Embed Size (px)
Citation preview
Verifying Keys through Publicity andCommunities of Trust 13
Eric Osterweil13 Dan Massey13
Danny McPherson13 Lixia Zhang13
DNSSEC Security for a Core Internet System13
bull DNS is a staple of todayrsquos online activities13 bull Is there a pedestrian online activity that doesnrsquot use DNS13 bull We use it to map unique names to network resources13 bull It has long been a very robust system13
bull DNSSEC makes DNS the first core Internet system toprotect itself and its data with hierarchical crypto13 bull Protects DNS from cache poisoning and spoofing13 bull 2010-2011 root and net and com deployed DNSSEC13 bull A straightforward design crypto-enhanced systems design13
bull The deployment has been growing and standards arebeing built on DNSSEC DANE (TLS SMIME etc)13
Verisign Public 13 2 13
Motivations Grow the Deployment (Graph From SecSpider)13
Verisign Public 13 3 13
Today we need a log-scale view ) httpsecspiderverisignlabscomgrowthhtml 13
Verisign Public 13 4 13
Some Challenges for DNSSEC Remain13
bull DNSSECrsquos early life has shown some stability concerns13 bull Wersquove already seen broken delegations (gov arpa fr)13
bull DNSSEC faces architectural misalignments13 bull Looking up unique names ne Verification of public keys13 bull The design struggles with misconfigurations and partial
deployment (though this may not be unique to DNSSEC)13
bull DNS is a core staple and outages are not OK13 bull If someone puts the wrong DS record in their zone is that
game over13 bull Network partitioning can break online delegations13
Verisign Public 13 5 13
Some Core Questions13
bull Is black and white verification the only option for dynamic Internet-scale systems like DNS13 bull DNS has thrived because its design tolerates failures and
misconfigurations13
bull What kind of verification can one derive for Internet-scale systems with dynamism like this13 bull Such a verification system must tolerate the Internetrsquos chaotic
setting13
bull Can any other verification model that is based on sucha shaky operational foundation be trustworthy13 bull Moreover can it be better than what we have now13
Verisign Public 13 6 13
We Propose to Verify Using the Networkhellip Public Dataand Communities of Trust13
bull Add distributed redundant measurements form independent paths as a new security substrate13 bull Redundancy can overcome errors 13 bull Publicity increases verifiability13 bull Who to trust is subjective13
bull We propose the theoretical model Public Data to augment DNSSECrsquos crypto substrate13
bull We implemented a candidate system called Vantages to demonstrate its feasibility13
Verisign Public 13 7 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
DNSSEC Security for a Core Internet System13
bull DNS is a staple of todayrsquos online activities13 bull Is there a pedestrian online activity that doesnrsquot use DNS13 bull We use it to map unique names to network resources13 bull It has long been a very robust system13
bull DNSSEC makes DNS the first core Internet system toprotect itself and its data with hierarchical crypto13 bull Protects DNS from cache poisoning and spoofing13 bull 2010-2011 root and net and com deployed DNSSEC13 bull A straightforward design crypto-enhanced systems design13
bull The deployment has been growing and standards arebeing built on DNSSEC DANE (TLS SMIME etc)13
Verisign Public 13 2 13
Motivations Grow the Deployment (Graph From SecSpider)13
Verisign Public 13 3 13
Today we need a log-scale view ) httpsecspiderverisignlabscomgrowthhtml 13
Verisign Public 13 4 13
Some Challenges for DNSSEC Remain13
bull DNSSECrsquos early life has shown some stability concerns13 bull Wersquove already seen broken delegations (gov arpa fr)13
bull DNSSEC faces architectural misalignments13 bull Looking up unique names ne Verification of public keys13 bull The design struggles with misconfigurations and partial
deployment (though this may not be unique to DNSSEC)13
bull DNS is a core staple and outages are not OK13 bull If someone puts the wrong DS record in their zone is that
game over13 bull Network partitioning can break online delegations13
Verisign Public 13 5 13
Some Core Questions13
bull Is black and white verification the only option for dynamic Internet-scale systems like DNS13 bull DNS has thrived because its design tolerates failures and
misconfigurations13
bull What kind of verification can one derive for Internet-scale systems with dynamism like this13 bull Such a verification system must tolerate the Internetrsquos chaotic
setting13
bull Can any other verification model that is based on sucha shaky operational foundation be trustworthy13 bull Moreover can it be better than what we have now13
Verisign Public 13 6 13
We Propose to Verify Using the Networkhellip Public Dataand Communities of Trust13
bull Add distributed redundant measurements form independent paths as a new security substrate13 bull Redundancy can overcome errors 13 bull Publicity increases verifiability13 bull Who to trust is subjective13
bull We propose the theoretical model Public Data to augment DNSSECrsquos crypto substrate13
bull We implemented a candidate system called Vantages to demonstrate its feasibility13
Verisign Public 13 7 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Motivations Grow the Deployment (Graph From SecSpider)13
Verisign Public 13 3 13
Today we need a log-scale view ) httpsecspiderverisignlabscomgrowthhtml 13
Verisign Public 13 4 13
Some Challenges for DNSSEC Remain13
bull DNSSECrsquos early life has shown some stability concerns13 bull Wersquove already seen broken delegations (gov arpa fr)13
bull DNSSEC faces architectural misalignments13 bull Looking up unique names ne Verification of public keys13 bull The design struggles with misconfigurations and partial
deployment (though this may not be unique to DNSSEC)13
bull DNS is a core staple and outages are not OK13 bull If someone puts the wrong DS record in their zone is that
game over13 bull Network partitioning can break online delegations13
Verisign Public 13 5 13
Some Core Questions13
bull Is black and white verification the only option for dynamic Internet-scale systems like DNS13 bull DNS has thrived because its design tolerates failures and
misconfigurations13
bull What kind of verification can one derive for Internet-scale systems with dynamism like this13 bull Such a verification system must tolerate the Internetrsquos chaotic
setting13
bull Can any other verification model that is based on sucha shaky operational foundation be trustworthy13 bull Moreover can it be better than what we have now13
Verisign Public 13 6 13
We Propose to Verify Using the Networkhellip Public Dataand Communities of Trust13
bull Add distributed redundant measurements form independent paths as a new security substrate13 bull Redundancy can overcome errors 13 bull Publicity increases verifiability13 bull Who to trust is subjective13
bull We propose the theoretical model Public Data to augment DNSSECrsquos crypto substrate13
bull We implemented a candidate system called Vantages to demonstrate its feasibility13
Verisign Public 13 7 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Today we need a log-scale view ) httpsecspiderverisignlabscomgrowthhtml 13
Verisign Public 13 4 13
Some Challenges for DNSSEC Remain13
bull DNSSECrsquos early life has shown some stability concerns13 bull Wersquove already seen broken delegations (gov arpa fr)13
bull DNSSEC faces architectural misalignments13 bull Looking up unique names ne Verification of public keys13 bull The design struggles with misconfigurations and partial
deployment (though this may not be unique to DNSSEC)13
bull DNS is a core staple and outages are not OK13 bull If someone puts the wrong DS record in their zone is that
game over13 bull Network partitioning can break online delegations13
Verisign Public 13 5 13
Some Core Questions13
bull Is black and white verification the only option for dynamic Internet-scale systems like DNS13 bull DNS has thrived because its design tolerates failures and
misconfigurations13
bull What kind of verification can one derive for Internet-scale systems with dynamism like this13 bull Such a verification system must tolerate the Internetrsquos chaotic
setting13
bull Can any other verification model that is based on sucha shaky operational foundation be trustworthy13 bull Moreover can it be better than what we have now13
Verisign Public 13 6 13
We Propose to Verify Using the Networkhellip Public Dataand Communities of Trust13
bull Add distributed redundant measurements form independent paths as a new security substrate13 bull Redundancy can overcome errors 13 bull Publicity increases verifiability13 bull Who to trust is subjective13
bull We propose the theoretical model Public Data to augment DNSSECrsquos crypto substrate13
bull We implemented a candidate system called Vantages to demonstrate its feasibility13
Verisign Public 13 7 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Some Challenges for DNSSEC Remain13
bull DNSSECrsquos early life has shown some stability concerns13 bull Wersquove already seen broken delegations (gov arpa fr)13
bull DNSSEC faces architectural misalignments13 bull Looking up unique names ne Verification of public keys13 bull The design struggles with misconfigurations and partial
deployment (though this may not be unique to DNSSEC)13
bull DNS is a core staple and outages are not OK13 bull If someone puts the wrong DS record in their zone is that
game over13 bull Network partitioning can break online delegations13
Verisign Public 13 5 13
Some Core Questions13
bull Is black and white verification the only option for dynamic Internet-scale systems like DNS13 bull DNS has thrived because its design tolerates failures and
misconfigurations13
bull What kind of verification can one derive for Internet-scale systems with dynamism like this13 bull Such a verification system must tolerate the Internetrsquos chaotic
setting13
bull Can any other verification model that is based on sucha shaky operational foundation be trustworthy13 bull Moreover can it be better than what we have now13
Verisign Public 13 6 13
We Propose to Verify Using the Networkhellip Public Dataand Communities of Trust13
bull Add distributed redundant measurements form independent paths as a new security substrate13 bull Redundancy can overcome errors 13 bull Publicity increases verifiability13 bull Who to trust is subjective13
bull We propose the theoretical model Public Data to augment DNSSECrsquos crypto substrate13
bull We implemented a candidate system called Vantages to demonstrate its feasibility13
Verisign Public 13 7 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Some Core Questions13
bull Is black and white verification the only option for dynamic Internet-scale systems like DNS13 bull DNS has thrived because its design tolerates failures and
misconfigurations13
bull What kind of verification can one derive for Internet-scale systems with dynamism like this13 bull Such a verification system must tolerate the Internetrsquos chaotic
setting13
bull Can any other verification model that is based on sucha shaky operational foundation be trustworthy13 bull Moreover can it be better than what we have now13
Verisign Public 13 6 13
We Propose to Verify Using the Networkhellip Public Dataand Communities of Trust13
bull Add distributed redundant measurements form independent paths as a new security substrate13 bull Redundancy can overcome errors 13 bull Publicity increases verifiability13 bull Who to trust is subjective13
bull We propose the theoretical model Public Data to augment DNSSECrsquos crypto substrate13
bull We implemented a candidate system called Vantages to demonstrate its feasibility13
Verisign Public 13 7 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
We Propose to Verify Using the Networkhellip Public Dataand Communities of Trust13
bull Add distributed redundant measurements form independent paths as a new security substrate13 bull Redundancy can overcome errors 13 bull Publicity increases verifiability13 bull Who to trust is subjective13
bull We propose the theoretical model Public Data to augment DNSSECrsquos crypto substrate13
bull We implemented a candidate system called Vantages to demonstrate its feasibility13
Verisign Public 13 7 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Outline13
bull DNSSEC background13
bull Public Data model and Vantages13
bull Measurements13
bull Conclusion13
Verisign Public 13 8 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
DNSSEC Crypto Key Learning + Verification13
bull First attempt to enhancecore Internet system with crypto13
bull DNSSEC zones create publicprivate keys13 bull Public key is DNSKEY13
bull Zones sign all RRsets and resolvers use DNSKEYs to verify them13 bull Each RRset has a signature attached to it RRSIG13
bull Resolvers are configured with a single root key and trust flows recursively down the hierarchy13
Verisign Public 13 9 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Using a zonersquos key13 on a standard RRset 13 (the NS)13
Signature (RRSIG) will only verify with the13 DNSKEY if no
Data Signing Example13
data was modified13
Verisign Public 13 10 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Getting the Keys13
bull Until a resolver gets DNSKEY(s) data can be spoofed13
bull Keys verified by secure delegations from parents to children13 bull So resolvers know DNSKEYs are not being spoofed13
bull DNSSECrsquos design needs the full hierarchy in orderto verify keys13 bull No middle ground either a key has a verifiable delegation or
you know nothing about it13 bull What if we just queried for crypto keys directly13
Verisign Public 13 11 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Public Data = Distributed polling + structured observations13
bull Verify DNSKEYs through Communities of Trust (CoTs)13 bull Consistency and
redundancy become the verification metric13
bull The network topologically diverse vantages13 bull G = (V E)13 bull V = v0 v1 hellip vn13
bull Observations bind data to time and a network path13 bull Path σ(ij) = (vi hellip vj)13 bull Data (such as a DNSKEY) d13 bull Observation oi = (dj t σ(ij))13
Verisign Public 13 12 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Public Data Model13 Path = σ13
i
Name Server Svj
Resolver vi
Public Data pd
KEY
Data di
KEY
Observation oi
Message mi
bull pdi = (ditk)13 bull Svj = pd0 pdm 13 bull m = (di SigK(di)) 13 bull hellip13
Verisign Public 13 13 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Peer-to-Peer CoTs13
bull P2P CoTs Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by PGP key13
14 13Verisign Public 13
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Threat Model for Key Learning Man in the Middle13
bull To attack Eve must see keys that are in transit 13 bull If she must own a
vantage ve in σ13 bull But she canrsquot
arbitrarily attack just anyone13 bull Attacks between a
resolver v and ai zonersquos name servers (VZ)13
bull Not a reduction of scope this is dictated by the nature of DNS13
bull Eve must expend a real cost to own these vantages13
Verisign Public 13 15 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
What Eve Really Needs to Do13
B
C
A
D
E
F
H
G
N
M
L I
J
K
bull To spoof Eve must be in the right place at the right time13 bull She must be able to
intercept responses from all (or most) name servers13
bull The minimum set size for Ve to cut Alice off from the zone will be the min-cut set Vcut = MinCut(vi VZ)13 bull This is the lower bound on Eversquos acquisition cost13
Verisign Public 13 16 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Security Analysis Attack Cost13
bull Eve must own vantage points (Ve) and be able to use them 13 13Acquisition + usage costs13
bull Acquisition ca(Ve) can specific nodes even be purchased13 bull Core routers at ATampT may not be on sale like grandmarsquos PC is13 bull Eve may have to get her hands dirty (if shersquos able to)13
bull Usage cu(Ve t) nodes in Ve may cost per hour or may get reclaimed if detected13 bull If renting nodes then snooping is a function of rent13 bull If Eve acquires her own nodes operators may notice her13
13 13 13C(Ve t) = ca (Ve) + cu (Ve t)13
Verisign Public 13 17 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Acquisition Cost The Cat and Mouse Game13
bull Alicersquos best defense is to make her CoT as large andtopologically diverse as possible13
bull Eve needs to know Alicersquos CoT (and all paths to VZrsquos name servers)13 bull Note knowing any AS path is an open challenge [1]13
bull We evaluate three example types of adversaries13 1 General does not know any path info13 2 Targeted knows Alicersquos path to VZ but not her CoTrsquos13 3 Nation State will try to compromise the largest ISPs first13
[1] Mao Z M Qiu L Wang J and Zhang Y 2005 On AS-level pathinference 2005 ACM SIGMETRICS13
Verisign Public 13 18 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Eversquos Probability of Success13
bull General the probability that Eve can subvert Alicersquos min-cut set is (where n is the size of Ve)13
bull Targeted as Alice augments her min-cut set theprobability of compromise approaches the General case13
bull Nation State the adversary is not focused on Alicersquos CoT but Alicersquos chances are still augmented as sheincreases her min-cut set13
Verisign Public 13 19 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Evaluation13
bull Simulated an AS-level topology using the Inet topology generator13 bull Simulate 22000 ASes13
bull Chose random ASes as VZ nodes and VCoT nodes13 bull Calculated min-cut set for VZ and VCoT combinations ranging
from 2-1113 bull Used shortest path routing metric to represent routing13
bull Also deployed actual Vantages CoT13 bull Vantages written in C++ with SQLite backed DB uses GPG to
verify witness communications13 bull httpwwwvantage-pointsorg13
bull Constantly automatically learns zones and polls13 bull Aligns costs with benefits verification aligns with needs13
Verisign Public 13 20 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Actual Measured Min Cut-Set Sizes13
bull Using a Vantages daemon peered with SecSpider we get the following actual min cut-set sizes for major DNS zones13 bull SecSpiderrsquos distributed key learning system online since 200613
21 13Verisign Public 13
bull These are on par with or better than our simulatedresults13
Actual Zone13 Min Cut-Set Size13 (root)13 2713 gov13 1813 br13 1813 bg13 1313 org13 1113 hellip13 hellip13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Simulated General Adversary13
bull Ran 10X10 simulations13 bull CoTs = [1-10]13 bull VZ = [2-11]13
bull General Adversary13 bull 90 ASes = 1013
13
bull Nation State13 bull 89 ASes = 2013
Verisign Public 13 22 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Conclusions13
bull With Public Data we seek to add an orthogonalsubstrate to our systems feasibility tested withVantages13 bull Large TLD failures did not black out Vantagesrsquo view of the tree13 bull When the rootrsquos DURZ unblinded Vantages automatically
bootstrapped and learned it13
bull Fixing these problems in DNSSEC allows systems built on DNSSEC to inherit robustness13 bull DNSSEC must be robust to misconfigs and outages13 bull People are adding services on DNS (DANE and more)13
bull Our Vantages deployment suggests its assurances areon par (or even better than) our simulated results13
Verisign Public 13 23 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Thank You13
Check out our technical report 13 httptechreportsverisignlabscomtr-lookupcgitrid=1110001amprev=1 13
copy 2012 VeriSign Inc All rights reserved VERISIGN and other trademarks service marks anddesigns are registered or unregistered trademarks of VeriSign Inc and its subsidiaries in the UnitedStates and in foreign countries All other trademarks are property of their respective owners13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Backup13
Verisign Public 13 25 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
General Lessons from Deployment Problems13
bull ldquoDistributing the authority for a [crypto-enhancedsystem] does not distribute the corresponding amountof expertiserdquo13
-- Paul Mockapetris13
bull Simple designs do not always equate to simpleoperations13
bull Cryptography adds a lot of operational complexity13
bull Failing to consider operational realities can result inserious outages13
Verisign Public 13 26 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Public Data Key Learning and Verification13
bull Motivated by measurements of the hierarchal model13
bull Goal get proper keys for zones to resolvers13 bull Avoid being spoofed without the hierarchy13 bull Use redundancy for protection13
bull Verification is now a measurable property of publically available data13 bull The more independent measurements the more secure13
bull Community of Trust (CoT) Trust is subjective13 bull Cross-check what you see with what your friends saw13 bull This is not the Web of Trust observations not attestations13
Verisign Public 13 27 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Public Data Model (again)13
Verisign Public 13 28 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Public Data Model (again)13
Verisign Public 13 29 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
General Adversary13
Verisign Public 13 30 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Targeted Adversary13
Verisign Public 13 31 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Nation State Adversary13
Verisign Public 13 32 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Vantages Implementation13
bull Written in C++ with SQLite backed DB uses GPG toverify witness communications13 bull Installs and can start running right away13 bull httpwwwvantage-pointsorg13
bull Can be administered via web admin interface13
bull Automatically learns zones and polls every day13
Verisign Public 13 33 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Peer-to-Peer CoTs13
bull Vantage daemons learnWeb DNSKEYs from DNS or web Scraper
pages13 bull Cross-check within CoT13 bull P2P CoTs
Compartmentalize13 bull CoTs are manual13
bull Trust must be bootstrapped13 bull Observed data is signed by
GPG key13
Verisign Public 13 34 13
dnskeyorg
Raw Data
Processed Data
DNS Scraper
dnskeyorg
ConsistencyScraper
dnskeyorg
lthtmlgt
lthtmlgt
httpdnskeyorg
dnssecdnskeyorg
v
v
v
v
v
v
v
v v v
v
v
CoT 1
CoT 2 CoT 3
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
Vantages A Public Data System13
bull Real system implementing Public Data needs somepractical re-mappings13 bull Some nodes may offer a set of observations (such as
SecSpider) cull data from different protocols etc13
bull Everyone runs their own Vantage daemon13 bull Peer-to-peer choose your own CoT13 bull Avoids the ldquowhorsquos going to run itrdquo question13
Verisign Public 13 35 13
