www.huawei.com

CGA-TSIG/e:

Algorithms for Secure DNS

Authentication and DNS

Confidentiality

http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig

Authors:

Hosnieh Rafiee

Christoph Meinel, Martin v Löwis

Hasso Plattner Institute, Potsdam, Germany

HUAWEI TECHNOLOGIES Duesseldorf GmbH, Munich, Germany

IETF90

21 July 2014

Toronto

Intarea WG

CGA-TSIG/e | Hosnieh Rafiee | int-area 2

Problem Addressed

Mitigates/prevents DNS compromising

IP spoofing

DNS amplification

Unauthorized DNS update

etc.

Automation for DNS authentication and authorization

(minimizing human interactions)

Securely automates DNS authentication

Securely automates key managements

DNS privacy and confidentiality

Automates key exchange for DNS encryption without the need of

infrastructure (in IPv6) and with minimum efforts in IPv4

Encrypts the DNS packet using symmetric encryption algorithm

CGA-TSIG/e | Hosnieh Rafiee | int-area 3

Comparison of the current DNS

Authentication & Authorization Algorithms

Protection

-------------

Algorithm Privacy Spoofing

amplificati

on

Unautho

rized

update

Data Integrity Automation/

scalability

TSIG

SIG0

DNSSEC

CGA-

TSIG/e

Yes No Conditional

CGA-TSIG/e | Hosnieh Rafiee | int-area 4

Do we need a big change on DNS

protocol to support CGA-TSIG/e? NO

The CGA-TSIG/e is a new algorithm to an existing DNS protocol.

It uses only TSIG as a carrier protocol to avoid changing to DNS protocol

One can register a new algorithms in TSIG with IANA

This document only updates a few parts of TSIG standard protocol to allow

TSIG only be able to handle CGA-TSIG/e. It does not have any impact on

the current implementations or does not change TSIG protocol for other

algorithms.

Advantage

Firewalls or other intermediate devices will not prevent this protocol since it

is only an option to TSIG

Flexibility

Can be used in different scenarios based on the requirements

CGA-TSIG/e | Hosnieh Rafiee | int-area 5

DNS privacy? What scenario?

Not different what scenario we want to use this algorithm

Protection of data between stub resolver and recursive resolver

Protection of data between recursive resolver and authoritative

DNS server

Protection of data between master DNS server and slave DNS

server (DNS IXFR/AXFR)

CGA-TSIG/e | Hosnieh Rafiee | int-area 6

Number of Exchanged Messages

Secure Authentication Scenarios

DNS message with CGA-TSIG option

No. of Message Exchanged

1

DNS Privacy Scenarios

What is your key? With CGA-TSIGe option

Do I have a key in my cache? NO?

Include CGA-TSIGe option

4

No key cached

2

Encrypted Data With CGA-TSIGe option

key cached

CGA-TSIG/e | Hosnieh Rafiee | int-area 7

Comparison of the current DNS Privacy

Algorithms

Algorithm

Performance Firewall

bypass

No Change

to DNS

Protocol

Automation/

scalability

Protection for

IP Spoofing

Private-DNS

(JSON)-

DTLS

No. of

messages

DNSCrypt

(similar to

DNS over

HTTPS)

Dependency

to DNSSEC

CGA-TSIGe

Key exchange And distribution

CGA-TSIG/e | Hosnieh Rafiee | int-area 8

Updates to the Document

Introduces two similar algorithms for DNS secure

authentication and DNS data integrity called CGA-TSIG and for

DNS privacy and data confidentially called CGA-TSIGe

The algorithms works in both IPv4 and IPv6 -enabled networks

Includes explanation of DNS privacy and packet encryption

Next Steps?

Update the document with the comparison of different DNS

privacy algorithm

How to proceed this document?

Can be approved by Intarea WG?

Thank you

Supplementary Slides

What is CGA?

What is SSAS?

What is CGA-TSIG/e?

How to receive DNS IP address or keys in a secure

manner?

What if I am in a Cafe’ (unsecure environment)

CGA-TSIG Generation Steps (IPv6)

CGA-TSIGe Generation Steps (IPv6)

CGA-TSIG Generation Steps (IPv4)

CGA-TSIGe Generation Steps (IPv4)

How It Works? (explanation of CGA-TSIG in different

Scenarios)

CGA-TSIG/e | Hosnieh Rafiee | int-area 11

What is CGA? (RFC 3972 in Simple Example)

+ Other CGA Parameters

SHA1 05e49fdac2e71e5586125faa0395488a80c7e95a

27e4:9fda:c2e7:1e55

64 leftmost bits

05e49fdac2e71e55

set some parameters in first byte

Subnet Prefix Interface ID

IPv6 address

IPv6 address

CGA value = binding

For Our Purpose CGA sec value 1 SHA256 is a default value

CGA-TSIG/e | Hosnieh Rafiee | int-area 12

What is SSAS?

Elliptic Curve Cryptography (ECC) 9be64fdac2e71e5586125faa0395488a80c7e95a7a4b8c22

64bits

9be64fda0395488a

Subnet Prefix Interface ID

IPv6 address

IPv6 address

SSAS value = binding

draft-rafiee-6man-ssas

CGA-TSIG/e | Hosnieh Rafiee | int-area 13

What is CGA-TSIG/e

The CGA-TSIG is an algorithm to provide a node with data

integrity and secure authentication

The CGA-TSIGe is an algorithm to provide a node with both

data integrity and data confidentiality

CGA-TSIG/e | Hosnieh Rafiee | int-area 14

How to receive DNS IP addresses or keys in

a secure manner? Receiving DNS IP address or key finger print securely

IPv6 IPv4

NO. 1

NO. 2

SAVI-Device

DHCPv6 server

Node receives Hash (DNS IPv6+DNS public key) From DHCP server

NO. 1

SAVI-Device

DHCPv6 server

DNS IPv4 address + Public key

Hashing algorithm like SHA2

Sent hash value to the node

CGA-TSIG/e | Hosnieh Rafiee | int-area 15

What if I am in a unsecure environment

(Café) Receiving DNS IP address or key finger print securely

IPv6 & IPv4

DNS IPv4 address + Public key

Hashing algorithm like SHA2

Return to home DNS server or the one I can trust by adding the hash of IP address + public key in the cache

This step can be easily done Via an external script!

CGA-TSIG/e | Hosnieh Rafiee | int-area 16

CGA-TSIG Generation Steps (IPv6

enabled)

is parameters

available in cache?

Start

Uses a script to

generate it NO

Yes

Retrieves CGA/SSAS parameters from Cache

Generates Signature (section 4.1.3 cga-tsig-09)

Does it change the IP

address or public key? End

NO

Yes

Generate old signature

CGA-TSIG/e | Hosnieh Rafiee | int-area 17

CGA-TSIGe Generation Steps (IPv6

enabled) Is DNS server public key

available in cache? Start

Uses public key

request/response

messages (section 4.2.1.1

and 4.2.1.2 cga-tsig-09)

NO

Yes

Is it DNS resolving scenario?

Generates a 16 byte random number calls it secret key

Encrypt DNS message using this

secret key (symmetric encryption)

End

Generates

signature

is parameters

available in cache?

Uses a script to

generate it Yes

Retrieves CGA/SSAS parameters from Cache

NO

Executes SHA2 on

the whole message

and add it to

signature section

Does it change the IP

address or public key?

NO

Yes

Generate old

signature

NO

Yes

Encrypt secret key using DNS server public key

CGA-TSIG/e | Hosnieh Rafiee | int-area 18

CGA-TSIG Generation Steps (IPv4

enabled)

is public available

in cache?

Start

Uses a script to

generate it NO

Yes

Generates Signature (section 4.1.3 cga-tsig-09)

Does it change the IP

address or public key? End

NO

Yes

Generate old signature

DNS server stores the hash of IPv4 address + Public key of the node In its cache

CGA-TSIG/e | Hosnieh Rafiee | int-area 19

CGA-TSIGe Generation Steps (IPv4

enabled) Is DNS server public key

available in cache? Start

Uses public key

request/response

messages (section 4.2.1.1

and 4.2.1.2 cga-tsig-09)

NO

Yes

Is it DNS resolving scenario?

Generates a 16 byte random number calls it secret key

Encrypt DNS message using this

secret key (symmetric encryption)

End

Generates

signature

is parameters

available in cache? Uses a script to

generate it

NO Yes

Yes

NO

Executes SHA2 on

the whole message

and add it to

signature section

Does it change the IP

address or public key?

NO

Yes

Generate old

signature

The hash of IPv4 + public key Of DNS server received Securely from DHCPv4 (SAVI-DHCP)

Encrypt secret key using DNS server public key

CGA-TSIG/e | Hosnieh Rafiee | int-area 20

The CGA-TSIG in PTR Dynamic Update

Scenario (IPv6)

Server Client

My new IP address is 2010::3b2c:81aa:4d9d:727a My old IP address is 2020::27bb:bdec:6911:9ded

Ack update

Node verification • CGA/SSAS verification • Old Signature verification • New signature verification • Replace the IP address

with the old one

1- change in IP address 2- Create a packet 3- Sign the packet using its Own private key 4- Send the packet with CGA-TSIG option

CGA-TSIG/e | Hosnieh Rafiee | int-area 21

Problem addressed

No option to update PTR or FQDN Resource Record in Neighbor

Discovery Protocol (NDP)

Maintain privacy = change IP address = need to update PTR

No security option by using DHCPv6 option

Avoid IP spoofing and unauthorized update

CGA-TSIG/e | Hosnieh Rafiee | int-area 22

The CGA-TSIGe in Resolver Scenario

Server Client

Node verification • CGA/SSAS/hash of public

key verification • signature verification • Keep the public key in

cache • Generates a secret key • Encrypts the whole

message • Encrypts the secret key

with DNS server public key

1- There is no public key on The cache, ask for public key

What is your public key?

Retrieves iP address or Hash of IP+key in secure manner

1- Decrypts the secret key 2- Decrypts the whole message 3- encrypt the response with secret key

CGA-TSIG/e | Hosnieh Rafiee | int-area 23

Performance – Average Encryption/Decryption

Time

CGA-TSIG/e | Hosnieh Rafiee | int-area 24

Performance – Average Signature

Generation/Verification Time

CGA-TSIG/e | Hosnieh Rafiee | int-area 25

More information

Please refer to CGA-TSIG Draft for more information about other

scenarios

http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig