
Reducing the X.509 Attack Surface with DNSSEC’s DANE E. Osterweil, B. Kaliski, M. Larson and D. McPherson SATIN 2012, March 22-23 Teddington, UK


Page 1: Reducing the X.509 Attack Surface with DNSSEC’s DANEconferences.npl.co.uk/satin/presentations/satin2012slides... · Reducing the X.509 Attack Surface with DNSSEC’s DANE! E. Osterweil,

Reducing the X.509 Attack Surface with DNSSEC’s DANE

E. Osterweil, B. Kaliski, M. Larson and D. McPherson
SATIN 2012, March 22-23
Teddington, UK

Page 2: SSL/TLS Authentication

•  SSL/TLS has been fantastically successful
•  But there have been some highly publicized failures (Comodo, DigiNotar)
•  What can be done?

•  Authentication uses X.509 certificates
  •  Server sends cert at SSL/TLS session start
  •  How does client trust the cert presented by the server?

•  Certificate Authority (CA) model predominates
  •  CAs vouch for servers’ public keys
  •  Clients trust multiple CAs
  •  Clients transit trust from CA to server cert

Page 3: Problems With the CA Model

•  Conflates authentication and trustworthiness
  •  “This is an authentic cert from the named entity.”
  •  “You can trust the named entity.”
  •  CA confirmed the named entity controls its domain name (Domain Validated)
  •  Named entity passed certain checks (Extended Validation)

•  Only as strong as weakest CA
  •  Clients trust many CAs for flexibility
  •  All CAs are trusted equivalently
  •  Any CA can vouch for anyone
  •  Named entity can’t specify who can vouch for it
  •  One compromised CA affects everyone

Page 4: CA Model Attack Surface Illustrated

[Figure: client resolving https://www.foo.com. Steps shown: DNS resolution through root, .com and foo.com; 2 - DNS response; 3 - HTTPS to web server; 4 - check cert against the client’s CA list, with CA revocation checks against OCSP servers and CRL servers. Attack surface: ~150 targets.]

Page 5: CA Model Aggregate Attack Surface

•  All trusted CAs
  •  O(n), n = number of CAs (~150)

•  All OCSP and CRL servers
  •  O(m + p), m = number of OCSP servers, p = number of CRL servers

•  Name servers hosting OCSP servers, CRL servers and the target domain’s zone
  •  O(|NS|), |NS| = number of name servers involved in entire predecessor graph

Page 6: DNS Transitive Trust Illustrated: starbucks.com

Page 7: DNS Transitive Trust Illustrated: .bg
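The predecessor-graph term |NS| on the attack surface slide and the starbucks.com and .bg figures describe the same computation: a closure over every zone and name server a resolver has to trust before it can resolve one name. The Python below is an added example, not from the slides or the authors; it runs over a constructed, hypothetical zone map (the operator names and the .zz TLD are made up) and contrasts a domain whose name servers sit in other TLDs with one that serves its own.

```python
"""Transitive trust in DNS: every zone and name server a resolver must trust to
resolve one name.  Added example with constructed, hypothetical zone data; it
models the predecessor graph behind the slides' |NS| term."""
from collections import deque

# Constructed zone -> name-server hosts map.  Operators are hypothetical and
# ".zz" is not a real TLD; only the graph shape matters.
ZONE_NS = {
    ".":               ["ns1.rootops.example", "ns2.rootops.example"],
    "example":         ["ns1.rootops.example", "ns2.rootops.example"],
    "rootops.example": ["ns1.rootops.example", "ns2.rootops.example"],
    "tldops.example":  ["ns1.tldops.example", "ns2.tldops.example"],
    "com":             ["ns1.tldops.example", "ns2.tldops.example"],
    "net":             ["ns1.tldops.example", "ns2.tldops.example"],
    # foo.com outsources DNS to two providers in other TLDs (out-of-bailiwick NS)
    "foo.com":         ["ns1.dnshost.net", "ns.dnshost.co.zz"],
    "dnshost.net":     ["ns1.dnshost.net", "ns2.dnshost.net"],
    "zz":              ["nsa.nic.zz", "nsb.nic.zz"],
    "co.zz":           ["nsa.nic.zz", "nsb.nic.zz"],
    "nic.zz":          ["nsa.nic.zz", "nsb.nic.zz"],
    "dnshost.co.zz":   ["ns.dnshost.co.zz", "ns2.dnshost.co.zz"],
    # bar.com runs its own in-bailiwick name servers
    "bar.com":         ["ns1.bar.com", "ns2.bar.com"],
}


def zones_on_path(name: str, zone_ns=ZONE_NS) -> list:
    """Zones a resolver walks to reach `name`: the root plus every suffix of
    `name` that is a zone cut in the map, in order from the name downward."""
    labels = name.rstrip(".").split(".")
    path = ["."]
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone_ns:
            path.append(suffix)
    return path


def transitive_trust(name: str, zone_ns=ZONE_NS):
    """Closure over the predecessor graph.  Resolving `name` needs the zones on
    its path, each zone's name servers, and, recursively, whatever is needed to
    resolve those servers' own names.  Glue records, which short-circuit some of
    this in practice, are deliberately ignored so the full dependency set shows."""
    zones, servers, seen = set(), set(), set()
    todo = deque([name])
    while todo:
        current = todo.popleft()
        if current in seen:
            continue
        seen.add(current)
        for zone in zones_on_path(current, zone_ns):
            if zone in zones:
                continue
            zones.add(zone)
            for host in zone_ns[zone]:
                if host not in servers:
                    servers.add(host)
                    todo.append(host)   # the NS host name must itself be resolved
    return zones, servers


if __name__ == "__main__":
    for target in ("www.foo.com", "www.bar.com"):
        zones, servers = transitive_trust(target)
        print(f"{target}: {len(zones)} zones, {len(servers)} name servers must be trusted")
        print("  zones:", ", ".join(sorted(zones)))
```

With this map www.foo.com pulls in 12 zones and 10 name servers, including a second TLD and its registry, while www.bar.com needs only the 6 zones and 6 servers on its own path; every extra zone is a place where an unsigned or poisoned response can redirect the client, which is why the slides count name servers in the attack surface at all.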

Page 8: The DANE Alternative

•  DNS-based Authentication of Named Entities (DANE)
  •  Protocol to transit trust from DNSSEC to TLS certificate

•  TLSA record holds cert info
  •  For TLS server at specific domain name, transport and port number
  •  E.g., _443._tcp.www.example.com

•  Multiple options for specifying cert info in TLSA record
  •  Cert provided by TLS server must…
    •  …match specified cert
    •  …be issued by specified CA cert
    •  …chain to specified trust anchor

•  DANE authenticates certs; makes no assertions about trustworthiness of named entity
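As an added example, not part of the slides or the authors’ work, the Python below builds TLSA records for the owner name shown above and checks a presented certificate chain against them, using the usage/selector/matching-type encoding later standardised in RFC 6698. The certificates are constructed, unsigned DER stand-ins (the key bytes, names and serial are dummies), so the matching runs offline with only the standard library; PKIX validation against the client’s CA list, which the CA-constrained usages additionally require, is not implemented here.

```python
"""DANE TLSA construction and matching against a toy X.509 chain (stdlib only).

Added example.  The certificates are structurally valid but unsigned DER built
inline, so nothing here is real key material; the point is how the three TLSA
options on the slide map onto usage/selector/matching-type and what is compared."""
import hashlib

SEQ, INT, BITSTR, OID, NULL, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x05, 0xA0


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def toy_certificate(public_key_bits: bytes) -> bytes:
    """Constructed stand-in for a DER certificate: real field order, dummy content.
    Its SubjectPublicKeyInfo is the 7th element of tbsCertificate, which is all
    the selector-1 extraction below relies on."""
    rsa_enc = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))  # rsaEncryption
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))  # sha256WithRSA
    spki = der(SEQ, rsa_enc + der(BITSTR, b"\x00" + public_key_bits))
    empty = der(SEQ, b"")  # stands in for issuer Name, Validity and subject Name
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + sig_alg + empty + empty + empty + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + b"\x00" * 8))  # dummy signature


def der_children(tlv: bytes):
    """Yield (tag, whole_tlv) for each element directly inside a constructed TLV."""
    def read_len(pos):
        first = tlv[pos]
        if first < 0x80:
            return first, pos + 1
        n = first & 0x7F
        return int.from_bytes(tlv[pos + 1:pos + 1 + n], "big"), pos + 1 + n
    _, i = read_len(1)  # skip the outer tag byte and its length
    while i < len(tlv):
        length, body = read_len(i + 1)
        yield tlv[i], tlv[i:body + length]
        i = body + length


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from a certificate."""
    tbs = next(der_children(cert_der))[1]
    fields = list(der_children(tbs))
    return fields[6 if fields[0][0] == CTX0 else 5][1]  # [0] version is optional


def tlsa_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    chosen = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if matching_type == 0:
        return chosen
    if matching_type == 1:
        return hashlib.sha256(chosen).digest()
    if matching_type == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_record(owner: str, usage: int, selector: int, matching_type: int, cert_der: bytes) -> str:
    """Presentation format, e.g. '_443._tcp.www.example.com. IN TLSA 3 1 1 <hex>'."""
    return f"{owner} IN TLSA {usage} {selector} {matching_type} {tlsa_data(cert_der, selector, matching_type).hex()}"


def parse_tlsa(rr: str):
    fields = rr.split()
    i = fields.index("TLSA")
    usage, selector, matching_type = (int(f) for f in fields[i + 1:i + 4])
    return usage, selector, matching_type, bytes.fromhex("".join(fields[i + 4:]))


def chain_matches_tlsa(chain: list, rr: str) -> bool:
    """chain[0] is the server's end-entity cert, chain[1:] the CA certs it sent.
    Usages 1 and 3 constrain the server cert itself ('match specified cert');
    usages 0 and 2 constrain an issuer in the chain ('issued by specified CA',
    'chain to specified trust anchor').  Usages 0 and 1 also require ordinary
    PKIX validation against the client's CA list, which this toy does not do."""
    usage, selector, matching_type, expected = parse_tlsa(rr)
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    return any(tlsa_data(c, selector, matching_type) == expected for c in candidates)


if __name__ == "__main__":
    ca, ee = toy_certificate(b"\x01" * 32), toy_certificate(b"\x02" * 32)
    owner = "_443._tcp.www.example.com."
    print(tlsa_record(owner, 3, 1, 1, ee))   # pin the server's own public key
    print(tlsa_record(owner, 2, 0, 1, ca))   # pin the issuing CA as trust anchor
    print(chain_matches_tlsa([ee, ca], tlsa_record(owner, 3, 1, 1, ee)))
```

Usage 3 with selector 1 is the combination that removes the CA list from the trust path entirely: only the server’s own public key is compared, so a mis-issued certificate from any of the ~150 CAs fails the check unless it carries that exact key. Usage 2 keeps a CA in the loop but lets the zone owner name which one, which is the “named entity can specify who can vouch for it” property the CA model lacks.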

Page 9: DANE Potential Liabilities

•  DNS response modification
•  Transitive trust incurred via target zone secondaries and predecessor zone secondaries
•  Missing CA policy framework
•  Need for DNSSEC validation
•  Encoding DNSSEC data in certificates

Page 10: DANE Future

•  S/MIME
  •  DNS as distribution, DNSSEC as authentication

•  Trustworthiness checks
  •  As attempted by CAs

•  DANE provides motivation for DNSSEC deployment