DNSCurve
0 likes1,271 views
The document summarizes a seminar on network and communication privacy focusing on DNS privacy and confidential DNS. It discusses vulnerabilities in the current DNS system and how attackers can target and forge DNS queries. It then introduces DNSCurve as an alternative to DNSSEC that uses elliptic curve cryptography to provide confidentiality, integrity, and availability for DNS queries. Implementations of DNSCurve like CurveDNS and DNSCrypt are presented as ways to protect existing DNS installations and the channel between users and DNS providers.
![DNS Review
Image Credit: [5]](https://image.slidesharecdn.com/seminar-networkprivacy-140519142737-phpapp01/85/DNSCurve-3-320.jpg)
![DNS Review
Image Credit: [5]](https://image.slidesharecdn.com/seminar-networkprivacy-140519142737-phpapp01/85/DNSCurve-4-320.jpg)
![DNS Vulnerabilities
● Three important questions
○ How do attackers target DNS in general?
○ How do attackers spy on your DNS queries?
○ How do attackers forge DNS responses?
Image Credit: [5]](https://image.slidesharecdn.com/seminar-networkprivacy-140519142737-phpapp01/85/DNSCurve-5-320.jpg)
![Introduction to DNSCurve
● Uses elliptic-curve cryptography [1], not RSA
● Daniel J. Bernstein
● Uses a particular elliptic curve, Curve25519
○ 1 chance in 1000000000000000000000000000 !
○ 3000-bit RSA
● What does DNSCurve do for me?
○ confidentiality
○ integrity
○ availability
○ other aspects](https://image.slidesharecdn.com/seminar-networkprivacy-140519142737-phpapp01/85/DNSCurve-7-320.jpg)
DNSCurve
- 1. Seminar: Network and Communication Privacy Presenter: Sabbir Ahmmed
- 2. DNS Privacy And Confidential DNS DNSCurve: Usable security for DNS
- 3. DNS Review Image Credit: [5]
- 4. DNS Review Image Credit: [5]
- 5. DNS Vulnerabilities ● Three important questions ○ How do attackers target DNS in general? ○ How do attackers spy on your DNS queries? ○ How do attackers forge DNS responses? Image Credit: [5]
- 6. DNSSEC ● Limitations ○ availability/confidentiality ○ responses are authenticated but not encrypted ○ DNSSEC only signs RRs ○ does not protect against DoS attacks directly ○ DNSSEC cannot protect against false assumptions
- 7. Introduction to DNSCurve ● Uses elliptic-curve cryptography [1], not RSA ● Daniel J. Bernstein ● Uses a particular elliptic curve, Curve25519 ○ 1 chance in 1000000000000000000000000000 ! ○ 3000-bit RSA ● What does DNSCurve do for me? ○ confidentiality ○ integrity ○ availability ○ other aspects
- 8. DNSCurve Protocol uz5………………………………...51-byte 255-bit public key
- 9. DNSCurve Protocol ● What are sent to the server?
- 10. DNSCurve Protocol ● How does the server open the box?
- 11. DNSCurve Protocol ● What does the server send back?
- 13. DNSCurve Protocol ● Speedups ○ The server ○ The cache ● Computing Curve25519 shared secrets for ten million servers : 10 mins
- 14. DNSCurve: How to get it ● Simply upgrade your DNS cache ○ dnscache /BIND ○ PowerDNS Recursor /nominum ○ MaraDNS /Unbound ● No extra cache configuration is required. ● No extra firewall configuration is required ● Network bandwidth remains essentially unchanged ● ISP's DNS vs. Cache DNS (side benefits) ● Daily copies of root zone (side benefits)
- 15. Implementations ● CurveDNS ○ allows DNS administrators to protect existing installations without patching ● DNSCrypt from OpenDNS ○ protects the channel between OpenDNS and its users ● Curve-Protect ○ for common services like DNS, SSH, HTTP, and SMTP
- 16. References and bibliography 1. http://dnscurve.org/index.html 2. "Curve25519: new Diffie–Hellman speed records", 2006, Daniel J. Bernstein 3. NSA: The Case for Elliptic Curve Cryptography 4. Adam Langley: What a difference a prime makes 5. CURVEPROTECT SOFTWARE (EXPERIMENTAL) 6. DNS Cache Poisoning: Definition and Prevention
- 17. Conclusion The slides are published under a permissive license (Creative Commons: BY-SA)