Domain Validation++ For MitM-Resilient PKI

The security of Internet-based applications fundamentally relies on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a weak off-path attacker can effectively subvert the trustworthiness of popular commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificates market. The attack utilises DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own, namely certificates binding the attacker's public key to a victim domain. We discuss short- and long-term defences, but argue that they fall short of securing DV. To mitigate the threats we propose Domain Validation++ (DV++). DV++ replaces the need for cryptography with assumptions from distributed systems. While retaining the benefits of DV (automation, efficiency and low costs), DV++ is secure even against Man-in-the-Middle (MitM) attackers. Deployment of DV++ is simple and does not require changing the existing infrastructure or systems of the CAs. We demonstrate the security of DV++ under realistic assumptions and provide open source access to the DV++ implementation.
