DNSSEC. What is DNSSEC? Why is DNSSEC necessary? Ensuring a secure Internet

Similar documents
DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

Using etoken for SSL Web Authentication. SSL V3.0 Overview

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Deploying DNSSEC: From End-Customer To Content

Author: Kai Engert, kaie at redhat dot com or kaie at kuix dot de For updates to this document, please check

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Public Key Infrastructure (PKI)

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

National Certification Authority Framework in Sri Lanka

The Domain Name System from a security point of view

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Implementing Cisco IOS Network Security

Securing DNS Infrastructure Using DNSSEC

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Understanding Digital Certificates and Secure Sockets Layer (SSL)

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

DNS at NLnet Labs. Matthijs Mekking

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

Analyzing DANE's Response to Known DNSsec Vulnerabilities

Understanding digital certificates

10 Secure Electronic Transactions: Overview, Capabilities, and Current Status

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

Secure Frequently Asked Questions

SSL/TLS: The Ugly Truth

DnsCluster: A networking tool for automatic domain zone updating

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Configuring, Customizing, and Troubleshooting Outlook Express

Web Security. Mahalingam Ramkumar

IINS Implementing Cisco Network Security 3.0 (IINS)

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

X.509 Certificate Revisited

Security Digital Certificate Manager

Strong Security in Multiple Server Environments

Security Digital Certificate Manager

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Internet-Praktikum I Lab 3: DNS

Network Security - ISA 656 Security

Cornerstones of Security

Cryptography and Network Security Chapter 14

DNSSEC Deployment a case study

DNSSEC for Everybody: A Beginner s Guide

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Securing your Online Data Transfer with SSL

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Portal Administration. Administrator Guide

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.

Chapter 17. Transport-Level Security

Key Management and Distribution

Securing an Internet Name Server

Research Article. Research of network payment system based on multi-factor authentication

Types of hypertext. Hypertext documents can either be 1.Static 2.Dynamic


How To Guide Edge Network Appliance How To Guide:

Domain Name System Security

DNS and BIND Primer. Pete Nesbitt linux1.ca. April 2012

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

Using etoken for Securing s Using Outlook and Outlook Express

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Introduction to Network Security Key Management and Distribution

DNS security: poisoning, attacks and mitigation

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from

Encryption. Administrator Guide

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

Authenticity of Public Keys

Electronic approvals for forms FAQs

Introduction to the DANE Protocol

Module 2. Configuring and Troubleshooting DNS. Contents:

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Network Fundamentals Carnegie Mellon University

DNSSEC and DNS Proxying

The IDA Catalogue. of GENERIC SERVICES. Interchange of Data between Administrations

Guidelines for Account Management and Effective Usage

Internet Programming. Security

DNS Best Practices. Mike Jager Network Startup Resource Center

Application-layer protocols

Key Management Interoperability Protocol (KMIP)

An Introduction to Cryptography and Digital Signatures

GT 6.0 GSI C Security: Key Concepts

NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314

Background Information

Computer Networks: Domain Name System

Domain Name System. Proper use reduces intranet administration costs. Architecture DNS. Service. Flexible Scalable Extensible

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks

ERserver. iseries. Secure Sockets Layer (SSL)

Transcription:

SEC Ensuring a secure Internet What is SEC? SEC is an extension of the Domain Name System (), that ensures the authenticity and integrity of the data in replies. Technical measures have been implemented which mean that the computer submitting a query (e.g. an internet browser) can now see whether the reply provided for an internet address in the actually comes from the server that is registered with us as being the competent server. At the same time, SEC ensures that this response is not modified as it is transported through the internet. Expressed in simple terms: SEC is a type of insurance which guarantees that people using the internet are only shown the actual website that they intended to call up. This guarantee is achieved through cryptographic signatures. No information is encrypted in SEC. All the data remains publicly accessible, as with the existing. Why is SEC necessary? Observant readers will doubtless have noticed that internet browsers already incorporate a technology designed to ensure that the user arrives at the correct website. Websites of this type are generally encrypted with SSL (Secure Sockets Layer) and are indicated in the browser by means of a key symbol. 1

SEC was not developed in order to replace SSL encryptation. On the contrary, SEC has been introduced to supplement SSL and to prevent a situation where the user lands at an incorrect server even before the connection has been secured by SSL. How does the (Domain Name System) work? The internet as we know it today is based on the global Domain Name System. We will briefly outline the way this system works below. The can be pictured as a globally distributed telephone directory, which allocates the globally unique domain names (www.) to the globally unique internet addresses (130.59.138.34). The internet addresses, or domain names, are used simply because they are easier to write. To make sure that the different queries do not all land up on the same server, the is designed with a hierarchical structure. The name space is divided up into socalled zones. In the case of www., the top level of the hierarchy (root), would be followed by the servers for Switzerland ( ch ), and then the SWITCH servers ( ). The competences of the individual zones are divided up (delegated) within the hierarchy. If you wish to call up the www. website from your computer, your internet provider s name server will poll all the levels of the hierarchy, one after the other. Each level that does not know the answer to the target address will send notification to the next-lower level. The server on the lowest level of the hierarchy will then finally be able to provide the answer for the address. The Domain Name System () has a hierarchical structure. The name servers for automatically forward requests for domain names ending in (e.g. ) to the correct address..com.org nic iana.org What is the purpose of SEC? Imagine a situation where someone succeeds in changing entries in the telephone directory. You thus look up the number for the SWITCH helpdesk and find the wrong number listed there. Would you have had any means of recognising this nonpermitted abuse? Not really. Such a scenario would be possible in the internet if an attacker were to change the hierarchy described above. If an attacker succeeds, for instance, in smuggling incorrect data into your provider s server (cache poisoning), then you would land at a different website when you called up www.. It s best not to try and imagine what nic could happen if the forged website was your bank. Or if you were to send your company s latest strategy to a Partner s forged mail server. 2 www.? www.?

The hierarchy can be modified through cache poisoning. nic SEC in detail nic Since the internet is used for a whole range of different purposes today, hacker attacks can have far-reaching implications. SEC provides fundamental protection against attacks of this type and not only when websites are called up. SEC cannot protect against phishing SERVER attacks on a general basis. It does, however, provide efficient protection against PROVIDER attacks on the. This is what is important, since most phishing attacks can be recognised and prevented by alert internet users. Even experts, however, can scarcely detect attacks on the. www.? www.? www.? IN www.? IN As already mentioned, SEC is based on cryptographic signatures with which the current entries are signed. Anyone who is responsible (authoritative) for a domain name in the internet can protect their information by means of SEC. public root key All the information for which a service provider holds responsibility is signed with this service provider s CHAIN private OF TRUSTkey, and the signatures are written in the (RRSIG record). public key public key ch.ds hash() ch.rrsig DS.... DS hash(). RRSIG DS... signed with private key www. A 130.59.138.34 www. RRSIG A signed with private key 3

.com.org nic An example with SEC: Your internet provider s name server once again follows the familiar hierarchy in order to resolve a query. This time, however, it can check on the basis of the signatures received whether nic the origin of the answers is correct iana.org and whether an answer has been modified en route. The name server will only answer if all the information is correct. With SEC, your internet provider s name server is able to recognise a hierarchy that has been modified by cache poisoning. www.? SERVER PROVIDER www.? www.? www.? IN IN nic nic How is it possible for all these signatures to be checked? CHAIN OF TRUST To compile digital signatures, a pair of keys is generated. A pair of keys of this type is made up of a private and a public key (asymmetric SERVER cryptosystem). As the name suggests, the private part is secret and remains with the PROVIDER owner. The public part is pub- public root key lished in the ( record). Using the public key, it is now possible to check public key and validate a signature that has been signed with the private key. www.? www.? public IN key It is thus necessary to trust a public key before you can check a signature. Since it is not possible to trust all the keys in the internet, use is made of a key hierarchy similar to the nic ch.ds hierarchy hash() ( chain of trust ).. This DS looks hash() somewhat confusing at first sight, but its sole purpose ch.rrsig DS... is to ensure that all. signatures RRSIG DS... can be verified with www. a single RRSIG public A key. signed with private key www.? IN www.? www. A 130.59.138.34 signed with private key The chain of trust in detail In a chain of trust, the higher-ranking level (e.g. a name server for ) guarantees the authenticity of data from the lower-ranking level. CHAIN OF TRUST public root key public key public key ch.ds hash() ch.rrsig DS.... DS hash(). RRSIG DS... signed with private key www. A 130.59.138.34 www. RRSIG A signed with private key 4

An image of the public key is notified to the next level of the hierarchy in each case. The higher level writes this image into its zone (DS record) and guarantees its authenticity by signing it. This public key for this level is then, in turn, notified to the next higher level. SEC DFIE 9.2009 What do I need in order to use SEC? As an internet user, there is no need for you to do anything. If your ADSL or cable modem provider supports SEC, all signature checks will be made on their servers. If you are the holder of a domain name, your website operator must set up SEC for you. Since SEC will not be very widespread precisely in the initial phase, it will probably be the case that only operators of websites requiring protection (e.g. banks) will protect their domain names with SEC to begin with. SWITCH Werdstrasse 2 P.O. Box CH-8021 Zurich phone + 41 848 844 080 fax + 41 848 844 081 helpdesk@nic www.nic/dnssec 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information