NDLI: NSEC5: Provably Preventing DNSSEC Zone Enumeration

Please wait, while we are loading the content...

NSEC5: Provably Preventing DNSSEC Zone Enumeration

Content Provider	CiteSeerX
Abstract	Abstract—We use cryptographic techniques to study zone enu-meration in DNSSEC. DNSSEC is designed to prevent attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability, zone enumeration, enabling an adversary to use a small number of online DNSSEC queries combined with offline dictionary attacks to learn which domain names are present or absent in a DNS zone. We prove that the current DNSSEC standard, with NSEC and NSEC3 records, inherently suffers from zone enumeration: specifically, we show that security against (1) attackers that tamper with DNS messages and (2) privacy against zone enu-meration cannot be satisfied simultaneously, unless the DNSSEC nameserver performs online public-key cryptographic operations. We then propose a new construction that uses online public-key cryptography to solve the problem of DNSSEC zone enu-meration. NSEC5 can be thought of as a variant of NSEC3, in which the unkeyed hash function is replaced with a deterministic RSA-based keyed hashing scheme. With NSEC5, a zone remains protected against network attackers and compromised name-servers even if the secret NSEC5-hashing key is compromised; leaking the NSEC5-hashing key only harms privacy against zone enumeration, effectively downgrading the security of NSEC5 back to that of the current DNSSEC standard (with NSEC3). I.
File Format	PDF
Access Restriction	Open
Subject Keyword	Dnssec Zone Enumeration Current Dnssec Standard Secret Nsec5-hashing Key Cryptographic Technique Online Public-key Cryptography Online Dnssec Query Dns Message Network Attacker Dnssec Nameserver Performs Nsec5-hashing Key Enu-meration Cannot Nsec3 Record New Vulnerability Zone Enumeration Public-key Cryptographic Operation Small Number New Construction Offline Dictionary Attack Dns Zone Domain Name System Unkeyed Hash Function Cryptographic Machinery Domain Name
Content Type	Text

Central Library (ISO-9001:2015 Certified)
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, India | PIN - 721302

See location in the Map
03222 282435
Mail: support@ndl.gov.in

Sl.	Authority	Responsibilities	Communication Details
1	Ministry of Education (GoI), Department of Higher Education	Sanctioning Authority	https://www.education.gov.in/ict-initiatives
2	Indian Institute of Technology Kharagpur	Host Institute of the Project: The host institute of the project is responsible for providing infrastructure support and hosting the project	https://www.iitkgp.ac.in
3	National Digital Library of India Office, Indian Institute of Technology Kharagpur	The administrative and infrastructural headquarters of the project	Dr. B. Sutradhar bsutra@ndl.gov.in
4	Project PI / Joint PI	Principal Investigator and Joint Principal Investigators of the project	Dr. B. Sutradhar bsutra@ndl.gov.in Prof. Saswat Chakrabarti will be added soon
5	Website/Portal (Helpdesk)	Queries regarding NDLI and its services	support@ndl.gov.in
6	Contents and Copyright Issues	Queries related to content curation and copyright issues	content@ndl.gov.in
7	National Digital Library of India Club (NDLI Club)	Queries related to NDLI Club formation, support, user awareness program, seminar/symposium, collaboration, social media, promotion, and outreach	clubsupport@ndl.gov.in
8	Digital Preservation Centre (DPC)	Assistance with digitizing and archiving copyright-free printed books	dpc@ndl.gov.in
9	IDR Setup or Support	Queries related to establishment and support of Institutional Digital Repository (IDR) and IDR workshops	idr@ndl.gov.in