Embed Size (px)
DESCRIPTION
A presentation by Wes Hardaker from PARSONS given on 28 October 2014 at ION Santiago in Chile. If you connect to a “secure” server using TLS/SSL (such as a web server, email server or xmpp server), how do you know you are using the correct certificate? With DNSSEC now being deployed, a new protocol has emerged called “DANE” (“DNS-Based Authentication of Named Entities“), which allows you to securely specify exactly which TLS/SSL certificate an application should use to connect to your site. DANE has great potential to make the Internet much more secure by marrying the strong integrity protection of DNSSEC with the confidentiality of SSL/TLS certificates. In this session, Wes will explain how DANE works and how you can use it to secure your websites, email, XMPP, VoIP, and other web services.
Citation preview
Who is Wes Hardaker?
● Work for PARSONS– Cyber securty parsons.com/cyber
● Network Security Research Group– Technical Director
– Infrastructure security specialists● DNSSEC, RPKI, BGPSEC, SNMP, IPSec, …● DNS and DNSSEC monitoring services
– Open Source Software● Net-SNMP● DNSSEC-Tools
● IETF Participant DNS-Sentinel
3
Overview
● Current TLS Trust Anchoring Problems● What is DANE? How does it help?● DANE & The Web● DANE & SMTP● DANE & XMPP
4
TLS Overview
● TLS is:– An application-layer security tunnel
– A TCP-based security protocol to secure TCP● DTLS secures datagram protocols (eg, UDP)
– Can provide authentication and encryption● Typically based on X.509 Certificate bootstrapping
User ServerTLS Protection “Tunnel”
Data
5
TLS Properties
● TLS ensures that:– Eves-dropping is impossible
– The client connected to the correct server
– But, this only works when properly anchored
● TLS certificates and trust anchors– A server must present a X.509 certificate
– The client checks this certificate● Did it present one with the right name?● Did it present one with the right IP address?● Was it signed by a CA I trust?
6
PKIX / X.509 Certificate Trees
● Certificate Authorities (CAs)– Sign child certificates
– Should verify the child's identity● Domain ownership● Or their legal business name
– Can be “Trust Anchors” (TAs)
● TLS clients– Trust their trust anchors
● All is good? CAs are trustworthy?
ICANN.ORG
signs
signs
Root CertificateAKA “Trust Anchor”
7
The “Too Many CAs” Problem
● TLS clients often have an abundance of TAs– Modern web browsers have 1300+ TAs
– Any of them can issue a certificate for example.com
example.com
example.com
The TLS Client Accepts Them Both!!!This has happened multiple times!
8
DANE To The Rescue!
● DNS-Based Authentication of Named Entities– A new DNS resource record: “TLSA”
– Indicates the correct server certificate
– MUST be DNSSEC signed to be valid
– Marries the DNSSEC tree to the X.509 tree
– Defined in RFC6698● Updated by RFC7218
9
DNSSEC, DANE and X.509
example.com
example.com
com
example.com
. (DNS root)
TLSArecord
AcceptONLY
this one
X
Dane allows DNS, secured by DNSSEC, to indicate whichTLS/X.509 certificate is the right one to use.
This reduces the attack footprint of TLS significantly.
MU
ST
BE
DN
SS
EC
SIG
NE
D!!!
10
What does a TLSA record look like?
_25._tcp.example.com.
14400
IN
TLSA
3 1 1
FA2AE51F6831B10CE2EFC
933D860579ED1E0FA7974
AF964F02AC3BC4093C0404
Name
TTL
Class
Type
TLSA Parameters
Data
port protocol
11
TLSA Parameters
● Certificate Usage Field– What certificate should we match against
● (where in the chain is the TLSA record pointing at)
● Selector Field– Match the full certificate, or just the key (SPKI)?
● Matching Type Field– What type of match? SHA1, SHA256, or full?
12
TLSA Matching Types
Value Acronym Description
0 Full No hash used; DATA is the Cert or SPKI
1 SHA-256 DATA is the SHA-256 of the Cert or SPKI
2 SHA-512 DATA is the SHA-256 of the Cert or SPKI
… IN TLSA 3 1 1 DATA
13
TLSA Selector
Value Acronym Description
0 Cert Data is based on the full certificate
1 SPKI Data is based on the public key
… IN TLSA 3 1 1 DATA
Certificate
Name: example.comKey Info: public key...
14
Certificate Usage Field
Value Acronym Description
0 PKIX-TA Public CA from X.509 tree
1 PKIX-EE End-Certificate plus X.509 validation
2 DANE-TA Private CA from X.509 tree
3 DANE-EE End-Entity Certificate
… IN TLSA 3 1 1 DATA
15
Certificate Usage Field
Value Acronym
0 PKIX-TA
1 PKIX-EE
2 DANE-TA
3 DANE-EE
… IN TLSA 3 1 1 DATA
ICANN.ORG
Public“Trust Anchor”
Private“Trust Anchor”
17
Creating a TLSA Record
● Useful package: hashslinger– Contains a “tlsa” script to generate records
● From a certificate file:
# tlsa usage 3 selector 1 mtype 1 \ certificate /path/to/cert.crt \ example.com
_443._tcp.example.com. IN TLSA 3 1 1 152d75a2d529e3035760125be0560741f58fee7af18e20c1ace7d2cabc04277c
18
Creating a TLSA Record
● Connect to a port:
# tlsa usage 3 selector 1 \ mtype 1 port 443 example.com
_443._tcp.example.com. IN TLSA 3 1 1 152d75a2d529e3035760125be0560741f58fee7af18e20c1ace7d2cabc04277c
20
HTTPS and DANE
● Deploying DANE requires:– Serving TLSA records
● Easy for HTTPS: defined in RFC6698● Not many publishers yet; people are watching though!
– A client that can make use of them● Google Chome: NO● Mozilla Firefox: NO● Safari: NO● … NO● Some plugins: Yes, but...
21
HTTPS and DANE
● Deploying DANE requires:– Serving TLSA records
● Easy for HTTPS: defined in RFC6698● Not many publishers yet; people are watching though!
– A client that can make use of them● Google Chome: NO● Mozilla Firefox: NO● Safari: NO● … NO● Some plugins: Yes, but...● Bloodhound: YES!
22
Bloodhound
● A derivative of the Firefox code– Developed by Parsons
– All DNS requests are validated via DNSSEC
● DANE support mostly complete– DANE-EE(3) DANE-SPKI(1) SHA-256(1)
● Works on:– OS X
– Linux
– Microsoft Windows needs some work
24
Server-to-Server Email
1: Alice'sMail User Agent (MUA)sends the emailvia the configured SMTP server
3: Bob's MUAdownloadsthe message via IMAP
2: Alice's ISPforwards themessage toBob's ISP
Mail TransferAgent
Simple MailTransport Protocol
(SMTP)
Mail TransferAgent
25
Server-to-Server Email
1: Alice'sMail User Agent (MUA)sends the emailvia the configured SMTP server
3: Bob's MUAdownloadsthe message via IMAP
2: Alice's ISPforwards themessage toBob's ISP
Mail TransferAgent
Simple MailTransport Protocol
(SMTP)
Mail TransferAgent
Server-to-Server Email
1: Alice'sMail User Agent (MUA)sends the emailvia the configured SMTP server
3: Bob's MUAdownloadsthe message via IMAP
2: Alice's ISPforwards themessage toBob's ISP
Mail TransferAgent
Simple MailTransport Protocol
(SMTP)
Mail TransferAgent
We're talking aboutthis part today
Largely secured today throughManual configuration parameters
26
Server-to-Server Emailwith DNS
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail.bobsISP.com
3: I've got mail for Bob
Mail TransferAgent
Mail TransferAgent
(and the address for it is ….)
27
I Wish It Were So Simple
● There can be multiple DNS servers– Every domain should have at least two
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– There may be multiple resolvers
● There can be multiple mail servers
28
Server-to-Server EmailReality Sets In
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail1, mail2 or mail3
3: Do you have an address for mail1?
Mail TransferAgent
Mail TransferAgent
DNS Server
4: Yep, it's 192.0.2.3
5: Hi, I'm representing Alice, I have mail for Bob
6: Hi, I'll take mail for Bob; PS: I don't do security
7: Here's the mail for Bob from Alice
8: Thanks, I'll make sure he gets it
(Actually, reality is even worse but wouldn't fit on this slide)
29
Back To: I Wish It Were So Simple
● There can be multiple DNS servers– Every domain should have at least two
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– There may be multiple resolvers
● There can be multiple mail servers
30
What could possibly go wrong???
● There can be multiple DNS servers– Compromised?
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– Compromised?
● There can be multiple mail servers– Compromised?
● Man In The MiddleDNS Attack
Point!!!NetworkAttack
31
DANE/DNSSEC To The Rescue
● There can be multiple DNS servers– Compromised?
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– Compromised?
● There can be multiple mail servers– Compromised?
● Man In The Middle
UseDNSSEC
UseDANE
32
SMTP Vulnerabilities
● MX, A and other DNS records can be spoofed– DNS redirects SMTP clients to the...
– DNSSEC detects this, and clients won't proceed
● Eavesdropping is Easy– SMTP is unencrypted by default
– Opportunistic encryption helps● See if they offer a certificate and start encryption● However, you may just be encrypting to the...
33
SMTP Vulnerabilities
● If DNS is spoofed, you get a...● ...Man In The Middle
– SMTP is unauthenticated by default
– SMTP is unencrypted by default
– They can turn on opportunistic encryption● Server indicates “I do security”● But a man-in-the-middle can just say “I don't do security”
– CA based solutions don't help because:● The man-in-the-middle says “I don't do security”● You've been redirected to a name the attacker controls
34
DNSSEC/DANE For The Win
● DNSSEC and DANE solves all these problems!● With DNSSEC: you can believe:
– The MX that led you here
– The TLSA is accurately pointing to my certificate
● With DANE's TLSA record:– “This is my certificate” or “This is my CA”
● (accept no others)
– You MUST expect security!!! (i.e., must do TLS)
– You connected to the right place
35
Deployment Options
● Postfix 2.11– Server side (receiving mail):
● Publish a TLSA record: _25._tcp.smtp.example.com● smtpd_tls_cert_file = /path/to/mycert.crt● smtpd_tls_key_file = /path/to/mycert.key
– Client side (sending mail):● smtp_tls_security_level = dane● smtp_dns_support_level = dnssec● CAVEAT: MUST use a secure local resolver
● Exim: Implementation underway (~ 2015)
37
DANE and XMPP
● XMPP– The recommended security solution:
● Check the PKI● If that fails, use DANE● STARTTLS is required
– Being defined now in the IETF● draft-ietf-xmpp-dna● draft-ietf-dane-srv
● Deployed and running code!– Prosody & more ???
39
DANE and SIP
● Just getting started!● Not an official WG item yet
– There is interest in making it one
– One personal draft discussing it
40
Questions?
The Future of TLS SecurityIs Looking Up!
IETF 90IETF 90TorontoToronto
July, 2014July, 2014
41
Resources
● RFC6698 DANE
● RFC7218 Acronyms
● draft-ietf-dane-smtp-with-dane SMTP
● draft-ietf-dane-ops Guidance
● draft-ietf-xmpp-dna XMPP
● draft-ietf-dane-srv SRV
● http://www.dnssec-tools.org/
– (bloodhound!)● http://postfix.org/
42
Known Large Early SMTP Adopters
● posteo.de● mailbox.org● bund.de● denic.de● umkbw.de● freebsd.org
● unitybox.de● debian.org● ietf.org● nlnet.nl● nic.cz
