dnscurve usable security for dns d j bernstein research
play

DNSCurve: Usable security for DNS D. J. Bernstein Research - PDF document

Jun 10, 2023 •106 likes •598 views

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

  1. DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago

  2. � The Domain Name System cert.org has mail �� �� to deliver to someone@uic.edu . �� �� Mail client at cert.org “The mail server for uic.edu has IP address �� �� �� �� 128.248.155.49.” Administrator at uic.edu Now cert.org delivers mail to IP address 128.248.155.49.

  3. � Same for web browsing. dhs.gov wants to see �� �� http://www.uic.edu . �� �� Browser at dhs.gov “The web server www.uic.edu has IP address �� �� �� �� 128.248.155.210.” Administrator at uic.edu Now dhs.gov retrieves web page from IP address 128.248.155.210.

  4. DNS software security holes: BIND libresolv buffer overflow, Microsoft cache promiscuity, BIND 8 TSIG buffer overflow, BIND 9 dig promiscuity, etc. Fix: Use better DNS software. http://cr.yp.to/djbdns.html carries a $1000 reward for first verifiable public report of a software security hole. But what about protocol holes?

  5. � Forging DNS packets cert.org has mail �� �� to deliver to someone@uic.edu . �� �� Mail client at cert.org “The mail server for uic.edu has IP address �� �� �� �� 157.22.245.20.” Attacker anywhere on network Now cert.org delivers mail to IP address 157.22.245.20, actually the attacker’s machine.

  6. “Can attackers do that?”

  7. “Can attackers do that?” — Yes.

  8. “Can attackers do that?” — Yes. “Really?”

  9. “Can attackers do that?” — Yes. “Really?” — Yes.

  10. “Can attackers do that?” — Yes. “Really?” — Yes. “Don’t the clients check who’s sending information?”

  11. “Can attackers do that?” — Yes. “Really?” — Yes. “Don’t the clients check who’s sending information?” — Yes, but the attacker forges the sender address; as easy as forging address on a physically mailed letter.

  12. “Is the client always listening for the address of www.uic.edu ?”

  13. “Is the client always listening for the address of www.uic.edu ?” — No, but many ways for attackers to work around this: 1. Attack repeatedly. 2. Poke the client to trigger a known lookup. 3. Attack caches a long time in advance. 4. Easy, succeeds instantly: : : :

  14. “Is the client always listening for the address of www.uic.edu ?” — No, but many ways for attackers to work around this: 1. Attack repeatedly. 2. Poke the client to trigger a known lookup. 3. Attack caches a long time in advance. 4. Easy, succeeds instantly: Sniff the network.

  15. “Doesn’t the attacker have to win a race against the legitimate DNS packets from the administrator at uic.edu? ”

  16. “Doesn’t the attacker have to win a race against the legitimate DNS packets from the administrator at uic.edu? ” — Yes, but many ways for attackers to win race: 1. Deafen the legitimate server. 2. Mute the legitimate server. 3. Poke-jab-jab-jab-jab-jab. 4. Easy, succeeds instantly: : : :

  17. “Doesn’t the attacker have to win a race against the legitimate DNS packets from the administrator at uic.edu? ” — Yes, but many ways for attackers to win race: 1. Deafen the legitimate server. 2. Mute the legitimate server. 3. Poke-jab-jab-jab-jab-jab. 4. Easy, succeeds instantly: Sniff the network.

  18. What about cookies? Client’s DNS query packet contains a 16-bit ID. RFC 1035 (1987): “This identifier is copied [to the] reply and can be used by the requester to match up replies to outstanding queries.” Traditional ID sequence: 1, 2, 3, 4, 5, etc. More recent idea: “Hey, let’s use random IDs! Then the attacker won’t be able to forge a packet with the right ID!”

  19. Many “random” IDs are actually quite easy to predict. Client asks for information from attacker’s servers; attacker inspects IDs, predicts subsequent IDs. See, e.g., emergency BIND 9 upgrade (2007.07.24) responding to attack by Amit Klein. But modern cryptographic random-number generators are extremely difficult to predict.

  20. Client can randomize 16-bit ID and 16-bit UDP source port. Implemented and advertised in djbdns since 1999, and in PowerDNS since 2006. Same feature added 2008.07 in emergency upgrade to BIND, Microsoft DNS, Nominum CNS, most Cisco products, etc.

  21. Many ways for attackers to beat this randomization, even if it’s cryptographic: 1. Attack repeatedly. “An attacker who makes a few billion random guesses is likely to succeed at least once; tens of millions of guesses are adequate with a colliding attack;” etc. 2. Allocate most UDP ports to other tasks, non-reusably. 3. Easy, succeeds instantly: : : :

  22. Many ways for attackers to beat this randomization, even if it’s cryptographic: 1. Attack repeatedly. “An attacker who makes a few billion random guesses is likely to succeed at least once; tens of millions of guesses are adequate with a colliding attack;” etc. 2. Allocate most UDP ports to other tasks, non-reusably. 3. Easy, succeeds instantly: Sniff the network.

  23. What about thorough crypto? Cryptography can stop sniffing attackers by scrambling legitimate packets. Cryptography is often described as protecting confidentiality: attackers can’t understand the scrambled packets. Can also protect integrity: attackers can’t figure out a properly scrambled forgery.

  24. Traditional cryptography requires each legitimate client-server pair to share a secret key. Public-key cryptography has much lower requirements. (1976 Diffie–Hellman; many subsequent refinements) Each party has one public key. Two parties can communicate securely if each party knows the other party’s public key. 1993: IETF begins “DNSSEC” project to add public-key signatures to DNS.

  25. Paul Vixie, June 1995: This sounds simple but it has deep reaching consequences in both the protocol and the implementation—which is why it’s taken more than a year to choose a security model and design a solution. We expect it to be another year before DNSSEC is in wide use on the leading edge, and at least a year after that before its use is commonplace on the Internet. BIND 8.2 blurb, March 1999: [Top feature:] Preliminary DNSSEC. BIND 9 blurb, September 2000: [Top feature:] DNSSEC.

  26. Paul Vixie, November 2002: We are still doing basic research on what kind of data model will work for DNS security. After three or four times of saying “NOW we’ve got it, THIS TIME for sure” there’s finally : : : “Wonder if THIS’ll work?” some humility in the picture : : : It’s impossible to know how many : : : It more flag days we’ll have before it’s safe to burn ROMs sure isn’t plain old SIG+KEY, and it sure isn’t DS as currently : : : specified. When will it be? We don’t know. 2535 is already dead and buried. There is no installed base. We’re starting from scratch.

  27. Paul Vixie, 20 April 2004, announcing BIND 9.3 beta: BIND 9.3 will ship with DNSSEC

  28. Paul Vixie, 20 April 2004, announcing BIND 9.3 beta: BIND 9.3 will ship with DNSSEC support turned off by default in the configuration file.

  29. Paul Vixie, 20 April 2004, announcing BIND 9.3 beta: BIND 9.3 will ship with DNSSEC : : : support turned off by default in the configuration file. ISC will also begin offering direct support to users of BIND through the sale of annual support contracts.

  30. Paul Vixie, 1 November 2005: : : : they might Had we done a requirements doc ten years ago not have noticed that it would intersect their national privacy laws or business requirements, we might still have run into the NSEC3 juggernaut and be just as far off the rails now as we actually are now.

  31. After fifteen years and millions of dollars of government grants (e.g., DISA to BIND company; NSF to UCLA; DHS to Secure64 Software Corporation), how successful is DNSSEC? The Internet has about 70000000 *.com names.

  32. After fifteen years and millions of dollars of government grants (e.g., DISA to BIND company; NSF to UCLA; DHS to Secure64 Software Corporation), how successful is DNSSEC? The Internet has about 70000000 *.com names. Surveys by DNSSEC developers, last updated 2008.08.20, have found 116 *.com names with DNSSEC signatures.

  33. � � � � � DNS in more detail �� �� �� Browser �� at dhs.gov DNS cache �� �� “The web server .uic.edu www.uic.edu DNS server has IP address 128.248.155.210.” .uic.edu database �� �� Administrator at uic.edu

  34. � � � � DNS cache learns location of .uic.edu DNS server from �� �� .edu DNS server: �� �� at dhs.gov DNS cache �� �� .edu “The DNS server DNS server for .uic.edu �� �� is icestation with IP address .edu 128.174.45.64.” �� �� database �� �� at uic.edu Administrator

  35. � � � Packets to/from DNS cache God sayeth unto the DNS cache: “DNS Root K.Heaven 193.0.14.129” “Web www.uic.edu ?” 193.0.14.129 � DNS cache “DNS .edu a3 192.5.6.32” “Web www.uic.edu ?” 192.5.6.32 � DNS cache “DNS .uic.edu icestation 128.174.45.64” “Web www.uic.edu ?” 128.174.45.64 � DNS cache “Web www.uic.edu 128.248.155.210”

Recommend

Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische

Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische

Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Disclaimer: I havent released DNSCurve software yet. But you can try prototypes: @mdempsky s DNSCurve cache, @hhavt s

890 views • 40 slides
DNSCurve D. J. Bernstein University of Illinois at Chicago The Domain Name System uma.es

DNSCurve D. J. Bernstein University of Illinois at Chicago The Domain Name System uma.es

DNSCurve D. J. Bernstein University of Illinois at Chicago The Domain Name System uma.es wants to see http://www.iitk.ac.in . Browser at uma.es The web server www.iitk.ac.in has IP address

1.12k views • 80 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes an SMTP connection, sends

617 views • 40 slides
Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Usable assembly language for GPUs D. J. Bernstein University of Illinois at Chicago 319 ms:

Usable assembly language for GPUs D. J. Bernstein University of Illinois at Chicago 319 ms:

Usable assembly language for GPUs D. J. Bernstein University of Illinois at Chicago 319 ms: rpes/src/cuda 183 ms: rpes/src/qhasm (new) Measured on behemoth : 1.30GHz GTX 280 2; 2.83GHz Core 2 Quad Q9550 1974 Knuth: There is no doubt

578 views • 35 slides
Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two Six Labs working on DARPA Brandeis This talk goes over work from UCB 1 Install-time permissions A ccept all or dont use the app at all. No

944 views • 77 slides
Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

1 2 Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes files University of Illinois at Chicago & Technische Universiteit Eindhoven RAM disk Operating-system kernel divides RAM among processes,

1.32k views • 100 slides
Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in Secure Systems Engineering lersse.ece.ubc.ca Electrical and Computer

348 views • 9 slides
Usable assembly language for GPUs: a success story Daniel J. Bernstein, UIC Hsieh-Chung Chen,

Usable assembly language for GPUs: a success story Daniel J. Bernstein, UIC Hsieh-Chung Chen,

Usable assembly language for GPUs: a success story Daniel J. Bernstein, UIC Hsieh-Chung Chen, Harvard Chen-Mou Cheng, NTU Tanja Lange, Eindhoven Ruben Niederhagen, E+AS Peter Schwabe, Academia Sinica Bo-Yin Yang, Academia Sinica OpenSSL

494 views • 33 slides
Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation Math Sciences Research Institute University of California at Berkeley

596 views • 33 slides
High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology,

288 views • 17 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

715 views • 34 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given a choice between dancing pigs and security, users will pick dancing pigs every time. Felton and McGraw (1999) clicky lusers BYU LAB

1.12k views • 84 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at Chicago The bug-of-the-month club Every few months CERT announces Yet Another Security Hole In Sendmailsomething that lets local or even

592 views • 31 slides
Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security (CUPS) Lab Carnegie Mellon University 2 Personalization 3 Cross-System Personalization 4 Cross-System Personalization 5 Cross-System

310 views • 18 slides
Usable Security Spring 2015 Franziska (Franzi) Roesner

Usable Security Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

1.11k views • 55 slides
Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 Todays class Introducing me Introducing you Human Factors for Security and

985 views • 82 slides
The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas Reynolds University at Albany a Lightning Talk Symposium On Usable Privacy & Security Carnegie Mellon University, July 2011 Usable

371 views • 5 slides
Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to Verifying their Vote Workshop on Usable Security 2/23/2014 Usable Security Lab Jurlind Budurushi, Marcel Woide and Melanie Volkamer Crypto Lab Current

217 views • 19 slides

More recommend