DOCSLIB.ORG

Mctiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Mctiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J. Bernstein, University of Illinois at Chicago, Ruhr University Bochum; Tanja Lange, Eindhoven University of Technology https://www.usenix.org/conference/usenixsecurity20/presentation/bernstein This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. ARTIFACT McTiny: EVALUATED Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers PASSED Daniel J. Bernstein Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology Ruhr University Bochum Abstract 1 Introduction TLS 1.3 highlights the importance of “forward secrecy” by Recent results have shown that some post-quantum cryp- switching completely to Diffie–Hellman-based cryptography tographic systems have encryption and decryption perfor- for confidentiality. The client initiates the connection and al- mance comparable to fast elliptic-curve cryptography (ECC) ready on the first message sends the preferred cipher suite and or even better. However, this performance metric is con- a public key. These systems are typically based on elliptic sidering only CPU time and ignoring bandwidth and stor- curves though some finite-field options remain. Elliptic-curve age. High-confidence post-quantum encryption systems have keys consume only 32–64 bytes and thus add very little over- much larger keys than ECC. For example, the code-based head to the packets and computation is very fast, even on cryptosystem recommended by the PQCRYPTO project uses small devices. public keys of 1MB. Unfortunately, if large quantum computers are built then Fast key erasure (to provide “forward secrecy”) requires Shor’s quantum algorithm [33] breaks ECC in polynomial new public keys to be constantly transmitted. Either the server time. In the two decades since Shor found this quantum needs to constantly generate, store, and transmit large keys, or speedup, research in cryptography has progressed to find sys- it needs to receive, store, and use large keys from the clients. tems that remain secure under attacks with quantum comput- This is not necessarily a problem for overall bandwidth, but it ers. There are several approaches to designing such post- is a problem for storage and computation time on tiny network quantum systems but the main categories for public-key servers. All straightforward approaches allow easy denial-of- encryption systems are based on codes, lattices, or—more service attacks. recently—isogenies between supersingular elliptic curves. Code-based cryptography [23] was invented by McEliece This paper describes a protocol, suitable for today’s net- in 1978 and is thus just one year younger than RSA and works and tiny servers, in which clients transmit their code- has held up much stronger against cryptanalysis than RSA. based one-time public keys to servers. Servers never store full Lattice-based cryptography started more than 15 years later client public keys but work on parts provided by the clients, and security estimates are still developing; see, e.g., the re- without having to maintain any per-client state. Intermediate cent paper [1] claiming a 400× speedup in lattice attacks. results are stored on the client side in the form of encrypted Isogenies in their current use started only in 2011 [17]. cookies and are eventually combined by the server to obtain In 2015, the European project PQCRYPTO issued recom- the ciphertext. Requirements on the server side are very small: mendations [2] for confidence-inspiring post-quantum sys- storage of one long-term private key, which is much smaller tems; for public-key encryption the only recommended sys- than a public key, and a few small symmetric cookie keys, tem was a code-based system which is closely related to which are updated regularly and erased after use. The proto- McEliece’s original proposal. However, when in 2016 Google col is highly parallel, requiring only a few round trips, and ran an experiment [8] deploying post-quantum cryptography involves total bandwidth not much larger than a single public to TLS connections between Chrome (Canary) browsers and key. The total number of packets sent by each side is 971, Google sites they did not choose a code-based system but a each fitting into one IPv6 packet of less than 1280 bytes. much more recent system based on lattices. The main issue The protocol makes use of the structure of encryption in with the high-confidence code-based system is that it requires code-based cryptography and benefits from small ciphertexts a much larger key size—1MB vs. 1kB—for the same esti- in code-based cryptography. mated level of security. Google piggybacked the lattice-based USENIX Association 29th USENIX Security Symposium 1731 system with ECC so that the security of the combined system number of connections to a server. These attacks fill up all would not be weaker than a pure ECC system. of the memory available on the server for keeping track of In April 2018, Google’s Langley reported [21] on another connections. The server is forced to stop serving some con- experiment with post-quantum cryptography, this time test- nections, including connections from legitimate clients. These ing no particular system but different key sizes. They tested attacks are usually much less expensive than comparably ef- initiation packets of sizes 400, 1100, and 10000 bytes, saying fective attacks that try to use all available network bandwidth that these are meant to represent systems based on isogenies or that try to consume all available CPU time. and based on different types of lattices. Langley justified their choice by writing “in some cases the public-key + cipher- text size was too large to be viable in the context of TLS”. 2.1 A Classic Example: SYN Flooding There were too many sites that dropped the largest size so it The “SYN flooding” denial-of-service attack [14] rose to was skipped from further experiments and replaced by 3300 prominence twenty years ago when it was used to disable an bytes. For these sizes they measured the increase in latency. ISP in New York, possibly in retaliation for anti-spam efforts; In a second experiment they measured round-trip times, this see [9]. “SYN cookies” [4] address SYN flooding, but from a time even skipping the 3300-byte size. These sizes are a far broader security perspective they are highly unsatisfactory, as cry from what is needed to transmit the 1MB keys of the we now explain. McEliece cryptosystem. See also the failure reported in [12] Recall that in a normal TCP connection, say an HTTP to handle 300KB keys in OpenSSL. connection, the client sends a TCP “SYN” packet to the server For the experiments it is reasonable to use new systems in containing a random 32-bit initial sequence number (ISN); combination with ECC; see [18–20] for a new lattice-plus- the server sends back a “SYNACK” packet acknowledging ECC experiment by Google and Cloudflare. However, this the client ISN and containing another random ISN; the client does not help with post-quantum security if lattices turn out sends an “ACK” packet acknowledging the server ISN. At this to be much weaker than currently assumed. This raises the point a TCP connection is established, and both sides are free question how network protocols could possibly use the high- to send data. The client sends an HTTP request (preferably as confidence McEliece cryptosystem. part of the ACK packet), and the server responds. Of course, the key could be chopped into pieces and sent in The server allocates memory to track SYN-SYNACK pairs, separate packets and the server could be instructed to buffer including IP addresses, port numbers, and ISNs. This is ex- the pieces and reassemble the pieces but this allows rogue actly the memory targeted by SYN flooding. A SYN-flooding clients to flood the RAM on the server. See Section2. attacker simply sends a stream of SYNs to the server with- This paper introduces McTiny, a new protocol that solves out responding to the resulting SYNACKs. Once the SYN- the problem of memory-flooding denial-of-service attacks SYNACK memory fills up, the server is forced to start throw- for code-based cryptography. McTiny handles the 1MB keys ing away some SYN-SYNACK pairs, and is no longer able to of the McEliece cryptosystem, having the same basic data handle the corresponding ACKs. The server can try to guess flow as TLS in which the client creates a fresh public key for which SYN-SYNACK pairs are more likely to be from le- each connection and sends it as the first step of the protocol. gitimate clients, and prioritize keeping those, but a sensible McTiny splits the public keys into pieces small enough to fit attacker will forge SYNs that look just like legitimate SYNs. into network packets. On the client side the overhead is small If the server has enough SYN-SYNACK memory for c con- compared to creating the key and sending 1MB. The server is nections, but is receiving 100c indistinguishable SYNs per not required to allocate any memory per client and only ever RTT, then a legitimate client’s ACK fails with probability at needs to process information that fits into one Internet packet, least 99%. making McTiny suitable for tiny network servers. SYN cookies store SYN-SYNACK pairs in the network Sections2 and3 motivate tiny network servers and review rather than in server memory. Specifically, the server encodes existing results. Section4 gives background in coding the- its SYN-SYNACK pair as an authenticated cookie inside the ory. Sections5 and6 explain our new McTiny protocol.
Load more

Recommended publications
  • NSA's MORECOWBELL
    NSA's MORECOWBELL: Knell for DNS Christian Grothoff Matthias Wachs Monika Ermert Jacob Appelbaum Inria TU Munich Heise Verlag Tor Project 1 Introduction On the net, close to everything starts with a request to the Domain Name System (DNS), a core Internet protocol to allow users to access Internet services by names, such as www.example.com, instead of using numeric IP addresses, like 2001:DB8:4145::4242. Developed in the \Internet good old times" the contemporary DNS is like a large network activity chart for the visually impaired. Consequently, it now attracts not only all sorts of commercially-motivated surveillance, but, as new documents of the NSA spy program MORECOWBELL confirm, also the National Security Agency. Given the design weaknesses of DNS, this begs the question if DNS be secured and saved, or if it has to be replaced | at least for some use cases. In the last two years, there has been a flurry of activity to address security and privacy in DNS at the Internet Engineering Task Force (IETF), the body that documents the DNS standards. The Internet Architecture Board, peer body of the IETF, just called on the engineers to use encryption everywhere, possibly including DNS. [4] A recent draft [6] by the IETF on DNS privacy starts by acknowledging that the DNS \... is one of the most important infrastructure components of the Internet and one of the most often ignored or misunderstood. Almost every activity on the Internet starts with a DNS query (and often several). Its use has many privacy implications ..." Despite seemingly quick consensus on this assessment, the IETF is not expecting that existing industry solutions will change the situation anytime soon: \It seems today that the possibility of massive encryption of DNS traffic is very remote." [5] From a surveillance perspective, DNS currently treats all information in the DNS database as public data.
    [Show full text]
  • DNS-Sicherheit Am Beispiel Eines Mittelständischen Softwareunternehmens
    Bachelorarbeit Kevin Hüsgen DNS-Sicherheit am Beispiel eines mittelständischen Softwareunternehmens Fakultät Technik und Informatik Faculty of Computer Science and Engineering Department Informatik Department Computer Science Kevin Hüsgen DNS-Sicherheit am Beispiel eines mittelständischen Softwareunternehmens Bachelorarbeit eingereicht im Rahmen der Bachelorprüfung im Studiengang Bachelor of Science Angewandte Informatik am Department Informatik der Fakultät Technik und Informatik der Hochschule für Angewandte Wissenschaften Hamburg Betreuender Prüfer: Prof. Dr.-Ing. Martin Hübner Zweitgutachter: Prof. Dr. Klaus-Peter Kossakowski Eingereicht am: 08.12.2020 Kevin Hüsgen Thema der Arbeit DNS-Sicherheit am Beispiel eines mittelständischen Softwareunternehmens Stichworte DNS, IT-Sicherheit, IT-Grundschutz, DNSSEC, DNS-over-TLS, DNS-over-HTTPS, Be- drohungsanalyse, Risikoanalyse, DNS-Sicherheit, DNSCurve, DNS-Cookies, TSIG, DoT, DoH Kurzzusammenfassung Das Ziel dieser Forschungsarbeit ist es, die Sicherheit von DNS anhand eines fiktiven, mit- telständischen Softwareunternehmens aus der Versicherungsbranche zu analysieren. Dazu werden die Schwachstellen, Bedrohungen und Angriffe beim Betrieb von DNS analysiert und die Risiken für das Unternehmen evaluiert. Es werden DNS-Sicherheitserweiterungen vorgestellt und die identifizierten Bedrohungen im Hinblick auf diese überprüft. Ein Maß- nahmenkatalog wurde erarbeitet, um die Risiken zu vermeiden oder zu reduzieren. Zum Schluss werden Empfehlungen ausgesprochen und im Bezug auf das Anwendungsszenario
    [Show full text]
  • Securing Communication
    news from leading universities and research institutes in the Netherlands reSearcherS • Daniel J. Bernstein, Eindhoven University of Technology, the Netherlands, and University of Illinois at Chicago, USA • Tanja Lange, Eindhoven University of Technology, the Netherlands • Peter Schwabe, Academia Sinica, Taiwan. High-security and high-speed protection for computer networks Securing communication Internet and mobile communication has become a vital part of our lives in the past decade, but almost all of it is exposed to criminals. Researchers at the Eindhoven University of Technology have developed a new cryptographic library that is fast enough to allow universal deployment of high-security encryption. We often assume that communication downloading a game from an online These essential requirements over the internet is just as secure store. Users begin by accessing the of communication over computer as traditional forms of personal online store, and want to be sure that networks are ensured through communication. We assume that we they are in fact accessing the right cryptographic protection. Encryption know who we are communicating website and not a look-alike that will is what provides communication with; we assume our conversations are take their money but not let them with confidentiality, the assurance private, that only the person we talk download the software. Users then that transmitted information is only to can hear what we are saying; and submit their credit-card details or other read by the recipient and not by we assume that what we are saying banking information, and want to be an eavesdropper. Authentication will reach the recipient without being sure that this information is protected of users and data is provided by modified.
    [Show full text]
  • Dnscurve: Usable Security for DNS D
    DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name System cert.org has mail to deliver to [email protected]. '&Mail client%$ at cert.org ! O "# “The mail server for uic.edu has IP address 128.248.155.49.” '&!Administrator"#%$ at uic.edu Now cert.org delivers mail to IP address 128.248.155.49. Same for web browsing. dhs.gov wants to see http://www.uic.edu. '&Browser%$ at dhs.gov ! O "# “The web server www.uic.edu has IP address 128.248.155.210.” '&!Administrator"#%$ at uic.edu Now dhs.gov retrieves web page from IP address 128.248.155.210. DNS software security holes: BIND libresolv buffer overflow, Microsoft cache promiscuity, BIND 8 TSIG buffer overflow, BIND 9 dig promiscuity, etc. Fix: Use better DNS software. http://cr.yp.to/djbdns.html carries a $1000 reward for first verifiable public report of a software security hole. But what about protocol holes? Forging DNS packets cert.org has mail to deliver to [email protected]. '&Mail client%$ at cert.org ! O "# “The mail server for uic.edu has IP address 157.22.245.20.” '&!Attacker"#%$ anywhere on network Now cert.org delivers mail to IP address 157.22.245.20, actually the attacker’s machine. “Can attackers do that?” “Can attackers do that?” — Yes. “Can attackers do that?” — Yes. “Really?” “Can attackers do that?” — Yes. “Really?” — Yes. “Can attackers do that?” — Yes. “Really?” — Yes.
    [Show full text]
  • Connection-Oriented DNS to Improve Privacy and Security
    Connection-Oriented DNS to Improve Privacy and Security Liang Zhu∗, Zi Hu∗, John Heidemann∗, Duane Wesselsy, Allison Mankiny, Nikita Somaiya∗ ∗USC/Information Sciences Institute yVerisign Labs Abstract—The Domain Name System (DNS) seems ideal for requires memory and computation at the server. Why create a connectionless UDP, yet this choice results in challenges of connection if a two-packet exchange is sufficient? eavesdropping that compromises privacy, source-address spoofing This paper makes two contributions. First, we demonstrate that simplifies denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and that DNS’s connectionless protocol is the cause of a range of reply-size limits that constrain key sizes and policy choices. fundamental weaknesses in security and privacy that can be We propose T-DNS to address these problems. It uses TCP addressed by connection-oriented DNS. Connections have a to smoothly support large payloads and to mitigate spoofing well understood role in longer-lived protocols such as ssh and and amplification for DoS. T-DNS uses transport-layer security HTTP, but DNS’s simple, single-packet exchange has been (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. TCP and TLS are hardly seen as a virtue. We show that it results in weak privacy, novel, and expectations about DNS suggest connections will denial-of-service (DoS) vulnerabilities, and policy constraints, balloon client latency and overwhelm server with state. Our and that these problems increase as DNS is used in new contribution is to show that T-DNS significantly improves security applications, and concerns about Internet safety and privacy and privacy: TCP prevents denial-of-service (DoS) amplification grow.
    [Show full text]
  • A Lightweight Privacy-Preserving Name Resolution Service
    EncDNS: A Lightweight Privacy-Preserving Name Resolution Service Dominik Herrmann, Karl-Peter Fuchs, Jens Lindemann, and Hannes Federrath University of Hamburg, Computer Science Department, Germany Abstract. Users are increasingly switching to third party DNS resolvers (e. g., Google Public DNS and OpenDNS). The resulting monitoring ca- pabilities constitute an emerging threat to online privacy. In this paper we present EncDNS, a novel lightweight privacy-preserving name res- olution service as a replacement for conventional third-party resolvers. The EncDNS protocol, which is based on DNSCurve, encapsulates en- crypted messages in standards-compliant DNS messages. User privacy is protected by exploiting the fact that a conventional DNS resolver pro- vides sender anonymity against the EncDNS server. Unlike traditional privacy-preserving techniques like mixes or onion routing, which intro- duce considerable delays due to routing messages over multiple hops, the EncDNS architecture introduces only one additional server in order to achieve a sufficient level of protection against realistic adversaries. EncDNS is open source software. An initial test deployment is available for public use. Keywords: anonymity, obfuscation, confidentiality, encapsulation, DNSCurve, nameserver, DNS proxy, encryption, third-party DNS, open source 1 Introduction The Domain Name System (DNS) is a globally distributed name resolution ser- vice that is used to translate domain names like www.google.com to IP addresses. Clients offload most of the work to so-called \DNS resolvers" that query the au- thoritative name servers, which store the mapping information, on behalf of users. Due to their central role, DNS resolvers are a preeminent entity for be- havioral monitoring as well as for access control.
    [Show full text]
  • Private DNS-Over-TLS with TEE Support
    PDoT: Private DNS-over-TLS with TEE Support Yoshimichi Nakatsuka Andrew Paverd∗ Gene Tsudik University of California, Irvine Microsoft Research University of California, Irvine [email protected] [email protected] [email protected] ABSTRACT practicality of DNS-over-TLS in real-life applications. Several open- Security and privacy of the Internet Domain Name System (DNS) source recursive resolver (RecRes) implementations, including Un- have been longstanding concerns. Recently, there is a trend to pro- bound [23] and Knot Resolver [12], currently support DNS-over- tect DNS traffic using Transport Layer Security (TLS). However, TLS. In addition, commercial support for DNS-over-TLS has been at least two major issues remain: (1) how do clients authenticate increasing, e.g., Android P devices [18] and Cloudflare’s 1.1.1.1 DNS-over-TLS endpoints in a scalable and extensible manner; and RecRes [9]. However, despite attracting interest in both academia (2) how can clients trust endpoints to behave as expected? In this pa- and industry, some problems remain. per, we propose a novel Private DNS-over-TLS (PDoT) architecture. The first challenge is how clients authenticate the RecRes. Certificate- PDoT includes a DNS Recursive Resolver (RecRes) that operates based authentication is natural for websites, since the user (client) within a Trusted Execution Environment (TEE). Using Remote Attes- knows the URL of the desired website and the certificate securely tation, DNS clients can authenticate, and receive strong assurance binds this URL to a public key. However, the same approach cannot of trustworthiness of PDoT RecRes. We provide an open-source be used to authenticate a DNS RecRes because the RecRes does not proof-of-concept implementation of PDoT and use it to experimen- have a URL or any other unique long-term user-recognizable iden- tally demonstrate that its latency and throughput match that of the tity that can be included in the certificate.
    [Show full text]
  • Connection-Oriented DNS to Improve Privacy and Security (Extended) USC/ISI Technical Report ISI-TR-695, Feb 2015
    Connection-Oriented DNS to Improve Privacy and Security (extended) USC/ISI Technical Report ISI-TR-695, Feb 2015 Liang Zhu∗, Zi Hu∗, John Heidemann∗, Duane Wesselsy, Allison Mankiny, Nikita Somaiya∗ ∗USC/Information Sciences Institute yVerisign Labs Abstract—The Domain Name System (DNS) seems ideal for more expensive than UDP, since connection setup adds latency connectionless UDP, yet this choice results in challenges of with additional packet exchanges, and tracking connections eavesdropping that compromises privacy, source-address spoofing requires memory and computation at the server. Why create a that simplifies denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and connection if a two-packet exchange is sufficient? reply-size limits that constrain key sizes and policy choices. This paper makes two contributions. First, we demonstrate We propose T-DNS to address these problems. It uses TCP that DNS’s connectionless protocol is the cause of a range of to smoothly support large payloads and to mitigate spoofing fundamental weaknesses in security and privacy that can be and amplification for DoS. T-DNS uses transport-layer security addressed by connection-oriented DNS. Connections have a (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers. TCP and TLS are hardly well understood role in longer-lived protocols such as ssh and novel, and expectations about DNS suggest connections will HTTP, but DNS’s simple, single-packet exchange has been balloon client latency and overwhelm server with state. Our seen as a virtue. We show that it results in weak privacy, contribution is to show that T-DNS significantly improves security denial-of-service (DoS) vulnerabilities, and policy constraints, and privacy: TCP prevents denial-of-service (DoS) amplification and that these problems increase as DNS is used in new against others, reduces the effects of DoS on the server, and simplifies policy choices about key size.
    [Show full text]
  • Network Working Group Z. Hu Internet-Draft L
    Network Working Group Z. Hu Internet-Draft L. Zhu Intended status: Standards Track J. Heidemann Expires: September 18, 2016 USC/Information Sciences Institute A. Mankin D. Wessels Verisign Labs P. Hoffman ICANN March 17, 2016 Specification for DNS over TLS draft-ietf-dprive-dns-over-tls-09 Abstract This document describes the use of TLS to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS-over-TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE working group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. Note: this document was formerly named draft-ietf-dprive-start-tls- for-dns. Its name has been changed to better describe the mechanism now used. Please refer to working group archives under the former name for history and previous discussion. [RFC Editor: please remove this paragraph prior to publication] Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any Hu, et al.
    [Show full text]
  • Shaping DNS Security with Curves a Comparative Security Analysis of DNSSEC and Dnscurve
    Eindhoven University of Technology MASTER Shaping DNS security with curves a comparative security analysis of DNSSEC and DNSCurve van Tilborg, H.H.A. Award date: 2010 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain SHAPING DNS SECURITY WITH CURVES ACOMPARATIVE SECURITY ANALYSIS OF DNSSEC AND DNSCURVE Master Thesis Coding Theory and Cryptology Department of Mathematics and Computer Science Eindhoven University of Technology Author: Committee: ing. Harm H.A. VAN TILBORG dr. D.S. JARNIKOV drs. J. SCHEERDER dr. B. SˇKORIC´ Graduation tutor: dr. B.M.M. DE WEGER drs. J. SCHEERDER Graduation supervisor:
    [Show full text]
  • Comparing the Effects of DNS, Dot, and Doh on Web Performance
    Comparing the Effects of DNS, DoT, and DoH on Web Performance Austin Hounsel Kevin Borgolte Paul Schmitt Princeton University Princeton University Princeton University [email protected] [email protected] [email protected] Jordan Holland Nick Feamster Princeton University University of Chicago [email protected] [email protected] ABSTRACT 1 INTRODUCTION Nearly every service on the Internet relies on the Domain Name The Domain Name System (DNS) underpins nearly all Internet System (DNS), which translates a human-readable name to an IP communication; DNS maps human-readable domain names to cor- address before two endpoints can communicate. Today, DNS traffic responding IP addresses of Internet endpoints. Because nearly every is unencrypted, leaving users vulnerable to eavesdropping and Internet communication is preceded by a DNS query, and because tampering. Past work has demonstrated that DNS queries can reveal some applications may require tens to hundreds of queries for a a user’s browsing history and even what smart devices they are single transaction, such as a web browser loading a page, the perfor- using at home. In response to these privacy concerns, two new mance of DNS is paramount. Many historical DNS design decisions protocols have been proposed: DNS-over-HTTPS (DoH) and DNS- and implementations (e.g., caching, running DNS over UDP instead over-TLS (DoT). Instead of sending DNS queries and responses in of TCP) have thus focused on minimizing latency. the clear, DoH and DoT establish encrypted connections between In the past several years, however, DNS privacy has become a users and resolvers. By doing so, these protocols provide privacy significant concern and design consideration.
    [Show full text]
  • Understanding Dnscurve DJ Bernstein
    Understanding DNSCurve D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Disclaimer: I haven't released DNSCurve software yet. But you can try prototypes: @mdempsky's DNSCurve cache, @hhavt's CurveDNS server. See also related projects: NaCl, DNSCrypt, CurveCP, MinimaLT. Varying release levels. DNS in a nutshell 1 Browser ! DNS: twitter.com? DNS in a nutshell 1 Browser ! DNS: twitter.com? 2 DNS ! browser: twitter.com A 199.16.156.38 DNS in a nutshell 1 Browser ! DNS: twitter.com? 2 DNS ! browser: twitter.com A 199.16.156.38 0 Admin ! ns2.twitter.com: twitter.com A 199.16.156.38 DNS in a nutshell 1 Browser ! DNS: twitter.com? 2 DNS ! browser: twitter.com A 199.16.156.38 0 Admin ! ns2.twitter.com: twitter.com A 199.16.156.38 1 Browser ! ns2.twitter.com: twitter.com? DNS in a nutshell 1 Browser ! DNS: twitter.com? 2 DNS ! browser: twitter.com A 199.16.156.38 0 Admin ! ns2.twitter.com: twitter.com A 199.16.156.38 1 Browser ! ns2.twitter.com: twitter.com? 2 ns2.twitter.com ! browser: twitter.com A 199.16.156.38 3 com admin ! f.ns.com: twitter.com NS ns2... ns2... A 204.13.250.34 3 com admin ! f.ns.com: twitter.com NS ns2... ns2... A 204.13.250.34 2 Browser ! f.ns.com: twitter.com? 3 com admin ! f.ns.com: twitter.com NS ns2... ns2... A 204.13.250.34 2 Browser ! f.ns.com: twitter.com? 1 f.ns.com ! browser: twitter.com NS ns2..
    [Show full text]