Public Data : a New Substrate for Key Verification in DNSSEC

Motivated at least partly by operational problems associated with deploying global-scale PKIs, a growing number of alternative approaches propose to verify cryptographic keys by cross checking their consistency from topologically distinct locations and over time. These systems are experiencing growing operational use, but there has been no rigorous analysis to show the advantages and limitations. This paper provides a formal model of a consistency checking key learning and verification approach based on the concept of Public Data. Public Data offers a probabilistic description of users’ risks based on the structure of their own deployments. A user of this framework can provision her own Community of Trust in such a way that she can reduce and accurately estimate the probability of being spoofed by an adversary. The results are applied specifically to the DNS Security (DNSSEC) problem and show that after reasonable provisioning, a user can force an adversary to pay an unrealistic cost to launch a successful attack.

[1]  Jia Wang,et al.  Towards an accurate AS-level traceroute tool , 2003, SIGCOMM '03.

[2]  Scott Rose,et al.  DNS Security Introduction and Requirements , 2005, RFC.

[3]  Ronald L. Rivest,et al.  SDSI - A Simple Distributed Security Infrastructure , 1996 .

[4]  Daniel Massey,et al.  Quantifying the operational status of the DNSSEC deployment , 2008, IMC '08.

[5]  Scott Rose,et al.  Resource Records for the DNS Security Extensions , 2005, RFC.

[6]  Steven M. Bellovin,et al.  Using the Domain Name System for System Break-ins , 1995, USENIX Security Symposium.

[7]  Derek Atkins,et al.  Threat Analysis of the Domain Name System (DNS) , 2004, RFC.

[8]  Rob Thomas,et al.  The underground economy: priceless , 2006 .

[9]  Yin Zhang,et al.  On AS-level path inference , 2005, SIGMETRICS '05.

[10]  Daniel Massey,et al.  Deploying and Monitoring DNS Security (DNSSEC) , 2009, 2009 Annual Computer Security Applications Conference.

[11]  Lixia Zhang,et al.  Interadministrative Challenges in Managing DNSKEYs , 2009, IEEE Security & Privacy.

[12]  Kimberly C. Claffy,et al.  Toward Topology Dualism: Improving the Accuracy of AS Annotations for Routers , 2010, PAM.

[13]  Scott Rose,et al.  Protocol Modifications for the DNS Security Extensions , 2005, RFC.

[14]  Lixia Zhang,et al.  Observations from the DNSSEC Deployment , 2007, 2007 3rd IEEE Workshop on Secure Network Protocols.

[15]  Daniel Massey,et al.  Managing Trusted Keys in Internet-Scale Systems , 2009, 2009 Ninth Annual International Symposium on Applications and the Internet.

[16]  Ratul Mahajan,et al.  Inferring link weights using end-to-end measurements , 2002, IMW '02.

[17]  Adrian Perrig,et al.  Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing , 2008, USENIX Annual Technical Conference.

[18]  Renata Teixeira,et al.  General Terms Measurement , 2022 .