DANE: The Future of Transport Layer Security (TLS)

Presentation transcript:

DANE: The Future of Transport Layer Security (TLS)
Dr. Richard Lamb
ION Malta, Santa Venera, Malta, 18 September 2017

DNSSEC: A Global Platform for Innovation, or... I* $mell opportunity! *and a few others. See all the patent filings relying on DNSSEC!!

Game-changing Internet core infrastructure upgrade: “More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re-purposed in a number of different ways. ...” – Vint Cerf (June 2010)

Another source of trust on the Internet
CA certificate roots: ~1482 (Symantec, Thawte, GoDaddy, ...). DNSSEC root: 1.
Internet of Things (IoT); content security; “free SSL” certificates for Web and e-mail and “trust agility”; DANE; cross-organizational and trans-national authentication and security; commercial SSL certificates for Web and e-mail.
An SSL cert for tata.in can be provided by any of the 1482 CAs, including governments!! How do you know who to trust?

The Internet community started out just trying to secure the DNS, but we ended up with something much more (see Vint Cerf’s quote). With so many CAs, trust is diluted; it used to be good when there were fewer. Anyone can encrypt, few can identify: encryption != identity. Examples of this problem: the Comodo and DigiNotar failures, the MD5 crack, etc. The fact is that DNS has been used as an independent authentication tool for some time, e.g. e-mail authentication.

Looking forward: build on and improve established trust models, e.g. CAs. Greatly expanded SSL usage (currently ~4M/200M). Make S/MIME (secured e-mail, SMIMEA) a reality: all e-mail packages already support it, they just lack a way to distribute keys; with DNSSEC, now they do. May work in concert with, enhance or extend other cyber-security efforts such as digital identities, WebID, BrowserID, CAs, ... Securing VoIP. Simplifying WiFi roaming security. Secure distribution of configurations (e.g. blacklists, anti-virus signatures). Cryptocurrency?? Cryptocurrencies and e-commerce? DANE and other yet-to-be-discovered security innovations, enhancements and synergies.

E-mail security: S/MIME, DKIM (RFC 4871). Securing VoIP. Login security: SSHFP (RFC 4255). Domain names.
https://www.eff.org/observatory
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/

DNS-Based Authentication of Named Entities (DANE)
Q: How do you know if the TLS/SSL certificate is the correct one?
A: Store the certificate (or a fingerprint/hash of it) in the DNS and sign it with DNSSEC. The certificate stored in the DNS is controlled by the domain name holder.
And not just for web pages. It could also be: e-mail, VoIP, chat, PGP, ...

Opportunity: New Security Solutions
Improved Web SSL and certificates for all*
Secured e-mail (e.g. S/MIME, PGP) for all*
Securing VoIP
Cross-organizational authentication + security
Secured content delivery (e.g. configurations, updates, keys) – Internet of Things
Securing the Smart Grid
Increasing trust in e-commerce
Securing cryptocurrencies and other new models
A global built-in PKI
Configuration data examples: anti-virus signatures, blacklists, etc.
Imagine if you could trust “the ’Net” – again?
Inter-e-mail-server exchange (SMTP) security using DNSSEC + DANE + TLS is becoming very popular in Germany and elsewhere post-Snowden. At the 2015 Prague IETF meeting Snowden (via video conference) publicly singled out DNSSEC as a key technology for enhancing privacy.
A good reference: http://www.internetsociety.org/deploy360/dnssec/
*IETF standards complete and interest by government procurement.

A thought: Scalable Security for IoT
The DNS root is already there; DNSSEC adds security and crosses organizational boundaries.
Example naming hierarchy on the slide:
root
com: google.com
pl: iot.pl
iot.pl: iotdevices.iot.pl, security.iot.pl, electric.iot.pl
iotdevices.iot.pl: car.rickshome.iotdevices.iot.pl, thermostat.rickshome.iotdevices.iot.pl, refrigerator.rickshome.iotdevices.iot.pl
security.iot.pl: water.rickshome.security.iot.pl, window.rickshome.security.iot.pl, door.rickshome.security.iot.pl
electric.iot.pl: aircond.rickshome.electric.iot.pl, meter.rickshome.electric.iot.pl

Lots of excitement (and standards) in the Internet
The underlying mechanism that secures all these processes is DANE:
RFC6698 (protocol), RFC6394 (use cases), RFC7671 (operational guidance)
RFC7672 SMTP security
RFC7673 chat
RFC7929 PGP e-mail
RFC8162 S/MIME e-mail
OpenSSL supports DANE
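The DANE mechanism described above (store the certificate, or a hash of it, in a DNSSEC-signed TLSA record that the domain holder controls) and the SMTP use case of RFC7672, as an added example that is not code from the presentation: it builds a TLSA record from a certificate and checks a presented certificate against it using the RFC 6698 selector and matching-type semantics. The host name mail.example.test, the toy_certificate builder, the filler key bytes and the placeholder signature are all constructed for this example; a real deployment would hash the server's actual DER certificate and publish the record in its DNSSEC-signed zone.

```python
"""DANE TLSA records: build one from a certificate, check a presented
certificate against it (RFC 6698 selector / matching-type semantics).
Added example, not the presentation's code. Certificates are constructed
inline (toy_certificate) so the script runs offline."""
import hashlib


# --- minimal DER helpers (only what a TLSA matcher needs) -------------------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, short or long length form as required."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(blob: bytes) -> list:
    """Split the body of a DER SEQUENCE into a list of (tag, content)."""
    out, i = [], 0
    while i < len(blob):
        tag, n = blob[i], blob[i + 1]
        i += 2
        if n & 0x80:                     # long form: (n & 0x7F) length bytes follow
            k = n & 0x7F
            n = int.from_bytes(blob[i:i + k], "big")
            i += k
        out.append((tag, blob[i:i + n]))
        i += n
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate. tbsCertificate =
    [0] version (optional), serial, signature, issuer, validity, subject, SPKI, ..."""
    [(_, cert_body)] = der_children(cert_der)
    (_, tbs_body), *_ = der_children(cert_body)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:             # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    tag, body = fields[5]
    return der(tag, body)


# --- TLSA RDATA (RFC 6698 section 2.1) --------------------------------------

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for a service, e.g. _25._tcp.mail.example.test."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching_type: int) -> str:
    """'<usage> <selector> <matching type> <hex>'. selector 0 = full cert,
    1 = SPKI; matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 1:
        data = hashlib.sha256(data).digest()
    elif matching_type == 2:
        data = hashlib.sha512(data).digest()
    elif matching_type != 0:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching_type} {data.hex()}"


def tlsa_matches(rdata: str, presented_cert_der: bytes) -> bool:
    """Does the presented leaf certificate satisfy this TLSA record? Handles the
    end-entity usages (1 PKIX-EE, 3 DANE-EE); usages 0/2 name a CA in the
    chain and would need the whole chain, which this example does not model."""
    usage, selector, mtype, hexdata = rdata.split()
    if usage not in ("1", "3"):
        raise ValueError("example only handles end-entity usages")
    expected = tlsa_rdata(presented_cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == hexdata.lower()


# --- constructed test material (not real keys or signatures) ----------------

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # 1.2.840.113549.1.1.1
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11


def toy_certificate(subject: bytes, key_bytes: bytes, serial: bytes = b"\x01") -> bytes:
    """Constructed certificate with the real DER field layout but dummy values;
    the signature is a placeholder, which DANE-EE matching never inspects."""
    version = der(0xA0, der(0x02, b"\x02"))                  # [0] EXPLICIT INTEGER 2 (v3)
    sig_alg = der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, subject))))
    validity = der(0x30, der(0x17, b"170918000000Z") + der(0x17, b"180918000000Z"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
               + der(0x03, b"\x00" + key_bytes))             # BIT STRING, 0 unused bits
    tbs = der(0x30, version + der(0x02, serial) + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))


KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))        # filler, not real RSA keys
SERVER_CERT = toy_certificate(b"mail.example.test", KEY_A, serial=b"\x01")
RENEWED_CERT = toy_certificate(b"mail.example.test", KEY_A, serial=b"\x02")  # same key, new cert
ROGUE_CERT = toy_certificate(b"mail.example.test", KEY_B)                    # same name, other key

# What the domain holder publishes for its SMTP server: DANE-EE, SPKI, SHA-256 ("3 1 1").
OWNER = tlsa_owner_name("mail.example.test", 25)
RECORD_311 = tlsa_rdata(SERVER_CERT, 3, 1, 1)

if __name__ == "__main__":
    print(OWNER, "IN TLSA", RECORD_311)
    print("genuine cert matches:", tlsa_matches(RECORD_311, SERVER_CERT))
    print("renewed cert (same key) matches:", tlsa_matches(RECORD_311, RENEWED_CERT))
    print("rogue cert rejected:", not tlsa_matches(RECORD_311, ROGUE_CERT))
```

The "3 1 1" form is the one RFC7671 recommends for DANE-EE: because the selector hashes only the public key, a renewed certificate that keeps the same key pair still matches the published record, whereas a "3 0 1" record (full certificate) would have to be updated on every renewal, which is exactly the window in which a stale record breaks TLS clients that enforce DANE.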

Govt interest? NIST published Special Publication 1800-6, “DNS-Based E-Mail Security” https://beta.csrc.nist.gov/publications/detail/sp/1800-6/draft

DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity. DANE is a key example.

Thank You
Thanks to many including: Dan York / ISOC
Email: richard.lamb@icann.org
ICANN-provided KSK Rollover information and tools:
https://www.icann.org/kskroll
https://github.com/iana-org/get-trust-anchor
https://go.icann.org/KSKtest
youtube.com/icannnews
Root Zone DNSSEC Trust Anchor: https://data.iana.org/root-anchors
linkedin/company/icann
www.icann.org
Call for TCRs: https://www.iana.org/help/tcr-application