11-13 October 2014
Hyatt Regency Century Plaza
US/Pacific timezone

NSEC5: Provably Preventing DNSSEC Zone Enumeration

12 Oct 2014, 14:40
30m
Westside (Hyatt Regency Century Plaza)

Westside

Hyatt Regency Century Plaza

2025 Avenue of the Stars Los Angeles California 90067 USA
Public Workshop Sunday Workshop (Public)

Speaker

Prof. Sharon Goldberg (Boston University)

Description

DNSSEC is designed to prevent network attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability--zone enumeration, where an adversary launches a small number of online DNSSEC queries and then uses offline dictionary attacks to learn which domain names are present or absent in a DNS zone. We propose a new cryptographic construction that solves the problem of DNSSEC zone enumeration while remaining faithful to the operational realities of DNSSEC. NSEC5 can be thought of as a variant of NSEC3 in which the unkeyed hash function is replaced with a deterministic RSA-based keyed hashing scheme. We also show that a public-key operation is necessary to prevent zone enumeration. Specifically, we prove that security against network attackers and privacy against zone enumeration cannot be satisfied simultaneously unless the DNSSEC server performs online public-key cryptographic operations.

Summary

See attached file.

Primary author

Prof. Sharon Goldberg (Boston University)

Co-authors

Mr. Asaf Ziv (Weizmann Institute) Mr. Dimitrios Papadopoulos (Boston University) Dr. Leonid Reyzin (Boston University) Dr. Moni Naor (Weizmann Institute) Mr. Sachin Vasant (Boston University)

Presentation Materials

Your browser is out of date!

Update your browser to view this website correctly. Update my browser now

×