NSEC5: Provably Preventing DNSSEC Zone Enumeration
DNS OARC Fall 2014 Workshop, Los Angeles, October 12, 2014
Sharon Goldberg, Dimitrios Papadopoulos, Leonid Reyzin, Sachin Vasant, Moni Naor, Asaf Ziv
outline
• How does DNSSEC deal with denial of existence?
  – RFC 4470: Online Signing
  – RFC 4034: NSEC
  – RFC 5155: NSEC3
• Zone enumeration in NSEC and NSEC3
  – attacker makes a few online queries & enumerates all names in the zone via offline dictionary attacks
  – Demo’d by [nsec3walker; 2011], [Wander-Schwittmann-Boelmann-Weis; 2014]
• We introduce NSEC5
  – NSEC5 is just like NSEC3, replacing the hash with an RSA-based “keyed hash”
  – NSEC5 provably prevents zone enumeration.
  – NSEC5 maintains zone integrity, even if the hash key is leaked.
• We hope to turn NSEC5 into an Internet Draft & want feedback!
how to deal with authenticated denial of existence?
[Diagram: query "q.com?" is answered with NXDOMAIN. Zone file: a.com, c.com, z.com; DNSKEY.]
generic pre-signed NXDOMAIN violates integrity.
[Diagram: query "a.com?" is answered with NXDOMAIN.]
Integrity: No denial-of-existence for name that exists.
Violate integrity by replaying NXDOMAIN!

                          Integrity?
DNS                       X
Generic Signed NXDOMAIN   X
Online Signing            ✔
NSEC
NSEC3
NSEC5
online signing for denial of existence (RFC 4470)
[Diagram: query "q.com?" is answered with "q.com NXDOMAIN", signed online with the secret ZSK. Zone file: a.com, c.com, z.com; DNSKEY.]

              Integrity?   Tolerates bad nameserver?
DNS           X            X
Sign Online   ✔            X
NSEC
NSEC3
NSEC5

Trusting every secondary nameserver with the secret ZSK can be problematic.
NSEC (RFC 4034): precomputed denial of existence
[Diagram: zone file a.com, c.com, z.com; DNSKEY. NSEC records: (a.com, c.com), (c.com, z.com), (z.com, a.com). Query "q.com?" is answered with NSEC (c.com, z.com).]
why NSEC maintains integrity
Integrity: No denial-of-existence for name that exists.
[Diagram: zone file a.com, c.com, z.com; DNSKEY. NSEC records: (a.com, c.com), (c.com, z.com), (z.com, a.com). Query "a.com?": No valid NSEC record to replay!]

              Integrity?   Tolerates bad nameserver?
DNS           X            X
Sign Online   ✔            X
NSEC          ✔            ✔
NSEC3         ✔            ✔
NSEC5
NSEC introduces a new issue: zone enumeration (1)
Zone with n names: ~n online queries enumerate all names.
[Diagram: zone file a.com, c.com, z.com; DNSKEY. NSEC records: (a.com, c.com), (c.com, z.com), (z.com, a.com). Query "b.com?" is answered with NSEC (a.com, c.com). Names: a.com, c.com]

              Integrity?   Tolerates bad nameserver?
DNS           X            X
Sign Online   ✔            X
NSEC          ✔            ✔
NSEC3         ✔            ✔
NSEC5
NSEC introduces a new issue: zone enumeration (2)
Zone with n names: ~n online queries enumerate all names.
[Diagram: zone file a.com, c.com, z.com; DNSKEY. NSEC records: (a.com, c.com), (c.com, z.com), (z.com, a.com). Query "d.com?" is answered with NSEC (c.com, z.com). Names: a.com, c.com, z.com]

              Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS           X            X                           ✔
Sign Online   ✔            X                           ✔
NSEC          ✔            ✔                           X
NSEC3         ✔            ✔                           ??????
NSEC5
arguments for why zone enumeration can be an issue
An enumerated zone
• can expose private device names; toehold for other attacks
• is a “source of probable e-mail addresses for spam” [RFC 5155], thus compromising a registrar’s “attitude towards consumer protection” [Nominet (.uk)]
• can be a “key for WHOIS queries” to “reveal registrant data that many registries may have legal obligations to protect” [RFC 5155]
  – e.g., “Germany’s Federal Data Protection Act” [DENIC]
  – e.g., “Data protection Laws” in the UK [Nominet (.uk)]
• is in conflict with “the registry’s legal rights. The TLD register database is a key business asset”, “its compilation is protected in law under Database Rights in the UK and copyright in other countries.” [Nominet (.uk)]
NSEC3 (RFC 5155) introduced to limit zone enumeration
trusted authority for zone precomputes NSEC3 records
Zone file: a.com, c.com, z.com
Hash names: H(a.com) = a1bb5, H(c.com) = 23ced, H(z.com) = dde45
sort: 23ced, a1bb5, dde45
Sign NSEC3 records with secret ZSK: NSEC3 (23ced.com, a1bb5.com), NSEC3 (a1bb5.com, dde45.com), NSEC3 (dde45.com, 23ced.com)

              Integrity?   Tolerates bad nameserver?
DNS           X            X
Sign Online   ✔            X
NSEC          ✔            ✔
NSEC3         ✔            ✔
NSEC5
NSEC3 in action
[Diagram: zone file a.com, c.com, z.com; DNSKEY. NSEC3 records: (23ced.com, a1bb5.com), (a1bb5.com, dde45.com), (dde45.com, 23ced.com). Query "q.com?": H(q.com) = c987b, answered with NSEC3 (a1bb5.com, dde45.com).]

              Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS           X            X                           ✔
Sign Online   ✔            X                           ✔
NSEC          ✔            ✔                           X
NSEC3         ✔            ✔                           ??????
NSEC5
but does NSEC3 really prevent zone enumeration?
[Diagram: zone file a.com, c.com, z.com; DNSKEY. NSEC3 records: (23ced.com, a1bb5.com), (a1bb5.com, dde45.com), (dde45.com, 23ced.com). Query "r.com?": H(r.com) = 33c46, answered with NSEC3 (23ced.com, a1bb5.com).]
Learned: a1bb5.com, dde45.com, 23ced.com
zone enumeration is still possible with NSEC3!
Zone with n names: ~n online queries enumerate all names.
Hashes learned: a1bb5.com, dde45.com, 23ced.com
Crack them using an offline dictionary attack!
Offline dictionary attack
1) Make dictionary of plausible names: a.com, b.com, c.com, …, z.com
2) Hash each name: H(a.com) = a1bb5, H(b.com) = 33333, H(c.com) = 23ced, …, H(z.com) = dde45
Names learned: a.com, z.com, c.com
• Oversimplified! There’s one salt per zone, many hash iterations, …
NSEC3 zone enumeration has been demonstrated:
• [Wander, Schwittmann, Boelmann, Weis 2014] reversed 64% of NSEC3 hashes in the .com TLD over 4.5 days using a GPU.
• In 2011, nsec3walker guessed 234 hashes per day on a laptop.
why is zone enumeration possible with NSEC3?
The fundamental issue: Dictionary attacks possible b/c resolvers can compute hashes offline.
[Diagram: query "q.com?"; H(q.com) = c987b; find a matching NSEC3 record: NSEC3 (a1bb5.com, dde45.com). Offline dictionary attack to crack hashes a1bb5, dde45.]
introducing NSEC5
Why NSEC5 prevents zone enumeration: No more dictionary attacks b/c resolvers can’t compute hashes!
[Diagram: query "q.com?"; nameserver holds the Secret Non-Signing Key (NSK); H(q.com) = 7a89b; find a matching NSEC5 record: NSEC5 (3cd91.com, 8cb67.com).]
Offline dictionary attack to crack hashes 3cd91, 8cb67: X Can’t compute hashes without secret NSK!
trusted authority for zone precomputes NSEC5 records
Zone file: a.com, c.com, z.com
“Hash” with secret NSK*: H(RSASIG(a.com)) = 9ae3e, H(RSASIG(c.com)) = 8cb67, H(RSASIG(z.com)) = 3cd91
sort: 3cd91, 8cb67, 9ae3e
Sign NSEC5s with secret ZSK: NSEC5 (3cd91.com, 8cb67.com), NSEC5 (8cb67.com, 9ae3e.com), NSEC5 (9ae3e.com, 3cd91.com)
* This is deterministic RSA (aka “Full Domain Hash”)
NSEC5 in action
[Diagram: zone file a.com, c.com, z.com. NSEC5 records: (3cd91.com, 8cb67.com), (8cb67.com, 9ae3e.com), (9ae3e.com, 3cd91.com). Nameserver holds the secret NSK; resolver holds the public NSK.]
Query "q.com?":
• RSASIG(q.com) = aa867a
• H(aa867a) = 7a89b
• Response: PROOF aa867a and NSEC5 (3cd91.com, 8cb67.com)
How to verify?
• Do query, PROOF match: RSAVER(q.com, aa867a)
• Do NSEC5, PROOF match: 3cd91 < H(aa867a) < 8cb67
why does NSEC5 prevent zone enumeration?
[Diagram: zone file a.com, c.com, z.com; nameserver holds the secret NSK, resolver holds the public NSK. Query "q.com?" is answered with PROOF aa867a and NSEC5 (3cd91.com, 8cb67.com). H(RSASIG(c.com)) = 8cb67.]
Offline dictionary attack to crack hashes 3cd91, 8cb67? X Can’t compute hashes without secret NSK!
why does NSEC5 prevent zone enumeration?
[Diagram: zone file a.com, c.com, z.com; nameserver holds the secret NSK, resolver holds the public NSK. Query "q.com?" is answered with PROOF aa867a and NSEC5 (3cd91.com, 8cb67.com). RSAVER(q.com, aa867a). H(RSASIG(c.com)) = 8cb67.]
Offline dictionary attack to crack hashes 3cd91, 8cb67 using RSAVER? X RSAVER just verifies PROOFs, not hashes!
why does NSEC5 maintain integrity?
Integrity: No denial-of-existence for name that exists.
[Diagram: zone file a.com, c.com, z.com. NSEC5 records: (3cd91.com, 8cb67.com), (8cb67.com, 9ae3e.com), (9ae3e.com, 3cd91.com). Query "a.com?": replay of NSEC5 (3cd91.com, 8cb67.com) with PROOF 666666. Resolver holds the public NSK.]
Can’t compute PROOF (i.e. RSASIG(a.com))
Resolver rejects b/c RSAVER(a.com, 666666) = FALSE

summary

              Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS           X            X                           ✔
Sign Online   ✔            X                           ✔
NSEC          ✔            ✔                           X
NSEC3         ✔            ✔                           X
NSEC5         ✔            ✔
but what about managing the extra secret key?
NSEC5 maintains integrity even if secret NSK is leaked!
Integrity: No denial-of-existence for name that exists.
[Diagram: zone file a.com, c.com, z.com. NSEC5 records: (3cd91.com, 8cb67.com), (8cb67.com, 9ae3e.com), (9ae3e.com, 3cd91.com). Secret NSK: ????? Query "a.com?": Compute PROOF RSASIG(a.com) = 556e3e; H(556e3e) = 9ae3e. Resolver holds the public NSK.]
There is no valid NSEC5 to replay!!
See our paper for the crypto proofs!
http://eprint.iacr.org/2014/582.pdf
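
The NSEC5 flow from the slides above (precomputed chain, online PROOF, resolver check, then the replay and leaked-NSK cases), as an added example that is not code from the talk or the paper. It assumes a toy RSA key built from two Mersenne primes, SHA-256 for both the full-domain hash and H, and hypothetical function names; the ZSK signature on each NSEC5 record is assumed to be checked separately.

```python
import hashlib

# Constructed toy NSK: RSA over two Mersenne primes (far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                           # public NSK is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))   # secret NSK exponent, held by nameservers

def fdh(name):
    """Full-domain hash of a name into Z_N (assumption: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def rsasig(name):
    """PROOF for a name; requires the secret NSK."""
    return pow(fdh(name), D, N)

def rsaver(name, proof):
    """Check that PROOF belongs to the queried name, using only the public NSK."""
    return pow(proof, E, N) == fdh(name)

def h(proof):
    """NSEC5 hash: a public hash of the PROOF value (truncated for readability)."""
    return hashlib.sha256(proof.to_bytes(32, "big")).hexdigest()[:10]

def build_chain(names):
    """Zone authority: hash every name, sort, link into (owner, next) records."""
    hs = sorted(h(rsasig(n)) for n in names)
    return [(hs[i], hs[(i + 1) % len(hs)]) for i in range(len(hs))]

def covers(record, value):
    """True if value lies strictly between the record's hashes (last record wraps)."""
    lo, hi = record
    return lo < value < hi if lo < hi else (value > lo or value < hi)

def answer_nxdomain(name, chain):
    """Nameserver: one online RSA operation, then pick the covering record."""
    proof = rsasig(name)
    return proof, next((r for r in chain if covers(r, h(proof))), None)

def verify_denial(name, proof, record):
    """Resolver: PROOF must match the query AND hash strictly inside the record."""
    return rsaver(name, proof) and covers(record, h(proof))
```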
summary

                         Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS                      X            X                           ✔
Sign Online              ✔            X                           ✔
NSEC                     ✔            ✔                           X
NSEC3                    ✔            ✔                           X
NSEC5                    ✔            ✔                           ✔
NSEC5; lost secret NSK   ✔            ✔                           X
Extra computational overhead in NSEC5 (vs NSEC3)
Just like NSEC3!
• Nameserver does 1 online RSA signature/query (to get PROOF)
• But online signing is necessary to prevent zone enumeration!
Theorem [Informal]: ANY denial of existence scheme that
1. prevents zone enumeration, and
2. provides integrity (even against malicious slave nameservers)
requires nameservers to compute a public-key signature for every negative response.
Explains why hash-based schemes are vulnerable to zone enumeration.
[Diagram: NSEC5 (3cd91.com, 8cb67.com) with PROOF 6aeb3a.]
NSEC5 vs NSEC3: Key management & response size
Key Management:
• NSEC5 public non-signing key (NSK) distributed in a DNSKEY RR.
• Secret NSK at each nameserver; but this is not a “high security” key.
Response size:
• NSEC5 & NSEC3 records are the same size.
  – ~2048 bits (signature) + 2 x 256 bits (hashes)
• Plus PROOF sent with each NSEC5 (~2048 bits)
• But, using wildcard optimization, an NSEC5 response is only ~2048 bits longer than today’s unoptimized NSEC3 standard
[Diagram: NSEC5 (3cd91.com, 8cb67.com) with PROOF 6aeb3a, next to NSEC3 (a1bb5.com, dde45.com). Secret NSK; public NSK.]
More details in our paper: http://eprint.iacr.org/2014/582.pdf

                    Integrity?   Tolerates bad nameserver?   No zone enumeration?
DNS                 X            X                           ✔
Sign Online         ✔            X                           ✔
NSEC                ✔            ✔                           X
NSEC3               ✔            ✔                           X
NSEC5               ✔            ✔                           ✔
NSEC5, leaked NSK   ✔            ✔                           X

[Diagram: NSEC5 (3cd91.com, 8cb67.com) with PROOF 6aeb3a; public NSK.]