ION Santiago - DNSSEC and DANE Based Security for TLS
-
Upload
deploy360-programme-internet-society -
Category
Technology
-
view
269 -
download
3
description
Transcript of ION Santiago - DNSSEC and DANE Based Security for TLS
Who is Wes Hardaker?
● Work for PARSONS– Cyber securty parsons.com/cyber
● Network Security Research Group– Technical Director
– Infrastructure security specialists● DNSSEC, RPKI, BGPSEC, SNMP, IPSec, …● DNS and DNSSEC monitoring services
– Open Source Software● Net-SNMP● DNSSEC-Tools
● IETF Participant DNS-Sentinel
3
Overview
● Current TLS Trust Anchoring Problems● What is DANE? How does it help?● DANE & The Web● DANE & SMTP● DANE & XMPP
4
TLS Overview
● TLS is:– An application-layer security tunnel
– A TCP-based security protocol to secure TCP● DTLS secures datagram protocols (eg, UDP)
– Can provide authentication and encryption● Typically based on X.509 Certificate bootstrapping
User ServerTLS Protection “Tunnel”
Data
5
TLS Properties
● TLS ensures that:– Eves-dropping is impossible
– The client connected to the correct server
– But, this only works when properly anchored
● TLS certificates and trust anchors– A server must present a X.509 certificate
– The client checks this certificate● Did it present one with the right name?● Did it present one with the right IP address?● Was it signed by a CA I trust?
6
PKIX / X.509 Certificate Trees
● Certificate Authorities (CAs)– Sign child certificates
– Should verify the child's identity● Domain ownership● Or their legal business name
– Can be “Trust Anchors” (TAs)
● TLS clients– Trust their trust anchors
● All is good? CAs are trustworthy?
ICANN.ORG
signs
signs
Root CertificateAKA “Trust Anchor”
7
The “Too Many CAs” Problem
● TLS clients often have an abundance of TAs– Modern web browsers have 1300+ TAs
– Any of them can issue a certificate for example.com
example.com
example.com
The TLS Client Accepts Them Both!!!This has happened multiple times!
8
DANE To The Rescue!
● DNS-Based Authentication of Named Entities– A new DNS resource record: “TLSA”
– Indicates the correct server certificate
– MUST be DNSSEC signed to be valid
– Marries the DNSSEC tree to the X.509 tree
– Defined in RFC6698● Updated by RFC7218
9
DNSSEC, DANE and X.509
example.com
example.com
com
example.com
. (DNS root)
TLSArecord
AcceptONLY
this one
X
Dane allows DNS, secured by DNSSEC, to indicate whichTLS/X.509 certificate is the right one to use.
This reduces the attack footprint of TLS significantly.
MU
ST
BE
DN
SS
EC
SIG
NE
D!!!
10
What does a TLSA record look like?
_25._tcp.example.com.
14400
IN
TLSA
3 1 1
FA2AE51F6831B10CE2EFC
933D860579ED1E0FA7974
AF964F02AC3BC4093C0404
Name
TTL
Class
Type
TLSA Parameters
Data
port protocol
11
TLSA Parameters
● Certificate Usage Field– What certificate should we match against
● (where in the chain is the TLSA record pointing at)
● Selector Field– Match the full certificate, or just the key (SPKI)?
● Matching Type Field– What type of match? SHA1, SHA256, or full?
12
TLSA Matching Types
Value Acronym Description
0 Full No hash used; DATA is the Cert or SPKI
1 SHA-256 DATA is the SHA-256 of the Cert or SPKI
2 SHA-512 DATA is the SHA-256 of the Cert or SPKI
… IN TLSA 3 1 1 DATA
13
TLSA Selector
Value Acronym Description
0 Cert Data is based on the full certificate
1 SPKI Data is based on the public key
… IN TLSA 3 1 1 DATA
Certificate
Name: example.comKey Info: public key...
14
Certificate Usage Field
Value Acronym Description
0 PKIX-TA Public CA from X.509 tree
1 PKIX-EE End-Certificate plus X.509 validation
2 DANE-TA Private CA from X.509 tree
3 DANE-EE End-Entity Certificate
… IN TLSA 3 1 1 DATA
15
Certificate Usage Field
Value Acronym
0 PKIX-TA
1 PKIX-EE
2 DANE-TA
3 DANE-EE
… IN TLSA 3 1 1 DATA
ICANN.ORG
Public“Trust Anchor”
Private“Trust Anchor”
17
Creating a TLSA Record
● Useful package: hashslinger– Contains a “tlsa” script to generate records
● From a certificate file:
# tlsa usage 3 selector 1 mtype 1 \ certificate /path/to/cert.crt \ example.com
_443._tcp.example.com. IN TLSA 3 1 1 152d75a2d529e3035760125be0560741f58fee7af18e20c1ace7d2cabc04277c
18
Creating a TLSA Record
● Connect to a port:
# tlsa usage 3 selector 1 \ mtype 1 port 443 example.com
_443._tcp.example.com. IN TLSA 3 1 1 152d75a2d529e3035760125be0560741f58fee7af18e20c1ace7d2cabc04277c
20
HTTPS and DANE
● Deploying DANE requires:– Serving TLSA records
● Easy for HTTPS: defined in RFC6698● Not many publishers yet; people are watching though!
– A client that can make use of them● Google Chome: NO● Mozilla Firefox: NO● Safari: NO● … NO● Some plugins: Yes, but...
21
HTTPS and DANE
● Deploying DANE requires:– Serving TLSA records
● Easy for HTTPS: defined in RFC6698● Not many publishers yet; people are watching though!
– A client that can make use of them● Google Chome: NO● Mozilla Firefox: NO● Safari: NO● … NO● Some plugins: Yes, but...● Bloodhound: YES!
22
Bloodhound
● A derivative of the Firefox code– Developed by Parsons
– All DNS requests are validated via DNSSEC
● DANE support mostly complete– DANE-EE(3) DANE-SPKI(1) SHA-256(1)
● Works on:– OS X
– Linux
– Microsoft Windows needs some work
24
Server-to-Server Email
1: Alice'sMail User Agent (MUA)sends the emailvia the configured SMTP server
3: Bob's MUAdownloadsthe message via IMAP
2: Alice's ISPforwards themessage toBob's ISP
Mail TransferAgent
Simple MailTransport Protocol
(SMTP)
Mail TransferAgent
25
Server-to-Server Email
1: Alice'sMail User Agent (MUA)sends the emailvia the configured SMTP server
3: Bob's MUAdownloadsthe message via IMAP
2: Alice's ISPforwards themessage toBob's ISP
Mail TransferAgent
Simple MailTransport Protocol
(SMTP)
Mail TransferAgent
Server-to-Server Email
1: Alice'sMail User Agent (MUA)sends the emailvia the configured SMTP server
3: Bob's MUAdownloadsthe message via IMAP
2: Alice's ISPforwards themessage toBob's ISP
Mail TransferAgent
Simple MailTransport Protocol
(SMTP)
Mail TransferAgent
We're talking aboutthis part today
Largely secured today throughManual configuration parameters
26
Server-to-Server Emailwith DNS
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail.bobsISP.com
3: I've got mail for Bob
Mail TransferAgent
Mail TransferAgent
(and the address for it is ….)
27
I Wish It Were So Simple
● There can be multiple DNS servers– Every domain should have at least two
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– There may be multiple resolvers
● There can be multiple mail servers
28
Server-to-Server EmailReality Sets In
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail1, mail2 or mail3
3: Do you have an address for mail1?
Mail TransferAgent
Mail TransferAgent
DNS Server
4: Yep, it's 192.0.2.3
5: Hi, I'm representing Alice, I have mail for Bob
6: Hi, I'll take mail for Bob; PS: I don't do security
7: Here's the mail for Bob from Alice
8: Thanks, I'll make sure he gets it
(Actually, reality is even worse but wouldn't fit on this slide)
29
Back To: I Wish It Were So Simple
● There can be multiple DNS servers– Every domain should have at least two
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– There may be multiple resolvers
● There can be multiple mail servers
30
What could possibly go wrong???
● There can be multiple DNS servers– Compromised?
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– Compromised?
● There can be multiple mail servers– Compromised?
● Man In The MiddleDNS Attack
Point!!!NetworkAttack
31
DANE/DNSSEC To The Rescue
● There can be multiple DNS servers– Compromised?
● Alice's mail server asks her ISP's resolver– It doesn't talk directly to the distant DNS server
– Compromised?
● There can be multiple mail servers– Compromised?
● Man In The Middle
UseDNSSEC
UseDANE
32
SMTP Vulnerabilities
● MX, A and other DNS records can be spoofed– DNS redirects SMTP clients to the...
– DNSSEC detects this, and clients won't proceed
● Eavesdropping is Easy– SMTP is unencrypted by default
– Opportunistic encryption helps● See if they offer a certificate and start encryption● However, you may just be encrypting to the...
33
SMTP Vulnerabilities
● If DNS is spoofed, you get a...● ...Man In The Middle
– SMTP is unauthenticated by default
– SMTP is unencrypted by default
– They can turn on opportunistic encryption● Server indicates “I do security”● But a man-in-the-middle can just say “I don't do security”
– CA based solutions don't help because:● The man-in-the-middle says “I don't do security”● You've been redirected to a name the attacker controls
34
DNSSEC/DANE For The Win
● DNSSEC and DANE solves all these problems!● With DNSSEC: you can believe:
– The MX that led you here
– The TLSA is accurately pointing to my certificate
● With DANE's TLSA record:– “This is my certificate” or “This is my CA”
● (accept no others)
– You MUST expect security!!! (i.e., must do TLS)
– You connected to the right place
35
Deployment Options
● Postfix 2.11– Server side (receiving mail):
● Publish a TLSA record: _25._tcp.smtp.example.com● smtpd_tls_cert_file = /path/to/mycert.crt● smtpd_tls_key_file = /path/to/mycert.key
– Client side (sending mail):● smtp_tls_security_level = dane● smtp_dns_support_level = dnssec● CAVEAT: MUST use a secure local resolver
● Exim: Implementation underway (~ 2015)
37
DANE and XMPP
● XMPP– The recommended security solution:
● Check the PKI● If that fails, use DANE● STARTTLS is required
– Being defined now in the IETF● draft-ietf-xmpp-dna● draft-ietf-dane-srv
● Deployed and running code!– Prosody & more ???
39
DANE and SIP
● Just getting started!● Not an official WG item yet
– There is interest in making it one
– One personal draft discussing it
40
Questions?
The Future of TLS SecurityIs Looking Up!
IETF 90IETF 90TorontoToronto
July, 2014July, 2014
41
Resources
● RFC6698 DANE
● RFC7218 Acronyms
● draft-ietf-dane-smtp-with-dane SMTP
● draft-ietf-dane-ops Guidance
● draft-ietf-xmpp-dna XMPP
● draft-ietf-dane-srv SRV
● http://www.dnssec-tools.org/
– (bloodhound!)● http://postfix.org/
42
Known Large Early SMTP Adopters
● posteo.de● mailbox.org● bund.de● denic.de● umkbw.de● freebsd.org
● unitybox.de● debian.org● ietf.org● nlnet.nl● nic.cz