DNSSEC & Email Validation Tiger Team
DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC)
Earl Crane, Department of Homeland Security, Office of the CIO
Scott Rose, National Institute of Standards and Technology
Technology Background
• DNSSEC overview
  • OMB M-08-23, "Securing the Federal Government's Domain Name System Infrastructure": all agencies must deploy DNSSEC by December 2009
  • Internet Systems Consortium: DNSSEC is the "only full solution" to DNS attacks; considered the more viable long-term solution
  • Cryptographic signatures over DNS data (not messages)
  • Assures integrity of results returned from DNS queries: users can validate source authenticity and data integrity
  • Checks the chain of signatures up to the root
  • Protects against tampering in caches and during transmission
• Email validation overview
  • Detects and blocks spoofed/forged mail
  • Sender Policy Framework (SPF) for domains that do not send email (they publish a policy that authorizes no sender)
    • "Path based": senders publish the acceptable message paths (sending IP addresses) for the domain
    • Near-zero deployment requirements for senders: DNS records only, no change to outbound servers
  • DomainKeys Identified Mail (DKIM) for domains authorized to send mail
    • "Signature based": senders insert a cryptographic digital signature in each message for the domain
    • Requires cryptographic operations by the sender's and the receiver's gateway infrastructure
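The "path based" check above is what a receiving gateway actually runs: it fetches the sender domain's SPF TXT record and tests the connecting IP against the paths listed there. The following is an added example, not code from the tiger team or the deck; it implements the RFC 7208 check_host evaluation for the ip4, ip6, include and all terms (enough for the deny-all record a non-sending domain publishes and for an allow-list record) over a constructed DNS table with documentation addresses, and leaves a/mx/ptr/exists and modifiers out. The domain names and records are made up for the example.

```python
"""SPF path check (RFC 7208 check_host, simplified) over a constructed DNS table.
Not the tiger team's code. Supports ip4, ip6, include and all, which is what the
common deny-all and allow-list records need; a/mx/ptr/exists/redirect are left out."""
import ipaddress

# Constructed TXT records standing in for live DNS (addresses are RFC 5737/3849 examples).
# A domain that sends no mail publishes "v=spf1 -all"; a sending domain lists its paths.
DNS_TXT = {
    "agency.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "parked.example": "v=spf1 -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, table):
    """Return the domain's SPF record, or None when it publishes none."""
    txt = table.get(domain.lower().rstrip("."))
    return txt if txt is not None and txt.split()[0].lower() == "v=spf1" else None

def check_host(ip, domain, table, depth=0):
    """Evaluate the SPF policy of `domain` for a connection from `ip`.
    Returns pass, fail, softfail, neutral, none or permerror as in RFC 7208 section 2.6."""
    if depth > 10:  # RFC 7208 section 4.6.4 limits DNS-querying terms; approximated by include depth
        return "permerror"
    record = lookup_spf(domain, table)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            inner = check_host(ip, arg, table, depth + 1)
            if inner in ("none", "permerror"):  # RFC 7208 section 5.2: missing record is a permerror
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # unsupported mechanism or modifier in this simplified checker
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # RFC 7208 section 4.7: no mechanism matched
```

The deny-all record for parked.example turns every connection claiming that domain into a "fail" with nothing more than a TXT record, which is the near-zero deployment cost the slide refers to; the include term shows how an agency delegates its allowed paths to a mail provider without changing any outbound server.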
The "Kaminsky Bug"
• Rapid, widespread and resilient
• Reduces the time required to poison a recursive name server's cache
• All known name server implementations are affected; some more than others (for some, the cache could be poisoned in under 10 seconds)
• Most implementations are now patched (source port randomization), which makes them as easy or as difficult to poison as any other implementation
• Even patched software remains vulnerable: a successful cache-poisoning attempt is still possible in under 10 hours
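Why patching only raises the cost rather than removing it follows from the arithmetic: an unpatched resolver accepts any reply whose 16-bit transaction ID matches, and Kaminsky's trick of querying a fresh random name each time means the attacker never waits for a TTL to expire, so the attempts can be repeated as fast as queries can be triggered. The following added model (not from the deck) puts numbers on that; the spoofs-per-query figure, the query rate and the "about 16 extra bits" for a randomized source port are assumptions chosen for illustration, and the seeded simulation is constructed.

```python
"""Effort model for cache poisoning by transaction-ID guessing (constructed example).
Kaminsky's technique: the attacker triggers a query for a fresh random name (no TTL to
wait out) and races the real answer with forged replies, each carrying a distinct guess
at the identity the resolver will accept. The entropy figures and rates are assumptions."""
import random

def success_probability(entropy_bits, spoofs_per_query):
    """Chance that one forged burst hits the resolver's choice among 2**entropy_bits."""
    space = 2 ** entropy_bits
    return min(spoofs_per_query, space) / space

def expected_queries(entropy_bits, spoofs_per_query):
    """Mean number of attacker-triggered queries before a forgery is accepted."""
    return 1 / success_probability(entropy_bits, spoofs_per_query)

def expected_seconds(entropy_bits, spoofs_per_query, queries_per_second):
    return expected_queries(entropy_bits, spoofs_per_query) / queries_per_second

def simulate(entropy_bits, spoofs_per_query, seed=1, max_queries=10**6):
    """Seeded Monte Carlo run; returns the query on which the first forgery is accepted."""
    rng = random.Random(seed)
    space = 2 ** entropy_bits
    k = min(spoofs_per_query, space)
    for query in range(1, max_queries + 1):
        real_id = rng.randrange(space)                    # the resolver's (TXID [, port]) choice
        if real_id in set(rng.sample(range(space), k)):   # the attacker's distinct guesses
            return query
    return None

def compare(spoofs_per_query=64, queries_per_second=100):
    """Unpatched (16-bit TXID only) versus patched (TXID plus ~16 bits of source port)."""
    return {bits: expected_seconds(bits, spoofs_per_query, queries_per_second)
            for bits in (16, 32)}
```

With the assumed rates the unpatched resolver falls in seconds and the patched one in days, which is the "harder, not impossible" situation the slide describes; only a signature over the data itself, not a harder-to-guess message identity, takes guessing off the table, which is the case for DNSSEC made on the next slides.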
What DNSSEC Provides
• Cryptographic signatures over DNS data (not messages)
• Assures integrity of results returned from DNS queries: users can validate source authenticity and data integrity
• Checks the chain of signatures up to the root
• The chain is completely contained within DNS (no PKI or X.509 certificates needed)
• Protects against tampering in caches and during transmission
• Not provided: message encryption (confidentiality) and protection against denial-of-service attacks
DNSSEC Chain of Trust
[Figure: zone tree "." (DNS root) → se., gov. → nist.gov., opm.gov. Each zone holds a KSK and a ZSK: the KSK signs the zone's key set, the ZSK signs the zone's data, and each parent zone vouches for its child's KSK (via a DS record). Trust anchors are installed on client resolvers.]
• KSKs often serve as the "anchor" of the authentication chain
• The higher up in the tree the trust anchor is, the more useful it is
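The two slides above ("What DNSSEC Provides" and the chain-of-trust figure) describe a validator walking from a trust anchor down to the answer: at every zone a KSK must hash to the DS the parent published, that KSK must have signed the zone's DNSKEY set, and the zone's data must be signed by one of those now-trusted keys. The following added example (not the deck's or NIST's code) runs that walk end to end for a constructed ".", "gov.", "nist.gov." hierarchy. The key-tag computation (RFC 4034 Appendix B), the DS digest (RFC 4509, SHA-256 over owner name plus DNSKEY RDATA) and the DNSKEY wire format are real; the signature primitive is RSASSA-PKCS1-v1_5 with SHA-256 (DNSSEC algorithm 8) but on undersized toy keys built from Mersenne primes, and the bytes that get signed are a simplified stand-in for the full RRSIG layout. Zone names other than the real labels, all keys, the DS values and the A record (an RFC 5737 documentation address) are constructed here; the chain is entirely inside DNS, with no X.509 certificate anywhere, which is the point of the slide.

```python
"""Toy DNSSEC chain-of-trust walk: root trust anchor -> gov. -> nist.gov. -> data.
Key tag (RFC 4034 App. B), DS digest (RFC 4509) and the DNSKEY wire format are real;
signatures are RSASSA-PKCS1-v1_5/SHA-256 (DNSSEC algorithm 8) on undersized toy keys
built from Mersenne primes, over a simplified RRSIG layout. Everything is constructed."""
import hashlib

E = 65537
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def toy_rsa_key(p, q):  # toy key from two primes; never use keys like this for real
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _pkcs1_em(n, data):  # EMSA-PKCS1-v1_5 encoding of SHA-256(data), sized to the modulus
    k = (n.bit_length() + 7) // 8
    t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return k, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, data):
    k, em = _pkcs1_em(key["n"], data)
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(n, sig, data):
    k, em = _pkcs1_em(n, data)
    return len(sig) == k and pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big") == em

def dnskey_rdata(flags, n):  # flags | protocol 3 | algorithm 8 | RFC 3110 key (explen, e, modulus)
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return flags.to_bytes(2, "big") + b"\x03\x08" + b"\x03\x01\x00\x01" + mod

def modulus_of(rdata):  # skip flags, protocol, algorithm and the 1+3 exponent bytes
    return int.from_bytes(rdata[8:], "big")

def key_tag(rdata):  # RFC 4034 Appendix B
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name):
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, ksk_rdata):  # RFC 4509 digest type 2
    return hashlib.sha256(wire_name(owner) + ksk_rdata).digest()

def rrset_bytes(owner, rtype, rdatas):  # canonical RDATA order, RRSIG fields omitted
    return wire_name(owner) + rtype.encode() + b"".join(sorted(rdatas))

def sign_rrset(key, owner, rtype, rdatas):
    return key_tag(key["rdata"]), rsa_sign(key, rrset_bytes(owner, rtype, rdatas))

def make_zone(name, ksk_primes, zsk_primes, rrsets):
    """rrsets: {(owner, type): [rdata, ...]}, including DS records for delegated children."""
    ksk, zsk = toy_rsa_key(*ksk_primes), toy_rsa_key(*zsk_primes)
    ksk["rdata"], zsk["rdata"] = dnskey_rdata(257, ksk["n"]), dnskey_rdata(256, zsk["n"])
    dnskeys = [ksk["rdata"], zsk["rdata"]]
    zone = {"name": name, "rrsets": {(name, "DNSKEY"): dnskeys}, "rrsigs": {}}
    zone["rrsigs"][(name, "DNSKEY")] = sign_rrset(ksk, name, "DNSKEY", dnskeys)  # KSK signs keys
    for (owner, rtype), rdatas in rrsets.items():                               # ZSK signs data
        zone["rrsets"][(owner, rtype)] = rdatas
        zone["rrsigs"][(owner, rtype)] = sign_rrset(zsk, owner, rtype, rdatas)
    return zone, ksk["rdata"]

def verify_rrset(zone, owner, rtype, trusted_keys):
    """True iff the RRset's RRSIG verifies under a trusted key with the RRSIG's key tag."""
    if (owner, rtype) not in zone["rrsigs"]:
        return False
    tag, sig = zone["rrsigs"][(owner, rtype)]
    data = rrset_bytes(owner, rtype, zone["rrsets"][(owner, rtype)])
    return any(rsa_verify(modulus_of(k), sig, data) for k in trusted_keys if key_tag(k) == tag)

def validate(zones, anchor_ds, owner, rtype):
    """zones: root first, each the parent of the next. Returns the validated RRset or None."""
    expected_ds = {anchor_ds}
    for i, zone in enumerate(zones):
        name = zone["name"]
        dnskeys = zone["rrsets"][(name, "DNSKEY")]
        # 1. A KSK in this zone must hash to the DS the parent (or the trust anchor) vouches for,
        # 2. and that KSK must have signed the DNSKEY RRset; only then is every key in it trusted.
        ksks = [rd for rd in dnskeys if ds_digest(name, rd) in expected_ds]
        if not ksks or not verify_rrset(zone, name, "DNSKEY", ksks):
            return None
        if i + 1 == len(zones):  # 4. data in the target zone, signed by one of its trusted keys
            return zone["rrsets"][(owner, rtype)] if verify_rrset(zone, owner, rtype, dnskeys) else None
        child = zones[i + 1]["name"]  # 3. the parent's signed DS RRset links to the child's KSK
        if not verify_rrset(zone, child, "DS", dnskeys):
            return None
        expected_ds = set(zone["rrsets"][(child, "DS")])

def build_example():
    """Constructed three-zone hierarchy; the A record is an RFC 5737 documentation address."""
    nist, nist_ksk = make_zone("nist.gov.", (2**31 - 1, 2**2281 - 1), (2**19 - 1, 2**3217 - 1),
                               {("www.nist.gov.", "A"): [bytes([192, 0, 2, 10])]})
    gov, gov_ksk = make_zone("gov.", (2**89 - 1, 2**1279 - 1), (2**61 - 1, 2**2203 - 1),
                             {("nist.gov.", "DS"): [ds_digest("nist.gov.", nist_ksk)]})
    root, root_ksk = make_zone(".", (2**127 - 1, 2**521 - 1), (2**107 - 1, 2**607 - 1),
                               {("gov.", "DS"): [ds_digest("gov.", gov_ksk)]})
    return [root, gov, nist], ds_digest(".", root_ksk)  # the root DS is the resolver's anchor
```

Tampering with the A record, replacing the DS in gov. for nist.gov., or configuring the wrong trust anchor each makes validate() return None, which is the "protects against tampering in caches and during transmission" property: a poisoned answer is not rejected because it arrived on the wrong port or with the wrong transaction ID, but because no trusted key signed it. The DS record is also why the slide says the higher the anchor the better: a resolver anchored at "." can validate every signed delegation beneath it, whereas one anchored at nist.gov. covers only that subtree.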
FNS Tiger Team: DNSSEC and E-Mail Validation
Network and Infrastructure Security Subcommittee, ISIMC, Federal CIO Council
• FY11 FISMA metrics for DNSSEC and email validation:
  • Network security protocols (DNSSEC):
    • % of external-facing second-level DNS names signed
    • % of external-facing DNS hierarchies with all sub-domains (second-level and below) signed
  • Boundary protection (email validation):
    • % of agency email systems that implement sender verification (anti-spoofing) technologies such as S/MIME, DKIM and SPF when sending messages from/to government agencies or the public