The document discusses three major secure network protocols: IPSec, TLS, and DNSSEC. It provides an overview of how each protocol operates and establishes secure connections. IPSec operates at the network layer and can secure communication between hosts or tunnel traffic through gateways. TLS secures connections at the transport layer, typically for HTTPS. DNSSEC adds security extensions to DNS to provide authentication and integrity for domain name lookups.
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Introduction to the design principles behind SSL. This was a relatively basic talk since the audience was a networking class with no previous security experience. Talk given to Cal Poly networking class on November 29, 2007.
This is a followup to our Docker networking tutorial. This slidedeck describes the options for deploying Docker container in a multi-host cluster environment. We introduce the LorisPack toolkit for connecting and isolating pods of containers deployed across multiple hosts.
This presentation features a walk through the Linux kernel networking stack covering the essentials and recent developments a developer needs to know. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as segmentation offloading, TCP small queues, and low latency polling. We will cover APIs exposed by the kernel that go beyond use of write()/read() on sockets and will look into how they are implemented on the kernel side.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
Multithreaded fundamentals
The thread class and runnable interface
Creating a thread
Creating multiple threads
Determining when a thread ends
Thread priorities
Synchronization
Using synchronized methods
The synchronized statement
Thread communication using notify(), wait() and notifyall()
Suspending , resuming and stopping threads
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Introduction to the design principles behind SSL. This was a relatively basic talk since the audience was a networking class with no previous security experience. Talk given to Cal Poly networking class on November 29, 2007.
This is a followup to our Docker networking tutorial. This slidedeck describes the options for deploying Docker container in a multi-host cluster environment. We introduce the LorisPack toolkit for connecting and isolating pods of containers deployed across multiple hosts.
This presentation features a walk through the Linux kernel networking stack covering the essentials and recent developments a developer needs to know. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as segmentation offloading, TCP small queues, and low latency polling. We will cover APIs exposed by the kernel that go beyond use of write()/read() on sockets and will look into how they are implemented on the kernel side.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
Multithreaded fundamentals
The thread class and runnable interface
Creating a thread
Creating multiple threads
Determining when a thread ends
Thread priorities
Synchronization
Using synchronized methods
The synchronized statement
Thread communication using notify(), wait() and notifyall()
Suspending , resuming and stopping threads
Slide deck from my presentation on multi-threading with .NET. The presentation covers from beginner onwards and looks at current technologies (i.e. pre .NET 4.0) specifically.
What makes this extra special is the entire process of how I prepared for it, from finding content to slide deck layout to presentation prep is documented at: http://www.sadev.co.za/content/how-i-build-presentations-series-index
Technology and work design in Organizational RelationSatya P. Joshi
Technology and work design in Organizational Relation, Technology and work design in Organizational behavior, Technology and work design in Organizational Relation, Technology and work design in Organizational behavior,
RADIUS is a protocol for carrying information related to authentication, authorization, and configuration
between a Network Access Server that desires to authenticate its links and a shared Authentication
Server.
RADIUS stands for Remote Authentication Dial In User Service.
RADIUS is an AAA protocol for applications such as Network Access or IP Mobility
It works in both situations, Local and Mobile.
It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users.
It look in text file, LDAP Servers, Database for authentication.
Super Effective Denial of Service AttacksJan Seidl
Talk given on October 16th at Latinoware 2013 - Foz do Iguaçu - Brazil
This talk gave an introduction on denial of service attacks, going trough attacks in layer 3 to layer 7, introduced the concept of using load-balancing software for attacks with multiple IPs (Jericho Attack) and introduced the GoldenEye tool written in python and Android (Java), as well as a brief introduction to mitigate layer 7 denial-of-service attacks on most popular webservers.
Presentation Video (pt_BR) @ FISL 2014: https://www.youtube.com/watch?v=ozk0HiMjVNY
The Internet Key Exchange (IKE) protocol, described in RFC 2409, is a key management protocol standard which is used in conjunction with the IPsec standard. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard.
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
Overview of SCTP (Stream Control Transmission Protocol), outlining the main features and capabilities of SCTP.
SCTP is a transport protocol that overcomes many of the shortcomings of TCP, namely head-of-line blocking and stream-oriented transmission.
SCTP supports multiple streams within a connection and preserves boundaries of application messages thus greatly simplifying communication.
Additionally, SCTP supports multi-homing which increases availability in applications with high reliability demands.
SCTP inherits much of the congestion, flow and error control mechanisms of TCP.
SCTP has its roots in telecom carrier networks for use in transitional voice over IP scenarios.
However, SCTP is generic so that it is applicable in many enterprise applications as well.
Short overview of AAA and the RADIUS protocol.
The term AAA (say triple A) subsumes the functions used in network access to allow a user or a computer to access a network and use its resources.
AAA stands for Authentication (is the user authentic?), Authorization (what is the user allowed to do?) and Accounting (track resource usage by the user).
AAA is typically employed at network ingress points to control user's access to the network and resources.
The most prominent protocol for AAA is RADIUS (Remote Authentication Dial In User Service) which defines messages for opening and closing a network session and counting network usage (packet and byte count).
RADIUS usually works in conjunction with an LDAP server that stores the policies and user authorizations in a central repository.
Presentation of a few mechanisms that can help to automate the bootstrap process in IoT environment.
This is the summary of my work done during an 8 weeks internship at red hat
The design criteria behind TLS/SSL, presented at Cal Poly on 2010/6/3. An updated version of a previous talk, this presentation includes descriptions of the Null-byte certificate attack and the recent session renegotiation attack (both from 2009).
If the number of spine switches were to be merely doubled, the effect of a single switch failure is halved. With 8 spine switches, the effect of a single switch failure only causes a 12% reduction in available bandwidth. So, in modern data centers, people build networks with anywhere from 4 to 32 spine switches. With a leaf-spine network, every server on the network is exactly the same distance away from all other servers – three port hops, to be precise. The benefit of this architecture is that you can just add more spines and leaves as you expand the cluster and you don't have to do any recabling. Intuition Systems will also get more predictable latency between the nodes.
As a trend, disaggregation seems to be most useful for very large companies like Facebook and Google, or cloud providers. The technology does not necessarily have significant implications for small or medium sized businesses. Historically, however, technology has a way of trickling down from the pioneering phases of existing only within large companies with tremendous resources, to becoming more standardized across the board.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
2. Three Major Secure Protocols
Last lecture presented mechanisms
This lecture presents 3 examples of their use
- Layer 3: IPSec
- Layer 4: TLS
- Layer 7: DNSSEC
3. IPSec Overview
Layer 3: between hosts, covers both IPv4 and IPv6
[RFC 4301]
AH: IP Authentication Header (MAY, [RFC 4302])
ESP: Encapsulated Security Payload (MUST,
[RFC 4303])
Very comprehensive: this lecture will only cover
some of the basics (no multicast, combined
ESP+AH, IPv6, etc.)
4. IPSec Operation [RFC 4301]
Hosts can use IPSec directly (“transport mode”)
Security gateways can tunnel traffic through IPSec
(“tunnel mode”)
Security Associations (SAs) specify security
services for traffic in a half-duplex “connection”
- Bi-directional traffic requires two SAs
- Security Parameters Index (SPI) field specifies SA in unicast
traffic
Security Association Database (SAD) maintained
at each endpoint
- Packets processed based on SA, src/dest IP address
- SAD managed “semi-manually”
5. Transport Mode vs. Tunneling Mode
Transport mode operates directly on top of IP
- Next header is TCP, UDP, etc.
- IPSec header interposes between IP and transport header
Tunneling mode encapsulates entire IP packet
- Next header is IP
- Separate source, destination addresses
6. Encapsulating Security Payload [RFC 4303]
v! pktlen!
prot=51! checksum!
src IP address!
dest IP address!
Security Parameter Index!
Sequence Number!
Payload!
Padding!
plen! nhdr!
integrity tag!
MACed!
IP header!
Encrypted! data!
data!
IPsec ESP!
Provides confidentiality, integrity, or both
Next header field specifies payload
7. Transport vs. Tunneling
Tunneling mode (IPv4, TCP)!
dest IP address!
Security Parameter Index!
Sequence Number!
Payload!
v! pktlen!
prot=6! checksum!
src IP address!
Padding!
TCP header, payload!
padding!
plen! nhdr=4!
integrity tag!
Transport mode (TCP)!
dest IP address!
Security Parameter Index!
Sequence Number!
Padding!
plen! nhdr=6!
integrity tag!
dest IP address!
src port! dest port!
Sequence Number!
Acknowledgment Number!
rest of TCP header, payload!
8. ESP Algorithm Support Complications
Some algorithms require an initialization vector
(IV), e.g. CBC
Some algorithms integrate confidentiality and
integrity (“combined mode algorithms”)
- If confidentiality is required for integrity, need to repeat SPI
and sequence number
Algorithm can specify payload substructure
(append/prepend data)
9. ESP details
Must avoid replays
- Keep counter for 64-bit sequence number
- Receiver must accept some packets out of order (e.g., up to 32)
- Only low 32 bits of sequence number in actual packet
(would be bad if you lost 4 billion packets)
Support for traffic flow confidentiality (TFC)
- Can pad packets to fixed length
- Can send dummy packets
Support for encryption without MAC.. .Bummer!
- Rationale: App might be SSL, which has MAC-only mode
- But then attacker can mess with destination address!
11. IPSec Complication: NAT
Transport mode can encrypt transport header,
integrity covers transport header
NAT needs to rewrite transport header!
NAT-T [RFC 3948], tunnel IPSec in UDP
12. Internet Key Exchange (IKEv2, [RFC 4306])
Can establish SAs for IPSec
UDP port 500, designed to work over NATs
All messages are request/response exchanges, use
Diffie-Hellman
- Alice and Bob have secrets a, b, public values g, p
- Alice computes A = ga mod p, Bob B = gb mod p
- Exchange A and B, Alice computes s = Ba mod p, Bob
s = Ab mod p
- Both s are gab mod p: shared secret
13. IKEv2 Exchanges
IKE SA INIT: negotiate crypto algorithms,
establish a shared secret
IKE AUTH: authenticate INIT messages, exchange
certificates, establish first SA
CREATE CHILD SA: create a new SA, renegotiate
keys for an SA
INFORMATIONAL: Notification, Delete, and
Configuration
14. IPSec Overview
Layer 3 security, transport and tunneling mode
Tunneling mode supports security gateways
Transport mode has trouble with NATs
Security specified by SPI, SAs established
manually or through IKE
16. SSL/TLS [RFC 5246] Overview
SSL offers security for HTTP protocol
- That’s what the padlock means in your web browser
Authentication of server to client
Optional authentication of client to server
- Incompatibly implemented in different browsers
- CA infrastructure not in widespread use
Confidentiality of communications
Integrity protection of communications
17. Purpose in more detail
Authentication based on certification authorities
(CAs)
- Certifies who belongs to a public key (domain name and
real name of company)
- Example: Verisign
What SSL Does Not Address
- Privacy
- Traffic analysis
- Trust management
18. Ciphersuites: Negotiating ciphers
Server authentication algorithm (RSA, DSS)
Key exchange algorithm (RSA, DHE)
Symmetric cipher for confidentiality (RC4, DES,
AES)
MAC (HMAC-MD5, HMAC-SHA)
19. Overview of SSL Handshake
Client Server
Supported ciphers, client random
Chosen cipher, server random, certificate
Encrypted pre−master secret
MAC of handshake messages
MAC of handshake messages
Compute keys Compute keys
From “SSL and TLS” by Eric Rescorla
20. SSL Handshake
Client and server negotiate on cipher selection
Cooperatively establish session keys
Use session keys for secure communication
Details
- Multiple messages per stage
- Get an idea of protocol in action:
openssl s_client -connect www.paypal.com:443
21. Client Authentication Handshake
Server requests that client send its certificate
Client signs a signed digest of the handshake
messages
22. SSL Client Certificate
Client Server
Supported ciphers, client random
Chosen cipher, server random, certificate certificate request
Encrypted pre−master secret certificate, cert verify
Compute keys Compute keys
MAC of handshake messages
MAC of handshake messages
From “SSL and TLS” by Eric Rescorla
23. Establishing a Session Key
Server and client both contribute randomness.
Client sends server a “pre-master secret”
encrypted with server’s public key
Use randomness and pre-master secret to create
session keys:
- Client MAC
- Server MAC
- Client Write
- Server Write
- Client IV
- Server IV
24. Establishing a Session Key
Client random Pre−master secret Server random
Master secret
Client MAC key
Server MAC key
Client write key
Server write key
Server IV
Client IV
Key block
From “SSL and TLS” by Eric Rescorla
25. Session Resumption
Problem: Public key crypto expensive
New TCP connection, reuse master secret.
- Avoids unnecessary public key cryptography.
Combines cached master secret with new
randomness to generate new session keys.
Works even when the client IP changes (servers
cache on session ID, clients cache on server
hostname).
26. Example cross-layer issue
TLS puts message format on top of TCP (control,
application)
Handshake through control messages before
application data
Virtual hosts: single web server that responds
differently for different requested hosts (in HTTP
request)
What’s the problem?
28. Example cross-layer issue
TLS puts message format on top of TCP (control,
application)
Handshake through control messages before
application data
Virtual hosts: single web server that responds
differently for different requested hosts (in HTTP
request)
What’s the problem?
29. DNS Review
Domain Name System: resource records (RRs)
bind values to names
Designed to be highly scalable, distributed
administration
30. Structure of a DNS message [RFC 1035]
+---------------------+
| Header |
+---------------------+
| Question | the question for the name server
+---------------------+
| Answer | RRs answering the question
+---------------------+
| Authority | RRs pointing toward an authority
+---------------------+
| Additional | RRs holding additional information
+---------------------+
Same message format for queries and replies
- Query has zero RRs in Answer/Authority/Additional sections
- Reply includes question, plus has RRs
Authority allows for delegation
Additional for glue + other RRs client might need
31. DNS software architecture
Two types of query
- Recursive
- Non-Recursive
Apps make recursive queries to
local DNS server (1)
Local server queries remote
servers non-recursively (2, 4, 6)
- Aggressively caches result
- E.g., only contact root on first query
ending .umass.edu
32. DNS Vulnerabilities
Results cached: cache poisoning
UDP, no session to guess
Responses spoofable, can structure content to
generate many opportunities
Chance, but networks are always faster and one
posioned cache can be disastrous
33. DNSSEC [RFC 4034]
Security extensions for DNS (new RRs):
- DNSKEY: public key for zone
- RRSIG: signature for a set of RRs
- NSEC: next authoritative name
- DS: identifying digest of DNSKEY (stored in parent zone)
Provides integrity and authentication, not
confidentiality
35. Proof of Non-Existence
Problem: spoofed host name, maybe don’t want to
sign RR
NSEC record allows a client to verify a node does
not exist
Contains next valid name
dig +sigchase +trusted-key=./root.keys
wws.berkekey.edu
dig +sigchase +trusted-key=./root.keys
wwz.berkekey.edu
See a problem?
36. Hashed Denial of Existence [RFC 5155]
NSEC record allows an adversary to enumerate a
domain
NSEC3 record: rather than next host name,
contains hash of next host name
Couldn’t find anyone serving NSEC3...
40. What does CA mean by certificate?
That a public key belongs to someone authorized
to represent a hostname?
That a public key belongs to someone who is
associated in some way with a hostname?
That a public key belongs to someone who has lots
of paper trails associated to a company related to a
hostname?
That the CA has no liability, or $100,000, or
$250,00?
100-page Certification Practice Statement (CPS)
41. How to get a Verisign certificate
Get DBA license from city call ($20)
- No on-line check for name conflicts. . . can I do business as
Microsoft?
Letterhead from company ($0)
Notarized document (need driver’s license) ($0)
E.g., pay Verisign ($399–$1,499/year)
Conclusions:
- Easy to get a fraudulent certificate
- Maybe not so easy to avoid prosecution afterwards
But that’s only Verisign’s policy
- Many CAs can issue certificates
43. CA Convenience vs. Security
How convenient is a Verisign certificate?
- Need fee + cooperation from Stanford IT to get one here
- Good for credit cards, but shuts out many other people
How trustworthy is a Verisign certificate?
- In mid-March 2001, VeriSign, Inc., advised Microsoft that
on January 29 and 30, 2001, it issued two. . . [fraudulent]
certificates. . . . The common name assigned to both
certificates is “Microsoft Corporation.”
VeriSign has revoked the certificates. . . . However. . . it is
not possible for any browser’s CRL-checking mechanism to
locate and use the VeriSign CRL.
– Microsoft Security Bulletin MS01-017