Building Trust into DNS: Key Strategies



DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.



  1. Building Trust into DNS: Key Strategies White Paper

Executive Summary

DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.

Introduction

For all the benefits of an open Internet, there is a dangerous flip side. Domain name system (DNS) servers are a perfect case in point. With no inherent security, DNS servers at a host of organizations have been repeatedly compromised to enable a host of malicious endeavors, including cache poisoning (injecting incorrect/fraudulent data into a name server’s cache, which then gets served to users), redirecting phone calls, man-in-the-middle attacks to steal passwords, rerouting email, denial of service attacks, and more.

To combat these threats, many organizations have implemented Domain Name System Security Extensions (DNSSEC), the process of digitally signing DNS records in order to ensure that the messages received are the same as those that were sent.

By adopting DNSSEC, a range of organizations, including domain providers, online banks and retailers, SaaS providers, and more, can realize a range of benefits:

  • Boost security. DNSSEC can help guard against cache poisoning, redirected phone calls, man-in-the-middle attacks, and more.
  • Ensure compliance. DNSSEC can help address ICANN, NSEC, and other mandates and guidelines.
  • Reduce costs. By safeguarding against a range of network based threats, organizations can reduce the time and cost associated with threat mitigation and post-attack forensics and reparation.

Without Robust Security, DNSSEC Can Be Compromised

In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. What this means is that DNSSEC requires some new procedures such as key generation, signing, and key management.

But, for all the potential DNSSEC benefits outlined above, the intended gains aren’t guaranteed because the resource records introduced by DNSSEC are kept in an unencrypted file. It is only when the entire DNSSEC infrastructure is fully and comprehensively secured that organizations can begin to fully enjoy DNSSEC’s benefits. To do so, they need capabilities to do the following:
  2. • Secure digital signatures. DNS messages need to be digitally signed in order to ensure the validity of DNS services.
  • Control access. Organizations need to ensure only authorized customers and internal staff can access sensitive applications and data.
  • Maintain application integrity. All associated application code and processes need to be secured to ensure integrity and prohibit unauthorized application execution.
  • Scale to accommodate high volume processing. Since DNS updates are very frequent, DNSSEC infrastructures need to deliver the performance and scalability required to ensure timely processing at all times.

The Role of HSMs in DNSSEC

As outlined above, it is only by ensuring security throughout the DNSSEC infrastructure that businesses can realize the benefits of DNSSEC. To ensure the validity of DNS services, DNSSEC employs public key cryptography to digitally sign DNS messages. To realize the security required, robust protection of private signing keys is vital. If the keys and their corresponding digital certificates are compromised, the chain of trust in the DNS hierarchy is broken, rendering the entire system obsolete.

This is where hardware security modules (HSMs) come into play. HSMs are dedicated systems that physically and logically secure the cryptographic keys and cryptographic processing that are at the heart of digital signatures. HSMs support the following functions:

  • Life-cycle management, including key generation, distribution, rotation, storage, termination, and archival.
  • Cryptographic processing, which produces the dual benefits of isolating and offloading cryptographic processing from application servers.

By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks associated with having these assets housed on disparate, poorly secured platforms. In addition, this centralization can significantly streamline security administration.

[Diagram. Labels: DNS Root Server Cluster; TLD Server Cluster; Authoritative Server Cluster; Recursive (Caching) Name Server; Client-Side of the DNS; DNS Query; SafeNet HSM (*FIPS 140-2 Level 4 Validated). Annotations: Root zone records signed by private key in HSM. TLD zone records signed by private key in SafeNet HSM. Enterprise level zone key signed by SafeNet HSM. SafeNet HSM stores the cryptographic keys that sign the DNS records (DNSKEY, RRSIG, NSEC, and DS).]

Steps shown in the diagram:

  1. Client initiates query for
  2. ISP caching name server starts recursive search at root if no record found in cache.
  3. Recursive search referred to applicable TLD by root. If record does not exist in TLD zone, query referred to the Authoritative server. (Simplified example – additional zone searches may be required to identify Authoritative Name Server.)
  4. Authoritative Server responds with signed DNS zone record.
  5. Recursive server returns verified IP address for “” to DNS client.

The diagram above depicts the steps involved in securing DNS messages through the use of HSMs. By safeguarding digital certificates and cryptographic keys, organizations can maximize the security of their DNSSEC implementations.

Sidebar: HSM Advantages

  • Completeness
  • Performance
  • Compliant and Secure
  • Centralization of Key Management
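The chain of trust described above depends on the parent zone's DS record pinning the child zone's DNSKEY. The following Python code is an added example, not part of the white paper or any SafeNet product: it computes the RFC 4034 key tag and DS digest for a DNSKEY and shows a substituted key failing the check. The zone name and key bytes are constructed placeholders.

```python
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types 2 and 4

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("DNS label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit lookup hint, not a security check."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields the parent zone publishes: key tag, algorithm, digest type, digest."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True only if this DNSKEY is the one the parent's DS record pins."""
    if ds[2] not in DIGESTS:
        return False  # unknown digest type: cannot validate, so do not trust
    return (ds[0], ds[1], ds[2], ds[3].upper()) == make_ds(owner, rdata, ds[2])

# Constructed sample data: placeholder bytes, not a real key or a real zone.
ZONE = "example."
KSK = dnskey_rdata(257, 13, bytes(range(64)))               # 257 = key-signing key, 13 = ECDSA P-256
ROGUE = dnskey_rdata(257, 13, bytes(reversed(range(64))))   # a key the parent never vouched for
PARENT_DS = make_ds(ZONE, KSK)                              # what the parent zone would publish

if __name__ == "__main__":
    print("DS:", *PARENT_DS)
    print("genuine key accepted:", ds_matches(PARENT_DS, ZONE, KSK))
    print("substituted key accepted:", ds_matches(PARENT_DS, ZONE, ROGUE))
```

The DS check only proves which public key the parent vouches for; it offers no protection if the matching private key is copied from the signer, which is the exposure the paper's HSM argument addresses.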
  3. The Advantages of HSMs

Compared to the process of storing cryptographic keys in software residing on general purpose application servers, HSMs deliver several advantages:

Completeness

HSMs are fully contained solutions for cryptographic processing, key generation, and key storage. As purpose-built appliances, they automatically include the required hardware and firmware (i.e., software) in an integrated package. Physical and logical protection of the appliance is supported by a tamper resistant/evident shell; and protection from logical threats, depending on the vendor’s products, is supported by integrated firewall and intrusion prevention defenses. Some HSM vendors also include integrated support for two-factor authentication. Security certification is typically pursued by HSM vendors and positioned as a product feature.

Software for these same functions is not a complete out-of-the-box solution. Server hardware is a separate purchase, unless unused servers are present, as is firewall, intrusion prevention, and two-factor authentication. Being tamper resistant is not a trait typically associated with general-purpose servers. Security certification encompassing the combination of hardware platform and software would be the responsibility of the user organization and can be a lengthy and very costly activity, especially if involvement with certification bodies is not standard operating practice for the organization using the software.

Performance

Cryptography is a resource intensive process that will introduce latency to any application that depends on it. Depending on the application and organization involved, the objective could be to minimize the latency introduced by cryptography. HSMs have an advantage over software as they are designed to optimize the efficiency of cryptographic processing. Compared to software running on general purpose servers, HSMs will accelerate processing; an outcome of being purpose-built.

Compliant and Secure

Frequently, cryptography is used to meet compliance mandates. Cryptography use, however, does not guarantee that information is secure. Further, there are no security guarantees (i.e., promises of no security instances ever) with any security solution so the objective becomes one of managing risk by reducing the number of vulnerabilities and the likelihood of vulnerabilities being exploited. The aforementioned completeness attributes of HSMs allow organizations that deploy HSMs to take efficient and simultaneous steps toward compliance and security.

Centralization of Key Management

An attribute of software is its portability; software can be installed on several servers. Consequently, cryptographic keys have greater likelihood to reside in several locations/software hosts. This multi-location characteristic will add to administrative complexity and potential lapses in the life-cycle management of cryptographic keys (e.g., rotation and revocation). In addition, if consistency in the protective layer of the software host (e.g., firewall, intrusion prevention, and access control) cannot be ensured, the risk of keys being compromised increases.

With HSMs, the tendency is to store keys in a single unit. Not only does this streamline administration and reduce the potential for management lapses but it also supports a consistent layer of key protection.

Sidebar: SafeNet DNSSEC Benefits

  • Enhance Security
  • Ensure Compliance
  • Optimize Operational Performance
  4. The Benefits of DNSSEC with SafeNet

SafeNet offers a broad set of HSMs that are ideally suited to the demands of securing private signing keys. By employing SafeNet HSMs, organizations can realize a range of benefits:

Enhance Security

SafeNet HSMs deliver sophisticated security capabilities that enable businesses to enjoy maximum security of DNSSEC. SafeNet HSMs ensure the most rigorous control over keys and their corresponding digital certificates. As a result, organizations can eliminate the threats of DNS exploits, and the damage they can wreak.

Ensure Compliance

The Internet Engineering Task Force has published a comprehensive set of guidelines for ensuring DNSSEC security. For example, RFC 5011 outlines extensive standards for securing various points in the DNS tree, referred to as trust points. Each trust point must be validated by at least one associated public key. In addition, the guidelines specify a host of efforts for securely adding keys, rotating keys, and removing keys. With their robust encryption and policy management support, SafeNet HSMs enable organizations to ensure compliance with these guidelines.

Further, ICANN DNSSEC requirements state that private keys must be generated and stored on FIPS 140-2 validated HSMs. Many SafeNet HSMs meet these demanding FIPS requirements and many are also Common Criteria certified.

Optimize Operational Performance

By leveraging SafeNet’s secure HSMs, organizations can realize significant gains in operational performance:

  • Improve staff efficiency. By centralizing keys and policy administration on a central, comprehensive platform, security teams can significantly streamline administrative efforts. Further, with an appliance that supports XML, SafeNet enables easier up-front HSM integration.
  • Ensure high performance. By managing cryptographic processing on purpose-built appliances, SafeNet HSMs deliver scalable, responsive performance, ensuring the timely, reliable response required in DNSSEC environments.
  • Optimize key storage. With its support for the Elliptic Curve Digital Signature Algorithm (ECDSA), SafeNet enables more efficient storage of cryptographic keys.
  • Enhance customer service and loyalty. SafeNet HSMs safeguard the DNS infrastructure, so organizations can eliminate the DNS exploits that put customers at risk. By ensuring high levels of security, organizations can foster greater trust and loyalty among their customer base.

SafeNet’s Breadth of HSM Offerings

SafeNet HSMs provide reliable protection for applications, transactions, and information assets by safeguarding the cryptographic keys that are at the heart of any encryption-based security solution. SafeNet HSMs are the fastest, most secure, and easiest to integrate application security solution for enterprise and government organizations to ensure regulatory compliance, reduce the risk of legal liability, and improve profitability. SafeNet offers these HSM products:

General Purpose HSMs, Network Attached

  • Luna SA. Luna SA offers award-winning application protection through powerful cryptographic processing and hardware key management. Luna PCI for Luna SA 4.1 has received Common Criteria EAL4+ certification.

Sidebar: By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure.
  5. • Luna SP. The SafeNet Luna SP allows developers to securely deploy Web applications, Web services, and other Java applications in a protected, hardened security appliance.
  • Luna XML. SafeNet Luna XML is designed to secure next-generation XML Web services and service-oriented architectures (SOAs). Other HSMs take months to integrate with new applications due to complex security APIs. Luna XML has zero footprint on the host application server, providing for rapid, independent, flexible, and highly scalable deployments.
  • ProtectServer External. The SafeNet ProtectServer External is a network-attached HSM that connects via TCP/IP to a single machine or complete network (LAN) to function as a central cryptographic subsystem that delivers symmetric and asymmetric cryptographic services. All operations that would otherwise be performed on insecure servers are securely processed within the HSM, ensuring that sensitive keys are always protected from compromise.
  • Luna SX. The SafeNet Luna SX is a central management console for rapid HSM setup and easy remote administration for the SafeNet Luna SA and Luna SP. Using a simple GUI, SafeNet HSMs can be managed remotely and securely.

General Purpose HSMs, Embedded

  • Luna CA4 HSM. The SafeNet Luna CA4 offers a complete hardware security solution for the protection of sensitive root keys belonging to certificate authorities used in public key infrastructures (PKI).
  • Luna PCI. SafeNet Luna PCI is designed to protect cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications.
  • Luna PCM. SafeNet Luna PCM is a low-cost family of compact HSMs, offering hardware-based key management and hardware-accelerated cryptographic performance within a compact PCMCIA card.
  • ProtectServer HSMs. For server systems and support applications that require high performance symmetric and asymmetric cryptographic operations, ProtectServer Gold and ProtectServer Internal-Express provide tamper-protected hardware security.

Conclusion

Today, DNSSEC represents a critical approach for guarding against a range of threats to Internet-based communications. By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure. Today, SafeNet offers a broad range of HSMs, solutions that accommodate the needs of a range of deployments, and ensure organizations enjoy maximum security in their DNSSEC environments.

About SafeNet, Inc.

Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit

©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-11.29.10

Sidebar: By adopting DNSSEC organizations can realize a range of benefits including:

  • Boost security
  • Ensure compliance
  • Reduce costs