DANE: The Future of Transport Layer Security (TLS)


1 DANE: The Future of Transport Layer Security (TLS)
Dr. Richard Lamb Santa Venera, Malta ION Malta 18 September 2017

2 DNSSEC: A Global Platform for Innovation or.. I* $mell opportunity !
*and a few others. See all the patent filings relying on DNSSEC !!

3 Game changing Internet Core Infrastructure Upgrade
“More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re‐purposed in a number of different ways. ..” – Vint Cerf (June 2010)

4 Another source of trust on the Internet
CA Certificate roots ~1482
Symantec, Thawte, Godaddy
DNSSEC root - 1
Internet of Things IoT
Content security
“Free SSL” certificates for Web and and “trust agility”
DANE
Cross-organizational and trans-national authentication and security
Content security
Commercial SSL Certificates for Web and

SSL cert for tata.in can be provided by 1482 CAs including govts!! How do you know who to trust? The Internet community started with just trying to secure the DNS but we ended up with something much more (see Vint Cerf’s quote). With so many, trust is diluted. Used to be good when there were fewer. Anyone can encrypt. Few can identify: Encryption != Identity. Examples of this problem: Comodo, MD5 crack, DigiNotar etc. Failures. Fact is that DNS has unfortunately been used as an independent authentication tool for some time: e.g. authentication

Looking forward:
Build and improve on established trust models, e.g., CAs
Greatly expanded SSL usage (currently ~4M/200M)
Make SMIME (secured - SMIMEA) a reality. All packages already have support for this. They just don’t have a way to distribute keys. /w DNSSEC – now they do.
May work in concert in enhancing or extending other cyber security efforts like digital Identities, WebID, BrowserID, CAs, ..
Securing VoIP
Simplify WiFi roaming security
Secure distribution of configurations (e.g., blacklists, anti-virus sigs)
Cryptocurrency?? Crypto currencies and e-commerce?
DANE and other yet to be discovered security innovations, enhancements, and synergies

security SMIME, DKIM RFC4871
Securing VoIP
Login security SSHFP RFC4255
Domain Names

5 DNS-Based Authentication of Named Entities (DANE)
Q: How do you know if the TLS/SSL certificate is the correct one?
A: Store the certificate (or fingerprint/hash of it) in the DNS and sign it with DNSSEC.

Certificate stored in the DNS is controlled by the domain name holder. But not just for web pages. Could also be: , voip, chat, pgp ….
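The check slide 5 describes, as an added example that is not part of the original presentation: publish a hash of the server certificate as a TLSA record and accept a presented certificate only if it matches a record that validated under DNSSEC. The TLSA field values (usage 3, selector 0, matching types 0/1/2) are taken from RFC 6698; the function names, the constructed certificate bytes and the dnssec_validated flag (standing in for the resolver's validation result) are assumptions of this example.

```python
import hashlib
import hmac

# TLSA matching types (RFC 6698): 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
MATCHERS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT = b"constructed-der-bytes-of-the-server-certificate"
OTHER_CERT = b"constructed-der-bytes-of-some-other-certificate"

def tlsa_owner(host, port=443, proto="tcp"):
    """DNS name where the TLSA records for a service are published."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def make_tlsa(cert_der, mtype=1):
    """TLSA RDATA (presentation form) for usage 3, selector 0 (full certificate)."""
    return f"3 0 {mtype} {MATCHERS[mtype](cert_der).hex()}"

def cert_matches(rdata, cert_der):
    """Check one TLSA record against the certificate the server presented."""
    fields = rdata.split()
    if len(fields) < 4:
        return False
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
        expected = bytes.fromhex("".join(fields[3:]))
    except ValueError:
        return False
    # Anything this example does not implement is treated as unusable, not as a match.
    if usage != 3 or selector != 0 or mtype not in MATCHERS:
        return False
    return hmac.compare_digest(MATCHERS[mtype](cert_der), expected)

def dane_ok(rrset, cert_der, dnssec_validated):
    """Accept only if the TLSA answer validated under DNSSEC and a record matches."""
    if not dnssec_validated:
        return False  # unsigned TLSA data proves nothing about the certificate
    return any(cert_matches(rdata, cert_der) for rdata in rrset)

if __name__ == "__main__":
    record = make_tlsa(SERVER_CERT)
    print(tlsa_owner("www.example.com"), "IN TLSA", record)
    print(dane_ok([record], SERVER_CERT, dnssec_validated=True))
```

Records with other usages or selectors need certificate-chain or public-key handling that this example leaves out, so it rejects them rather than guessing.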

6 Opportunity: New Security Solutions
Improved Web SSL and certificates for all*
Secured (e.g., s/mime, pgp) for all*
Securing VoIP
Cross organizational authentication+security
Secured content delivery (e.g. configurations, updates, keys) – Internet of Things
Securing the Smart Grid
Increasing trust in e-commerce
Securing cryptocurrencies and other new models
A Global Built-in PKI

Configuration data examples: anti-virus signatures, blacklists, etc… Imagine if you could trust “the ‘Net” – again? Inter server exchange (SMTP) security using DNSSEC+DANE+TLS is becoming very popular in Germany and elsewhere post-Snowden. At the 2015 Prague IETF meeting Snowden (via video conference) publicly singled out DNSSEC as a key technology for enhancing privacy. A good ref

*IETF standards complete and interest by govt procurement.

7 A thought: Scalable Security for IoT
DNS is already there. DNSSEC adds security and crosses organizational boundaries.

root
  com
    google.com
  pl
    iot.pl
      iotdevices.iot.pl
        car.rickshome.iotdevices.iot.pl
        thermostat.rickshome.iotdevices.iot.pl
        refrigerator.rickshome.iotdevices.iot.pl
      security.iot.pl
        water.rickshome.security.iot.pl
        window.rickshome.security.iot.pl
        door.rickshome.security.iot.pl
      electric.iot.pl
        aircond.rickshome.electric.iot.pl
        meter.rickshome.electric.iot.pl

8 Lots of excitement (and standards) in the Internet
The underlying mechanism that secures all these processes is DANE.
RFC6698 (protocol), RFC6394 (use cases), RFC7671 (operational guidance)
RFC7672 SMTP Security
RFC7673 Chat
RFC7929 PGP
RFC8162 S/MIME
OpenSSL supports DANE

9 Govt interest? NIST published Special Publication , “DNS-Based Security”

10 DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity. DANE is a key example.

11 Thank You
Thanks to many including: Dan York / ISOC
ICANN provided KSK Rollover Information and Tools:
Root Zone DNSSEC Trust Anchor:
Call for TCRs:
youtube.com/icannnews linkedin/company/icann

