Introduction to the DANE Protocol



Similar documents
Deploying DNSSEC: From End-Customer To Content

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Next Steps In Accelerating DNSSEC Deployment

Securing End-to-End Internet communications using DANE protocol

DANE Secured Demonstration. Wes Hardaker Parsons

A quick overview of the DANE WG. * DNS-based Authentication of Named Entities

A Step-by-Step guide for implementing DANE with a Proof of Concept

One year of DANE Tales and Lessons Learned. sys4.de

SSL and Browsers: The Pillars of Broken Security

Alternatives and Enhancements to CAs for a Secure Web

Analyzing DANE's Response to Known DNSsec Vulnerabilities

Apache Security with SSL Using Ubuntu

SAC075: SSAC Comments to ITU-D on Establishing New Certification Authorities

Server Certificates based on DNSSEC

The Shape and Size of Threats: Defining a Networked System s Attack Surface

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Securing LAN Connected Devices in Industrial Sites with TLS and Multicast DNS

Should You Trust the Padlock? Web Security and the HTTPS Value Chain. Keeping Current 20 November 2013 Ken Calvert

DNSSEC Applying cryptography to the Domain Name System

Automated Certificate Management

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

Internet Standards. Sam Silberman, Constant Contact

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Internet Privacy Options

Innovating with the Domain Name System: From Web to Cloud to the Internet of Things

Digital certificates and SSL

IETF DPRIVE WG: Encrypting DNS

Attacks against certification service providers and their ramifications

Apache Security with SSL Using Linux

DNS security: poisoning, attacks and mitigation

SSL BEST PRACTICES OVERVIEW

Managing CA-Signed Certificates

Useful Tips for Reducing the Risk of Unauthorized Access for Network Cameras Important

Securing DNS Infrastructure Using DNSSEC

Public Key Infrastructure (PKI)

Certificates, Revocation and the new gtld's Oh My!

How to configure HTTPS proxying in Zorp 5

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

DANE for SMTP. Viktor Dukhovni & Wes Hardaker. IETF 87, Berlin July 2013

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

The Myth of Twelve More Bytes. Security on the Post- Scarcity Internet

Description: Objective: Attending students will learn:

WHITE PAPER Citrix Secure Gateway Startup Guide

SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust

SIP Security Controllers. Product Overview

SSL/TLS: The Ugly Truth

CTS2134 Introduction to Networking. Module Network Security

Deploy Remote Desktop Gateway on the AWS Cloud

XN--P1AI (РФ) DNSSEC Policy and Practice Statement

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

SSL: Paved With Good Intentions. Richard Moore

Reverse Proxy Guide. Version 2.0 April 2016

Security server configuration

Service Expectations of Root Servers

Secured Communications using Linphone & Flexisip

Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway)

Security. Learning Objectives. This module will help you...

BREAKING HTTPS WITH BGP HIJACKING. Artyom Gavrichenkov R&D Team Lead, Qrator Labs

CS Lecture 22 DNS Security

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

CTERA Portal Datacenter Edition

SSL Certificates and Bomgar

Microsoft Windows Server 2012 R2 Remote Desktop Services - How to Set Up (Mostly) Seamless Logon for RDP Connections

Network Infrastructure Under Siege

TechNote. Contents. Overview. Using a Windows Enterprise Root CA with DPI-SSL. Network Security

Securing Remote Desktop Services in Windows Server 2008

Security in the PEPPOL

Datacenter Transformation

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

SSL VPNs: An IETF Perspective

More on SHA-1 deprecation:

Encryption. Administrator Guide

How to configure SSL proxying in Zorp 3 F5

When HTTPS Meets CDN: A Case of Authentication in Delegated Service

Specific recommendations

Using a VPN with Niagara Systems. v0.3 6, July 2013

TLS and SRTP for Skype Connect. Technical Datasheet

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

How To Configure SSL VPN in Cyberoam

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

DNS SECURITY TROUBLESHOOTING GUIDE

You Won t Be Needing These Any More: On Removing Unused Certificates From Trust Stores

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Internal Server Names and IP Address Requirements for SSL:

Public-Root Name Server Operational Requirements

Computer Networks: Domain Name System

When HTTPS Meets CDN: A Case of Authentication in Delegated Service

Configuration Guide BES12. Version 12.2

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Mobility Task Force. Deliverable F. Inventory of web-based solution for inter-nren roaming

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Application-layer protocols

Websense Content Gateway HTTPS Configuration

Cisco SSL Encryption Utility

Software Defined Perimeter: Securing the Cloud to the Internet of Things

A Study of What Really Breaks SSL HITB Amsterdam 2011

Table of Contents. This whitepaper outlines how to configure the operating environment for MailEnable s implementation of Exchange ActiveSync.

PRODUCT VERSION: LYNC SERVER 2010, LYNC SERVER 2013, WINDOWS SERVER 2008

Web Security. Mahalingam Ramkumar

Transcription:

Introduction to the DANE Protocol ICANN 47 July 17, 2013

Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC, routing and other Internet technologies: Case Studies Tutorials Videos Whitepapers News, information English content, initially, but will be translated into other languages. 7/15/13

Why Do I Need DNSSEC If I Have SSL? A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) SSL (more formerly known today as Transport Layer Security (TLS)) solves a different issue it provides encryption and protection of the communication between the browser and the web server

The Typical TLS (SSL) Interaction DNS Svr root DNS Svr.com 6 5 https://example.com/ DNS Svr example.com TLS-encrypted web page 2 example.com? 1 DNS Resolver 3 10.1.1.123 Browser 4 10.1.1.123

The Typical TLS (SSL) Interaction DNS Svr root DNS Svr.com 6 5 https://example.com/ DNS Svr example.com TLS-encrypted web page 2 example.com? 3 Is this encrypted with the CORRECT certificate? Browser 1 4 10.1.1.123 DNS Resolver 10.1.1.123

What About This? https://www.example.com/ DNS www.example.com? TLS-encrypted web page with CORRECT certificate Firewall (or attacker) https://www.example.com/ 1 1.2.3.4 2 TLS-encrypted web page with NEW certificate (re-signed by firewall) Browser

Problems? https://www.example.com/ DNS www.example.com? TLS-encrypted web page with CORRECT certificate Firewall (or attacker) https://www.example.com/ 1 1.2.3.4 2 TLS-encrypted web page with NEW certificate (re-signed by firewall) Browser

Problems? https://www.example.com/ DNS www.example.com? TLS-encrypted web page with CORRECT certificate Firewall (or attacker) https://www.example.com/ 1 1.2.3.4 2 Log files or other servers TLS-encrypted web page with NEW certificate (re-signed by firewall) Browser Potentially including personal information

Issues A Certificate Authority (CA) can sign ANY domain. Now over 1,500 CAs there have been compromises where valid certs were issued for domains. Some middle-boxes such as firewalls can re-sign sessions.

A Powerful Combination TLS = encryption + limited integrity protection DNSSEC = strong integrity protection How to get encryption + strong integrity protection? TLS + DNSSEC = DANE 7/15/13

DNS-Based Authentication of Named Entities (DANE) RFC 6698 Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. A browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA or a selfsigned certificate.

DANE https://example.com/ DNS TLS-encrypted web page with CORRECT certificate Firewall (or attacker) https://example.com/ example.com? 1 2 10.1.1.123 DNSKEY RRSIGs TLSA Log files or other servers TLS-encrypted web page with NEW certificate (re-signed by firewall) DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. Browser w/dane

DANE Not Just For The DANE defines protocol for storing TLS certificates in DNS Securing transactions is the obvious use case Other uses also possible: Email VoIP Jabber/XMPP? 7/15/13

DANE Resources DANE Overview and Resources: http://resources/dane/ IETF Journal article explaining DANE: http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: http://tools.ietf.org/html/rfc6394 RFC 6698 DANE Protocol: http://tools.ietf.org/html/rfc6698

How Do We Get DANE Deployed? Developers: Add DANE support into applications (see list of libraries) DNS Hosting Providers: Provide a way that customers can enter a TLSA record into DNS as defined in RFC 6698 ( http://tools.ietf.org/html/rfc6698 ) This will start getting TLS certificates into DNS so that when browsers support DANE they will be able to do so. [More tools are needed to help create TLSA records ex. hashslinger ] Network Operators / Enterprises / Governments: Start talking about need for DANE Express desire for DANE to app vendors (especially browsers)

Opportunities DANE is just one example of new opportunities brought about by DNSSEC Developers and others already exploring new ideas 7/15/13

Dan York, CISSP Senior Content Strategist, Internet Society york@isoc.org Thank You!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information