Layering Public Key Distribution Over Secure DNS using Authenticated Delegation ∗ John P. Jones, Daniel F. Berger, Chinya V. Ravishankar Department of Computer Science & Engineering University of California, Riverside Riverside, CA, 92521 {jjones,dberger,ravi}@cs.ucr.edu Abstract specifications for securing email, they have not been widely adopted. We present the Internet Key Service (IKS), a distributed architecture for authenticated distribution of public keys, layered on Secure DNS (DNSSEC). Clients use DNSSEC to 1.1. The Internet Key Service securely discover the identities of the relevant IKS servers, and send key lookup or management requests directly to these servers using a special-purpose protocol. Clients au- We focus on a capability crucial to pervasive adop- thenticate keys retrieved from IKS servers using key commit- tion of cryptography: simple, scalable, authenticated pub- ments published in DNSSEC. IKS derives its authentication lic key distribution. We present the Internet Key Service authority from the authority DNS domains have over Inter- (IKS), a practical and deployable architecture for providing net names. The IKS architecture is loosely coupled with application-independent public key distribution layered on DNS to minimize overhead on DNS servers. We also present top of Secure DNS (DNSSEC). Our approach is flexible and RIKS, a prototype IKS implementation. extensible, and can store and serve a variety of key types in support of a variety of applications. The Internet Key Service bases its key-authentication au- 1. Introduction thority on DNS’s authority to manage Internet names. This is a significant feature, since all global names encountered on the Internet, regardless of their syntax or structure, ulti- Digital communication has become pervasive, but there mately represent resources or entities that are only address- are few guarantees that such communications are secure and ible over the network as a part of the DNS namespace. A private. Indeed, security and privacy threats, long seen as DNS domain has naming authority over the objects that be- hypothetical, are already real; in 2004, for the first time long to it so, in this sense at least, all names are ultimately ever, an arrest was publicly acknowledged as having re- DNS names. sulted from passive email monitoring [2]. The DNS namespace is the Internet-wide standard for Though cryptographic techniques exist that can address defining who has control over which names. IKS is loosely these concerns, no infrastructure is available to facilitate coupled to DNS, so that it can provide specialized key dis- their use by a variety of applications, and across the In- tribution protocols without requiring changes to or impos- ternet. Cryptography has been most successfully deployed ing significant overhead on DNS. in protocols where a clear client-server relationship ex- ists, such as Secure Socket Layer/Transport Layer Security The remainder of this document is organized as follows: (SSL/TLS) [22, 13], and Secure Shell (SSH) [50]. While Section 2 provides necessary background. Section 3 briefly proposals exist for securing less hierarchical applications, surveys related work. Section 4 gives a high-level view of such as the Privacy Enhanced Mail (PEM) [32], and Se- our proposed solution. Section 5 delves deeper into the pro- cure Multimedia Internet Mail Extensions (S/MIME) [29] tocol design. Section 6 presents the Riverside Internet Key Server (RIKS) our proof-of-concept implementation of the ∗This work was supported in part by the Defense Advanced Projects IKS. Finally, Section 7 summarizes our findings, and points Research Agency under contract F30602-01-2-0536. out avenues for future exploration. 2. Background Security was not a primary consideration during the de- sign and implementation of DNS. Its security shortcomings We assume familiarity with asymmetric (public key) were first discussed in [7, 47]. The Internet Engineering cryptography, digital signatures and one-way hash func- Task Force (IETF) launched the DNSSEC effort in 1993 to tions. Readers unfamiliar with these topics are encouraged secure DNS. Presently, the DNSSEC working group pro- to consult a cryptography text, such as [42]. posal is nearing operational readiness, bringing with it the promise of a trustworthy name service. 2.1. Key Authentication 2.3. DNSSEC Overview Key authentication is the process of validating the bind- DNSSEC is a collection of proposals for securing the ing of a cryptographic key to a named entity. Public key data stored in DNS. Using cryptographic techniques, re- cryptosystems simplify, but do not solve, the problem of sponses can be strongly authenticated, greatly reducing the key distribution, since public keys must be authenticated to potential for abuse present in the current DNS. An IETF prevent impersonation and man-in-the-middle attacks. The draft [5] enumerates the threats DNSSEC is intended to most widely used approaches for solving the key authenti- guard against. We focus here on the portions of DNSSEC cation problem are the certifying authority model, exempli- relevant to our work. A detailed overview appears in [3]. fied by SSL/TLS, and the web-of-trust model, exemplified by Pretty Good Privacy (PGP). Zone Signing. A DNSSEC-enabled DNS server responsi- ble for a given domain (called a zone) signs the resource Certifying Authorities. The certifying authority (CA) records comprising the zone with a public/private key pair model assumes a small number of highly trusted individuals bound to that zone, and delivers those signatures to querying or organizations. Each key-identity binding must be certi- clients. These Resource Record SIGnatures are stored in a fied by one of these trusted entities. Certificate verification new DNS record type, RRSIG, which contains a signature requires the certifier’s public key to first be authenticated. that authenticates a specific named set of resource records In practice, a small set of root certificates, which are public (RRSet). Each named resource in a secured DNS zone will keys for various recognized certifying authorities, are typi- have at least one associated RRSIG record. cally preloaded into the cryptographic application. DNSSEC responds to a query from a DNSSEC-enabled Webs Of Trust. The web-of-trust model, relies on peers to client with the DNS record for the name specified, along vouch for the validity and trustworthiness of other peers. An with the associated RRSIG record. The client obtains the unfamiliar key is accompanied by affirmations (digital sig- public key associated with the zone and verifies the pro- natures) from a set of community members who assert that vided signature. If the signature is valid, the client can trust the provided key is associated with the claimed identity. A that the response was provided by the authoritative source. recipient accepts the key only upon receiving enough veri- Key Distribution in DNSSEC. To verify signatures, the fiable affirmations from individuals that they trust. client must be either statically configured with the public IKS follows the certifying authority model; the IKS server key for the queried zone (the zone key), or be able to obtain for a domain acts as a CA for that domain and its public key and authenticate it. To facilitate distribution of zone keys, can be authenticated by its key commitment published via DNSSEC defines a DNSKEY resource record type. DNSSEC. A DNS client queries for a zone key in the same way it queries for any other DNS record type. To authenticate the 2.2. The Domain Name System (DNS) retrieved key, the DNSKEY record must be signed by a key which the client has previously authenticated, typically the key of the parent domain. By recursively requesting keys The Domain Name System (DNS) [36] is the most effec- and moving up the DNS hierarchy, the client will either find tive and widely-used mechanism for name registration and a trusted key, or exhaust the name space without doing so, resolution on the Internet, and is a critical component of the causing the key authentication attempt to fail. (This descrip- Internet infrastructure. DNS names are assigned from a hi- tion is conceptually sufficient, but not technically precise. erarchical namespace, and organizations are granted control Full details are in [27].) over a sub-tree rooted at the domain they have registered. The DNS top-level domains (e.g. .com, .org, .edu, .us, .uk) DNSSEC Implementation Status. DNSSEC has recently are administered by ICANN. Domain administrators man- matured into an implementable system. An IETF draft ex- age DNS servers to provide authoratitive answers to queries ists that updates RFC 2535 and details the DNS protocol regarding the domain and to participate in resolving DNS changes required to support DNSSEC [4]. A DNSSEC de- queries for clients belonging to the domain. ployment working group has been formed with support of NIST and ICANN. Consensus is growing that DNSSEC is 3.1. In-Band Key Transmission largely ready for deployment, and that 2006 may see the beginnings of wide-spread adoption. A common approach to key distribution is to relegate it to the communication protocol. The SSH and SSL/TLS proto- 2.4. Barriers to Distributing Keys in DNS cols both transmit the necessary keying information during connection setup, but use different authentication methods. Secure Shell (SSH) Unfortunately, DNSSEC does not generally solve au- . SSH performs initial key authentica- thenticated key distribution. The KEY record was originally tion by asking the user to certify the key-host association. A key fingerprint intended to store various key types, including application hash of the public key (a ) is then stored lo- keys [14]. This decision was explicitly reversed due to scal- cally. Subsequent connections use this stored fingerprint to ability concerns, query interface limitations, and adminis- authenticate known hosts without further user intervention. trative authority mismatches [33]. This approach assumes that the end-user will know the appropriate key fingerprint during initial connection setup.