ION Santiago - DNSSEC and DANE Based Security for TLS

DNSSEC and DANE Based
Security For TLS
An Introduction
Wes Hardaker
Parsons
<wes.hardaker@parsons.com>

Who is Wes Hardaker?
● Work for PARSONS
– Cyber securty parsons.com/cyber
● Network Security Research Group
– Technical Director
– Infrastructure security specialists
● DNSSEC, RPKI, BGPSEC, SNMP, IPSec, …
● DNS and DNSSEC monitoring services
– Open Source Software
● Net-SNMP
● DNSSEC-Tools
● IETF Participant DNS-Sentinel

3
wes.hardaker@parsons.com
Overview
● Current TLS Trust Anchoring Problems
● What is DANE? How does it help?
● DANE & The Web
● DANE & SMTP
● DANE & XMPP

4
Data
TLS Overview
● TLS is:
– An application-layer security tunnel
– A TCP-based security protocol to secure TCP
● DTLS secures datagram protocols (eg, UDP)
– Can provide authentication and encryption
● Typically based on X.509 Certificate bootstrapping
User TLS Protection “Tunnel” Server

5
TLS Properties
● TLS ensures that:
– Eves-dropping is impossible
– The client connected to the correct server
– But, this only works when properly anchored
● TLS certificates and trust anchors
– A server must present a X.509 certificate
– The client checks this certificate
● Did it present one with the right name?
● Did it present one with the right IP address?
● Was it signed by a CA I trust?

6
PKIX / X.509 Certificate Trees
● Certificate Authorities (CAs)
– Sign child certificates
– Should verify the child's identity
● Domain ownership
● Or their legal business name
– Can be “Trust Anchors” (TAs)
● TLS clients
– Trust their trust anchors
● All is good? CAs are trustworthy?
Root Certificate
AKA “Trust Anchor”
ICANN
.ORG
signs
signs

– Modern web browsers have 1300+ TAs
– Any of them can issue a certificate for example.com
7
The “Too Many CAs” Problem
● TLS clients often have an abundance of TAs
example
.com
example
.com
The TLS Client Accepts Them Both!!!
This has happened multiple times!

8
DANE To The Rescue!
● DNS-Based Authentication of Named Entities
– A new DNS resource record: “TLSA”
– Indicates the correct server certificate
– MUST be DNSSEC signed to be valid
– Marries the DNSSEC tree to the X.509 tree
– Defined in RFC6698
● Updated by RFC7218

9
DNSSEC, DANE and X.509
. (DNS root)
Dane allows DNS, secured by DNSSEC, to indicate which
TLS/X.509 certificate is the right one to use.
This reduces the attack footprint of TLS significantly.
example
.com
example
.com
com
example.com
TLSA
record
Accept
ONLY
this one X
MUST BE DNSSEC SIGNED!!!

What does a TLSA record look like?
10
_25._tcp.example.com.
14400
IN
TLSA
3 1 1
FA2AE51F6831B10CE2EFC
933D860579ED1E0FA7974
AF964F02AC3BC4093C0404
Name
TTL
Class
Type
TLSA Parameters
Data
port protocol

11
TLSA Parameters
● Certificate Usage Field
– What certificate should we match against
● (where in the chain is the TLSA record pointing at)
● Selector Field
– Match the full certificate, or just the key (SPKI)?
● Matching Type Field
– What type of match? SHA1, SHA256, or full?

12
TLSA Matching Types
… IN TLSA 3 1 1 DATA
Value Acronym Description
0 Full No hash used;
DATA is the Cert or SPKI
1 SHA-256 DATA is the SHA-256 of
the Cert or SPKI
2 SHA-512 DATA is the SHA-256 of
the Cert or SPKI

13
TLSA Selector
0 Cert Data is based on the full
certificate
1 SPKI Data is based on the
public key
Certificate
Name: example.com
Key Info: public key
...

14
Certificate Usage Field
0 PKIX-TA Public CA from X.509
tree
1 PKIX-EE End-Certificate plus
X.509 validation
2 DANE-TA Private CA from X.509
tree
3 DANE-EE End-Entity Certificate

15
Certificate Usage Field
Value Acronym
0 PKIX-TA
1 PKIX-EE
2 DANE-TA
3 DANE-EE
ICANN
.ORG
Public
“Trust Anchor”
Private
“Trust Anchor”

16
Using and Deploying DANE
● Creating TLSA Records
● HTTPS
● SMTP
● XMPP
●SIP

17
Creating a TLSA Record
● Useful package: hashslinger
– Contains a “tlsa” script to generate records
● From a certificate file:
# tlsa usage
3 selector
1 mtype
1 certificate
/path/to/cert.crt
example.com
_443._tcp.example.com. IN TLSA 3 1 1
152d75a2d529e3035760125be0560741f58fe
e7af18e20c1ace7d2cabc04277c

18
Creating a TLSA Record
● Connect to a port:
# tlsa usage
3 selector
1
mtype
1 port
443 example.com
_443._tcp.example.com. IN TLSA 3 1 1
152d75a2d529e3035760125be0560741f58fe
e7af18e20c1ace7d2cabc04277c

19
DANE and HTTPS
HTTPS suffers the most from
the “too many CAs problem”

20
HTTPS and DANE
● Deploying DANE requires:
– Serving TLSA records
● Easy for HTTPS: defined in RFC6698
● Not many publishers yet; people are watching though!
– A client that can make use of them
● Google Chome: NO
● Mozilla Firefox: NO
● Safari: NO
● … NO
● Some plugins: Yes, but...

21
HTTPS and DANE
● Deploying DANE requires:
– Serving TLSA records
● Easy for HTTPS: defined in RFC6698
● Not many publishers yet; people are watching though!
– A client that can make use of them
● Google Chome: NO
● Mozilla Firefox: NO
● Safari: NO
● … NO
● Some plugins: Yes, but...
● Bloodhound: YES!

22
Bloodhound
● A derivative of the Firefox code
– Developed by Parsons
– All DNS requests are validated via DNSSEC
● DANE support mostly complete
– DANE-EE(3) DANE-SPKI(1) SHA-256(1)
● Works on:
– OS X
– Linux
– Microsoft Windows needs some work

23
DANE and SMTP
SMTP can't be secured without
DNSSEC and DANE!

24
Server-to-Server Email
1: Alice's
Mail User Agent (MUA)
sends the email
via the configured SMTP
server
3: Bob's MUA
downloads
the message
via IMAP
2: Alice's ISP
forwards the
message to
Bob's ISP
Mail Transfer
Agent
Simple Mail
Transport Protocol
(SMTP)
Mail Transfer
Agent

25
1: Alice's
Mail User Agent (MUA)
sends the email
via the configured SMTP
server
3: Bob's MUA
downloads
the message
via IMAP
2: Alice's ISP
forwards the
message to
Bob's ISP
Mail Transfer
Agent
Simple Mail
Transport Protocol
(SMTP)
Mail Transfer
Agent
We're talking about
this part today
Largely secured today through
Manual configuration parameters

26
with DNS
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail.bobsISP.com
3: I've got mail for Bob
Mail Transfer
Agent
Mail Transfer
Agent
(and the address for it is ….)

27
I Wish It Were So Simple
● There can be multiple DNS servers
– Every domain should have at least two
● Alice's mail server asks her ISP's resolver
– It doesn't talk directly to the distant DNS server
– There may be multiple resolvers
● There can be multiple mail servers

28
Reality Sets In
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail1, mail2 or mail3
3: Do you have an address for mail1?
Mail Transfer
Agent
DNS Server
Mail Transfer
Agent
4: Yep, it's 192.0.2.3
5: Hi, I'm representing Alice, I have mail for Bob
6: Hi, I'll take mail for Bob; PS: I don't do security
7: Here's the mail for Bob from Alice
8: Thanks, I'll make sure he gets it
(Actually, reality is even worse but wouldn't fit on this slide)

29
Back To: I Wish It Were So Simple
– Every domain should have at least two
– There may be multiple resolvers

30
What could possibly go wrong???
– Compromised?
– Compromised?
– Compromised?
● Man In The Middle
DNS Attack
Point!!!
Network
Attack

31
DANE/DNSSEC To The Rescue
– Compromised?
– Compromised?
– Compromised?
● Man In The Middle
Use
DNSSEC
Use
DANE

32
SMTP Vulnerabilities
● MX, A and other DNS records can be spoofed
– DNS redirects SMTP clients to the...
– DNSSEC detects this, and clients won't proceed
● Eavesdropping is Easy
– SMTP is unencrypted by default
– Opportunistic encryption helps
● See if they offer a certificate and start encryption
● However, you may just be encrypting to the...

● Server indicates “I do security”
● But a man-in-the-middle can just say “I don't do security”
33
SMTP Vulnerabilities
● If DNS is spoofed, you get a...
● ...Man In The Middle
– SMTP is unauthenticated by default
– SMTP is unencrypted by default
– They can turn on opportunistic encryption
– CA based solutions don't help because:
● The man-in-the-middle says “I don't do security”
● You've been redirected to a name the attacker controls

● DNSSEC and DANE solves all these problems!
34
DNSSEC/DANE For The Win
● With DNSSEC: you can believe:
– The MX that led you here
– The TLSA is accurately pointing to my certificate
● With DANE's TLSA record:
– “This is my certificate” or “This is my CA”
● (accept no others)
– You MUST expect security!!! (i.e., must do TLS)
– You connected to the right place

35
Deployment Options
● Postfix 2.11
– Server side (receiving mail):
● Publish a TLSA record: _25._tcp.smtp.example.com
● smtpd_tls_cert_file = /path/to/mycert.crt
● smtpd_tls_key_file = /path/to/mycert.key
– Client side (sending mail):
● smtp_tls_security_level = dane
● smtp_dns_support_level = dnssec
● CAVEAT: MUST use a secure local resolver
● Exim: Implementation underway (~ 2015)

36
DANE and XMPP
XMPP also uses STARTTLS

37
DANE and XMPP
● XMPP
– The recommended security solution:
● Check the PKI
● If that fails, use DANE
● STARTTLS is required
– Being defined now in the IETF
● draft-ietf-xmpp-dna
● draft-ietf-dane-srv
● Deployed and running code!
– Prosody & more ???

38
DANE and SIP
Another level of indirection!

39
DANE and SIP
● Just getting started!
● Not an official WG item yet
– There is interest in making it one
– One personal draft discussing it

40
Questions?
The Future of TLS Security
Is Looking Up!
IIEETTFF 9900
TToorroonnttoo
JJuullyy,, 22001144

41
Resources
● RFC6698 DANE
● RFC7218 Acronyms
● draft-ietf-dane-smtp-with-dane SMTP
● draft-ietf-dane-ops Guidance
● draft-ietf-xmpp-dna XMPP
● draft-ietf-dane-srv SRV
● http://www.dnssec-tools.org/
– (bloodhound!)
● http://postfix.org/

Known Large Early SMTP Adopters
42
● posteo.de
● mailbox.org
● bund.de
● denic.de
● umkbw.de
● freebsd.org
● unitybox.de
● debian.org
● ietf.org
● nlnet.nl
● nic.cz

ION Santiago - DNSSEC and DANE Based Security for TLS

More Related Content

What's hot

Viewers also liked

Similar to ION Santiago - DNSSEC and DANE Based Security for TLS

More from Deploy360 Programme (Internet Society)

Recently uploaded

ION Santiago - DNSSEC and DANE Based Security for TLS