www.huawei.com
CGA-TSIG/e:
Algorithms for Secure DNS
Authentication and DNS
Confidentiality
http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig
Authors:
Hosnieh Rafiee
Christoph Meinel, Martin v Löwis
Hasso Plattner Institute, Potsdam, Germany
HUAWEI TECHNOLOGIES Duesseldorf GmbH, Munich, Germany
IETF90
21 July 2014
Toronto
Intarea WG
CGA-TSIG/e | Hosnieh Rafiee | int-area 2
Problem Addressed
- Mitigates/prevents DNS compromise:
  - IP spoofing
  - DNS amplification
  - Unauthorized DNS update
  - etc.
- Automation for DNS authentication and authorization (minimizing human interaction):
  - Securely automates DNS authentication
  - Securely automates key management
- DNS privacy and confidentiality:
  - Automates key exchange for DNS encryption without the need for infrastructure (in IPv6) and with minimum effort in IPv4
  - Encrypts the DNS packet using a symmetric encryption algorithm
Comparison of the current DNS Authentication & Authorization Algorithms

Columns: Algorithm | Privacy | Protection: Spoofing | Protection: Amplification | Protection: Unauthorized update | Data Integrity | Automation/scalability
Rows: TSIG; SIG0; DNSSEC; CGA-TSIG/e
Legend: Yes / No / Conditional (the per-cell ratings of the slide are not recoverable from the text)
Do we need a big change to the DNS protocol to support CGA-TSIG/e? NO
- CGA-TSIG/e is a new algorithm for the existing DNS protocol.
- It uses TSIG only as a carrier protocol, to avoid changes to the DNS protocol.
- One can register new algorithms in TSIG with IANA.
- This document updates only a few parts of the TSIG standard, so that TSIG is able to handle CGA-TSIG/e. It has no impact on current implementations and does not change the TSIG protocol for other algorithms.
Advantage
- Firewalls or other intermediate devices will not block this protocol, since it is only an option to TSIG.
Flexibility
- Can be used in different scenarios, based on the requirements.
DNS privacy? What scenario?
It does not matter in which scenario we want to use this algorithm:
- Protection of data between stub resolver and recursive resolver
- Protection of data between recursive resolver and authoritative DNS server
- Protection of data between master DNS server and slave DNS server (DNS IXFR/AXFR)
Number of Exchanged Messages
Secure authentication scenarios:
- DNS message with CGA-TSIG option: 1 message exchanged
DNS privacy scenarios (the node first checks: do I have a key in my cache?):
- No key cached: "What is your key?" request with the CGA-TSIGe option, then the encrypted data with the CGA-TSIGe option: 4 messages exchanged
- Key cached: encrypted data with the CGA-TSIGe option: 2 messages exchanged
Comparison of the current DNS Privacy Algorithms

Columns: Algorithm | Performance | Firewall bypass | No change to DNS protocol | Automation/scalability | Protection for IP spoofing | No. of messages | Dependency on DNSSEC | Key exchange and distribution
Rows: Private-DNS (JSON)-DTLS; DNSCrypt (similar to DNS over HTTPS); CGA-TSIGe
(The per-cell ratings of the slide are not recoverable from the text.)
Updates to the Document
- Introduces two similar algorithms: CGA-TSIG for secure DNS authentication and DNS data integrity, and CGA-TSIGe for DNS privacy and data confidentiality
- The algorithms work in both IPv4- and IPv6-enabled networks
- Includes an explanation of DNS privacy and packet encryption
Next Steps?
- Update the document with a comparison of different DNS privacy algorithms
How to proceed with this document?
- Can it be approved by the Intarea WG?
Thank you
Supplementary Slides
- What is CGA?
- What is SSAS?
- What is CGA-TSIG/e?
- How to receive DNS IP addresses or keys in a secure manner?
- What if I am in a café (insecure environment)?
- CGA-TSIG Generation Steps (IPv6)
- CGA-TSIGe Generation Steps (IPv6)
- CGA-TSIG Generation Steps (IPv4)
- CGA-TSIGe Generation Steps (IPv4)
- How does it work? (explanation of CGA-TSIG in different scenarios)
What is CGA? (RFC 3972 in a simple example)
Public key + other CGA parameters
  -> SHA1 -> 05e49fdac2e71e5586125faa0395488a80c7e95a
  -> 64 leftmost bits -> 05e49fdac2e71e55
  -> set some parameters in the first byte -> 27e4:9fda:c2e7:1e55 (Interface ID)
IPv6 address = Subnet Prefix + Interface ID
CGA value = binding (the IPv6 address is bound to the public key)
For our purpose, CGA sec value 1 with SHA256 is the default.
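The address generation and verification sketched above, written out as an added example in Python (not code from the slides or the draft): it follows RFC 3972, treats the encoded public key as an opaque constructed byte string, and takes the hash function as a parameter so the SHA256 variant the slide mentions can be tried in place of SHA-1.

```python
import hashlib
import ipaddress
import os

# Added example: RFC 3972 CGA generation/verification. The encoded public key
# is an opaque byte string here (constructed sample input, not a real DER key).

def _hash1(modifier, prefix, collisions, pubkey, h):
    # Hash1 = leftmost 64 bits of H(modifier | subnet prefix | collision count | key)
    return h(modifier + prefix + bytes([collisions]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey, h):
    # Hash2 = leftmost 112 bits of H(modifier | 9 zero bytes | key)
    return h(modifier + bytes(9) + pubkey).digest()[:14]

def _hash2_ok(modifier, pubkey, sec, h):
    # Hash extension: the leftmost 16*sec bits of Hash2 must be zero
    top = int.from_bytes(_hash2(modifier, pubkey, h), "big") >> (112 - 16 * sec)
    return top == 0

def _set_iid_bits(iid, sec):
    # RFC 3972 section 4: bits 0-2 of the interface ID carry sec, bits 6 (u)
    # and 7 (g) are set to zero; the remaining 59 bits come from Hash1
    iid = bytearray(iid)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)

def generate_cga(prefix, pubkey, sec=0, h=hashlib.sha1, modifier=None):
    """Return (IPv6Address, modifier, collision_count) binding pubkey to prefix."""
    modifier = modifier or os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec, h):
        # increment the 128-bit modifier (mod 2^128) and try again
        n = (int.from_bytes(modifier, "big") + 1) % (1 << 128)
        modifier = n.to_bytes(16, "big")
    collisions = 0  # DAD collision count; no real duplicate address detection here
    iid = _set_iid_bits(_hash1(modifier, prefix, collisions, pubkey, h), sec)
    return ipaddress.IPv6Address(prefix + iid), modifier, collisions

def verify_cga(addr, modifier, collisions, pubkey, h=hashlib.sha1):
    """Verify that addr was generated from pubkey (RFC 3972 section 5)."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix, iid = raw[:8], raw[8:]
    sec = iid[0] >> 5  # sec is stored in the top three bits of the interface ID
    if collisions > 2:
        return False
    if _set_iid_bits(_hash1(modifier, prefix, collisions, pubkey, h), sec) != iid:
        return False
    return _hash2_ok(modifier, pubkey, sec, h)
```

With sec=1 the generator loops until Hash2 has 16 leading zero bits, which is the work factor that makes brute-forcing a colliding key expensive for an attacker while verification stays a single hash.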
What is SSAS?
Elliptic Curve Cryptography (ECC) public key: 9be64fdac2e71e5586125faa0395488a80c7e95a7a4b8c22
  -> 64 bits -> 9be64fda0395488a (Interface ID)
IPv6 address = Subnet Prefix + Interface ID
SSAS value = binding
See draft-rafiee-6man-ssas
What is CGA-TSIG/e?
- CGA-TSIG is an algorithm that provides a node with data integrity and secure authentication.
- CGA-TSIGe is an algorithm that provides a node with both data integrity and data confidentiality.
How to receive DNS IP addresses or keys in a secure manner?
Receiving the DNS IP address or key fingerprint securely
IPv6:
  No. 1: SAVI device
  No. 2: DHCPv6 server
  The node receives Hash(DNS IPv6 + DNS public key) from the DHCP server
IPv4:
  No. 1: SAVI device, DHCPv6 server
  DNS IPv4 address + public key -> hashing algorithm like SHA2 -> the hash value is sent to the node
What if I am in an insecure environment (café)?
Receiving the DNS IP address or key fingerprint securely (IPv6 & IPv4)
DNS IPv4 address + public key -> hashing algorithm like SHA2
Return to the home DNS server, or one I can trust, by adding the hash of IP address + public key to the cache
This step can easily be done via an external script!
CGA-TSIG Generation Steps (IPv6 enabled)
1. Start: are the CGA/SSAS parameters available in the cache?
   - NO: use a script to generate them.
   - YES: retrieve the CGA/SSAS parameters from the cache.
2. Generate the signature (section 4.1.3 of cga-tsig-09).
3. Does it change the IP address or the public key?
   - YES: also generate the old signature.
   - NO: End.
CGA-TSIGe Generation Steps (IPv6 enabled)
1. Start: is the DNS server public key available in the cache?
   - NO: obtain it using the public key request/response messages (sections 4.2.1.1 and 4.2.1.2 of cga-tsig-09).
   - YES: continue.
2. Is it a DNS resolving scenario?
   - YES: generate a 16-byte random number and call it the secret key; encrypt the DNS message using this secret key (symmetric encryption); encrypt the secret key using the DNS server public key; execute SHA2 on the whole message and add it to the signature section; End.
   - NO: generate a signature:
     a. Are the CGA/SSAS parameters available in the cache? NO: use a script to generate them. YES: retrieve the CGA/SSAS parameters from the cache.
     b. Does it change the IP address or the public key? YES: also generate the old signature. NO: End.
CGA-TSIG Generation Steps (IPv4 enabled)
1. Start: is the public key available in the cache?
   - NO: use a script to generate it.
   - YES: continue.
2. Generate the signature (section 4.1.3 of cga-tsig-09).
3. Does it change the IP address or the public key?
   - YES: also generate the old signature.
   - NO: End.
The DNS server stores the hash of the IPv4 address + public key of the node in its cache.
CGA-TSIGe Generation Steps (IPv4 enabled)
1. Start: is the DNS server public key available in the cache?
   - NO: obtain it using the public key request/response messages (sections 4.2.1.1 and 4.2.1.2 of cga-tsig-09).
   - YES: continue.
2. Is it a DNS resolving scenario?
   - YES: generate a 16-byte random number and call it the secret key; encrypt the DNS message using this secret key (symmetric encryption); encrypt the secret key using the DNS server public key; execute SHA2 on the whole message and add it to the signature section; End.
   - NO: generate a signature:
     a. Are the parameters available in the cache? NO: use a script to generate them. YES: retrieve the CGA/SSAS parameters from the cache.
     b. Does it change the IP address or the public key? YES: also generate the old signature. NO: End.
The hash of IPv4 + public key of the DNS server is received securely from DHCPv4 (SAVI-DHCP).
The CGA-TSIG in PTR Dynamic Update Scenario (IPv6)
Client:
1. Change in IP address
2. Create a packet
3. Sign the packet using its own private key
4. Send the packet with the CGA-TSIG option: "My new IP address is 2010::3b2c:81aa:4d9d:727a. My old IP address is 2020::27bb:bdec:6911:9ded."
Server (node verification):
- CGA/SSAS verification
- Old signature verification
- New signature verification
- Replace the old IP address with the new one
- Ack update
Problem addressed
- No option to update PTR or FQDN resource records in the Neighbor Discovery Protocol (NDP)
- Maintaining privacy = changing the IP address = need to update the PTR record
- No security option when using the DHCPv6 option
- Avoid IP spoofing and unauthorized updates
The CGA-TSIGe in Resolver Scenario
Client -> Server: 1- There is no public key in the cache, so ask for the public key: "What is your public key?" (the DNS server IP address, or the hash of IP + key, was retrieved in a secure manner)
Node verification: CGA/SSAS/hash of public key verification; signature verification; keep the public key in the cache
Client -> Server: generates a secret key; encrypts the whole message; encrypts the secret key with the DNS server public key
Server: 1- decrypts the secret key; 2- decrypts the whole message; 3- encrypts the response with the secret key
Performance – Average Encryption/Decryption Time (chart)
Performance – Average Signature Generation/Verification Time (chart)
More information
Please refer to the CGA-TSIG draft for more information about other scenarios:
http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig