Re: DNSSEC to be strangled at birth.
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of course, false, and presumably is _exactly_ why DHS wants the root signing key: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. Plus, now that applications are keeping public keys for services in the DNS, one can, in fact, forge those entries and thus conduct man in the middle surveillance on anyone dumb enough to use DNS alone as a trust conveyor for those protocols (e.g. SSH and quite possibly soon HTTPS). I know you understand this stuff well enough to know these risks exist. I'm curious why you'd minimize them. Thor - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of course, false, This is, of course false. In order to control the contents of the second level of the DNS, they have to either change the control of the first level (it's kinda obvious when they take .net away from VeriSign) or they have to sign across the hierarchy (it's kinda obvious when furble.net is signed by someone other than .net). and presumably is _exactly_ why DHS wants the root signing key: Um, since when are you (or I) so good at figuring out what DHS wants? For that matter, assuming that a massive bureaucracy like DHS has one thing that it wants also seems silly. For all we know, this could be one clue-deprived dork who can write press releases after not really listening to the one technical person whom he asked. Or it could be a conspiracy to take over the Department of Commerce. Or ... because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. If the owner of any key signs below their level, it is immediately visible to anyone doing active checking. The root signing furble.net instead of .net signing furble.net is a complete giveaway to a violation of the hierarchy and an invitation for everyone to call bullshit on the signer. Doing so would completely negate the value of owning the root-signing key. Plus, now that applications are keeping public keys for services in the DNS, one can, in fact, forge those entries and thus conduct man in the middle surveillance on anyone dumb enough to use DNS alone as a trust conveyor for those protocols (e.g. SSH and quite possibly soon HTTPS). ...again assuming that the users of those keys don't bother to look who signed them. Given that this thread is about an entity whom almost no one trusts being the key holder, that scenario seems unlikely. I know you understand this stuff well enough to know these risks exist. I'm curious why you'd minimize them. Because I believe that ISPs, not just security geeks, will be vigilant in watching whether there is any layer-hopping signing and will scream loudly when they see it. AOL and MSN have much more to lose if DHS decides to screw with the DNS than anyone on this list does. Having said that, it is likely that we will be the ones to shoot the signal flares if DHS (or ICANN, for that matter) misuses the root signing key. But it won't be us that causes DHS to stand down or, more likely, get thrown off the root: it's the companies who have billions of dollars to lose if the DNS becomes untrusted. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. If the owner of any key signs below their level, it is immediately visible to anyone doing active checking. The root signing furble.net instead of .net signing furble.net is a complete giveaway to a violation of the hierarchy and an invitation for everyone to call bullshit on the signer. Doing so would completely negate the value of owning the root-signing key. You're missing the point. The root just signs itself a new .net key, and then uses that to sign a new furble.net key, and so forth. No unusual key use is required. It's a hierarchy of trust: if you have the top, you have it all, and you can forge anything you like, including the keys used to sign the application key records used to encrypt user data, where they are present in the system. Thor - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: because, with it, one can sign the appropriate chain of keys to forge records for any zone one likes. If the owner of any key signs below their level, it is immediately visible to anyone doing active checking. The root signing furble.net instead of .net signing furble.net is a complete giveaway to a violation of the hierarchy and an invitation for everyone to call bullshit on the signer. Doing so would completely negate the value of owning the root-signing key. You're missing the point. The root just signs itself a new .net key, and then uses that to sign a new furble.net key, and so forth. No unusual key use is required. And you seem to be missing my point. If the root signs itself a new .net key, it will be completely visible to the entire community using DNSSEC. The benefit of doing so in order to forge the key for furble.net (or microsoft.com) will be short-lived, as will the benefit of owning the root key. It's a hierarchy of trust: if you have the top, you have it all, and you can forge anything you like, including the keys used to sign the application key records used to encrypt user data, where they are present in the system. The only reason for concern is if the top of the hierarchy can forge without people noticing, or if people notice that they won't care. I claim that that isn't possible, particularly if the root owner is someone as unloved as USDHS. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
On Thu, Apr 05, 2007 at 05:30:53PM -0700, Paul Hoffman wrote: At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote: You're missing the point. The root just signs itself a new .net key, and then uses that to sign a new furble.net key, and so forth. No unusual key use is required. And you seem to be missing my point. If the root signs itself a new .net key, it will be completely visible to the entire community using DNSSEC. The benefit of doing so in order to forge the key for furble.net (or microsoft.com) will be short-lived, as will the benefit of owning the root key. You assume the new .net key (and what's signed with it) would be supplied to all users of the DNS, rather than used for a targeted attack on one user (or a small number of users). Why assume the potential adversary will restrict himself to the dumbest possible way to use the new tools you're about to hand him? Do you really think that the administrator of the _average_ DNS client would notice that a new key for .net showed up? It's trivial to inject forged UDP packets, after all, so it is hardly the case that one has to give the new forged key chain to every DNS server along the way in order to run a nasty MITM attack on a client. Thor - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of course, false, This is, of course false. In order to control the contents of the second level of the DNS, they have to either change the control of the first level (it's kinda obvious when they take .net away from VeriSign) or they have to sign across the hierarchy (it's kinda obvious when furble.net is signed by someone other than .net). You're arguement is that DHS couldn't do this covertly, but that's only part of the picture. I can imagine scenarios where they do things *overtly*. [...] Because I believe that ISPs, not just security geeks, will be vigilant in watching whether there is any layer-hopping signing and will scream loudly when they see it. AOL and MSN have much more to lose if DHS decides to screw with the DNS than anyone on this list does. Having said that, it is likely that we will be the ones to shoot the signal flares if DHS (or ICANN, for that matter) misuses the root signing key. But it won't be us that causes DHS to stand down or, more likely, get thrown off the root: it's the companies who have billions of dollars to lose if the DNS becomes untrusted. 1) It's untrusted now. 2) The argument could be that they are doing it to make it more trusted. I agree: highly unlikely. But not impossible. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote: At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote: On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote: Control: The root signing key only controls the contents of the root, not any level below the root. That is, of course, false, This is, of course false. In order to control the contents of the second level of the DNS, they have to either change the control of the first level (it's kinda obvious when they take .net away from VeriSign) or they have to sign across the hierarchy (it's kinda obvious when furble.net is signed by someone other than .net). Think of the DNSSEC root as the root CA of a universal PKI (finally). The root CA of any PKI can act as an MITM between any pair of peers in that PKI, no matter how many intervening CAs there may be between the root and each peer. The problem with wanting the DNSSEC root keys for facilitating MITM attacks is that people are likely to notice, and secrecy is typically something that an MITM attacker wants. To avoid detection the MITM would have to get between the target client and all of DNS; and that's difficult because typically clients get DNS cache service from their immediate network service provider -- which cache the MITM does not want to pollute, so as to avoid discovery... Which means that the MITM would need the cooperation of the client's provider in many/most cases (a political problem) in order to be able to quickly get in the middle so close to a leaf node (a technical problem). Then there's the need to scale this -- if you can only use this MITM capability occasionally, what's the point? And what targets would DHS have that it could subvert in this way but not in other, simpler ways? Criminals? Not likely (besides, isn't that DoJ's job?). Spies? Less likely. Clients abroad? Less likely still. Dumb spies/criminals? Well, there'd be other ways to attack those. IMO, DHS gets too little real value from having the DNSSEC root keys in terms of MITM attack capability. And it will not get much value in terms of DoS attacks on, say, ccTLDs -- alternate roots would spring up and if the DoS were widely seen as unjustified most of the world outside the U.S. would end up using the alternate root. A DoS on a ccTLD would be a one-time deal, politically. The DHS would get real value in terms of veto power over new TLDs, IFF it is the only one to possess the root private key. But that's not what the story said, IIRC. The real problem with DHS having these keys in _addition_ to ICANN is that the more fingers in the pie the more likely it is that the key will be breached, leading to key rollover. I must admit that I am mystified as to why DHS would want these keys. Count me as among those who think the story is in error, or that DHS has received bad advice. I am NOT among those who are prepared to believe the worst of DHS; I expect that those of you more paranoid than I will discount my analysis of the MITM attack potential. Or perhaps I discount the difficulty of pulling off these MITM attacks too much (perhaps noone would notice cache pollution?). Tell me. Nico -- - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
[[ Agree with Nico's MITM arguments; different point below ]] At 10:49 AM -0500 4/6/07, Nicolas Williams wrote: The DHS would get real value in terms of veto power over new TLDs, IFF it is the only one to possess the root private key. But that's not what the story said, IIRC. Whoever owns the root key would only get to veto the inclusion of new or current TLDs in the DNSSEC-protected namespace, not in the root itself. No one expects that ICANN will be signing the zone keys for most of the TLDs for many, many years, if for no other reason than those TLDs don't even want to be responsible for protecting their zone key. The real problem with DHS having these keys in _addition_ to ICANN is that the more fingers in the pie the more likely it is that the key will be breached, leading to key rollover. Fully agree. It also means that, if there is a breach, the first few days / months will be spent finger-pointing instead of fixing. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: hoofbeats of zebras, was DNSSEC to be strangled at birth.
You assume the new .net key (and what's signed with it) would be supplied to all users of the DNS, rather than used for a targeted attack on one user (or a small number of users). Why assume the potential adversary will restrict himself to the dumbest possible way to use the new tools you're about to hand him? I dunno about you, but if some part of the Federal government wanted to mess with a particular target, it's much more likely they would arrange for some large NSPs do some adjusted BGP. Or even more likely some guys in suits would show up at Verisign and say, We're from [redacted] and we would appreciate it if you arranged for requests for [redacted].net from network [redacted]/15 to resolve to [redacted] for the next couple of weeks. Personally, I like Paul's theory about the DHS dork with a press release. He doesn't understand zones or delegation or the root servers or routing or anything else, but the signing key will let them Take Control of this Vital Resource in case of National Emergency. You know, like they did in New Orleans. Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies, Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor More Wiener schnitzel, please, said Tom, revealingly. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: hoofbeats of zebras, was DNSSEC to be strangled at birth.
On Fri, Apr 06, 2007 at 05:13:00PM -, John Levine wrote: You assume the new .net key (and what's signed with it) would be supplied to all users of the DNS, rather than used for a targeted attack on one user (or a small number of users). Why assume the potential adversary will restrict himself to the dumbest possible way to use the new tools you're about to hand him? I dunno about you, but if some part of the Federal government wanted to mess with a particular target, it's much more likely they would arrange for some large NSPs do some adjusted BGP. Or even more likely some guys in suits would show up at Verisign and say, We're from [redacted] and we would appreciate it if you arranged for requests for [redacted].net from network [redacted]/15 to resolve to [redacted] for the next couple of weeks. Personally, I like Paul's theory about the DHS dork with a press release. He doesn't understand zones or delegation or the root servers or routing or anything else, but the signing key will let them Take Control of this Vital Resource in case of National Emergency. You know, like they did in New Orleans. Exactly, no need to assume a deep conspiracy when mere incompetence explains this quite well. I expect that this story will be long forgotten by the time the root zone is signed, and that the keys will not be given over to DHS or any other agency that is not ICANN/IANA or whoever is actually responsible for the root zone at that point in time. Note also that a small, but non-negligible number of sites obtain the root zone via FTP, and run nameservers authoritative for .. The zone is small enough to make this a good idea, may even a poorly publicized best-practice. Name server operators who serve their own root zone should notice any changes. The attack is most practical against SOHO DHCP users known to get all their DNS from upstream providers. I don't believe this is useful enough to warrant the bad press. Time will tell of course, but my instinct is that this is story is only interesting to the extent that it makes the feared scenario less likely, so though I don't find it a credible threat, the publicity may help to avert any silliness from coming to pass. -- /\ ASCII RIBBON NOTICE: If received in error, \ / CAMPAIGN Victor Duchovni please destroy and notify X AGAINST IT Security, sender. Sender does not waive / \ HTML MAILMorgan Stanley confidentiality or privilege, and use is prohibited. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DNSSEC to be strangled at birth.
Nicolas Williams wrote: Which means that the MITM would need the cooperation of the client's provider in many/most cases (a political problem) in order to be able to quickly get in the middle so close to a leaf node (a technical problem). Not a very large political problem. Most ISPs not only roll over for the DOJ, the FBI, and the DHS, they also roll over for the russian mafias. With the root key and the cooperation of nodes close to the client, you can intercept SSH and SSL communications that rely on DNSSEC. Without the root key, you cannot. This is huge. This, of course, means the sensible man configures SSH not to rely on DNSSEC by default, which substantially reduces the benefit of SSH. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]