Re: [DNSOP] A different question
Date: Fri, 22 Aug 2008 10:50:35 -0400 (EDT)
From: Dean Anderson <dean at av8.com>
To: David Conrad <drc at virtualized.org>
Cc: "dnsop at ietf.org WG" <dnsop at ietf.org>

Both of Ohta-san's points are entirely valid.

On Ohta-san's first point: DJB is convinced that 1024bit RSA is
crackable with a botnet. And if 1024 isn't crackable now, it probably
will be shortly. So it is probably possible or soon will be possible to
crack keys and then forge many DNSSEC signatures, given enough
determination. Using larger (2048bit) signatures creates more work to
verify signatures, and larger responses. [Note: increasing key size has
a corresponding impact on the crypto-overload DOS attack that I
(Anderson) previously described, and also makes worse the forged query
DDOS attack that I described.]

On Ohta-san's second point: If the zone is compromised, (which means the
attacker has obtained the private key), then the attacker can construct
new signatures at will, and being a MitM, can inject these responses at
will, also. The response that one gets (or seems to get) from a cache
or authority server is not necessarily the response from an authority
server. This can result in a number of problems for DNSSEC, and it is
the common factor in several different attacks described by Ohta-san and
myself.

--Dean

On Thu, 21 Aug 2008, David Conrad wrote:
> *plonk*
>
> On Aug 21, 2008, at 3:50 PM, Masataka Ohta wrote:
> > Paul Wouters wrote:
> >
> >>> Instead, MitM attack on DNSSEC is performed, for example, within
> >>> intermediate zones with forged signature on child zone with forged
> >>> end-users data.
> >
> >> Oh I see. DNSSEC is broken because we cannot trust RSA, DSA, SHA256,
> >> DiffieHellman, and perhaps elliptic curve....
> >
> > That is certainly a valid argument.
> >
> > However, it has nothing to do with the MitM case above because
> > forged signature from a compromised zone is cryptographically valid.
> >
> > Masataka Ohta
> >
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP at ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
>
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000