Slides: conferences.npl.co.uk/satin/presentations/satin2012slides...
Reducing the X.509 Attack Surface with DNSSEC’s DANE
E. Osterweil, B. Kaliski, M. Larson and D. McPherson
SATIN 2012, March 22-23, Teddington, UK
Slide 2: SSL/TLS Authentication
• SSL/TLS has been fantastically successful
• But there have been some highly publicized failures (Comodo, DigiNotar)
• What can be done?
• Authentication uses X.509 certificates
  • Server sends cert at SSL/TLS session start
  • How does client trust the cert presented by the server?
• Certificate Authority (CA) model predominates
  • CAs vouch for servers’ public keys
  • Clients trust multiple CAs
  • Clients transit trust from CA to server cert
Slide 3: Problems With the CA Model
• Conflates authentication and trustworthiness
  • “This is an authentic cert from the named entity.”
  • “You can trust the named entity.”
  • CA confirmed the named entity controls its domain name (Domain Validated)
  • Named entity passed certain checks (Extended Validation)
• Only as strong as weakest CA
  • Clients trust many CAs for flexibility
  • All CAs are trusted equivalently
  • Any CA can vouch for anyone
  • Named entity can’t specify who can vouch for it
  • One compromised CA affects everyone
Slide 4: CA Model Attack Surface Illustrated
[Diagram: a client resolving https://www.foo.com. Nodes: root, .com and foo.com name servers; the web server; the client’s CA list; OCSP servers; CRL servers. Labelled steps: 2 - DNS response; 3 - HTTPS to the web server; 4 - Check Cert against the CA list, with Check CA Rev against the OCSP servers and against the CRL servers. Annotation: Attack Surface ~150 targets.]
Slide 5: CA Model Aggregate Attack Surface
• All trusted CAs
  • O(n), n = number of CAs (~150)
• All OCSP and CRL servers
  • O(m + p), m = number of OCSP servers, p = number of CRL servers
• Name servers hosting OCSP servers, CRL servers and the target domain’s zone
  • O(|NS|), |NS| = number of name servers involved in the entire predecessor graph
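The three terms above can be made concrete by walking the delegation graph. The following is an added example, not code from the slides or their authors: it models a constructed, hypothetical delegation table (zone name to name-server hostnames), computes the predecessor graph a resolver touches when resolving the target and the OCSP/CRL hosts (each name server’s own hostname must itself be resolved, which is what makes the trust transitive), and adds the n CAs and m + p revocation endpoints. For comparison it also reports what is left when the certificate is pinned in the target zone instead. All hostnames, zones and the CA count are made up for the demo.

```python
"""Aggregate attack-surface estimate for the CA model:
n CAs + (m + p) revocation endpoints + |NS| name servers in the predecessor graph.

Added example, not from the slides. ZONES is a constructed, hypothetical
delegation table (zone -> name-server hostnames); real delegations differ.
"""
from collections import deque

ZONES = {
    ".": ["a.root-servers.net.", "b.root-servers.net."],
    "net.": ["a.gtld-servers.net.", "b.gtld-servers.net."],
    "com.": ["a.gtld-servers.net.", "b.gtld-servers.net."],
    "root-servers.net.": ["a.root-servers.net.", "b.root-servers.net."],
    "gtld-servers.net.": ["a.gtld-servers.net.", "b.gtld-servers.net."],
    "foo.com.": ["ns1.dnshost.net.", "ns2.dnshost.net."],
    "dnshost.net.": ["ns1.dnshost.net.", "ns2.otherdns.com."],
    "otherdns.com.": ["ns2.otherdns.com."],
    "ocsp-provider.net.": ["ns1.dnshost.net."],
    "crl-provider.com.": ["ns2.otherdns.com."],
}


def delegation_path(name):
    """Zones a resolver walks from the root down to the zone holding `name`
    (only zones present in ZONES count; labels without a zone cut are skipped)."""
    labels = name.rstrip(".").split(".")
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in ZONES:
            path.append(zone)
    return path


def predecessor_graph(names):
    """Transitive closure of the DNS dependencies of `names`.

    Every zone on a name's delegation path is needed, every name server of
    such a zone is needed, and each server's hostname must in turn be
    resolved, pulling in *its* zones and servers. Returns (zones, servers).
    """
    zones, servers = set(), set()
    queue = deque(names)
    while queue:
        for zone in delegation_path(queue.popleft()):
            if zone in zones:
                continue
            zones.add(zone)
            for ns in ZONES[zone]:
                if ns not in servers:
                    servers.add(ns)
                    queue.append(ns)  # the server's own name needs resolving too
    return zones, servers


def ca_model_surface(target, cas, ocsp_hosts, crl_hosts):
    """Targets an attacker could hit to subvert a CA-model TLS connection."""
    _, ns = predecessor_graph([target] + ocsp_hosts + crl_hosts)
    n, m, p = len(cas), len(ocsp_hosts), len(crl_hosts)
    return {"cas": n, "ocsp": m, "crl": p, "name_servers": len(ns),
            "total": n + m + p + len(ns)}


def dane_surface(target):
    """With the cert pinned in the target zone, only the target's own
    predecessor graph remains (the transitive-trust liability of slide 9)."""
    _, ns = predecessor_graph([target])
    return {"name_servers": len(ns), "total": len(ns)}


if __name__ == "__main__":
    cas = [f"CA-{i:03d}" for i in range(150)]  # constructed: ~150 trusted CAs
    print(ca_model_surface("www.foo.com.", cas,
                           ["ocsp.ocsp-provider.net."], ["crl.crl-provider.com."]))
    print(dane_surface("www.foo.com."))
```

Note how otherdns.com. enters the graph without appearing anywhere near foo.com: it hosts one of the name servers of dnshost.net., which hosts foo.com’s name servers. That second-order dependency is the kind of edge the starbucks.com and .bg illustrations on the following slides are showing.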
Slide 6: DNS Transitive Trust Illustrated: starbucks.com
[Diagram only: the transitive-trust graph for starbucks.com.]
Slide 7: DNS Transitive Trust Illustrated: .bg
[Diagram only: the transitive-trust graph for the .bg TLD.]
Slide 8: The DANE Alternative
• DNS-based Authentication of Named Entities (DANE)
  • Protocol to transit trust from DNSSEC to TLS certificate
• TLSA record holds cert info
  • For TLS server at specific domain name, transport and port number
  • E.g., _443._tcp.www.example.com
• Multiple options for specifying cert info in TLSA record
  • Cert provided by TLS server must…
    • …match specified cert
    • …be issued by specified CA cert
    • …chain to specified trust anchor
• DANE authenticates certs; makes no assertions about trustworthiness of named entity
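The three matching options above correspond to the certificate-usage field of the TLSA record. The following is an added example, not code from the slides or their authors: it builds the TLSA owner name and rdata for a server, then checks a presented chain against a record under each usage, generalised to all four usages of RFC 6698 rather than only the three the slide lists. The certificates are constructed stand-ins (opaque byte strings for the DER certificate and SubjectPublicKeyInfo plus an issuer name), so no X.509 parsing or signature checking happens; a real client validates signatures as well. The PKI below, including the rogue-but-trusted CA that has issued a second certificate for the same name, is made up to show the CA-model weakness from slide 3 being closed by the TLSA check.

```python
"""TLSA record generation and matching with RFC 6698 semantics.

Added example, not from the slides. Cert is a constructed stand-in for an
X.509 certificate; no ASN.1 parsing or signature verification is done.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str     # subject name (also the key used to follow issuer links)
    der: bytes    # stand-in for the DER-encoded certificate
    spki: bytes   # stand-in for the DER-encoded SubjectPublicKeyInfo
    issuer: str   # subject name of the issuing certificate


def tlsa_owner_name(host, port=443, proto="tcp"):
    """_<port>._<proto>.<host> is where the client looks up the TLSA RRset."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def selected(cert, selector):
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo."""
    return {0: cert.der, 1: cert.spki}[selector]


def association(data, matching):
    """Matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512."""
    if matching == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).digest()


def make_tlsa(cert, usage, selector, matching):
    """The (usage, selector, matching type, data) tuple a zone owner publishes."""
    return (usage, selector, matching, association(selected(cert, selector), matching))


def tlsa_rdata(record):
    usage, selector, matching, data = record
    return f"{usage} {selector} {matching} {data.hex()}"


def validated_path(chain, pool, is_anchor):
    """Follow issuer links from the end entity (chain[0]) upward until a cert
    satisfying is_anchor is reached; return the path or None.
    `pool` supplies certs the server did not send (the client's trust store)."""
    by_name = {c.name: c for c in list(pool) + list(chain)}
    path, cur = [], chain[0]
    while cur is not None and cur not in path:
        path.append(cur)
        if is_anchor(cur):
            return path
        cur = by_name.get(cur.issuer)
    return None


def tlsa_matches(record, chain, trust_store):
    """Does the server's chain satisfy this TLSA record?

    usage 0 (CA constraint): PKIX-valid chain that passes through the named CA.
    usage 1 (service cert constraint): PKIX-valid chain and the EE cert matches.
    usage 2 (trust anchor assertion): chain to the named cert; trust store unused.
    usage 3 (domain-issued cert): the EE cert matches; nothing else consulted.
    """
    usage, selector, matching, data = record
    ee = chain[0]

    def matches(c):
        return association(selected(c, selector), matching) == data

    if usage == 3:
        return matches(ee)
    if usage == 2:
        return validated_path(chain, (), lambda c: c is not ee and matches(c)) is not None
    path = validated_path(chain, trust_store, lambda c: c in trust_store)
    if path is None:
        return False
    return matches(ee) if usage == 1 else any(matches(c) for c in path[1:])


# Constructed PKI: the client trusts two roots, one of which has gone rogue
# and issued a second certificate for the same name.
ROOT = Cert("Example Root CA", b"der:root", b"spki:root", "Example Root CA")
ISSUING = Cert("Example Issuing CA", b"der:issuing", b"spki:issuing", "Example Root CA")
ROGUE = Cert("Rogue CA", b"der:rogue", b"spki:rogue", "Rogue CA")
SERVER = Cert("www.example.com", b"der:server", b"spki:server", "Example Issuing CA")
MISISSUED = Cert("www.example.com", b"der:misissued", b"spki:misissued", "Rogue CA")
TRUST_STORE = {ROOT, ROGUE}

if __name__ == "__main__":
    pin = make_tlsa(SERVER, 1, 1, 1)
    print(tlsa_owner_name("www.example.com"), "IN TLSA", tlsa_rdata(pin))
    print("legitimate chain:", tlsa_matches(pin, [SERVER, ISSUING], TRUST_STORE))
    print("rogue-issued chain:", tlsa_matches(pin, [MISISSUED, ROGUE], TRUST_STORE))
```

The rogue-issued chain passes the trust-store walk (the client trusts Rogue CA, exactly the “any CA can vouch for anyone” problem), but fails the TLSA comparison because the zone owner said which key to expect. Usage 2 is the case where the chain must carry the anchor itself, since the trust store is deliberately ignored.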
Slide 9: DANE Potential Liabilities
• DNS response modification
• Transitive trust incurred via target zone secondaries and predecessor zone secondaries
• Missing CA policy framework
• Need for DNSSEC validation
• Encoding DNSSEC data in certificates
Slide 10: DANE Future
• S/MIME
  • DNS as distribution, DNSSEC as authentication
• Trustworthiness checks
  • As attempted by CAs
• DANE provides motivation for DNSSEC deployment