAs” Problem

● TLS clients often have an abundance of TAs– Modern web browsers have 1300+ TAs

– Any of them can issue a certificate for example.com

example.com

The TLS Client Accepts Them Both!!!This has happened multiple times!

DANE To The Rescue!

● DNS-Based Authentication of Named Entities– A new DNS resource record: “TLSA”

– Indicates the correct server certificate

– MUST be DNSSEC signed to be valid

– Marries the DNSSEC tree to the X.509 tree

– Defined in RFC6698● Updated by RFC7218

DNSSEC, DANE and X.509

example.com

. (DNS root)

TLSArecord

AcceptONLY

this one

Dane allows DNS, secured by DNSSEC, to indicate whichTLS/X.509 certificate is the right one to use.

This reduces the attack footprint of TLS significantly.

What does a TLSA record look like?

_25._tcp.example.com.

FA2AE51F6831B10CE2EFC

933D860579ED1E0FA7974

AF964F02AC3BC4093C0404

TLSA Parameters

port protocol

TLSA Parameters

● Certificate Usage Field– What certificate should we match against

● (where in the chain is the TLSA record pointing at)

● Selector Field– Match the full certificate, or just the key (SPKI)?

● Matching Type Field– What type of match? SHA1, SHA256, or full?

TLSA Matching Types

Value Acronym Description

0 Full No hash used; DATA is the Cert or SPKI

1 SHA-256 DATA is the SHA-256 of the Cert or SPKI

2 SHA-512 DATA is the SHA-256 of the Cert or SPKI

… IN TLSA 3 1 1 DATA

TLSA Selector

0 Cert Data is based on the full certificate

1 SPKI Data is based on the public key

Certificate

Name: example.comKey Info: public key...

Certificate Usage Field

0 PKIX-TA Public CA from X.509 tree

1 PKIX-EE End-Certificate plus X.509 validation

2 DANE-TA Private CA from X.509 tree

3 DANE-EE End-Entity Certificate

Certificate Usage Field

Value Acronym

0 PKIX-TA

1 PKIX-EE

2 DANE-TA

3 DANE-EE

ICANN.ORG

Public“Trust Anchor”

Private“Trust Anchor”

Using and Deploying DANE

● Creating TLSA Records● HTTPS● SMTP● XMPP●SIP

Creating a TLSA Record

● Useful package: hashslinger– Contains a “tlsa” script to generate records

● From a certificate file:

# tlsa usage 3 selector 1 mtype 1 \ certificate /path/to/cert.crt \ example.com

_443._tcp.example.com. IN TLSA 3 1 1 152d75a2d529e3035760125be0560741f58fee7af18e20c1ace7d2cabc04277c

Creating a TLSA Record

● Connect to a port:

# tlsa usage 3 selector 1 \ mtype 1 port 443 example.com

_443._tcp.example.com. IN TLSA 3 1 1 152d75a2d529e3035760125be0560741f58fee7af18e20c1ace7d2cabc04277c

DANE and HTTPS

HTTPS suffers the most fromthe “too many CAs problem”

HTTPS and DANE

● Deploying DANE requires:– Serving TLSA records

● Easy for HTTPS: defined in RFC6698● Not many publishers yet; people are watching though!

– A client that can make use of them● Google Chome: NO● Mozilla Firefox: NO● Safari: NO● … NO● Some plugins: Yes, but...

HTTPS and DANE

● Deploying DANE requires:– Serving TLSA records

● Easy for HTTPS: defined in RFC6698● Not many publishers yet; people are watching though!

– A client that can make use of them● Google Chome: NO● Mozilla Firefox: NO● Safari: NO● … NO● Some plugins: Yes, but...● Bloodhound: YES!

Bloodhound

● A derivative of the Firefox code– Developed by Parsons

– All DNS requests are validated via DNSSEC

● DANE support mostly complete– DANE-EE(3) DANE-SPKI(1) SHA-256(1)

● Works on:– OS X

– Linux

– Microsoft Windows needs some work

DANE and SMTP

SMTP can't be secured withoutDNSSEC and DANE!

Server-to-Server Email

1: Alice'sMail User Agent (MUA)sends the emailvia the configured SMTP server

3: Bob's MUAdownloadsthe message via IMAP

2: Alice's ISPforwards themessage toBob's ISP

Mail TransferAgent

Simple MailTransport Protocol

(SMTP)

Mail TransferAgent

(SMTP)

Mail TransferAgent

(SMTP)

Mail TransferAgent

We're talking aboutthis part today

Largely secured today throughManual configuration parameters

Server-to-Server Emailwith DNS

DNS Server

1: Where should I send mail for @bobsISP.com?

2: You should send it to mail.bobsISP.com

3: I've got mail for Bob

Mail TransferAgent

(and the address for it is ….)

I Wish It Were So Simple

● There can be multiple DNS servers– Every domain should have at least two

● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server

– There may be multiple resolvers

● There can be multiple mail servers

Server-to-Server EmailReality Sets In

DNS Server

1: Where should I send mail for @bobsISP.com?

2: You should send it to mail1, mail2 or mail3

3: Do you have an address for mail1?

Mail TransferAgent

DNS Server

4: Yep, it's 192.0.2.3

5: Hi, I'm representing Alice, I have mail for Bob

6: Hi, I'll take mail for Bob; PS: I don't do security

7: Here's the mail for Bob from Alice

8: Thanks, I'll make sure he gets it

(Actually, reality is even worse but wouldn't fit on this slide)

Back To: I Wish It Were So Simple

● There can be multiple DNS servers– Every domain should have at least two

– There may be multiple resolvers

● There can be multiple mail servers

What could possibly go wrong???

● There can be multiple DNS servers– Compromised?

– Compromised?

● There can be multiple mail servers– Compromised?

● Man In The MiddleDNS Attack

Point!!!NetworkAttack

DANE/DNSSEC To The Rescue

● There can be multiple DNS servers– Compromised?

– Compromised?

● There can be multiple mail servers– Compromised?

● Man In The Middle

UseDNSSEC

UseDANE

SMTP Vulnerabilities

● MX, A and other DNS records can be spoofed– DNS redirects SMTP clients to the...

– DNSSEC detects this, and clients won't proceed

● Eavesdropping is Easy– SMTP is unencrypted by default

– Opportunistic encryption helps● See if they offer a certificate and start encryption● However, you may just be encrypting to the...

SMTP Vulnerabilities

● If DNS is spoofed, you get a...● ...Man In The Middle

– SMTP is unauthenticated by default

– SMTP is unencrypted by default

– They can turn on opportunistic encryption● Server indicates “I do security”● But a man-in-the-middle can just say “I don't do security”

– CA based solutions don't help because:● The man-in-the-middle says “I don't do security”● You've been redirected to a name the attacker controls

DNSSEC/DANE For The Win

● DNSSEC and DANE solves all these problems!● With DNSSEC: you can believe:

– The MX that led you here

– The TLSA is accurately pointing to my certificate

● With DANE's TLSA record:– “This is my certificate” or “This is my CA”

● (accept no others)

– You MUST expect security!!! (i.e., must do TLS)

– You connected to the right place

Deployment Options

● Postfix 2.11– Server side (receiving mail):

● Publish a TLSA record: _25._tcp.smtp.example.com● smtpd_tls_cert_file = /path/to/mycert.crt● smtpd_tls_key_file = /path/to/mycert.key

– Client side (sending mail):● smtp_tls_security_level = dane● smtp_dns_support_level = dnssec● CAVEAT: MUST use a secure local resolver

● Exim: Implementation underway (~ 2015)

DANE and XMPP

XMPP also uses STARTTLS

DANE and XMPP

● XMPP– The recommended security solution:

● Check the PKI● If that fails, use DANE● STARTTLS is required

– Being defined now in the IETF● draft-ietf-xmpp-dna● draft-ietf-dane-srv

● Deployed and running code!– Prosody & more ???

DANE and SIP

Another level of indirection!

DANE and SIP

● Just getting started!● Not an official WG item yet

– There is interest in making it one

– One personal draft discussing it

Questions?

The Future of TLS SecurityIs Looking Up!

IETF 90IETF 90TorontoToronto

July, 2014July, 2014

Resources

● RFC6698 DANE

● RFC7218 Acronyms

● draft-ietf-dane-smtp-with-dane SMTP

● draft-ietf-dane-ops Guidance

● draft-ietf-xmpp-dna XMPP

● draft-ietf-dane-srv SRV

● http://www.dnssec-tools.org/

– (bloodhound!)● http://postfix.org/

Known Large Early SMTP Adopters

● posteo.de● mailbox.org● bund.de● denic.de● umkbw.de● freebsd.org

● unitybox.de● debian.org● ietf.org● nlnet.nl● nic.cz

ION Santiago - DNSSEC and DANE Based Security for TLS

Technology

DANE veri cation test suite report · 2016-07-11 · DANE is a protocol that allows certi cates used for TLS to be coupled to DNS domain names requiring DNSSEC. This paper describes

An Introduction to DANE - Securing TLS using DNSSEC

ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab

Introduction to DNSSEC & DANE - DeepDive Networking › files › Interop... · DNSSEC & DANE DeepDive Networking How Do I Know I Have DNSSEC? 22! Recursive servers, look for ad ﬂag

Introduction to the DANE Protocol And Updates From IETF 88 fileA browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

DANE/DNSSEC/TLS Tes-ng in the Go6lab - RIPE · PDF fileDANE/DNSSEC/TLS Tes-ng in the Go6lab Jan Žorž, ISOC/Go6 Ins-tute, Slovenia ... • Virtualizaon used: PROXMOX 3.4 • OS templates:

DANE/DNSSEC/TLS Testing in the Go6lab

D4 - LIGHTest · API Application Programming Interface ATV Automated Trust Verifier DANE DNS-based Authentication of Named Entities DNS Domain Name System DNSSEC Domain Name System

ION Bucharest - DANE-DNSSEC-TLS

ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab

Domain Name Basics - DNS, DNSSEC and DANE

Living on the Edge · 2018-02-14 · Strengthen TLS with stub: DANE ... stub use system stub which uses stub server server Stubby Dnsmasq Dnssec-Trigger Application Interface - versatile

DANE & Application Uses of DNSSEC - ICANN | …...DANE & Application Uses of DNSSEC! Shumon Huque, Duane Wessels! ICANN 52, Singapore, Singapore! February 11th, 2015! Verisign Public!

DANE & Application Uses of DNSSEC - Internet2 · Verisign Public! DNSSEC at a glance! • Original DNS protocol wasn’t built with security in mind! • No way to verify the authenticity

Willem Toorop - NLnet Labs€¦ · by and for application developers (for application) ... from DNSSEC authenticated keys (DANE) especially applicable/suitable to system software!

Measuring DANE TLSA Deploymentjohnh/PAPERS/Zhu15a.pdfDANE (DNS-based Authentication of Named Entities) takes advantage of the DNSSEC-provided root of trust to authenticate TLS (Transport

The IANA Stewardship Transition The role of the Internet ...ronog3.ronog.ro/wp-content/uploads/2016/11/Deploying-DNSSEC.pdf · An application that understand DNSSEC and DANE will

Research Report - Implementing DANE · considered valid by the application initiating a TLS connection. 2.2 DANE speciﬁcation The DANE speciﬁcation [8] describes a new DNS record