Date posted: 16-Dec-2015 | Uploaded by: shawn-pitts
DNSSEC & Email Validation Tiger Team
DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC)
Earl Crane, Department of Homeland Security, Office of the CIO
Scott Rose, National Institute of Standards and Technology
Technology Background
• DNSSEC Overview
  • OMB M-08-23 “Securing the Federal Government's Domain Name System Infrastructure”. All agencies must deploy DNSSEC by December 2009.
  • Internet Systems Consortium: DNSSEC “only full solution” to DNS attacks
  • Considered more viable long-term solution
  • Cryptographic signatures over DNS data (not messages)
  • Assures integrity of results returned from DNS queries
  • Users can validate source authenticity and data integrity
  • Checks chain of signatures up to root
  • Protects against tampering in caches, during transmission
• Email Validation overview
  • Detects and blocks spoofed/forged mail
  • Sender Policy Framework (SPF) for domains that do not send email
    • “Path based” - senders publish acceptable message paths (IP) for domain
    • Near-zero deployment requirements for senders
    • DNS records only, no change to outbound servers
  • DomainKeys Identified Mail (DKIM) for domains authorized to send mail
    • “Signature based” - senders insert digital cryptographic signature in emails for domain
    • Requires cryptographic operation by sender and receiver’s gateway infrastructure
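To make the “path based” idea concrete, here is an added example (not from the slides) of a minimal SPF evaluator in Python over a constructed DNS table. It handles the ip4, ip6, include and all mechanisms with their qualifiers, and includes the “-all” only record that a domain which never sends mail publishes; the domain names and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample TXT records (assumption: not taken from the slides).
# Only the SPF mechanisms ip4, ip6, include and all are handled here.
TXT = {
    "example.gov": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.example.gov -all",
    "_spf.example.gov": "v=spf1 ip4:198.51.100.10 -all",
    "nomail.example.gov": "v=spf1 -all",   # domain that never sends mail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip
    claiming to send mail for domain, by walking the published record."""
    if depth > 10:                      # RFC 7208 caps recursive lookups
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qual = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":               # catch-all, always matches
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):      # the "message path" mechanisms
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":         # defer to another domain's policy
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"          # mechanism not supported in this example
    return "neutral"                    # nothing matched and no "all" term
```

A receiving gateway would run this against the connecting IP and the envelope sender's domain; for nomail.example.gov any source address evaluates to fail, which is the whole point of publishing SPF for a domain that sends no mail.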
Cyber and Network Security Program
The “Kaminsky Bug”
• Rapid, widespread and resilient
• Reduces time required to poison recursive name server's cache
• All known name server implementations are affected
  – Some more than others (took < 10s to poison the cache)
  – Most implementations patched; now as easy/difficult to poison as any other implementation
• Even patched software vulnerable
  – cache poisoning attempt possible in < 10 hours
What DNSSEC Provides
• Cryptographic signatures over DNS data (not messages)
• Assures integrity of results returned from DNS queries:
  – Users can validate source authenticity and data integrity
• Checks chain of signatures up to root
  – Chain completely contained within DNS (no PKI or X.509 certs needed)
  – Protects against tampering in caches, during transmission
• Not provided: message encryption, security for denial-of-service attacks
DNSSEC Chain of Trust
[Figure: chain-of-trust diagram. Each zone level shows its Data, ZSK and KSK, chained upward from opm.gov. and nist.gov. through gov. to the DNS root “.” (se. also shown); trust anchors installed on client resolvers.]
• KSK’s often serve as the “anchor” of authentication chain.
• The higher up in the tree, the more useful the trust anchor
FNS Tiger Team: DNSSEC and E-Mail Validation
Network and Infrastructure Security Subcommittee, ISIMC, Federal CIO Council
FY11 FISMA Metrics for DNSSEC and Email Validation:
• Network Security Protocols: DNSSEC:
  • % of external-facing second-level DNS names signed
  • % of external-facing DNS hierarchies with all sub-domains (second-level and below) signed
• Boundary Protection: Email Validation:
  • % of agency email systems that implement sender verification (anti-spoofing) technologies when sending messages from/to government agencies or the public, such as S/MIME, DKIM, and SPF.