NSEC5: Provably Preventing DNSSEC Zone Enumeration
DNS OARC Fall 2014 Workshop, Los Angeles, October 12, 2014
Sharon Goldberg, Dimitrios Papadopoulos, Leonid Reyzin, Sachin Vasant, Moni Naor, Asaf Ziv

Page 1 (title slide)

Page 2

outline

• How does DNSSEC deal with denial of existence?
  – RFC 4470: Online Signing
  – RFC 4034: NSEC
  – RFC 5155: NSEC3
• Zone enumeration in NSEC and NSEC3
  – attacker makes a few online queries & enumerates all names in the zone via offline dictionary attacks
  – Demo’d by [nsec3walker; 2011], [Wander-Schwittmann-Boelmann-Weis; 2014]
• We introduce NSEC5
  – NSEC5 is just like NSEC3, replacing the hash with an RSA-based “keyed hash”
  – NSEC5 provably prevents zone enumeration.
  – NSEC5 maintains zone integrity, even if the hash key is leaked.
• We hope to turn NSEC5 into an Internet Draft & want feedback!

Page 3

how to deal with authenticated denial of existence?

[Figure: a resolver asks “q.com?”; the nameserver, holding the zone file (a.com, c.com, z.com, DNSKEY), answers NXDOMAIN.]

Page 4

generic pre-signed NXDOMAIN violates integrity.

[Figure: zone file a.com, c.com, z.com, DNSKEY. A query for “a.com?” (a name that exists) is answered with a replayed, generic signed NXDOMAIN.]

Integrity: No denial-of-existence for name that exists.

Violate integrity by replaying NXDOMAIN!

                          Integrity?
DNS                       X
Generic Signed NXDOMAIN   X
Online Signing            ✔
NSEC
NSEC3
NSEC5

Page 5

online signing for denial of existence (RFC 4470)

[Figure: resolver asks “q.com?”; the nameserver, holding the zone file (a.com, c.com, z.com, DNSKEY) and the secret ZSK, signs an NXDOMAIN for q.com on the fly.]

                Integrity?   Tolerates bad nameserver?
DNS             X            X
Sign Online     ✔            X
NSEC
NSEC3
NSEC5

Trusting every secondary nameserver with the secret ZSK can be problematic.

Page 6

NSEC (RFC 4034): precomputed denial of existence

[Figure: zone file a.com, c.com, z.com, DNSKEY. Precomputed, signed NSEC records form a chain over the sorted names: a.com → c.com, c.com → z.com, z.com → a.com. A query for “q.com?” is answered with the NSEC record c.com → z.com, whose interval covers q.com.]

Page 7

why NSEC maintains integrity

[Figure: NSEC chain a.com → c.com, c.com → z.com, z.com → a.com. A query for “a.com?” (a name that exists) cannot be denied: there is no valid NSEC record to replay, because a.com is an owner name and lies strictly inside no interval.]

Integrity: No denial-of-existence for name that exists.

                Integrity?   Tolerates bad nameserver?
DNS             X            X
Sign Online     ✔            X
NSEC            ✔            ✔
NSEC3           ✔            ✔
NSEC5

Page 8

NSEC introduces a new issue: zone enumeration (1)

Zone with n names: ~n online queries enumerate all names.

[Figure: NSEC chain a.com → c.com, c.com → z.com, z.com → a.com. A query for “b.com?” is answered with the NSEC record a.com → c.com.]

Names learned: a.com, c.com

                Integrity?   Tolerates bad nameserver?
DNS             X            X
Sign Online     ✔            X
NSEC            ✔            ✔
NSEC3           ✔            ✔
NSEC5

Page 9

NSEC introduces a new issue: zone enumeration (2)

[Figure: a query for “d.com?” is answered with the NSEC record c.com → z.com.]

Names learned: a.com, c.com, z.com

                Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS             X            X                           ✔
Sign Online     ✔            X                           ✔
NSEC            ✔            ✔                           X
NSEC3           ✔            ✔                           ??????
NSEC5

Zone with n names: ~n online queries enumerate all names.
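The walk sketched on Pages 6 to 9, as an added example that is not part of the slides or the authors' code. It builds the NSEC chain for a constructed zone (example.com with three subnames), answers denial-of-existence queries from it, and enumerates the zone in n queries by asking, each time, for the smallest name that sorts just after the previous record's next name. The RRSIG over each NSEC is assumed valid and is not modelled.

```python
# Added example (not from the slides or the authors): a toy NSEC chain for a
# constructed zone, the server's precomputed denial of existence, and the
# n-query walk that enumerates the zone. RRSIGs are assumed valid, not modelled.

ZONE = ["example.com", "z.example.com", "a.example.com", "c.example.com"]  # constructed


def canonical_key(name):
    """Sort key for DNS canonical ordering (RFC 4034 section 6.1): names are
    compared label by label starting at the root, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def build_nsec_chain(names):
    """Precomputation done once by the zone's trusted authority: sort the names
    canonically and link each one to its successor; the last wraps to the first."""
    ordered = sorted(names, key=canonical_key)
    return [(owner, ordered[(i + 1) % len(ordered)]) for i, owner in enumerate(ordered)]


def covers(record, qname):
    """True if qname lies strictly between the record's owner and next name.
    The last record (owner > next) covers everything after its owner and
    everything before the first name."""
    owner, nxt = record
    k, o, n = canonical_key(qname), canonical_key(owner), canonical_key(nxt)
    if o < n:
        return o < k < n
    return k > o or k < n


def nsec_answer(chain, qname):
    """Nameserver side: return the precomputed NSEC record proving qname is
    absent, or None when qname exists. No record covers an existing name, which
    is why a replayed NSEC can never deny a real name (integrity, Page 7)."""
    for record in chain:
        if canonical_key(record[0]) == canonical_key(qname):
            return None
        if covers(record, qname):
            return record
    raise ValueError("chain does not cover the name space")


def walk_zone(chain, apex):
    """Resolver side: every NSEC answer leaks two names. Asking for the smallest
    name sorting just after the last 'next' (a single \\x00 label prepended)
    yields the following record, so n queries reveal all n names."""
    learned, queries, cursor = set(), 0, apex
    while True:
        owner, nxt = nsec_answer(chain, "\x00." + cursor)
        queries += 1
        learned.update((owner, nxt))
        if nxt == apex:                      # chain wrapped: the whole zone is known
            return sorted(learned, key=canonical_key), queries
        cursor = nxt


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    print("NSEC chain:", chain)
    print("q.example.com? ->", nsec_answer(chain, "q.example.com"))
    print("a.example.com? ->", nsec_answer(chain, "a.example.com"))
    names, n = walk_zone(chain, "example.com")
    print(f"walked {len(names)} names in {n} queries:", names)
```

Against a real authoritative server the same loop is driven with ordinary DNS queries; the \x00 label is just the smallest label that sorts after the owner, so the server has no legitimate reason to refuse it.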

Page 10

arguments for why zone enumeration can be an issue

An enumerated zone
• can expose private device names; toehold for other attacks
• is a “source of probable e-mail addresses for spam” [RFC 5155], thus compromising a registrar’s “attitude towards consumer protection” [Nominet (.uk)]
• can be a “key for WHOIS queries” to “reveal registrant data that many registries may have legal obligations to protect” [RFC 5155]
  – e.g., “Germany’s Federal Data Protection Act” [DENIC]
  – e.g., “Data protection Laws” in the UK [Nominet (.uk)]
• is in conflict with “the registry’s legal rights. The TLD register database is a key business asset”, “its compilation is protected in law under Database Rights in the UK and copyright in other countries.” [Nominet (.uk)]

NSEC3 (RFC 5155) introduced to limit zone enumeration

Page 11

trusted authority for zone precomputes NSEC3 records

Zone names: a.com, c.com, z.com

Hash names:
H(a.com) = a1bb5
H(c.com) = 23ced
H(z.com) = dde45

Sort the hashes: 23ced, a1bb5, dde45

Sign NSEC3 records with secret ZSK:
23ced.com → a1bb5.com (NSEC3)
a1bb5.com → dde45.com (NSEC3)
dde45.com → 23ced.com (NSEC3)

Page 12

NSEC3 in action

                Integrity?   Tolerates bad nameserver?
DNS             X            X
Sign Online     ✔            X
NSEC            ✔            ✔
NSEC3           ✔            ✔
NSEC5

[Figure: resolver asks “q.com?”. The nameserver (zone a.com, c.com, z.com, DNSKEY; NSEC3 chain 23ced.com → a1bb5.com, a1bb5.com → dde45.com, dde45.com → 23ced.com) computes H(q.com) = c987b and answers with the NSEC3 record a1bb5.com → dde45.com, whose interval covers c987b.]

Page 13

but does NSEC3 really prevent zone enumeration?

                Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS             X            X                           ✔
Sign Online     ✔            X                           ✔
NSEC            ✔            ✔                           X
NSEC3           ✔            ✔                           ??????
NSEC5

[Figure: resolver asks “r.com?”; H(r.com) = 33c46. The nameserver answers with the NSEC3 record 23ced.com → a1bb5.com, whose interval covers 33c46.]

Learned (after the queries for q.com and r.com): a1bb5.com, dde45.com, 23ced.com

Page 14

zone enumeration is still possible with NSEC3!

Hashes learned: a1bb5.com, dde45.com, 23ced.com

Offline dictionary attack
1) Make dictionary of plausible names: a.com, b.com, c.com, …, z.com
2) Hash each name: H(a.com) = a1bb5, H(b.com) = 33333, H(c.com) = 23ced, …, H(z.com) = dde45
3) Match the results against the hashes learned.

Names learned: a.com, c.com, z.com

• Oversimplified! There’s one salt per zone, many hash iterations, …

NSEC3 zone enumeration has been demonstrated:
• [Wander, Schwittmann, Boelmann, Weis 2014] reversed 64% of NSEC3 hashes in the .com TLD over 4.5 days using a GPU.
• In 2011, nsec3walker guessed 2^34 hashes per day on a laptop.

Zone with n names: ~n online queries enumerate all names. Crack them using an offline dictionary attack!
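The attack of Pages 11 to 14 carried through with the real NSEC3 hash, as an added example that is not from the slides or the authors. It implements the RFC 5155 hash (SHA-1 over the wire-format name and salt, iterated, base32hex-encoded), builds the chain the zone authority precomputes, returns the covering record for a query, and then runs the attacker's two phases: a few online queries that leak hashes, followed by an offline dictionary attack that needs only the public salt and iteration count. The zone, probe names and word list are constructed; the salt and iteration count are those of the RFC 5155 Appendix A example zone. RRSIGs over the NSEC3 records and the extra closest-encloser/wildcard records of a full NXDOMAIN response are not modelled.

```python
import base64
import hashlib

# Added example, not the authors' code: RFC 5155 NSEC3 hashing, the precomputed
# chain, the nameserver's covering record, and the attacker's online + offline
# phases. Zone, probes and word list are constructed; salt/iterations follow
# the RFC 5155 Appendix A example. RRSIGs are not modelled.

SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12        # public: NSEC3PARAM / every NSEC3
ZONE = ["example.", "a.example.", "ns1.example.", "ns2.example.", "www.example."]
WORDLIST = ["example."] + [w + ".example." for w in
            ("a", "b", "c", "ftp", "mail", "ns1", "ns2", "ns3", "www")]
PROBES = ["q.example.", "r.example.", "nope.example.", "zzz.example."]  # attacker's online queries

_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt).
    NSEC3 owner names carry the digest in base32hex, so that is what we return."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def _covers(owner, nxt, h):
    """Strictly inside (owner, next); the last record wraps around to the first."""
    return owner < h < nxt or (owner > nxt and (h > owner or h < nxt))


def build_nsec3_chain(names):
    """Trusted authority: hash every name, sort, link each hash to the next (circular)."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def nsec3_answer(chain, qname):
    """Nameserver: hash the query and return the record whose interval covers it;
    None means the hash equals an owner, i.e. the name exists."""
    h = nsec3_hash(qname)
    for owner, nxt in chain:
        if h == owner:
            return None
        if _covers(owner, nxt, h):
            return (owner, nxt)
    raise ValueError("chain does not cover the hash space")


def collect_hashes(chain, probes):
    """Attacker, online phase: each negative answer leaks two hashes of real names."""
    leaked = set()
    for q in probes:
        record = nsec3_answer(chain, q)
        if record is not None:
            leaked.update(record)
    return leaked


def crack(leaked, wordlist):
    """Attacker, offline phase: with the public salt and iteration count every guess
    is hashed locally and compared; the nameserver sees none of this work."""
    table = {nsec3_hash(w): w for w in wordlist}
    return {h: table[h] for h in leaked if h in table}


if __name__ == "__main__":
    chain = build_nsec3_chain(ZONE)
    leaked = collect_hashes(chain, PROBES)
    print(f"{len(PROBES)} queries leaked {len(leaked)} hashes")
    for h, name in sorted(crack(leaked, WORDLIST).items()):
        print(f"  {h} = H({name})")
```

The iteration count only scales the attacker's per-guess cost by a constant, and the per-zone salt only prevents one table from serving several zones; neither changes the fact that the guess is checked offline, which is the point Page 15 makes.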

Page 15

why is zone enumeration possible with NSEC3?

The fundamental issue: dictionary attacks are possible b/c resolvers can compute hashes offline.

[Figure: resolver asks “q.com?”; the nameserver computes H(q.com) = c987b, finds the matching NSEC3 record a1bb5.com → dde45.com and returns it. The resolver then runs an offline dictionary attack to crack the hashes a1bb5, dde45.]

Page 16

introducing NSEC5

Why NSEC5 prevents zone enumeration: No more dictionary attacks b/c resolvers can’t compute hashes!

[Figure: the nameserver holds a secret Non-Signing Key (NSK). On “q.com?” it computes H(q.com) = 7a89b with the secret NSK, finds the matching NSEC5 record 3cd91.com → 8cb67.com and returns it. The resolver’s offline dictionary attack on the hashes 3cd91, 8cb67 fails: X, can’t compute hashes without the secret NSK!]

Page 17

trusted authority for zone precomputes NSEC5 records

Zone names: a.com, c.com, z.com

“Hash” with secret NSK (* this is deterministic RSA, aka “Full Domain Hash”):
H(RSASIG(a.com)) = 9ae3e
H(RSASIG(c.com)) = 8cb67
H(RSASIG(z.com)) = 3cd91

Sort the hashes: 3cd91, 8cb67, 9ae3e

Sign NSEC5s with secret ZSK:
3cd91.com → 8cb67.com (NSEC5)
8cb67.com → 9ae3e.com (NSEC5)
9ae3e.com → 3cd91.com (NSEC5)

Page 18

NSEC5 in action

[Figure: resolver asks “q.com?”. The nameserver (zone a.com, c.com, z.com; secret NSK; NSEC5 chain 3cd91.com → 8cb67.com, 8cb67.com → 9ae3e.com, 9ae3e.com → 3cd91.com) computes PROOF = RSASIG(q.com) = aa867a with the secret NSK, hashes it to H(aa867a) = 7a89b, and returns the covering NSEC5 record 3cd91.com → 8cb67.com together with PROOF aa867a.]

How to verify? The resolver holds the public NSK and checks:
• Do query, PROOF match: RSAVER(q.com, aa867a)
• Do NSEC5, PROOF match: 3cd91 < H(aa867a) < 8cb67

Page 19

why does NSEC5 prevent zone enumeration?

[Figure: resolver asks “q.com?” and receives the NSEC5 record 3cd91.com → 8cb67.com with PROOF aa867a. Offline dictionary attack to crack hashes 3cd91, 8cb67? X: the resolver can’t compute H(RSASIG(c.com)) = 8cb67 for a guessed name without the secret NSK!]

Page 20

why does NSEC5 prevent zone enumeration?

[Figure: same exchange. Offline dictionary attack to crack hashes 3cd91, 8cb67 using RSAVER? X: RSAVER(q.com, aa867a) just verifies PROOFs, not hashes! The public NSK lets the resolver check a PROOF it was given; it does not let it compute H(RSASIG(c.com)) = 8cb67 for a guessed name.]

Page 21

why does NSEC5 maintain integrity?

Integrity: No denial-of-existence for name that exists.

[Figure: NSEC5 chain 3cd91.com → 8cb67.com, 8cb67.com → 9ae3e.com, 9ae3e.com → 3cd91.com. An attacker answers “a.com?” (a name that exists) by replaying the NSEC5 record 3cd91.com → 8cb67.com with a made-up PROOF 666666. The resolver rejects b/c RSAVER(a.com, 666666) = FALSE: without the secret NSK the attacker can’t compute the PROOF (i.e. RSASIG(a.com)).]

Page 22

summary

                Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS             X            X                           ✔
Sign Online     ✔            X                           ✔
NSEC            ✔            ✔                           X
NSEC3           ✔            ✔                           X
NSEC5           ✔            ✔

but what about managing the extra secret key (the secret NSK)? ?????

Page 23

NSEC5 maintains integrity even if secret NSK is leaked!

Integrity: No denial-of-existence for name that exists.

[Figure: NSEC5 chain 3cd91.com → 8cb67.com, 8cb67.com → 9ae3e.com, 9ae3e.com → 3cd91.com. An attacker holding the leaked secret NSK answers “a.com?” by computing the genuine PROOF RSASIG(a.com) = 556e3e, with H(556e3e) = 9ae3e. But 9ae3e is the owner of an NSEC5 record, strictly inside no interval: there is no valid NSEC5 to replay!!]
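The NSEC5 mechanics of Pages 17 to 23 in one runnable piece, as an added example that is not the authors' code: the chain the authority precomputes (Page 17), the online RSASIG giving a PROOF with the covering record (Page 18), the resolver's two checks (Page 18), the rejection of a replayed record with a forged PROOF (Page 21), and the leaked-NSK case where a genuine PROOF exists but no record covers it (Page 23). Assumptions: the zone names are constructed; the RSA non-signing key is a toy built from the Mersenne primes 2^61-1 and 2^89-1 so that no key-generation library is needed (the proposal uses a 2048-bit key); the full-domain hash is approximated by SHA-256 reduced mod n; the ZSK signature over each NSEC5 record is assumed already verified and is not modelled.

```python
import hashlib

# Added example, not the authors' code: NSEC5 with a toy RSA non-signing key (NSK).
# Toy key from Mersenne primes 2^61-1 and 2^89-1 (real scheme: 2048-bit RSA);
# FDH approximated by SHA-256 mod n; ZSK signatures over records not modelled.

_P, _Q, _E = (1 << 61) - 1, (1 << 89) - 1, 65537
NSK_PUBLIC = (_P * _Q, _E)                                # distributed in a DNSKEY RR
NSK_SECRET = (_P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)))  # held by each nameserver
ZONE = ["example.com", "a.example.com", "c.example.com", "z.example.com"]  # constructed


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def fdh(name, n):
    """Full-domain hash of the name into Z_n (toy: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(wire_name(name)).digest(), "big") % n


def rsasig(name, secret):
    """RSASIG: deterministic RSA-FDH signature of the name; this is the PROOF."""
    n, d = secret
    return pow(fdh(name, n), d, n)


def rsaver(name, proof, public):
    """RSAVER: check a PROOF with the public NSK. Verifying needs only the public
    key; producing a PROOF for a guessed name needs the secret one."""
    n, e = public
    return 0 < proof < n and pow(proof, e, n) == fdh(name, n)


def H(proof):
    """Public hash of the PROOF; its output is what NSEC5 owner/next names carry."""
    return hashlib.sha256(proof.to_bytes(32, "big")).hexdigest()[:10]


def _covers(owner, nxt, h):
    """Strictly inside (owner, next); the last record wraps around to the first."""
    return owner < h < nxt or (owner > nxt and (h > owner or h < nxt))


def build_nsec5_chain(names, secret):
    """Trusted authority: H(RSASIG(name)) for every name, sort, link circularly."""
    hashes = sorted(H(rsasig(nm, secret)) for nm in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def nsec5_answer(chain, qname, secret):
    """Nameserver: one online RSA signature per query gives PROOF; return the
    covering NSEC5 record with it, or None if the name exists (nothing covers it)."""
    proof = rsasig(qname, secret)
    h = H(proof)
    for owner, nxt in chain:
        if _covers(owner, nxt, h):
            return (owner, nxt), proof
    return None


def resolver_accepts(qname, record, proof, public):
    """Resolver: do query and PROOF match (RSAVER), and do NSEC5 and PROOF match
    (owner < H(PROOF) < next)? Both must hold."""
    if not rsaver(qname, proof, public):
        return False
    owner, nxt = record
    return _covers(owner, nxt, H(proof))


if __name__ == "__main__":
    chain = build_nsec5_chain(ZONE, NSK_SECRET)
    record, proof = nsec5_answer(chain, "q.example.com", NSK_SECRET)
    print("q.example.com? ->", record,
          "accepted:", resolver_accepts("q.example.com", record, proof, NSK_PUBLIC))
    # Page 21: replay a genuine record against an existing name with a made-up PROOF.
    print("replay for a.example.com with PROOF 0x666666 accepted:",
          resolver_accepts("a.example.com", record, 0x666666, NSK_PUBLIC))
    # Page 23: with the leaked secret NSK the attacker computes the real PROOF, but
    # H(PROOF) is an owner name in the chain and no interval strictly contains it.
    leaked_proof = rsasig("a.example.com", NSK_SECRET)
    print("leaked-NSK PROOF verifies:", rsaver("a.example.com", leaked_proof, NSK_PUBLIC),
          "record to replay:", nsec5_answer(chain, "a.example.com", NSK_SECRET))
```

The enumeration argument of Pages 19 and 20 is visible in the code: `rsaver` takes a PROOF as input and only checks it, so an attacker holding the public NSK has no function that maps a guessed name to its hash; `H(rsasig(...))` is the only way, and it needs `NSK_SECRET`.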

Page 24

summary

See our paper for the crypto proofs! http://eprint.iacr.org/2014/582.pdf

                         Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS                      X            X                           ✔
Sign Online              ✔            X                           ✔
NSEC                     ✔            ✔                           X
NSEC3                    ✔            ✔                           X
NSEC5                    ✔            ✔                           ✔
NSEC5; lost secret NSK   ✔            ✔                           X      (Just like NSEC3!)

Page 25

Extra computational overhead in NSEC5 (vs NSEC3)

• Nameserver does 1 online RSA signature/query (to get PROOF)
• But online signing is necessary to prevent zone enumeration!

Theorem [Informal]: ANY denial of existence scheme that
1. prevents zone enumeration, and
2. provides integrity (even against malicious slave nameservers)
requires nameservers to compute a public-key signature for every negative response.

Explains why hash-based schemes are vulnerable to zone enumeration.

[Figure: NSEC5 record 3cd91.com → 8cb67.com sent with PROOF 6aeb3a.]

Page 26

NSEC5 vs NSEC3: Key management & response size

Key Management:
• NSEC5 public non-signing key (NSK) distributed in a DNSKEY RR.
• Secret NSK at each nameserver; but this is not a “high security” key (losing it costs zone-enumeration resistance, not integrity; see Page 24).

Response size:
• NSEC5 & NSEC3 records are the same size.
  – ~2048 bits (signature) + 2 x 256 bits (hashes)
• Plus PROOF sent with each NSEC5 (~2048 bits)
• But, using wildcard optimization, an NSEC5 response is only ~2048 bits longer than today’s unoptimized NSEC3 standard

[Figure: an NSEC5 record 3cd91.com → 8cb67.com with PROOF 6aeb3a next to an NSEC3 record a1bb5.com → dde45.com; the nameserver holds the secret NSK, the resolver the public NSK.]

Page 27

More details in our paper: http://eprint.iacr.org/2014/582.pdf

                      Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS                   X            X                           ✔
Sign Online           ✔            X                           ✔
NSEC                  ✔            ✔                           X
NSEC3                 ✔            ✔                           X
NSEC5                 ✔            ✔                           ✔
NSEC5, leaked NSK     ✔            ✔                           X

[Figure: NSEC5 record 3cd91.com → 8cb67.com with PROOF 6aeb3a; public NSK.]