IETF Logo Mail Archive

Re: [DNSOP] key lengths for DNSSEC

Joe Abley <jabley@hopcount.ca> Wed, 02 April 2014 14:49 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E3BA1A0244 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 07:49:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id weulSmyNNiGX for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 07:49:37 -0700 (PDT)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 9F32B1A022C for <dnsop@ietf.org>; Wed, 2 Apr 2014 07:49:37 -0700 (PDT)
Received: by mail-ig0-f173.google.com with SMTP id hl10so2807783igb.6 for <dnsop@ietf.org>; Wed, 02 Apr 2014 07:49:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=A9J0qLgS9NT9pvull02XDn4kWHAMBnNhyKh14gmoPvE=; b=jI9vTNW1uCQ3yUHdksopYOChn1rCe2YGXe8YvcJ0/oSW7qwuWqImj9AiWzkDKrz/vJ eUupXf//lSsqlMje6bvdQndkDa6jR/El8PLugniG21QO/ZOoSeY47iB4fVYm1JGhXKQE Wc+12vnVpsUqZY0GyGHmANiHCzeGcqD+kv+Wc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=A9J0qLgS9NT9pvull02XDn4kWHAMBnNhyKh14gmoPvE=; b=k2cs4/de1ZR+4uJP7eiRlsxZIGNEuHm0wRdMARFipNWOj0BsrI8B69oDcgbZMlW1dQ 5ezesaOmaTEYrugh75oaYb40k1INKeV7NaR4mu78a245qT9ko2ZbvZYpL4ZkhCVmeaEn IszxrogSgOnnrPWxgglC2W3/FVzp3FFGNeokiLNBwBB97CV9KJyOnjwRWUSD8HXVeUOg 2mD9pEzIK433/T1ZlkHRfmxu+RDEzL/4Qh2sloZmUxYsOl/zPZZLPLVYFZx6eAL6Vr7f HaBvkHNsmM3MdNtnVojiHHZifsnd+GqT+rr5F1fM9JDQTrMGETLdrxNvtfyCeECOTlj/ 3i5w==
X-Gm-Message-State: ALoCoQkbcyf/0l209S6vo+XYXNlB2T0AVUAJV2XrG9X+dQTuYoEg+OfpdYOhL4OKvoDr6b3MgoaF
X-Received: by 10.42.97.193 with SMTP id p1mr1043380icn.32.1396450173565; Wed, 02 Apr 2014 07:49:33 -0700 (PDT)
Received: from dh28.r1.hopcount.ca (24-52-234-221.cable.teksavvy.com. [24.52.234.221]) by mx.google.com with ESMTPSA id y9sm39679894igl.7.2014.04.02.07.49.32 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 02 Apr 2014 07:49:32 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <16A7DDD8-AB8E-458F-B031-80E5141CAE5A@nominum.com>
Date: Wed, 02 Apr 2014 10:49:30 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <195BD466-22EF-4EE6-9E43-D1051502AF36@hopcount.ca>
References: <78F386B0-BC6B-4159-B9D4-4BFEB10252A6@rfc1035.com> <16A7DDD8-AB8E-458F-B031-80E5141CAE5A@nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/CesY1NqItR_Q30UbvTV-JkLcvFc
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] key lengths for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 14:49:42 -0000

On 2 Apr 2014, at 10:26, Ted Lemon <Ted.Lemon@nominum.com> wrote:

> The problem with the way you've phrased this question is that there does not seem to be agreement amongst the parties to this discussion whether old keys matter.   If you think they do, you need longer keys.   If you think they don't, you need shorter keys.   So rather than talking about key lengths first, it would be more productive to come to a consensus about which threat model we are trying to address.

I'm trying to understand the time-based attack, but I'm not seeing it.

The gist seems to be that if I can turn back the clock on a remote resolver, I can pollute its cache with old signatures (made with an old, presumably compromised key) and the results will appear to clients of the resolver to validate.

This sounds plausible, but without administrative compromise of the remote resolver (in which case you have much simpler options) this attack seems to involve:

1. subverting sufficient NTP responses over a long enough period to cause the remote resolver's clock to turn back in time (long period suggested due to many/most? implementations' refuse large steps in times, and hence many smaller steps might be required)

2. replacing every secure response that would normally arrive at the resolver with a new one that will validate properly at whatever the resolver's idea of the time and date is (or, if not every, sufficient that the client population don't see validation failures for non-target queries). This potentially involves having factored or otherwise recovered every ZSK and KSK that might be used to generate a signature in a response to the resolver, for the time period between now and then.

This seems like an intractably difficult thing to accomplish.

What am I missing?


Joe

v2.23.0 | Report a Bug | By Email