IETF Logo Mail Archive

Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)

Rene Bartsch <ietf@bartschnet.de> Thu, 31 July 2014 10:37 UTC

Return-Path: <ietf@bartschnet.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D69971A01C6 for <dane@ietfa.amsl.com>; Thu, 31 Jul 2014 03:37:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VzcntCF7kMJe for <dane@ietfa.amsl.com>; Thu, 31 Jul 2014 03:37:04 -0700 (PDT)
Received: from triangulum.uberspace.de (triangulum.uberspace.de [95.143.172.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56D6B1A0AAE for <dane@ietf.org>; Thu, 31 Jul 2014 03:37:02 -0700 (PDT)
Received: (qmail 23195 invoked from network); 31 Jul 2014 10:37:00 -0000
Received: from localhost (HELO www.bartschnet.de) (127.0.0.1) by triangulum.uberspace.de with SMTP; 31 Jul 2014 10:37:00 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Thu, 31 Jul 2014 12:36:59 +0200
From: Rene Bartsch <ietf@bartschnet.de>
To: dane@ietf.org
In-Reply-To: <20140730132106.432C11B1536F@rock.dv.isc.org>
References: <1d002b9795bf8f9946f1375fef78abd6@triangulum.uberspace.de> <alpine.LFD.2.10.1407280941250.30319@bofh.nohats.ca> <e2a23385d5698a1022b201915817ed40@triangulum.uberspace.de> <1B773935-7CE3-4507-A196-EAC4D7B21C5F@ogud.com> <0af38c6c3987f9537d16a7c20f517665@triangulum.uberspace.de> <CFFE5FC9.4D653%gwiley@verisign.com> <20140730132106.432C11B1536F@rock.dv.isc.org>
Message-ID: <9442c2a6edad0cdc971e78aaa4b50b70@triangulum.uberspace.de>
X-Sender: ietf@bartschnet.de
User-Agent: Roundcube Webmail/1.0.1
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/oZDFsJBCDJNLnzE4K7npKCzYmGI
Subject: Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 10:37:09 -0000

Am 2014-07-30 15:21, schrieb Mark Andrews:
> In message <CFFE5FC9.4D653%gwiley@verisign.com>, "Wiley, Glen" writes:
>> Renne,
>> 
>> While it is technically true that the holder of the trust anchor could
>> alter key material it would be impossible to accomplish unnoticed.  In
>> order for a trust anchor to change your zone (say by changing an A 
>> record)
>> they would have to create a new private key (and corresponding public 
>> key)
>> then sign the altered RR set.
>> 
>> Your DNS key signing and zone signing keys should be protected with as
>> much diligence as your private signing and encryption keys.
>> 
>> It is as though a locksmith would have to change the locks on a house 
>> in
>> order to open the door.  Sure they can do it but the homeowner will 
>> notice
>> immediately when their keys no longer work.  My analogy breaks down if 
>> you
>> take it too far, but I hope it conveys the point.
>> 
>> I am far more worried about vectors that can be leveraged passively 
>> and
>> unobtrusively.
>> 
>> I agree that we should be open about DNSSEC/DANE however the holder of 
>> the
>> trust anchor can not manipulate the DNS without being detected.
> 
> If one can intecept the packets one could fake up a world view.
> This would be detectable if you have trust anchors for the parts
> of the world being faked.
> 
> If one can't intercept the packets it will be almost certainly be
> detected.
> 
> Maintaining a set trust anchors for all the TLD's would defeat most
> of the threat.  A state agency would have to compromise multiple
> tlds to pull this off not just the root.

I have the following attack in mind:

An attacker (Mallory) with access to the trust anchor keys runs a 
man-in-the-middle attack on sender and recipient. He forges the 
OPENPGPKEY RRs, the ZSK-RRs and KSK-RRs of the sender and recipient 
domains and the TLDs but uses the current origin keys of the trust 
anchor to sign the forged DNSSEC RRs.

Alice gets the OPENPGPKEY 1 of Mallory as Bob's and Bob gets the 
OPENPGPKEY 2 of Mallory as Alice's via DANE.

Alice -> OPENPGPKEY 1 of Mallory -> Mallory -> OPENPGPKEY of Bob   -> 
Bob
Bob   -> OPENPGPKEY 2 of Mallory -> Mallory -> OPENPGPKEY of Alice -> 
Alice

Unless Alice and Bob do not accidentially compare their public OpenPGP 
keys manually they won't realize the attack.

It seems DNSSEC/DANE helps against most hackers and attackers but cannot 
protect from attackers which have access to both the trust anchor keys 
and routing infrastructure.

Do the DNSSEC RFCs allow to distribute public KSKs of TLDs with resolver 
software?

Renne


-- 
Best regards,

Rene Bartsch, B. Sc. Informatics

v2.23.0 | Report a Bug | By Email