SYSTEMS ATTACKS AND DEFENSES Editors: Davide Balzarotti, [email protected] | William Enck, [email protected] | Samuel King, [email protected] | Angelos Stavrou, [email protected]

A Cybersecurity Terminarch: Use It Before We Lose It

Eric Osterweil | George Mason University

term · in · arch

e /’ t re m , närk/ noun an individual that is the last of its species or subspecies. Once the terminarch dies, the species becomes extinct.

hy can’t we send encrypt- in the Internet have a long history W ed email (secure, private of failure. correspondence that even our mail To date, there has only been one providers can’t read)? Why do our success story, and, fortunately, it is health-care providers require us to still operating. Today, almost ev- use secure portals to correspond erything we do online begins with a with us instead of directly emailing query to a single-rooted hierarchical us? Why are messaging apps the global database, whose namespace only way to send encrypted messag- is collision-free, and which we have es directly to friends, and why can’t relied on for more than 30 years: we send private messages without the (DNS). user-facing) layer(s). This has left the agreeing to using a single platform Moreover, although the DNS pro- potential to extend DNSSEC’s verifi- (WhatsApp, Signal, and so on)? Our tocol did not initially have verifica- cation protections largely untapped. cybersecurity tools have not evolved tion protections, it does now: the Moreover, the model we are using to offer these services, but why? DNS Security Extensions (DNS- exposes systemic vulnerabilities. Cybersecurity and cryptograph- SEC). DNSSEC’s protections stem Since the late 1990s, the verifica- ically enhanced tools in the Inter- from the DNS tree’s root TA [often tion and authentication used by es- net have faced an uphill battle for called the Root Zone’s Key Signing sentially all our security protocols many years, due in no small part to Key (Root KSK)]. have made do with a collision-prone the fact that we do not have a global Since its deployment, the man- hierarchical verification model architecture for deploying interor- agement, maintenance, and policies called the Web public-key infra- ganizational (platform-agnostic) surrounding the Root KSK have structure (Web PKI). Interfaces like verifiability, authentication, been overseen by an international secure sockets use the Web PKI so and . This deficiency multistakeholder community, the that applications can benefit from stems largely from the absence of Internet Corporation for Assigned protections from this model without a single/unambiguous global-root Names and Numbers (ICANN) needing to delve into its complexity. cryptographic key for verification community.1 This model ensures Under these covers, the Web PKI’s [i.e., a public key that is usable as that there is no single entity that verification substrate uses multiple a global Trust Anchor (TA)]. A has unilateral jurisdiction over the roots (i.e., multirooted verification). global TA could be used to foun- Root KSK. Today, DNSSEC’s pro- It is a loosely organized list of cer- dationally enhance protections tocol, policies, and infrastructure tification authorities (CAs) that our for security tools, protocols, and are operationally mature and widely software uses to verify essentially more, but attempts to deploy one distributed. However, these protec- all our interorganizational data and tions lie at the low level of the Inter- transactions (TLS tunnels, HTTPS,

Digital Object Identifier 10.1109/MSEC.2020.2989703 net’s foundation and are not often secure SMTP, file encryption, etc.). Date of current version: 9 July 2020 noticed at the application (or other The Web PKI provides verification

1540-7993/20©2020IEEE Copublished by the IEEE Computer and Reliability Societies July/August 2020 67 Authorized licensed use limited to: George Mason University. Downloaded on September 14,2020 at 14:31:43 UTC from IEEE Xplore. Restrictions apply. SYSTEMS ATTACKS AND DEFENSES

and also asserts trust, but these are services, but single-rooted verifi- could worry that we will not be able separable protections. cation has proven to be a difficult to create and operationalize another. Although the Web PKI has raised species to breed. In 1989, there was New standards, like the DNS- the bar on miscreants, it has also left an attempt to create a single global based Authentication of Named En- important security doors unguard- root for Privacy-Enhanced Mail in tities (DANE) suite (RFC-6698, ed. Without a definitive starting RFC-1114, but the question of who RFC-8162, and RFC-7929)4 have point for verification, multirooted would operate that root was never emerged that have the immediate po- verification hierarchies suffer from answered. Later the Web PKI began tential to be used to unambiguously architectural vulnerabilities. For in- deployment but not as a multiroot- secure our protocols and data by us- stance, when a multirooted verifi- ed hierarchy. In 1995, VeriSign, Inc. ing DNSSEC. At a time when recent cation hierarchy like the Web PKI had its CA certificate configured in global events have caused a dramatic is used to authenticate HTTPS web the then-dominant Netscape Navi- increase in teleworking, distance transactions, relying party software gator .3 learning, and reliance on online com- packages (like web browsers) have At that time, secure web con- munications and when our Internet no way to know which CA is autho- nections verified all websites’ cryp- privacy has become top-of-mind to rized to vouch for a website. This is tographic keys by tracing secure many, why shouldn’t we be able to a problem because it can lead to at- delegation paths from that single root. apply end-to-end encryption and testation collisions; whereby brows- However, the Web PKI did not have object-security to our online lives? ers have no choice but to trust any protections that mandated a single Looking forward, this should certificate that is verified by any CA. root, and as browser software contin- also include email, medical records, One of the earliest high-profile ued to diversify and the World Wide cybersecurity information sharing, exploits of this attack vector was on Web continued to grow, the list of root and much more. Indeed, now is a CA named DigiNotar in 2011.2 CAs also grew. Today, there are hun- the right time for us to reassess the That event served as a large-scale dreds of root CAs in the Web PKI that foundations that we have built our existence proof of the vulnerability are configured in browsers, and they protections on, and also consider if of this model. In multirooted hierar- are often maintained (i.e., rolled over, we may be undermining our stron- chies, RPs generally don’t even have revoked, or otherwise changed) in gest (and largely untapped) founda- a way to know who all the roots are nontransparent/nonstandard ways. tional component. supposed to be. Knowing all the More recently, the Internet En- CA roots in the Web PKI is an open gineering Task Force (IETF) has Problems on the Horizon challenge. Browsers attempt to standardized protocols for verify- Recent DNSSEC-based protocols, stay current with each other’s trust ing the proper holders of Internet like DANE, enable rich protections stores, and there is an organization Protocol (IP) addresses and au- and are within our grasp; that is, if called the CA/Browser (CAB Fo- tonomous system numbers using we don’t lose them before we use rum) to coordinate this, but other an architecture called the Resource them. Several recent proposals for systems that have tried to use TLS Public-Key Infrastructure (RPKI) DNS over HTTPS, DNS over TLS, (HTTPS’s underlying secure con- in RFC-6480. After years of trying and even DNS over QUIC aim to nection protocol) have found this to align Internet stakeholders, and add security and privacy protections intractable. Uses in software like even after unambiguous advice from in ways that would actually create mail servers have essentially be- the Internet Architecture Board in verification loops and thereby fun- come nonstarters for that reason. 2010, the RPKI has not been able to damentally (albeit inadvertently) Single-rooted verification hierar- agree on a single root and now plans jeopardize the security, stability, and chies (like traditional PKIs) address to operate in perpetuity as a multi- resiliency (SSR) of the DNSSEC. the aforementioned problems at an rooted hierarchy. Just as with the These proposals focus on using architectural level. With a single root, Web PKI, the RPKI now has attesta- transport-layer security protections, there is no ambiguity about which tion collisions. Missed attempts like derived from verification performed signing authority is allowed to vouch these underscore the singular op- by the Web PKI, to access DNS- for whom (the single root clearly dis- portunity that DNSSEC represents. SEC. This would be a disastrous ambiguates this), and there is only It has even succeeded at an - weakness because it would funda- one single (well-known) root for RPs tional scale that other large (private) mentally undercut DNSSEC’s veri- to bootstrap and maintain. single-rooted PKIs have failed. As fication substrate. Our single-rooted There have been several commu- the first and only example of a de- verification hierarchy would (effec- nity attempts to create single-rooted ployed Internet-scale single-rooted tively) become a subtree under the verification hierarchies for Internet verification hierarchy species, one multirooted Web PKI. DNSSEC’s

68 IEEE Security & Privacy July/August 2020 Authorized licensed use limited to: George Mason University. Downloaded on September 14,2020 at 14:31:43 UTC from IEEE Xplore. Restrictions apply. protections would be subordinated munity processes. The DNSSEC root a critical starting point for almost and thereby have an architectural and TLDs are being meticulously pro- all our transactions on the Inter- dependency. Although the proposal tected and managed to ensure the SSR net, the DNS was designed to be to protect the transport of DNS is of the entire DNS hierarchy with the used to look up essentially arbitrary well intended, the approach must same level of security as CAs. data. Based on this, DNSSEC has not come at the greater cost of our Even exceptions are treated with evolved the DNS into a global PKI. architectural correctness. If we the highest level of prudence. In 2017, DNSSEC is in a position to imple- aren’t conscientious in our designs, the Root KSK was scheduled to grace- ment general-purpose object secu- we may never get another global sin- fully transition to a newer key (i.e., rity. This could be used to secure gle root, making DNSSEC a termin- rollover) because of proactive opera- threat intelligence, cybersecurity arch (i.e., the last of its kind). tional hygiene. However, before this information sharing, the Internet of Other proposals for alternate rollover was executed, measurements Things, email, electronic protected (i.e., competing) DNS roots (such indicated a potential problem, which health information (e-PHI), and as the Yeti DNS project) threaten prompted operators to postpone this much more. potential disaster, alternate naming rollover. This prudence serves as just By using DNSSEC as the Inter- schemes (like those of Namecoin, one of many examples of the diligence net’s global single root, we will get Ethereum Name Service, or the and care that exists in the manage- interoperability across all those In- GNU Name System) could portend ment of DNSSEC’s global root key. In ternet systems that already speak extinction, and alternate verification short, experts are plugged in and tak- DNS. With DNSSEC, we can secure schemes like certificate transparen- ing every precaution necessary to en- caches against poisoning attacks cy, which essentially enshrine a glob- sure proper operation and success of and reduce transitive trust attack al default trusted source (the way this critical resource. surfaces.6 The DNSSEC deploy- the Web PKI started), herald the ment is now counted in the millions same. In its current state, the DNS Deploying DNSSEC of domains and has been grow- has been an extensible resource for Now that DNSSEC is enjoying ing and succeeding at exponential more than 30 years, and we have broad adoption by service provid- rates, and operators are becoming only just begun to tap its potential as ers, there are increasingly easy ways increasingly adept at managing their a cybersecurity substrate. for administrators to deploy it. For cryptographic deployments.7 It is those who operate their own DNS ready to be built on. How Secure Is DNSSEC? infrastructure, almost all modern Protocols like DANE propose You Be the Judge! DNS software plat- to do exactly that, thereby repairing The operations of the DNSSEC root forms can enable DNSSEC via trivi- architectural holes that have ham- zone follow the strictest form of secu- al configurations. For those who use strung HTTPS. This will allow us to rity hygiene. The DNSSEC root fol- DNS registrars or other managed enable fallow object-security mod- lows a DNSSEC Practice Statement DNS (mDNS) providers to operate els, like using S/MIME for secure (which is published and available to their DNS infrastructures, many of end-to-end email encryption and anyone to inspect at iana.org); its these providers offer to deploy and signing.4 This would not only plug cryptographic keys are maintained manage DNSSEC through configu- existing security holes, it would in FIPS 140-2 Level 4 hardware se- ration pages in their online portals. also give us never-before-seen cy- curity modules, the process and Often, simply looking at the existing bersecurity facilities. Even DANE’s installations have achieved SOC 3 configuration options of either one’s nascent deployment already num- certification for nine consecutive own infrastructure or the pages of bers in the hundreds of thousands. years, there are multiple geographi- one’s provider can be the one-stop It has opened new possibilities for cally distributed disaster recovery shopping for turning DNSSEC on. Internet cybersecurity companies, sites, and high-value top-level do- The DNSSEC communities want to start-ups, and more. mains (TLDs) (like .com, .net, and help, and resources like the Internet so on) are also following the same Society’s Deploy 3605 pages offer level of security practices. resources for guidance to answer his all stems from DNS- Even routine processes like gen- questions and to otherwise help TSEC’s global single root, the erating zone signing keys require a with deploying DNSSEC. DNS Root KSK, the multistake- quorum of trusted community rep- holder policy community, and the resentatives to be physically present Use It Before We Lose It state-of-the art operations that and to verify material, transactions, Although using the DNS to resolve support the cryptographic mate- and adherence to the ICANN com- a domain name to an IP address is rial. Cybersecurity professionals www.computer.org/security 69 Authorized licensed use limited to: George Mason University. Downloaded on September 14,2020 at 14:31:43 UTC from IEEE Xplore. Restrictions apply. SYSTEMS ATTACKS AND DEFENSES

have the opportunity now to em- -compromise-ca-servers-103112/ tem’s attack surface,” inProc. 2014 brace this resource and capitalize 77170/ IEEE 22nd Int. Conf. Network Pro- on it to bring the Internet’s cyber- 3. N. Wingfield, “Digital IDs to help tocols (ICNP), pp. 636–641. doi: security to a new high watermark, secure Internet,” InfoWorld, Oct. 10.1109/ICNP.2014.101. [Online]. but we as a community need to 23, 1995. [Online]. Available: Available: ://ieeexplore.ieee continue to carefully protect the https://tinyurl.com/yaf6cwun .org/abstract/document/6980440 Internet’s first (and possibly last) 4. “How DANE strengthens security 7. “Growth and health metrics for global single-root verification ter- for TLS, S/MIME, and other ap- the global deployment,” 2020. minarch: DNSSEC. plications,” Verisign, Nov. 19, 2015. [Online]. Available: http://secspi [Online]. Available: https://blog der.net/ References .verisign.com/security/how-dane 1. “ICANN’s multistakeholder model,” -strengthens-security-for-tls-smi Eric Osterweil is the vice-chair of ICANN. [Online]. Available: https:// me-and-other-applications/ the ICANN Second Security, www.icann.org/community 5. Internet Society. Accessed on: May, Stability, and Resiliency Review 2. D. Fisher, “Final report on Digi- 9, 2020. [Online]. Available: https:// Team (SSR2 RT). Osterweil Notar hack shows total compro- www.internetsociety.org/deploy360/ received a Ph.D. from the Com- mise of CA servers,” Threatpost, dnssec/ puter Science Department, Oct. 31, 2012. [Online]. Avail- 6. E. Osterweil, D. McPherson, and George Mason University, Fair- able: https://threatpost.com/final L. Zhang, “The shape and size of fax, Virginia. Contact him at -report-diginotar-hack-shows-total threats: Defining a networked sys- [email protected].

Rejuvenating Binary Executables ■ Visual Privacy Protection ■ Communications Jamming Policing Privacy ■ Dynamic Cloud Certification■ Security for High-Risk Users Smart TVs ■ Code Obfuscation ■ The Future of Trust

IEEE Symposium on Security and Privacy

January/February 2016 March/April 2016 May/June 2016 Vol. 14, No. 1 Vol. 14, No. 2 Vol. 14, No. 3

IEEE Security & Privacy magazine provides articles with both a practical and research bent by the top thinkers in the fi eld. • stay current on the latest security tools and theories and gain invaluable practical and research knowledge, • learn more about the latest techniques and cutting-edge technology, and computer.org/security • discover case studies, tutorials, columns, and in-depth interviews and podcasts for the information security industry. Digital Object Identifier 10.1109/MSEC.2020.3002086

70 IEEE Security & Privacy July/August 2020 Authorized licensed use limited to: George Mason University. Downloaded on September 14,2020 at 14:31:43 UTC from IEEE Xplore. Restrictions apply.