Reducing the X.509 Attack Surface with DNSSEC's DANE
E. Osterweil, B. Kaliski, M. Larson and D. McPherson
SATIN 2012, March 22-23, Teddington, UK
SSL/TLS Authentication
• SSL/TLS has been fantastically successful
• But there have been some highly publicized failures (Comodo, DigiNotar)
• What can be done?
• Authentication uses X.509 certificates
  • Server sends cert at SSL/TLS session start
  • How does client trust the cert presented by the server?
• Certificate Authority (CA) model predominates
  • CAs vouch for servers' public keys
  • Clients trust multiple CAs
  • Clients transit trust from CA to server cert
Problems With the CA Model
• Conflates authentication and trustworthiness
  • "This is an authentic cert from the named entity."
  • "You can trust the named entity."
  • CA confirmed the named entity controls its domain name (Domain Validated)
  • Named entity passed certain checks (Extended Validation)
• Only as strong as weakest CA
  • Clients trust many CAs for flexibility
  • All CAs are trusted equivalently
  • Any CA can vouch for anyone
  • Named entity can't specify who can vouch for it
  • One compromised CA affects everyone
CA Model Attack Surface Illustrated
[Diagram: a client resolving https://www.foo.com queries the root, .com and foo.com name servers (step 2, DNS response), connects to the web server (step 3, HTTPS), then checks the certificate (step 4) against its CA list and checks CA revocation via OCSP and CRL servers. Attack surface: ~150 targets.]
CA Model Aggregate Attack Surface
• All trusted CAs
  • O(n), n = number of CAs (~150)
• All OCSP and CRL servers
  • O(m + p), m = number of OCSP servers, p = number of CRL servers
• Name servers hosting OCSP servers, CRL servers and the target domain's zone
  • O(|NS|), |NS| = number of name servers involved in the entire predecessor graph
DNS Transitive Trust Illustrated: starbucks.com
DNS Transitive Trust Illustrated: .bg
The DANE Alternative
• DNS-based Authentication of Named Entities (DANE)
  • Protocol to transit trust from DNSSEC to TLS certificate
• TLSA record holds cert info
  • For TLS server at specific domain name, transport and port number
  • E.g., _443._tcp.www.example.com
• Multiple options for specifying cert info in TLSA record
  • Cert provided by TLS server must…
    • …match specified cert
    • …be issued by specified CA cert
    • …chain to specified trust anchor
• DANE authenticates certs; makes no assertions about trustworthiness of named entity
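As an added example (not code from the slides or their authors), the TLSA lookup and matching logic the slide describes, in Python: it builds the `_port._proto.host` owner name, parses TLSA presentation-format RDATA (usage, selector, matching type, association data, per RFC 6698), and checks a presented certificate chain against the record. The DER certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real X.509, and PKIX path validation for the usages that still require it is reported as a flag rather than implemented.

```python
import hashlib
from dataclasses import dataclass

# TLSA certificate usages (RFC 6698). PKIX-TA/PKIX-EE (0/1) still need the normal CA chain
# validation on top of the match; DANE-TA/DANE-EE (2/3) rely on the DNSSEC-signed record alone.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

# Constructed stand-ins for DER certificates and their SubjectPublicKeyInfo (not real X.509).
EE_CERT, EE_SPKI = b"\x30\x82\x01\x2aconstructed end-entity cert", b"\x30\x59constructed EE SPKI"
CA_CERT, CA_SPKI = b"\x30\x82\x02\x10constructed issuing CA cert", b"\x30\x59constructed CA SPKI"

@dataclass(frozen=True)
class TLSARecord:
    usage: int      # see USAGES
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    # Owner name of the TLSA RRset for the service, e.g. _443._tcp.www.example.com
    return f"_{port}._{proto}.{host}"

def parse_tlsa_rdata(text: str) -> TLSARecord:
    # Presentation form: "<usage> <selector> <matching> <hex data, may be split by whitespace>"
    usage, selector, matching, *hexparts = text.split()
    rec = TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))
    if rec.usage not in USAGES or rec.selector not in (0, 1) or rec.matching not in (0, 1, 2):
        raise ValueError("unsupported TLSA field value")
    return rec

def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    # What the record's data field must hold for this certificate under selector/matching type
    selected = cert_der if selector == 0 else spki_der
    if matching == 0:
        return selected
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(selected).digest()

def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    return association_data(cert_der, spki_der, rec.selector, rec.matching) == rec.data

def dane_check(rec: TLSARecord, chain: list) -> bool:
    # chain: [(cert_der, spki_der), ...], end-entity first. EE usages (1, 3) must match the leaf;
    # TA usages (0, 2) may match any certificate in the presented chain (which must then still
    # validate up to that certificate; that path check is not implemented here).
    candidates = chain[:1] if rec.usage in (1, 3) else chain
    return any(tlsa_matches(rec, c, s) for c, s in candidates)

def pkix_validation_required(rec: TLSARecord) -> bool:
    # Usages 0/1 only constrain the existing CA chain; 2/3 replace it with the DNSSEC-backed match
    return rec.usage in (0, 1)
```

The TLSA RRset must itself be fetched with DNSSEC validation (the slide's "need for DNSSEC validation"); an unsigned or bogus answer gives the match no authority.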
DANE Potential Liabilities
• DNS response modification
• Transitive trust incurred via target zone secondaries and predecessor zone secondaries
• Missing CA policy framework
• Need for DNSSEC validation
• Encoding DNSSEC data in certificates
DANE Future
• S/MIME
  • DNS as distribution, DNSSEC as authentication
• Trustworthiness checks
  • As attempted by CAs
• DANE provides motivation for DNSSEC deployment