NSEC5: Provably Preventing DNSSEC Zone Enumeration.
作者: Leonid Reyzin , Moni Naor , Sharon Goldberg , Dimitrios Papadopoulos , Asaf Ziv
DOI:
关键词: Computer science 、 Hash function 、 Vulnerability (computing) 、 Name server 、 Cryptography 、 Dictionary attack 、 Domain Name System 、 Computer security 、 DNS zone 、 Key (cryptography)
摘要: We use cryptographic techniques to study zone enumeration in DNSSEC. DNSSEC is designed prevent attackers from tampering with domain name system (DNS) messages. The machinery used DNSSEC, however, also creates a new vulnerability, enumeration, enabling an adversary small number of online queries combined offline dictionary attacks learn which names are present or absent DNS zone. prove that the current standard, NSEC and NSEC3 records, inherently suffers enumeration: specifically, we show security against (1) tamper messages (2) privacy cannot be satisfied simultaneously, unless nameserver performs public-key operations. then propose construction uses publickey cryptography solve problem enumeration. NSEC5 can thought as variant NSEC3, unkeyed hash function replaced deterministic RSA-based keyed hashing scheme. With NSEC5, remains protected network compromised nameservers even if secret NSEC5-hashing key compromised; leaking only harms effectively downgrading back standard (with NSEC3).
参考文章(39)
Roberto Tamassia, Nikolaos Triandopoulos, Certification and authentication of data structures AMW. ,(2007)
Moni Naor, Asaf Ziv, Primary-Secondary-Resolver Membership Proof Systems Theory of Cryptography. pp. 199- 228 ,(2015) , 10.1007/978-3-662-46497-7_8
Roy Arends, Scott Rose, Dan Massey, Matt Larson, Rob Austein, Resource Records for the DNS Security Extensions RFC. ,vol. 4034, pp. 1- 29 ,(2005)
Rafail Ostrovsky, Charles Rackoff, Adam Smith, Efficient Consistency Proofs for Generalized Queries on a Committed Database Automata, Languages and Programming. pp. 1041- 1053 ,(2004) , 10.1007/978-3-540-27836-8_87
Mihir Bellare, Phillip Rogaway, Optimal asymmetric encryption theory and application of cryptographic techniques. pp. 92- 111 ,(1994) , 10.1007/BFB0053428
Jesper Buus Nielsen, Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case international cryptology conference. pp. 111- 126 ,(2002) , 10.1007/3-540-45708-9_8
Amos Fiat, Adi Shamir, How to prove yourself: practical solutions to identification and signature problems international cryptology conference. ,vol. 263, pp. 186- 194 ,(1987) , 10.1007/3-540-47721-7_12
Rob Austein, Derek Atkins, Threat Analysis of the Domain Name System (DNS) RFC. ,vol. 3833, pp. 1- 16 ,(2004)
J. Staddon, B. Kaliski, PKCS #1: RSA Cryptography Specifications Version 2.0 RFC. ,vol. 2437, pp. 1- 39 ,(1998)
Roy Arends, Scott Rose, Dan Massey, Matt Larson, Rob Austein, Protocol Modifications for the DNS Security Extensions RFC. ,vol. 4035, pp. 1- 53 ,(2005)