Domain Key Infrastructure (From Black Hat USA)

Black Ops of Fundamental Defense:Introducing theDomain Key Infrastructure,[object Object],Dan Kaminsky,[object Object],Chief Scientist,[object Object],Recursion Ventures,[object Object],http://www.recursion.com,[object Object]

So. Another DNS Talk.,[object Object],There may have been some…consequences…of the last one,[object Object],After 15 years of work, the DNS root is signed,[object Object],Even more surprisingly…,[object Object],It’s actually a good thing.,[object Object]

This is my 11th year at Black Hat,[object Object],It’s been quite the ride!,[object Object],Contrary to popular belief, I haven’t always been obsessed with DNS,[object Object],Once upon a time, I was obsessed with SSH,[object Object],My first Black Hat talk got a feature put into it!,[object Object],Dynamic Forwarding / -D flag,[object Object],Anyone notice how excited I’ve been about DNSSEC?,[object Object],This talk is about why.,[object Object]

Introduction,[object Object],I’m Dan Kaminsky, and this is my 11th Black Hat talk.,[object Object],I’ve not always been talking about DNS,[object Object],Ten years ago, my talk was all about SSH,[object Object],SSH (Secure Shell) is the most popular package for remote system administration in the world,[object Object],We used SSH to administer remote machines,[object Object],On a security audit of SSH, it became clear that tunnels (for other protocols, like web browsers) could be opened up on demand,[object Object]

Thus, the –D Flag,[object Object],Dynamic Forwarding was born,[object Object],-D flag,[object Object],“If you can SSH into the box, you can administer its web interface”,[object Object],Code is now in every Mac and Linux system on the planet,[object Object],This was the result of a pen test!,[object Object]

An Unsolved Problem,[object Object],OK, so now we can manage any machine,[object Object],How do we log in?,[object Object],Cross Organizational Authentication was then, and remains now, a capital-h Hard Problem.,[object Object],Verizon Business: 60% of compromises traced to authentication,[object Object],No passwords,[object Object],Default passwords,[object Object],Shared passwords,[object Object],Can we do better?,[object Object]

A Very Common Scene,[object Object]

[That’s A Strange Username…],[object Object]

[Heh Wait, That Worked?],[object Object]

[What’s that in authorized_keys2?!],[object Object]

Redefining The Possible,[object Object],We’ve been trying to authenticate (federate) from one domain to another for years,[object Object],DNSSEC makes it easy.,[object Object],This is the power of the Domain Key Infrastructure,[object Object],We can’t do this if DNSSEC is hard to deploy,[object Object],So is it possible to make DNSSEC easy?,[object Object],Yes.,[object Object],But I get ahead of myself.,[object Object]

DNSSEC,[object Object],For the last eighteen years, people have been trying to secure the DNS,[object Object],Now it’s our turn to secure everything else,[object Object],We live in the future.,[object Object],I recently spent six hours in a secure facility helping sign the DNSSEC root – I’m honored to have been a part of that,[object Object],Everything in this talk is only possible because the DNSSEC root is finally signed.,[object Object],But I get ahead of myself.,[object Object]

What Recursion Ventures Stands For,[object Object],It is time to get serious about defense.,[object Object],Our society runs on Information Technology. We can’t go back.,[object Object],That does not mean we stop talking about how to break into things,[object Object],The only hope we have for creating effective defenses is maintaining strong offensive knowledge, and using it to drive defensive engineering,[object Object],Otherwise, we end up with Please Turn Off Your Cellphones Before Departure Syndrome – major exertions of effort with no measureable or measured relationship with the problem at hand,[object Object]

The Need For Fundamental Defense,[object Object],We believe there are fundamental links between most of the security failures out there,[object Object],Two core issues,[object Object],It’s because of these two issues that attackers succeed.,[object Object],First: We don’t know how to write secure code affordably,[object Object],Second: We can’t authenticate across organizational boundaries,[object Object],Recursion is working on both problems,[object Object],Interpolique, a secure (and public! Go break it!) framework for cross-language communication, is dealing with some of the first,[object Object],We’re here today to talk about the second,[object Object]

There Are Four Audiences For This Talk,[object Object],The User,[object Object],The Buyer,[object Object],The Builder,[object Object],The Breaker,[object Object]

To The Users,[object Object],DKI (Domain Key Infrastructure) will let you know, when you receive a mail from your bank, that it is actually from your bank.,[object Object],We have been talking about secure email for over a decade,[object Object],We apologize. We have failed you.,[object Object],We ask you too many questions.,[object Object],We make awful demands upon your memory,[object Object],We blame you when things go wrong,[object Object],Our failure comes not from lack of trying, but from taking the wrong approach.,[object Object]

To The Buyers,[object Object],DKI is going to increase your budget.,[object Object],Ten years ago, your community spent hundreds of millions of dollars trying to implement Public Key Infrastructure,[object Object],On the one hand, it did not work.,[object Object],On the other, do you think we need strong authentication any less now, than we did a decade ago?,[object Object],Information Technology has only gotten more important, not less.,[object Object],The question is: Is this pendulum swing, with the DNSSEC root being signed, finally the one that will solve this problem?,[object Object],We believe so.,[object Object]

To The Builders,[object Object],DKI will make your security products scale,[object Object],How much stuff have you sold that sits on customer shelves, because it worked in the lab but failed large scale deployment?,[object Object],How many devices have you really been able to ship with certificates?,[object Object],How many sacrifices have you had to make in your products, that in the end equated to disabling the security in the first place?,[object Object],Ahem, devices that don’t even validate the identity of the SSL peer they’re communicating with,[object Object]

To The Breakers,[object Object],You are the most important group here.,[object Object],People think code is secure until proven otherwise,[object Object],You know better.,[object Object],“Holy crap! Recursion Ventures just made DNSSEC OpenSSH Pre-auth!”,[object Object],Thank you for noticing. Lets get to work.,[object Object]

Towards Radical Transparency,[object Object],Recursion Ventures will be actively supporting an aggressive public audit of all DNSSEC and DKI technologies,[object Object],Justin Ferguson (jf / @not_me) is auditing LDNS, NLnet Labs’ excellent DNSSEC library,[object Object],His report will be released publicly in a few weeks (by September 1st, 2010, probably earlier),[object Object],Initial findings are mostly positive, with some finds,[object Object],Nlnet Labs is being very supportive of this effort,[object Object]

To Grandma,[object Object],Welcome to your seventhBlack Hat!,[object Object],You are officially more l33t than 90% of this room ,[object Object],Yes, everyone, there are cookies ,[object Object]

What We Are Here To Do,[object Object],1) Explain DNSSEC. It’s simpler than you think.,[object Object],2) Deploy DNSSEC. See #1,[object Object],3) Discuss some approaches that may make DNSSEC scale better on the server side.,[object Object],4) Describe how we will acquire end-to-end trust via DNSSEC, thus enabling DKI,[object Object],5) Demonstrate DKI working. Not theoretically, but right here, right now, on stage.,[object Object],Code or GTFO,[object Object]

Some Ground Rules [0],[object Object],No Religion But One,[object Object],We don’t care about Not Invented Here,[object Object],Some of the coolest things in this talk were not my idea,[object Object],We have an Internet to fix,[object Object],Bigger than any one person,[object Object],…or one organization,[object Object],…or one community,[object Object],…or one country,[object Object]

Some Ground Rules [1],[object Object],We can’t care about style.,[object Object],Skype’s Law: The Internet was frozen in 2001. Deal with it.,[object Object],Theoretical elegance is great, and there are times where it’s important to “take a stand”,[object Object],But it’s gotta work.,[object Object],And it’s gotta work well. Not just barely.,[object Object],Systems that barely work are barely deployed.,[object Object],1M SSL endpoints.,[object Object],Half of them don’t even pretend to be secure.,[object Object],Corollary: We can’t care about historical precedent,[object Object],Historically, we have not achieved success.,[object Object]

Ops Is King,[object Object],We do care about Operations,[object Object],We will not win by calling people Lazy and Stupid,[object Object],Great for our egos – defines us as intelligent and industrious – but the customer remains 0wned,[object Object],We will not win through moralization,[object Object],“You’re bad people! You release broken code!”,[object Object],We will really not win through regulation,[object Object],Product liability is the end result of no market forces differentiating secure code from bad,[object Object],We will win the old fashioned way: By delivering a better product to market, as judged by the people who actually have to run with it,[object Object]

Timelines,[object Object],18 months ago, we declared at Black Hat DC:,[object Object],DNSSEC, as an implementation, is an undeployable train wreck.,[object Object],It will get better.,[object Object],Today is Yesterday’s Future,[object Object],Look what we have!,[object Object]

Market Survey(Not A Sales Pitch),[object Object],Open Source Servers,[object Object],Bind 9.7 (“DNSSEC for Humans”),[object Object],PowerDNSSEC (Lazy Signing),[object Object],OpenDNSSEC (IXFR Secure Slaves),[object Object],Commercial Servers,[object Object],Xelerance,[object Object],Secure64,[object Object],Infoblox,[object Object],Managed Service Providers,[object Object],Afilias / Proteus,[object Object],Verisign,[object Object],Dyn,[object Object],UltraDNS,[object Object]

Why This Matters,[object Object],There is a robust market of companies out to make DNSSEC easy to deploy.,[object Object],This is a sign of maturity,[object Object],A bevy of suppliers is the mark of a healthy industry,[object Object],A lot of skin in this game,[object Object],A lot of people out to make DNSSEC operations-friendly,[object Object],I’m here to show where it’s all going, on the six-to-eighteen month timeline,[object Object]

1) DNSSEC is not that complicated ,[object Object],Normal DNS:,[object Object],Ask a question, get an answer,[object Object],Ask a question, get a referral,[object Object],Alice: Jenny’s number? Ask Travis.,[object Object],Travis: Jenny’s number? Ask Charlie.,[object Object],Charlie: Jenny’s number? 876-5309,[object Object]

Not Too Different,[object Object],DNSSEC,[object Object],Ask a question, get an answer and a signature,[object Object],Ask a question, get a referral and a signature,[object Object],Alice: Jenny’s number? Ask Travis™,[object Object],Travis: Jenny’s number? Ask Charlie™,[object Object],Charlie: Jenny’s number? 876-5309™,[object Object],Is that it?,[object Object],Mostly,[object Object]

What’s New,[object Object],Referrals now contain new keys,[object Object],Before, you were just told where Travis was,[object Object],“Oh, ask Travis, he’s down by the water fountain”,[object Object],Now you’re told how to recognize him,[object Object],“He’s the guy with the dreadlocks.”,[object Object],Who is now the new Chief Hardware Officer of Recursion Ventures,[object Object],Welcome aboard, neighbor ;),[object Object],Computers can make stronger identifiers than people can, so we use crypto,[object Object],But it’s just the same,[object Object]

Is That It?,[object Object],There’s magic here and there,[object Object],Saying “Jenny has no number” has some magic (NSEC/NSEC3),[object Object],Records can expire (time exists),[object Object],Keys can lead to other keys (KSK/ZSK),[object Object],Some of the magic is optional,[object Object],More than you’d think,[object Object],All of the magic can be implemented in an easily deployable manner,[object Object],Easiest of course is a managed service or a “one click” device,[object Object],But, failing that, lets deploy DNSSEC.,[object Object],Right now.,[object Object]

A Simple Bind9 Install With A Handful Of Small Zones,[object Object]

Step 1: Change The Port To 50053,[object Object]

Step 2: Launch Phreebird, the Recursion Ventures DNSSEC Server,[object Object]

Step 3: There is no step 3,[object Object]

I ask for keys, I get keys!,[object Object]

OK, maybe there’s a Step 3:.org needs to know,[object Object]

Click “Manage DNSSEC”,[object Object]

Wait 30 seconds,[object Object],…,[object Object]

It works!(ahem, end to end),[object Object]

Why This Works,[object Object],Phreebird is an online key signer,[object Object],Like SSH, SSL, and IPsec, it depends on a signing key being available on demand,[object Object],Alternative: Magic key sits in a vault,[object Object],When a request comes in, it figures out right then and there what response needs to go back out,[object Object],Phreebird caches responses, so that 1,000 requests for the same name don’t require 1,000 hits against the encryption engine,[object Object]

Offline Key Signing,[object Object],DNSSEC was designed to allow offlinekey signing,[object Object],Age: When DNSSEC was designed, processors were slow and hardware RSA accelerators didn’t exist,[object Object],Scale: DNSSEC needs to work for both the root – which needs maximum security – and .com – which needs maximum performance,[object Object],Not every server should be run like the root,[object Object],It’s a big deal that every server can be, though,[object Object]

Reality,[object Object], A large part about what made DNSSEC complicated to deploy, was the requirement for offline key signing,[object Object],Offline keying systems are an order of magnitude more complicated,[object Object],PGP,[object Object]

Why Phreebird Works,[object Object],DNSSEC was designed to allow a “key in a vault” approach to security,[object Object],“Offline keying” – no ability to generate responses on demand,[object Object],Age: DNSSEC was designed in an era where CPUs were slow and RSA acceleration was horribly expensive/nonexistent,[object Object],We live in the future. Neither is true anymore.,[object Object],Scale: DNSSEC has to handle everything from the smallest domain to the root to .com – for very, very large sites, the resources exist to implement offline keying,[object Object],When you ask why Verisign hasn’t signed .com yet, remember, .com is absolutely massive on a ridiculous scale,[object Object]

The Key Observation,[object Object],Offline Keying is operationally expensive.,[object Object],The contortions that one must go through to support it are significant in DNSSEC,[object Object],The thrust of most of the products coming out is to hide it all behind cron jobs,[object Object],…and not just in DNSSEC,[object Object]

Not Just DNSSEC,[object Object],Look at PGP / GPG,[object Object],Best solution available for secure email,[object Object],Sure there are keyservers, but everyday use is supposed to depend on keyrings with validated contents,[object Object],What happens when you receive mail from someone not on your keyring?,[object Object],What happens when you have to send mail to someone not on your keyring?,[object Object],What happens when a key expires?,[object Object],What happens when a key is lost?,[object Object],What happens when a key is stolen?,[object Object]

Popup,[object Object],Popup,[object Object],Popup,[object Object],Popup,[object Object],Popup,[object Object],Popup,[object Object],Popup,[object Object],Popup,[object Object]

A simple statement,[object Object],Can you imagine if DNS worked that way?,[object Object],It doesn’t.,[object Object],Requests are made on demand, and are cached for relatively short periods of time,[object Object],This works very well,[object Object],Whenever possible, DNSSEC should be allowed to work like DNS,[object Object],That being said, it’s awesome that DNSSEC can operate in an offline capacity,[object Object]

Further Precedent,[object Object],We did not invent online keysigning,[object Object],Obviously, there are the other protocols,[object Object],DNSSEC has quietly been including support for online signing for years,[object Object],Thanks Ben Laurie!,[object Object],Some precedent even for DNSSEC servers signing on demand,[object Object],PowerDNSSEC by Bert Hubert,[object Object]

Phreebird Is A Proxy,[object Object],Phreebird uses the existing DNS framework – whatever it may be – and enhances it with DNSSEC responses,[object Object],No operational impact: Manage your DNS as you always have, it’s just signing all its responses now,[object Object],No configuration: There is enough information in any DNS request to cobble together the appropriate DNS response,[object Object],Always returns the right answers – even if they change a lot!,[object Object],Implementation notes,[object Object],Today: UDP Port Forwarder,[object Object],Tomorrow: Linux Mangle Table (won’t even have to change the port – DNSSEC on, DNSSEC off),[object Object]

Phreebird Is An Online Keysigner,[object Object],We sign requests when they come in, not in some huge precomputation phase,[object Object],We didn’t invent online keysigning,[object Object],SSL, SSH and IPsec all have the keys online,[object Object],WARNING: There’s some religion here. The reality however is that every company has keys online for some protocols. HSMs exist to keep keys from leaking if necessary, but not everything exists within an HSM!,[object Object],Quiet but very visible support throughout a number of the RFCs,[object Object],Thanks, Ben Laurie!,[object Object],We’re not the only implementation that’s doing it,[object Object],Bert Hubert’s PowerDNSSEC does it as well,[object Object]

Phreebird Is A Proxy,[object Object],As close to a “bump in the wire” as possible,[object Object],Nothing Operations likes more than minimal disruption ,[object Object],There’s effectively nothing to configure – turn it on and go to lunch,[object Object],Present implementation – UDP port forwarder,[object Object],Coming (very) soon – Linux Mangle Table,[object Object],Mangle Tables maintain original Source IP, which is actually important for many servers (GeoIP, etc),[object Object]

Phreebird is fast,[object Object],Thank you, Linux Kernel Developers and LibEvent developers,[object Object],NielsProvos is a badass,[object Object],Few hundred lines of code == DNS server that runs at 60,000 qps on stock fast hardware,[object Object],So says author of evldns,[object Object],We won’t be so fast, since we have a backend to talk to and some records to sign,[object Object],But we’re pretty clearly faster than almost any name server we’re put in front of ,[object Object]

Phreebirdcaches,[object Object],The general idea is we always send a query to the backend, and sign each response,[object Object],If we’ve already signed that particular response, we go to the cache, otherwise we generate the response on the fly,[object Object],This design keeps us compatible with dynamic name servers,[object Object],CDNs, etc.,[object Object]

Phreebird is open,[object Object],You’d just reimplement it anyway ,[object Object],Should have code out today, but demos took precedence over release,[object Object],Send an email to info@recursion.com if you want a pre-preview copy with known (and horrifying) bugs,[object Object],Code should be out in next few weeks (with pen test report),[object Object],Remember, six to eighteen months – this is where things are going, not where things are at,[object Object]

Phreebird does a lot of things I don’t have time to tell you about today,[object Object],There is a lot of obscura in the DNSSEC realm that we’ve been filtering through,[object Object],How do we handle nonexistent records dynamically?,[object Object],How do we tunnel trusted records to registries when the registrars in front of them don’t implement DNSSEC?,[object Object],How do we manage rollover and expiration?,[object Object],How do we keep clocks in sync, especially given the chicken-and-egg relationship between NTP and DNSSEC?,[object Object],The full version of these slides will contain answers to these questions, but right now we want to demonstrate the value of this platform conclusively.,[object Object]

Phreebirdlies,[object Object],White lies ,[object Object],Consider the problem of nonexistent names,[object Object],DNS supports NXDOMAIN – “this domain doesn’t exist”,[object Object],DNSSEC supports NSEC/NSEC3 – “this range of domains doesn’t exist, and here’s proof”,[object Object],Authoritative Nonexistence,[object Object],Actually really useful, surprisingly,[object Object],The reason NSEC/NSEC3 operate on ranges is because there are a finite number of records that do exist and an infinite number of records that do not,[object Object],Offline signers need the ability to say, “anything between here and here, here’s proof it’s not real”,[object Object]

White Lies,[object Object],If you have an online signer, it’d be great to just say “that name you just asked for, here, let me synthesize some proof it doesn’t exist”,[object Object],Problem: The language only lets you express ranges that don’t exist, not actual domains,[object Object],Solution: Generate a record in which there is nothing between “the name right before this one” and “the name right after this one”,[object Object],Simple explanation: “You looked up foo. There are no names between fon and fop”,[object Object],A little too simple…,[object Object]

NSEC White Lies Are A Little Ugly,[object Object],[what they look like],[object Object]

Solution: NSEC3 White Lies,[object Object],In NSEC3, rather than saying there are no values between “fol” and “fop”, all names are turned into very large numbers,[object Object],This is so offline signers don’t leak all the names in the domain,[object Object],Nice side effect: It makes it much easier to implement the White Lies semantic,[object Object],“No names between 1 and 3”,[object Object],Pretty easy to prove that the only name blocked is 2,[object Object]

NSEC3 White Lies Demo,[object Object]

Beyond the Name Server,[object Object],“No Man Is An Island”,[object Object],Neither is any zone,[object Object],Domains chain, from the root to .org, and from .org to foo.org,[object Object],Hosting foo.org is not enough -- .org needs to know where to send people who are looking for foo.org,[object Object],This is the NS record in DNS,[object Object],Hosting foo.org securely is not enough -- .org needs to know the key to switch people to when they’re looking for foo.org,[object Object],This is the DS record in DNS,[object Object]

The Problem,[object Object],Every company (“registrar”) reselling access to .org lets you declare a NS record,[object Object],Very few companies reselling access to .org let you declare a DS record,[object Object],DS is very new,[object Object],It’s a tremendous amount of work to rev UI,[object Object],We have yet to prove the value of that work,[object Object],I’m working on it! Here! Now! ,[object Object]

One Solution: NSDS,[object Object],Before: ns1.domain.com,[object Object],After: nsds-v1-60485-5-2-D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93.nsds-C4F9E99B8383F6A1E4469DA50A.domain.com,[object Object],The idea is that the DS record follows the same secure path it otherwise would, it just gets tunneled inside the NS record,[object Object],Familiar? This is the coolest part of Dan Bernstein’s DNScurve,[object Object],It’s a great idea and DNSSEC should adopt it,[object Object]

Supporting Rotation,[object Object],NSDS is great for the initial keying,[object Object],Past that, in DNSSEC, keys can sign keys,[object Object],Name servers should be able to publish “this is the next key I’m going to use, please see me signing the new key with the old key”,[object Object],Somebody should visit the server to collect the update,[object Object],Possibly, Phreebird could send a NOTIFY packet somewhere – “heh, get my new key”,[object Object]

On Time,[object Object],There is another external dependency in DNSSEC,[object Object],Time,[object Object],1) Signatures expire,[object Object],2) What if your clock is wrong?,[object Object]

Expiration,[object Object],Who here has been to a site where the certificate expired?,[object Object],Why is there UX for this?,[object Object],Fundamental flaw: When a system fails enough, it gets special case handling.,[object Object],Prompts are the direct result of a security system that fails too often in legitimate use,[object Object],Expiration seems like a good idea,[object Object],Don’t we want to make sure that a bad guy eventually loses access?,[object Object]

OPS IS KING,[object Object],Do we buy hard drives by the year?,[object Object],Servers?,[object Object],Networks?,[object Object],Keyboards?,[object Object],No, because that’s totally ridiculous,[object Object],Certificate expiration is not the only reason why X.509 is only deployed when absolutely required,[object Object],But the inconvenience to the ops guys is clearly a contributing factor,[object Object]

You May Have Heard…,[object Object],…that if you don’t update your DNS keys every thirty days, your domain fails,[object Object],Tell this to an ops guy, and he’ll literally remove you from the premises,[object Object],DKI cannot depend on any technology that requires manual maintenance on pain of total failure,[object Object],Phreebird’s keys will expire in 2100 (obviously configurable),[object Object],But don’t we want to make keys go bad?,[object Object]

Sure!,[object Object],The right place to do this is in the chain to root, not at the endpoint,[object Object],.org has a DS record – “this is how you can recognize Travis”,[object Object],This record is signed for some number of days (30 now, could be 5),[object Object],On key rotation, or an emergency event, this record is updated,[object Object],“Heads up, Travis cut his hair, he’s got a mullet now”,[object Object],The “infinite lifespan” key is now of no value to the attacker,[object Object]

What If The Clock’s Wrong?,[object Object],In DNS, all time is relative,[object Object],“This value is good for the next 600 seconds”,[object Object],In DNSSEC, all time is absolute,[object Object],“This value is good until August 1st, 2010, 0630 GMT”,[object Object],This is necessary to prevent replay attacks,[object Object],600 seconds from now is not 600 seconds from a month ago,[object Object],But what if you think it’s August 15th, 2010?,[object Object]

Well then…,[object Object],Either:,[object Object],A) The Internet stops resolving,[object Object],B) Ops disables expiration checking,[object Object],OPS IS KING,[object Object],If we want expiration checking, we have to manage time,[object Object],Couldn’t we use NTP (the Network Time Protocol)?,[object Object]

Chicken and Egg,[object Object],How do you authenticate time?,[object Object],It’s a cross organizational auth request,[object Object],Even if you have your own time servers, what do they sync against?,[object Object],Couldn’t we use DNSSEC to bootstrap NTP?,[object Object],We’re trying to use NTP to bootstrap DNSSEC!,[object Object],Chicken and Egg!,[object Object]

Solution: DnsTime,[object Object],Basic idea: Simple timestamp, signed by some unique domain chaining to the DNSSEC root,[object Object],Say, “dnstime.” or something,[object Object],There be politics here, don’t want to speculate on where exactly this would live,[object Object],Retrieve the timestamp,[object Object],A) On expiration error,[object Object],B) No more than once every 24 hours,[object Object]

There’s An Attack,[object Object],Can anyone see it?,[object Object]

Replay!,[object Object],Two weeks ago, attacker got a signed record with a short expiration, and the root-chained timestamp,[object Object],Now, he can replay those things forever and ever…,[object Object],…unless we add a nonce.,[object Object]

Replay Defeat,[object Object],On receiving an expiration error, resolve dnstime,[object Object],If the resulting time indeed suggests local time is wrong, requery for 74A0CCEB1E3E.dnstime,[object Object],This record is online-signed just for that particular query,[object Object],Since the response is both signed and unique, the name server can add an offset to its clock to compensate for local time differential from global truth,[object Object]

Towards TheDomain Key Infrastructure,[object Object],Perhaps DNSSEC is easy to deploy. But is it useful?,[object Object],Distributed authentication is only interesting if it provides end to end semantics,[object Object],“My desktop to your server”,[object Object],Isn’t DNSSEC only designed to secure the links between recursive name servers, and not endpoints like desktops?,[object Object]

The Basic Mode: The AD Bit,[object Object],DNS responses have a bit referred to as AD,[object Object],Meaning: “The name server you were speaking to validated the DNSSEC status of this record”,[object Object],So?,[object Object],Starbucks, I like your coffee,[object Object],I don’t trust you to tell me the appropriate certificate for my bank,[object Object],No application on earth is going to alter the user experience based on the AD bit,[object Object]

The Normal End To End Modes,[object Object],Chasing,[object Object],Follow up, from www.foo.com to foo.com, from foo.com to .com, from .com to root,[object Object],You only talk to your local DNS server,[object Object],Problems,[object Object],Might get blocked by local resolver,[object Object],Requires lots of round trips,[object Object],Fixable using “SuperChase” – tell the local resolver “don’t just give me the immediate, bottom of the chain signature – give me all the information needed”,[object Object]

About Ten Lines Of Code For End To End!(in LDNS),[object Object]

How Do We Get Full Keys To Your Desktop, Laptop, or Phone?,[object Object],Chasing,[object Object],Tracing,[object Object],Wrapping,[object Object],Packing,[object Object]

Chasing: Going Up The Stack,[object Object],Each signature (“RRSIG”) names its source,[object Object],So, we go up the stack,[object Object],“www.foo.com was signed by foo.com”,[object Object],“foo.com” was signed by “com”,[object Object],“com was signed by the root”,[object Object],“I trust the Root, therefore I trust www.foo.com”,[object Object]

LDNS makes it easy,[object Object],This is about ten lines of code in ldns,[object Object],Instantiate a resolver w/ NS list,[object Object],Provide the root key,[object Object],Do a resolve,[object Object],Extract the answers,[object Object],“Build the data chain” (ldns_dnssec_build_data_chain),[object Object],“Derive the trust tree” (ldns_dnssec_derive_trust_tree),[object Object],Check for success (ldns_dnssec_trust_tree_contains_keys),[object Object]

Two Problems With Chasing,[object Object],1) Requires a decent number of round trips to the DNS server,[object Object],Somewhat slow,[object Object],Being fixed (we think) with what Paul Vixie and I refer to as “Superchase”,[object Object],RD=1 CD=1,[object Object],Server returns not just the bottom of the chain, but all the way up,[object Object],Possible configuration of how far up – “Heh, I already have this com DS, can you just get me there?”,[object Object]

The Other Problem,[object Object],Noncompliant networks,[object Object],Local resolver might not respond properly to CD=1,[object Object],Local network might block DNSSEC traffic,[object Object],This stuff will work 80-90% of the time,[object Object],That’s not enough,[object Object],Ops is King,[object Object]

Tracing: Going Down The Stack,[object Object],Chasing: Given a domain, go up to root,[object Object],Tracing: Given root, get down to the domain,[object Object],This is basic recursion, the fundamental system by which DNS servers work normally,[object Object],Unbound is the nameserver built upon ldns,[object Object],Unbound can be integrated via libunbound, and is itself only a few lines of code as well,[object Object]

Tracing in LibUnbound,[object Object],Even fewer lines of code!,[object Object],Create an unbound context (ub_ctx_create),[object Object],Add a Trust Anchors file (ub_ctx_add_ta_file),[object Object],Containing just the root ,[object Object],Resolve a domain (ub_resolve),[object Object],If result->secure==1, read the output from result->data.,[object Object]

Issues With Tracing,[object Object],1) Entirely bypasses the local cache, increasing load on the root and TLD servers,[object Object],Somewhat acceptable if the cache on the end host is very long lived,[object Object],Almost entirely unacceptable if it’s short lived / flushed for each call,[object Object],(This was the problem with DNSCurve – if you used it to achieve end to end trust, the end hosts needed to talk to the roots directly in order to function),[object Object]

Those Again,[object Object],2) The middleboxen are still a problem,[object Object],They do bad things to a lot of traffic! What can you do?,[object Object],Respect Skype’s Law,[object Object]

Wrapping: DNS over HTTP,[object Object],Not complicated – instead of doing DNS over UDP packets that might get intercepted, talk to a custom DNS server that exposes an HTTP endpoint,[object Object],GET requests w/ Base64 encoded DNS requests,[object Object],8 bit clean responses,[object Object],Phreebird implements this,[object Object]

Performance Data,[object Object],So, how much of a perf hit does DNS take, running over TCP and then HTTP?,[object Object]

Well, it ain’t slower.It might even be faster.,[object Object],# DNS over UDP./queryperf -d target2 -s 184.73.1.213 -l 10… Queries per second: 3278.676726 qps,[object Object],# DNS over HTTPab -c 100 -n 10000 http://184.73.1.213/Rz8BAAABAAAAAAAAA3d3dwNjbm4DY29tAAABAAE=… Requests per second: 3910.13 [#/sec] (mean),[object Object]

Could Be Wrong!,[object Object],Paul Vixie thinks I am,[object Object],“Being wrong just means the world is more interesting than you thought it was.”,[object Object],Even with a significant penalty, superchase over HTTP should work reasonably well though,[object Object],Recursion Ventures will be hosting a DNS over HTTP service in the Cloud within the next few weeks,[object Object]

Wrapping: Brett Watson’s Observation,[object Object],Brett Watson is a really smart Kiwi,[object Object],He was quite the skeptic about DNSSEC,[object Object],So was I, so we got along well,[object Object],His exact quote: “You have to be willing to separate the content of DNS from the transport of DNS”,[object Object],This is a fairly profound point,[object Object],Led to an interesting concept,[object Object]

X.509,[object Object],X.509 normally carries chains to one of a few hundred CA roots, through possibly one of some unknown thousand god-mode Intermediates,[object Object],This is part of why X.509 didn’t work,[object Object],Other parts,[object Object],Unable to reliably delegate – you can’t get a cert for .domain.com that lets you sign other certs,[object Object],Unable to exclude – if Verisign gives you a cert for a domain, so can everyone else,[object Object],See 2009 “Black Ops of PKI” for details,[object Object]

X.509 Reloaded,[object Object],X.509 could also carry the DNSSEC chain.,[object Object],SSL already moves X.509,[object Object],DNS over X.509 over SSL,[object Object],Take that, hotel miniboxen,[object Object],Also, super high performance!,[object Object],Implementing this requires:,[object Object],Extracting all the keys of the full trust chain,[object Object],Not too hard – build a trust chain in ldns, then iterate through it extracting all unique keys,[object Object],Validating the morass of key material you’re left with,[object Object],That’s being a bit tricky – requires some rearchitecture,[object Object]

So Adam Langley at Google sent me a private unofficial build of Chrome…,[object Object]

That certificate was self signed……with a DNSSEC chain embedded.,[object Object]

NOTE,[object Object],This is an unofficial private build of Chrome!,[object Object],Google is not at all committed to DNSSEC, DKI, or X.509 Certificate embedding!,[object Object],This is just Adam and I seeing what is possible ,[object Object],And now, I think it’s a good idea to start talking about actual applications.,[object Object]

Where Do We Implement The DKI?,[object Object],PhreeShell: Federated Identity For OpenSSH,[object Object],This was the demo at the start of the talk,[object Object],Based on the idea that end nodes should validate identities, not public keys,[object Object],Today: Identities instead of keys in authorized_keys2,[object Object],Tomorrow: LDAP backend (similar to FedSSH),[object Object],“Let everyone at support.vendor.com into all the machines in the vendor.com group”,[object Object]

The Dirty Secret Of Federation,[object Object],People have been selling this stuff for years,[object Object],But nobody’s deploying it in large amounts,[object Object],OPS IS KING,[object Object],Three choices,[object Object],M to N complexity: Every group has painful and expensive meetings with every other group,[object Object],The Risk Of The Kingmaker: One group is trusted by all others as the identity manager, and that one abuses his role (lets not name names),[object Object],Key Bleed: Everybody has to trust way too many keyholders not to abuse their powers.,[object Object]

The Fourth Path,[object Object],The Silent Overseer,[object Object],DNSSEC: A single root keyholder, incredibly constrained by both external political constraints and a technical delegation system designed to suppress operational dependency,[object Object],DKI: Federation that will actually work,[object Object]

So, do we add ldns/libunboundto each package, one by one?,[object Object],Eventually, possibly,[object Object],But in the short term? To prove value?,[object Object],On Linux/Unix, SSL is handled via OpenSSL,[object Object],Specifically, X509_verify_cert,[object Object],A nice and self contained library call…hmm…,[object Object]

Domain Key Infrastructure (From Black Hat USA)

Domain Key Infrastructure (From Black Hat USA)

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Domain Key Infrastructure (From Black Hat USA)

Similar to Domain Key Infrastructure (From Black Hat USA)(20)

More from Dan Kaminsky

More from Dan Kaminsky(13)

Domain Key Infrastructure (From Black Hat USA)

Editor's Notes