PKI To The Masses. IPCCC 2004. Dan Massey, USC/ISI. 1 March.


PKI Is Necessary

- My PKI-related actions since arriving at IPCCC:
  - Used an SSH host public key for remote login.
  - Used an IMAP certificate to download email.
  - Received a PGP signed message.
  - Accessed a secure website using an SSL certificate.
- Proposed infrastructure PKI-related actions:
  - Secure BGP would use PKI to protect Internet routes.
  - Secure DNS would use PKI to protect Internet names.

The Need for a Secure Infrastructure

[Figure labels: Internet; c.gtld-servers.net; BGP monitor originates route to /24; ISPs announced new path for 20 minutes to 3 hours; 1 of 13 DNS servers for com/net/org]

- BGP and DNS provide no authentication.
  - Lack of BGP authentication misdirected DNS queries.
    - This happens to be DNS traffic, but could be email, web, etc.
  - Server could have replied with false DNS data.

The PKI Solution

- Routing: sign the routing updates.
  - Use public key cryptography to verify the origin is allowed to originate the path.
  - Have each node sign its next link in the route (to prove the path is valid).
  - S-BGP (Kent/BBN), SoBGP (White/Cisco)
- DNS: sign the DNS response.
  - DNSSEC (IETF DNSEXT Working Group)

Secure DNS Query and Response

[Figure labels: End-user; Caching DNS Server; Authoritative DNS Servers]

A =
RRSIG(A) = [signature by darpa.mil private key]

Attacker cannot forge this answer without knowing the darpa.mil private key.

So What’s the Problem?

- Was my IPCCC use of PKI worthwhile?
  - SSH reported “host key has changed”.
    - Has anyone ever rejected a key due to this message?
  - The IMAP certificate I used was self-signed.
    - Who should have signed this certificate?
  - I did not verify the PGP key for the signed email.
    - How would I do this effectively? PGP key servers??
  - Should I have checked the web SSL certificate?
- No deployment of infrastructure (DNS, BGP) PKIs.

Limitations of PKI Deployment

- The theoretical promise of PKI technology greatly exceeds the deployed use.
  - Fundamental key management issues remain.
- Effective deployment requires:
  - Mechanism for learning the public key
  - Mechanism for changing the public key
  - Limit damage of compromised key (revocation?)
- Claim: this can only work in a strong hierarchy.

Steps To Real Deployment

- S-BGP: create a hierarchy where none exists.
  - Who signs that you are allowed to announce this prefix?
  - How do you distribute the database?
- Secure DNS overlays PKI on the DNS tree.
  - Simple structure in theory:
    - Root key signs the com, net, org, edu, uk, etc. keys
    - Com key signs the cisco.com, ibm.com, foo.com keys
    - Cisco.com key signs research.cisco.com,
  - But this assumes the entire tree deploys DNSSEC.

DNS: The PKI Of The Future (?)

- Can use a signed DNS as the missing PKI.
  - Store SSH host keys in the DNS along with host IP address (IETF working group for this)
  - Store SSL and IMAP certificates in the DNS (DNS CERT record is already defined)
  - Store PGP keys in the DNS (functionality revoked by Massey and Rose)
- What is wrong with the picture?
  - No revocation mechanism
  - Will this create a PKI or break the DNS?
  - Is the DNS an appropriate trust model?
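
The idea of storing SSH host keys in the DNS, worked through as an added example (not part of the original presentation) using the SSHFP record format that RFC 4255 later standardized. It shows how a client could resolve a "host key has changed" prompt against the zone, and why the answer is only useful when it was DNSSEC-validated. The keys are constructed filler bytes, and `host.example` and the `dnssec_validated` flag are assumptions standing in for a validating resolver.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Decode an OpenSSH public key line; return (key type, raw key blob)."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    return key_type, blob


def sshfp_rdata(pubkey_line, fp_type=2):
    """Build the 'algorithm fp-type hex-digest' RDATA a zone would publish."""
    key_type, blob = key_blob(pubkey_line)
    digest = SSHFP_HASHES[fp_type](blob).hexdigest()
    return f"{SSHFP_ALGS[key_type]} {fp_type} {digest}"


def check_host_key(pubkey_line, sshfp_records, dnssec_validated):
    """Classify the key a server offered against the zone's SSHFP RDATA set."""
    if not dnssec_validated:
        return "untrusted-dns"   # unsigned answers are as forgeable as the key
    offered = {sshfp_rdata(pubkey_line, t) for t in SSHFP_HASHES}
    published = {" ".join(r.lower().split()) for r in sshfp_records}
    return "match" if offered & published else "mismatch"


def constructed_key(seed):
    """Constructed sample: wire-format Ed25519 key with 32 filler bytes."""
    raw = b"".join(struct.pack(">I", len(p)) + p
                   for p in (b"ssh-ed25519", bytes([seed]) * 32))
    return "ssh-ed25519 " + base64.b64encode(raw).decode() + " constructed@example"


OLD_KEY, NEW_KEY = constructed_key(1), constructed_key(2)
ZONE_SSHFP = [sshfp_rdata(OLD_KEY)]          # what host.example would publish

if __name__ == "__main__":
    print("host.example. IN SSHFP", ZONE_SSHFP[0])
    for key, signed in ((OLD_KEY, True), (NEW_KEY, True), (OLD_KEY, False)):
        print(check_host_key(key, ZONE_SSHFP, signed))
```

A "mismatch" on a validated answer is the case where rejecting the key is justified; the record gives no revocation signal beyond the zone owner replacing it, which is the limitation the slide raises.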