Seminar: Network and Communication Privacy. Presenter: Sabbir Ahmmed
Page 1: DNSCurve

Seminar: Network and Communication Privacy

Presenter: Sabbir Ahmmed

Page 2: DNSCurve

DNS Privacy And Confidential DNS

DNSCurve: Usable security for DNS

Page 3: DNSCurve

DNS Review

Image Credit: [5]

Page 4: DNSCurve

DNS Review

Image Credit: [5]

Page 5: DNSCurve

DNS Vulnerabilities

● Three important questions
○ How do attackers target DNS in general?
○ How do attackers spy on your DNS queries?
○ How do attackers forge DNS responses?

Image Credit: [5]

Page 6: DNSCurve

DNSSEC

● Limitations
○ availability/confidentiality
○ responses are authenticated but not encrypted
○ DNSSEC only signs RRs
○ does not protect against DoS attacks directly
○ DNSSEC cannot protect against false assumptions

Source: DataStax

Page 7: DNSCurve

Introduction to DNSCurve

● Uses elliptic-curve cryptography [1], not RSA
● Designed by Daniel J. Bernstein
● Uses a particular elliptic curve, Curve25519
○ 1 chance in 1000000000000000000000000000 !
○ security comparable to 3000-bit RSA
● What does DNSCurve do for me?
○ confidentiality
○ integrity
○ availability
○ other aspects

Source: DataStax

Page 8: DNSCurve

DNSCurve Protocol

uz5 followed by the 51-byte encoding of a 255-bit public key

Page 9: DNSCurve

DNSCurve Protocol

● What are sent to the server?

Page 10: DNSCurve

DNSCurve Protocol

● How does the server open the box?

Page 11: DNSCurve

DNSCurve Protocol

● What does the server send back?

Page 12: DNSCurve

DNSCurve Protocol
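The slides ask what the client sends, how the server opens the box and what comes back, but the diagrams did not survive the transcript. The following stdlib-only Python is an added illustration, not code from the deck or from the DNSCurve project: it implements the uz5 key-name encoding from page 8 (base-32 alphabet 0123456789bcdfghjklmnpqrstuvwxyz, bits taken little-endian, 51 digits for 255 bits) and the streamlined query/response framing from pages 9 to 11, as I recall them from the DNSCurve protocol page. The box itself is crypto_box (Curve25519 key agreement plus XSalsa20-Poly1305) in the real protocol; here it is treated as opaque bytes, and all sample keys and nonces are constructed.

```python
"""DNSCurve key names and streamlined packet framing (added example)."""
import struct
from typing import Optional

B32 = "0123456789bcdfghjklmnpqrstuvwxyz"   # DNSCurve base-32 digits (no a, e, i, o)
KEY_LEN = 32                                # Curve25519 public key; bit 256 is unused
NAME_PREFIX = "uz5"
NAME_LEN = 3 + 51                           # uz5 + 51 digits * 5 bits = 255 bits
QUERY_MAGIC = b"Q6fnvWj8"
RESPONSE_MAGIC = b"R6fnvWJ8"
NONCE_HALF = 12                             # client and server each choose 96 bits


def encode_key_name(pubkey: bytes) -> str:
    """Encode a 32-byte public key as the uz5... label used in NS names."""
    if len(pubkey) != KEY_LEN or pubkey[-1] & 0x80:
        raise ValueError("public key must be 32 bytes with the top bit clear")
    n = int.from_bytes(pubkey, "little")
    return NAME_PREFIX + "".join(B32[(n >> (5 * i)) & 31] for i in range(51))


def decode_key_name(label: str) -> Optional[bytes]:
    """Recover the key from an NS name label; None means 'not a DNSCurve
    server', and the cache falls back to plain DNS for that server."""
    label = label.lower()
    if len(label) != NAME_LEN or not label.startswith(NAME_PREFIX):
        return None
    n = 0
    for i, ch in enumerate(label[3:]):
        d = B32.find(ch)
        if d < 0:
            return None
        n |= d << (5 * i)
    return n.to_bytes(KEY_LEN, "little")


def dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Ordinary DNS query packet: the plaintext that goes inside the box."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def build_query(client_pk: bytes, client_nonce: bytes, box: bytes) -> bytes:
    """Client -> server: magic | client public key | client nonce | box.
    The box is crypto_box(dns_query, client_nonce + 12 zero bytes,
    server_pk, client_sk); it is 16 bytes longer than the DNS packet."""
    if len(client_pk) != KEY_LEN or len(client_nonce) != NONCE_HALF:
        raise ValueError("bad key or nonce length")
    return QUERY_MAGIC + client_pk + client_nonce + box


def parse_query(pkt: bytes) -> Optional[dict]:
    """Server side: the client's public key arrives in the packet, so the
    server combines it with its own secret key to get the shared secret and
    opens the box under nonce client_nonce + 12 zero bytes."""
    if len(pkt) < 8 + KEY_LEN + NONCE_HALF or pkt[:8] != QUERY_MAGIC:
        return None   # not DNSCurve: serve it as a plain DNS packet
    return {"client_pk": pkt[8:40], "client_nonce": pkt[40:52], "box": pkt[52:]}


def build_response(client_nonce: bytes, server_nonce: bytes, box: bytes) -> bytes:
    """Server -> client: magic | client nonce | server nonce | box, where the
    box was sealed under the 24-byte nonce client_nonce + server_nonce."""
    if len(client_nonce) != NONCE_HALF or len(server_nonce) != NONCE_HALF:
        raise ValueError("bad nonce length")
    return RESPONSE_MAGIC + client_nonce + server_nonce + box


def parse_response(pkt: bytes, expected_client_nonce: bytes) -> Optional[dict]:
    """Client side: only a reply echoing the nonce we sent is even considered;
    anything else (forged, replayed or stray) is dropped before decryption."""
    if len(pkt) < 8 + 2 * NONCE_HALF or pkt[:8] != RESPONSE_MAGIC:
        return None
    if pkt[8:20] != expected_client_nonce:
        return None
    return {"nonce": pkt[8:32], "box": pkt[32:]}


if __name__ == "__main__":
    client_pk = bytes(range(32))          # constructed stand-in for a real key
    nonce = b"\x01" * NONCE_HALF           # constructed; real clients use fresh random nonces
    plain = dns_query("example.com")
    fake_box = b"\x00" * 16 + plain        # opaque stand-in for crypto_box output
    print(encode_key_name(client_pk))
    print(parse_query(build_query(client_pk, nonce, fake_box))["client_nonce"].hex())
```

To turn this into a working client, replace the stand-in box with a NaCl binding such as PyNaCl's `nacl.public.Box(client_sk, server_pk).encrypt(plain, nonce + b"\x00" * 12).ciphertext`, and look the server key up by decoding the uz5 label of its NS record; the framing and nonce check above stay the same.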

Page 13: DNSCurve

DNSCurve Protocol

● Speedups
○ The server
○ The cache
● Computing Curve25519 shared secrets for ten million servers: 10 minutes

Page 14: DNSCurve

DNSCurve: How to get it

● Simply upgrade your DNS cache
○ dnscache / BIND
○ PowerDNS Recursor / Nominum
○ MaraDNS / Unbound
● No extra cache configuration is required.
● No extra firewall configuration is required.
● Network bandwidth remains essentially unchanged.
● ISP's DNS vs. cache DNS (side benefit)
● Daily copies of the root zone (side benefit)

Page 15: DNSCurve

Implementations

● CurveDNS
○ allows DNS administrators to protect existing installations without patching
● DNSCrypt from OpenDNS
○ protects the channel between OpenDNS and its users
● Curve-Protect
○ for common services like DNS, SSH, HTTP, and SMTP

Page 16: DNSCurve

References and bibliography

1. http://dnscurve.org/index.html

2. Daniel J. Bernstein, "Curve25519: new Diffie-Hellman speed records", 2006

3. NSA: The Case for Elliptic Curve Cryptography

4. Adam Langley: What a difference a prime makes

5. CURVEPROTECT SOFTWARE (EXPERIMENTAL)

6. DNS Cache Poisoning: Definition and Prevention

Page 17: DNSCurve

Conclusion

The slides are published under a permissive license (Creative Commons: BY-SA)