261 research outputs found
Securing The Root: A Proposal For Distributing Signing Authority
Management of the Domain Name System (DNS) root zone file is a uniquely global policy problem. For the Internet to connect everyone, the root must be coordinated and compatible. While authority over the legacy root zone file has been contentious and divisive at times, everyone agrees that the Internet should be made more secure. A newly standardized protocol, DNS Security Extensions (DNSSEC), would make the Internet's infrastructure more secure. In order to fully implement DNSSEC, the procedures for managing the DNS root must be revised. Therein lies an opportunity. In revising the root zone management procedures, we can develop a new solution that diminishes the impact of the legacy monopoly held by the U.S. government and avoids another contentious debate over unilateral U.S. control. In this paper we describe the outlines of a new system for the management of a DNSSEC-enabled root. Our proposal distributes authority over securing the root, unlike another recently suggested method, while avoiding the risks and pitfalls of an intergovernmental power sharing scheme
NSEC5, DNSSEC authenticated denial of existence
The Domain Name System Security Extensions (DNSSEC) introduced two
resource records (RR) for authenticated denial of existence: the NSEC
RR and the NSEC3 RR. This document introduces NSEC5 as an
alternative mechanism for DNSSEC authenticated denial of existence.
NSEC5 uses verifiable random functions (VRFs) to prevent offline
enumeration of zone contents. NSEC5 also protects the integrity of
the zone contents even if an adversary compromises one of the
authoritative servers for the zone. Integrity is preserved because
NSEC5 does not require private zone-signing keys to be present on all
authoritative servers for the zone, in contrast to DNSSEC online
signing schemes like NSEC3 White Lies.https://datatracker.ietf.org/doc/draft-vcelak-nsec5/First author draf
Can NSEC5 be practical for DNSSEC deployments?
NSEC5 is proposed modification to DNSSEC that simultaneously guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. This paper redesigns NSEC5 to make it both practical and performant. Our NSEC5 redesign features a new fast verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into the DNSSEC protocol, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5—extending widely-used DNS software to present a nameserver and recursive resolver that support NSEC5—and evaluate their performance under aggressive DNS query loads. Our performance results
indicate that our redesigned NSEC5 can be viable even for high-throughput scenarioshttps://eprint.iacr.org/2017/099.pdfFirst author draf
An analysis on the implementation of secure web-related protocols in portuguese city councils
The services supporting the websites, both public and private entities, may support security protocols such as HTTPS or DNSSEC. Public and private entities have a responsibility to ensure the security of their online platforms. Entities in the public domain such as city councils provide their services through their websites. However, each city council has its systems, configurations, and IT teams, and this means they have different standings regarding the security protocols supported. This paper analyzes the status of security protocols on Portuguese city council websites, specifically HTTPS and DNSSEC. The study evaluated 308 city council websites using a script developed for the research, and data was collected from the website of Direção Geral das Autarquias Locais (DGAL) on December 14, 2022, and the websites were scanned on December 22, 2022. The results of this assessment reveal that around 97% of city council websites use RSA as their encryption algorithm and around 84% use 2048-bit length keys for digital certificate signing. Furthermore, about 53% of the city council websites are still supporting outdated and potentially insecure SSL/TLS versions, and around 95% of the councils are not implementing DNSSEC in their domains. These results highlight potential areas for improvement in
cybersecurity measures and can serve as a baseline to track progress toward improving cybersecurity maturity in Portuguese city councils.A41D-7428-BA6C | Jackson Barreto Costa JĂşniorN/
Detecting and Refactoring Operational Smells within the Domain Name System
The Domain Name System (DNS) is one of the most important components of the
Internet infrastructure. DNS relies on a delegation-based architecture, where
resolution of names to their IP addresses requires resolving the names of the
servers responsible for those names. The recursive structures of the inter
dependencies that exist between name servers associated with each zone are
called dependency graphs. System administrators' operational decisions have far
reaching effects on the DNSs qualities. They need to be soundly made to create
a balance between the availability, security and resilience of the system. We
utilize dependency graphs to identify, detect and catalogue operational bad
smells. Our method deals with smells on a high-level of abstraction using a
consistent taxonomy and reusable vocabulary, defined by a DNS Operational
Model. The method will be used to build a diagnostic advisory tool that will
detect configuration changes that might decrease the robustness or security
posture of domain names before they become into production.Comment: In Proceedings GaM 2015, arXiv:1504.0244
Search for Trust: An Analysis and Comparison of CA System Alternatives and Enhancements
The security of the Public Key Infrastructure has been reevaluated in response to Certification Authority (CA) compromise which resulted in the circulation of fraudulent certificates. These rogue certificates can and have been used to execute Man-in-the-Middle attacks and gain access to users’ sensitive information. In wake of these events, there has been a call for change to the extent of either securing the current system or altogether replacing it with an alternative design. This paper will explore the following proposals which have been put forth to replace or improve the CA system with the goal of aiding in the prevention and detection of MITM attacks and improving the trust infrastructure: Convergence, Perspectives, Mutually Endorsed Certification Authority Infrastructure (MECAI), DNS-Based Authentication of Named Entities (DANE), DNS Certification Authority Authorization (CAA) Resource Records, Public Key Pinning, Sovereign Keys, and Certificate Transparency. Provided are brief descriptions of each proposal, along with an indication of the pros and cons of each system. Following this, a new metric is applied which, according to a set of criteria, ranks each proposal and gives readers an idea of the costs and benefits of implementing the proposed system and the potential strengths and weaknesses of the design. We conclude with recommendations for further research and remark on the proposals with the most potential going forward
Authenticated and Secure Automotive Service Discovery with DNSSEC and DANE
Automotive softwarization is progressing and future cars are expected to
operate a Service-Oriented Architecture on multipurpose compute units, which
are interconnected via a high-speed Ethernet backbone. The AUTOSAR architecture
foresees a universal middleware called SOME/IP that provides the service
primitives, interfaces, and application protocols on top of Ethernet and IP.
SOME/IP lacks a robust security architecture, even though security is an
essential in future Internet-connected vehicles. In this paper, we augment the
SOME/IP service discovery with an authentication and certificate management
scheme based on DNSSEC and DANE. We argue that the deployment of well-proven,
widely tested standard protocols should serve as an appropriate basis for a
robust and reliable security infrastructure in cars. Our solution enables
on-demand service authentication in offline scenarios, easy online updates, and
remains free of attestation collisions. We evaluate our extension of the common
vsomeip stack and find performance values that fully comply with car
operations
- …