securing dnssec keys via threshold ecdsa from generic mpc
play

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris - PowerPoint PPT Presentation

Aug 03, 2023 •144 likes •775 views

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS20 with Anders Dalskov, Marcel Keller,

  1. Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS’20 with Anders Dalskov, Marcel Keller, Claudio Orlandi and Haya Shulman

  2. This work Threshold ECDSA for DNS zone signing 1 / 20

  3. This work Threshold ECDSA for DNS zone signing - Key security for DNSSEC - Generic way of doing threshold ECDSA (signing and key gen) - Support for lots of different threat models - As fast, or faster, than previous work 1 / 20

  4. Outline DNS and DNSSEC Threshold signatures for DNSSEC

  5. Outline DNS and DNSSEC Threshold signatures for DNSSEC

  6. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  7. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  8. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  9. DNS DNS is a protocol for mapping names to addresses “It’s at 198.51.100.43 ” “Where is ducks.de. ?” Client DNS Server HTTP GET / Host: ducks.de https://ducks.de 198.51.100.43 2 / 20

  10. DNS Insecurity Poisoning/Spoofing is possible 3 / 20

  11. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted 3 / 20

  12. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  13. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  14. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  15. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  16. DNS Insecurity Poisoning/Spoofing is possible First answer is accepted Adversary HTTP GET / 198.51.100.123 Host: ducks.de 198.51.100.123 ducks.de.? ducks.de.? Client ISP DNS Server https://ducks.de 198.51.100.43 3 / 20

  17. DNSSEC DNSSEC fixes this problem - Data integrity: data was not changed in transit - Origin authentication: data originated from the owner 4 / 20

  18. DNS in practice DNS Operators Domains Cloudflare ducks.de Azure DNS cuteswans.de UltraDNS 5 / 20

  19. DNSSEC deployment issues Studies 12 have found that - Some operators use the same key for all domains - E.g., one key shared by > 132 000 domains 1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem (USENIX ’17) 2 One Key to Sign Them All Considered Vulnurable: Evaluation of DNSSEC in the Internet (NSDI ’17) 6 / 20

  20. DNSSEC deployment issues Studies 12 have found that - Some operators use the same key for all domains - E.g., one key shared by > 132 000 domains 1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem (USENIX ’17) 2 One Key to Sign Them All Considered Vulnurable: Evaluation of DNSSEC in the Internet (NSDI ’17) 6 / 20

  21. DNSSEC deployment issues Studies 12 have found that - Some operators use the same key for all domains - E.g., one key shared by > 132 000 domains - Default is 1024-bit RSA - Most keys 1024-bit, with ∼ 10K domains use 512-bit RSA - The majority of keys were not rotated in a 21-month period - Some providers use different keys but share the modulus 1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem (USENIX ’17) 2 One Key to Sign Them All Considered Vulnurable: Evaluation of DNSSEC in the Internet (NSDI ’17) 6 / 20

  22. DNSSEC in practice DNSSEC - Should use ECDSA instead of RSA - Shorter signatures reduce the chance of packet fragmentation 1 1 RFC 6781 recommends 1024-bit RSA for this reason 2 See 2016 Dyn attacks 3 RFC 8901: Multi-Signer DNSSEC Models 7 / 20

  23. DNSSEC in practice DNSSEC - Should use ECDSA instead of RSA - Shorter signatures reduce the chance of packet fragmentation 1 - Support multiple name servers - better availability and DDoS protection 2 - new standard 3 requires zone owner interaction while relinquishing key control 1 RFC 6781 recommends 1024-bit RSA for this reason 2 See 2016 Dyn attacks 3 RFC 8901: Multi-Signer DNSSEC Models 7 / 20

  24. Outline DNS and DNSSEC Threshold signatures for DNSSEC

  25. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) 8 / 20

  26. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  27. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  28. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  29. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC 8 / 20

  30. Threshold signatures for DNSSEC Zone signing with Threshold ECDSA [sk] ← Share (sk) DNS Operators [sk] 1.2.3.4 Sig sk ( 1 . 2 . 3 . 4 || ducks . de ) ducks.de.? ISP [sk] [sk] MPC Threshold signing should not be much more expensive than regular DNSSEC 8 / 20

  31. ECDSA s = k − 1 ( H ( M ) + sk · r x ) 9 / 20

  32. ECDSA s = k − 1 ( H ( M ) + sk · r x ) 9 / 20

  33. Threshold ECDSA s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x 10 / 20

  34. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] Message independent s , r x Online phase MPC 11 / 20

  35. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] Message independent s , r x Online phase MPC 11 / 20

  36. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] [ k − 1 ] Message independent s , r x Online phase [ k − 1 ] [ k − 1 ] MPC 11 / 20

  37. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] [ k − 1 ], [sk − 1 ] Message independent s , r x Online phase [ k − 1 ], [sk − 1 ] [ k − 1 ], [sk − 1 ] MPC 11 / 20

  38. Threshold ECDSA signing in 3 phases s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x DNS Operators Preprocessing: Preprocessing: Key independent Key independent [sk ′ ] = [sk · k − 1 ] [ k − 1 ] [ k − 1 ], [sk − 1 ], M Message independent s , r x Online phase [ k − 1 ], [sk − 1 ], M [ k − 1 ], [sk − 1 ], M MPC 11 / 20

  39. Threshold ECDSA signing s = H ( M )[ k − 1 ] + [sk · k − 1 ] · r x Problems: How do we compute 1. [ k − 1 ] 2. r x 12 / 20

  40. Threshold ECDSA signing Need to compute s = [ k − 1 ]( H ( M ) + [sk] · r x ) 13 / 20

  41. Threshold ECDSA signing Need to compute s = [ k − 1 ]( H ( M ) + [sk] · r x ) Problem how do we compute [ k − 1 ]? Main difficulty with threshold ECDSA 13 / 20

  42. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

  43. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 1. Suppose we have ([ k ] , [ b ] , [ c ]) with c = k · b 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

  44. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 1. Suppose we have ([ k ] , [ b ] , [ c ]) with c = k · b 2. Open [ c ] 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

  45. Threshold ECDSA signing From [ k ] to [ k − 1 ] using a trick due to Bar-Ilan and Beaver 4 1. Suppose we have ([ k ] , [ b ] , [ c ]) with c = k · b 2. Open [ c ] 3. Compute c − 1 [ b ] = [( k · b ) − 1 b ] = [ k − 1 ] 4 Non-cryptographic fault-tolerant computing in constant number of rounds of interaction (PODC ’89) 14 / 20

Recommend

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa

Threshold ECDSA from ECDSA assumptions: the multiparty case Jack Doerner , Yashvanth Kondi , Eysa Lee , and abhi shelat j@ckdoerner.net ykondi@ccs.neu.edu eysa@ccs.neu.edu abhi@neu.edu Northeastern University Traditional Signature

868 views • 57 slides
A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key Management Implementations Back to ICANN 40 2 Key Management Implementations Needs Zones need to be re-signed PKCS#11 periodically. Keys

507 views • 14 slides
Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City

UC Non-Interactive, Proactive, Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City College, CUNY), Steven Goldfeder (Cornell Tech), Nikolaos Makriyannis (Fireblocks), Udi Peled (Fireblocks) To appear

1.18k views • 41 slides
*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

New DNSSEC Technologies Paul Wouters Senior software engineer, Red Hat February 9, 2015 1 Paul Wouters <pwouters@redhat.com> *.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a user@fedoraproject.org

380 views • 12 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com Disclaimer: we have done this First major DNSSEC user of ECDSA P256 Working on getting others to support it ICANN Registration model is

981 views • 9 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
A Full CryptoCurrency Custody Solution Based on MPC and Threshold ECDSA Yehuda Lindell,

A Full CryptoCurrency Custody Solution Based on MPC and Threshold ECDSA Yehuda Lindell,

A Full CryptoCurrency Custody Solution Based on MPC and Threshold ECDSA Yehuda Lindell, Bar-Ilan University and Unbound Tech Ariel Nof, Bar-Ilan University Samuel Ranellucci, Unbound Tech Motivation 2 Custody and Protection

325 views • 21 slides
Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic,

1.51k views • 92 slides
DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why DNSSEC ? Securing the DNS system is both necessary and, right now, doable Root signed since 2010 No

473 views • 10 slides
DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse University of Costa Rica & Namibian Network Information Centre 2015-02-09 Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

202 views • 19 slides
Securing the Internet's Identifier Systems DNSSec and other short stories John Crain ICANN

Securing the Internet's Identifier Systems DNSSec and other short stories John Crain ICANN

Securing the Internet's Identifier Systems DNSSec and other short stories John Crain ICANN john.crain@icann.org 1 Criticality of the Domain Name System Most transactions on the Internet start with a user known name and use the DNS to

514 views • 18 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat, Morocco, 1 June 2008 http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 page 2 DNSKEY in flavours Zone Signin Key (ZSK) Key Signing Key (KSK)

155 views • 13 slides
DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009 Manila, Philippines http://nsrc.org/tutorials/2009/apricot/dnssec/ Public-Private Keys Refresher Ciphers Ciphertext Symmetric Cipher /

465 views • 20 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA Keegan Ryan NCC Group What is ROHNP? Key extraction attack on DSA and ECDSA Uses an old technique to target a new part of the algorithm

243 views • 23 slides
Opportunistic SMTP Security Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview

Opportunistic SMTP Security Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview

Opportunistic SMTP Security Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview E-Mail Overview Where E-Mail Can Go Wrong Securing E-Mail Requires DNSSEC Securing SMTP Using DNSSEC and DANE 2 wes.hardaker@parsons.com

678 views • 31 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides
A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work with R emi Piau and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Africacrypt 2020 Cairo, Egypt 1/32 How to attack ECDSA

646 views • 32 slides

More recommend