11–13 Oct 2014
Hyatt Regency Century Plaza
US/Pacific timezone

NSEC5: Provably Preventing DNSSEC Zone Enumeration

12 Oct 2014, 14:40
30m
Westside (Hyatt Regency Century Plaza)

2025 Avenue of the Stars Los Angeles California 90067 USA
Public Workshop Sunday Workshop (Public)

Speaker

Prof. Sharon Goldberg (Boston University)

Description

DNSSEC is designed to prevent network attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability: zone enumeration, where an adversary launches a small number of online DNSSEC queries and then uses offline dictionary attacks to learn which domain names are present or absent in a DNS zone. We propose NSEC5, a new cryptographic construction that solves the problem of DNSSEC zone enumeration while remaining faithful to the operational realities of DNSSEC. NSEC5 can be thought of as a variant of NSEC3 in which the unkeyed hash function is replaced with a deterministic RSA-based keyed hashing scheme. We also show that a public-key operation is necessary to prevent zone enumeration. Specifically, we prove that security against network attackers and privacy against zone enumeration cannot be satisfied simultaneously unless the DNSSEC server performs online public-key cryptographic operations.
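To make the abstract's point concrete, here is an added Python illustration (not code from the paper or its authors) of why an unkeyed NSEC3-style hash is exposed to offline dictionary guessing while a keyed, RSA-based hash in the NSEC5 style is not. The zone labels, the guesser's wordlist, the salt and the tiny RSA modulus are all constructed for the example; the owner-name encoding is simplified to UTF-8, and real NSEC5 uses a full-size RSA key with a full-domain hash over that modulus.

```python
import hashlib

# --- constructed toy data (not from the paper) ---
ZONE_NAMES = ["www", "mail", "staging"]                      # labels present in the zone
WORDLIST = ["www", "mail", "ftp", "staging", "dev", "vpn"]   # guesser's offline dictionary
SALT = b"\xab\xcd"
ITERATIONS = 10

# ---- NSEC3-style unkeyed hashing (RFC 5155 shape: H(name||salt), then iterated) ----
def nsec3_hash(owner: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Unkeyed: anyone who knows the public salt and iteration count can evaluate it.
    Owner-name wire encoding is simplified to UTF-8 for this illustration."""
    h = hashlib.sha1(owner.encode() + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h

def offline_dictionary_attack(published_hashes, wordlist, hash_fn):
    """Names in `wordlist` whose hash appears among hashes seen in denial-of-existence records.
    This only succeeds when the guesser can evaluate hash_fn without contacting the server."""
    return sorted(w for w in wordlist if hash_fn(w) in published_hashes)

# ---- NSEC5-style keyed hashing: SHA-256 of a deterministic RSA-FDH signature ----
# Toy RSA parameters chosen for readability; far too small for real use.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q                                  # fits in 60 bits
D = pow(E, -1, (P - 1) * (Q - 1))          # secret exponent held only by the zone owner

def fdh(owner: str) -> int:
    """Full-domain hash of the name into Z_N (narrowed to the toy modulus)."""
    return int.from_bytes(hashlib.sha256(owner.encode()).digest(), "big") % N

def nsec5_proof(owner: str, d: int = D) -> int:
    """Deterministic RSA-FDH signature of the name: requires the secret key."""
    return pow(fdh(owner), d, N)

def nsec5_hash_from_proof(proof: int) -> bytes:
    """The value that enters the NSEC5 chain; derivable from the proof alone."""
    return hashlib.sha256(proof.to_bytes(8, "big")).digest()

def nsec5_hash(owner: str) -> bytes:
    return nsec5_hash_from_proof(nsec5_proof(owner))

def verify_nsec5(owner: str, proof: int) -> bool:
    """Resolver-side check using only the public key: is `proof` the FDH signature of `owner`?"""
    return pow(proof, E, N) == fdh(owner)

def keyless_guess(owner: str) -> bytes:
    """What an outsider can compute offline without D: a hash of the name's FDH value.
    It never equals the keyed hash, so wordlist guesses cannot be matched offline."""
    return hashlib.sha256(fdh(owner).to_bytes(8, "big")).digest()

def demo() -> dict:
    nsec3_chain = {nsec3_hash(n) for n in ZONE_NAMES}   # hashes a guesser would collect online
    nsec5_chain = {nsec5_hash(n) for n in ZONE_NAMES}
    www_proof = nsec5_proof("www")
    return {
        "nsec3_recovered": offline_dictionary_attack(nsec3_chain, WORDLIST, nsec3_hash),
        "nsec5_recovered": offline_dictionary_attack(nsec5_chain, WORDLIST, keyless_guess),
        "proof_verifies": verify_nsec5("www", www_proof),
        "wrong_proof_rejected": not verify_nsec5("www", nsec5_proof("mail")),
        "hash_from_proof_matches_chain": nsec5_hash_from_proof(www_proof) in nsec5_chain,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the unkeyed chain giving up every zone label that appears in the wordlist, while the keyed chain yields nothing to an offline guesser; a resolver can still check a returned proof with the public key alone, which is the online public-key operation the abstract argues is unavoidable.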

Summary

See attached file.

Primary author

Prof. Sharon Goldberg (Boston University)

Co-authors

Mr Asaf Ziv (Weizmann Institute)
Mr Dimitrios Papadopoulos (Boston University)
Dr Leonid Reyzin (Boston University)
Dr Moni Naor (Weizmann Institute)
Mr Sachin Vasant (Boston University)

Presentation materials