Reducing the X.509 Attack Surface with DNSSEC’s DANE
E. Osterweil, B. Kaliski, M. Larson and D. McPherson
SATIN 2012, March 22-23, Teddington, UK
Slide 2: SSL/TLS Authentication
• SSL/TLS has been fantastically successful
• But there have been some highly publicized failures (Comodo, DigiNotar)
• What can be done?
• Authentication uses X.509 certificates
  • Server sends cert at SSL/TLS session start
  • How does client trust the cert presented by the server?
• Certificate Authority (CA) model predominates
  • CAs vouch for servers’ public keys
  • Clients trust multiple CAs
  • Clients transit trust from CA to server cert
Slide 3: Problems With the CA Model
• Conflates authentication and trustworthiness
  • “This is an authentic cert from the named entity.”
  • “You can trust the named entity.”
  • CA confirmed the named entity controls its domain name (Domain Validated)
  • Named entity passed certain checks (Extended Validation)
• Only as strong as weakest CA
  • Clients trust many CAs for flexibility
  • All CAs are trusted equivalently
  • Any CA can vouch for anyone
  • Named entity can’t specify who can vouch for it
  • One compromised CA affects everyone
Slide 4: CA Model Attack Surface Illustrated
[Diagram: a client resolving https://www.foo.com walks the DNS hierarchy root → .com → foo.com (step 2, DNS response), connects to the web server (step 3, HTTPS), checks the presented cert (step 4) against the CA list, and checks CA revocation against OCSP servers and CRL servers; the resulting attack surface is labelled “~150 targets”.]
Slide 5: CA Model Aggregate Attack Surface
• All trusted CAs: O(n), where n = number of CAs (~150)
• All OCSP and CRL servers: O(m + p), where m = number of OCSP servers and p = number of CRL servers
• Name servers hosting OCSP servers, CRL servers and the target domain’s zone: O(|NS|), where |NS| = number of name servers involved in the entire predecessor graph
Slide 6: DNS Transitive Trust Illustrated: starbucks.com
Slide 7: DNS Transitive Trust Illustrated: .bg
Slide 8: The DANE Alternative
• DNS-based Authentication of Named Entities (DANE)
  • Protocol to transit trust from DNSSEC to TLS certificate
• TLSA record holds cert info
  • For TLS server at specific domain name, transport and port number
  • E.g., _443._tcp.www.example.com
• Multiple options for specifying cert info in TLSA record
  • Cert provided by TLS server must…
    • …match specified cert
    • …be issued by specified CA cert
    • …chain to specified trust anchor
• DANE authenticates certs; makes no assertions about trustworthiness of named entity
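To make the TLSA options on this slide concrete, here is an added example (not code from the paper or its authors) that builds the TLSA owner name and checks a server's presented chain against one record using the usage, selector and matching-type values RFC 6698 assigns. The Cert and TLSA classes, the opaque DER byte strings and the caller-supplied pkix_valid flag (the verdict of the TLS library's ordinary CA-store validation) are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Field values as assigned by RFC 6698 (usage, selector, matching type).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

@dataclass(frozen=True)
class Cert:                 # assumed minimal view of a certificate
    der: bytes              # DER-encoded certificate, treated as opaque bytes
    spki: bytes             # DER-encoded SubjectPublicKeyInfo of that cert

@dataclass(frozen=True)
class TLSA:                 # one TLSA RDATA
    usage: int
    selector: int
    matching: int
    data: bytes             # certificate association data

def tlsa_owner_name(host, port=443, transport="tcp"):
    """Owner name of the TLSA RRset, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{transport}.{host}"

def association_data(cert, selector, matching):
    """Bytes a TLSA record carries for this cert under selector/matching."""
    raw = cert.der if selector == SEL_CERT else cert.spki
    if matching == MATCH_FULL:
        return raw
    if matching == MATCH_SHA256:
        return hashlib.sha256(raw).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching}")

def tlsa_matches(record, chain, pkix_valid):
    """Does the server's chain (leaf first) satisfy one TLSA record?
    pkix_valid is the CA-store verdict assumed to come from the TLS library,
    which is also assumed to have verified signatures along the chain."""
    def hit(cert):
        return association_data(cert, record.selector, record.matching) == record.data
    leaf, cas = chain[0], chain[1:]
    if record.usage == DANE_EE:   # leaf itself must match; CA list not consulted
        return hit(leaf)
    if record.usage == DANE_TA:   # a CA above the leaf must be the named anchor
        return any(hit(c) for c in cas)
    if record.usage == PKIX_EE:   # leaf must match AND pass normal CA validation
        return pkix_valid and hit(leaf)
    if record.usage == PKIX_TA:   # named CA must appear in a PKIX-valid chain
        return pkix_valid and any(hit(c) for c in cas)
    return False
```

Note that the two DANE-* usages never consult pkix_valid: that is exactly the point of the slide, the trust path runs through DNSSEC rather than the ~150-CA list.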
Slide 9: DANE Potential Liabilities
• DNS response modification
• Transitive trust incurred via target zone secondaries and predecessor zone secondaries
• Missing CA policy framework
• Need for DNSSEC validation
• Encoding DNSSEC data in certificates
Slide 10: DANE Future
• S/MIME
  • DNS as distribution, DNSSEC as authentication
• Trustworthiness checks
  • As attempted by CAs
• DANE provides motivation for DNSSEC deployment