One Year of DANE Tales and Lessons learned sys4.de Why DANE? Issues with opportunistic TL > CA model > Downgrade Attack > MITM attack > Incomplete automation for certification rollover Br0ken CA Model Today > Any CA can issue certificates for any domain > CAs have been compromised in the past > CAs have issued wrong or unauthorized certificates > Declining Trust in CA root certificates (since Snowden) DANE > Can secure „on top% of the CA model > Can be used with „self-signed% certificates (without CA# Türktrust? Diginotar? Session downgrade Today > Client doesn't know server supports T'" > MITM Attacker may downgrade session to „non T'"% DANE > T'"A RR signals T'" support !„strong ")*+'D%# via D,"!"-C) > Client can detect Downgrade Attacks !a server that advertises T'S via D,". but does not perform a T'S handshake# Session downgrade MITM Attack Today > Attacker can intercept T'" secured communication with a matching certificate (Common Name# DANE > Identification via D,""EC detects false identity of attacker > /012 fingerprint is only valid for the original server Automation. NOT! Today > Certification Authority is warrantor > Manual verification > ,eed to monitor certificate rollover DANE > Trusted D,""-C Domain acts as the warrantor (CA# > Identifcation on the same media via a different service (D,"# > Automatic certificate rollover possible How DANE works… DANE/TLS > DA,E / T'" creates a !new) T'"A R( in D," > T'"A R( publishes certificate fingerprint > 4D," based Authentication of ,amed -ntities4 ((5C 6627# > Authenticate T'" enabled server using a trusted channel !D,""EC) TLSA RR .uery $ dig +dnssec TLSA _25._tcp.mail.sys4.de _25._tcp.mail.sys4.de. 3600 IN TLSA 3 0 1 ( 9273B4E9040C1B9EE7C946EFC0BA8AAF2C6E5F05A1B2 C960C41655E32B15CBE0 ) _25._tcp.mail.sys4.de. 3600 IN RRSIG TLSA 8 5 3600 ( 20141124104604 20141117195102 19786 sys4.de. afEJbtmKZVn995XiI2BFQwYKC1ZfcsIK/j2JA9C8oYSp pneBLVYuX8C0ZW9zTHCExtXS1kJrNf48sFRaOWwbZvPy 1vRiB+c46QRG0kwceDUjzZGtpG3Al2LKBVKw4bxMMOzu DeqECrf/n1W8XF6UQcrB0PdTY81Y6IZTUovYhak= ) TLSA resource record _25._tcp.mail.sys4.de. IN TLSA 3 0 1 9273B4E9040C1B... | | | | | | | | Port-- | | | | | | | Protocol- | | | | | | Host---------- | | | | | Resource type------------------ | | | | Certificate Usage ------------------ | | | Selector ----------------------------- | | Matching Type -------------------------- | Certificate Association Data ------------- What is it good for? Use $ases > HTTPS Connect service/server to a certificate > SMTP Connect service3server to a certificate > OpenPGP Associate 8ublic 9eys to email address > S/MIME Associate Certificates with Domain ,ames and email addresses *TTPS Browser Plugin $PEs can create issues ! 6 # 4 " " $ D," 8ro:y issues. C8- modem study over 15 common C8E devices sys< for Unitymedia Deutschland. August =1;< %TP Security via Opportunistic DANE TL > Initial (5C draft published =1;> ?iktor Dukhovni. 8atrick @en 9oetter (lector# > Currently in DA,- AB $Last Call% > 5irst implementations > 8ostfi: > *penSMT8d > -:im > In production Csys< since ;=3=1;> 23erified“ makes all the difference Today Jul 14 11:03:31 mail postfix/smtp[6477]: Trusted TLS connection established to mx-ha03.web.de [213.165.67.104]:25: TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits) DANE Jul 14 11:04:44 mail postfix/smtp[6409]: Verified TLS connection established to mail.sys4.de [194.126.158.139]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits) DANE o1er %TP Adoption Currently about 1D=11 email domains > posteo.de > mailbox.org > bund.de > +nitymedia (+PC Germany) > bayern.de > "AITC) > I-T5 Top 10 DANE TLDs Dde ;=; >2E Dinfo 0 =E Dnl 0 =E Duk 5 =E Dcz 2 >E Dch ;3 <E Deu ;0 0E Dcom >4 ;;E Dnet 67 ==E Dorg >0 ;;E ?iktor Dukhovni on IET5 DANE mailinglist, 14.;;D=1;< DANE OPEN0607EY > Store 8B83B8B public keys in D," > 'ocal part of mail address hashed !currently: ")A=06 shortened to =7 bytes# > (eplaces or augments 8B8 keyserver > Benefits over current 9eyserversG > 9ey removalH > 9eys authenticated by DN""EC domain ownership and web of trust DANE OPEN6067EY Mail client !;# reIuest for *8-,8B89-J record!s# D,"!SEC# !;# reIuest for *8-,8B89-J resolver record!s# authoritative Mail server D," DANE OPEN6067EY Mail client !># D,""EC validation D,"!SEC# !=# public 8BP key!s# resolver for recipient email address authoritative Mail server D," DANE OPEN6067EY Mail client !<# mail encrypted with public key D,"!SEC# resolver !0# encrypted email is sent authoritative Mail server D," DANE %IMEA > Authenticates email x512 certificates for S3MIME > "tores hash or certificate in D,""EC secured domain > Email localpart hashed (=7 byte of SHA=06# > email clients !M+A. mail user agent) validate :012 certificate3public-key in incoming email > email clients fetch :012 public key certificates from D," DANE ,MIME Alice @ob !;# Bob sends Alice email with S3MIM- cert attached D,"!SEC# resolver authoritative D," DANE ,MIME Alice @ob !=# reIuest for "MIM-A records D,"!SEC# resolver !=# reIuest for "MIMEA records authoritative Mail server D," DANE ,MIME Alice @ob D,"!SEC# resolver !0# "/MIME :012 !<# D,""EC cert (or hash) + AD validation !># S/MIME x012 cert (or hash) authoritative D," DANE ,MIME Alice @ob D,"!SEC# resolver !6# Alice encrypts !F# encrypted email email with Bob's sent public key authoritative D," s(illa > "MIMEA aware Milter > $"milla&s Sense of Snowden% > Transparent for users > In- and outbound encryption > To be released as Open Source when R5C becomes standard > Download at https:33github.com/sys43 Ne8t Steps DANE W6 > ra%&Certificates > M't'a( Aut)entication client side authentication via T'"A R( > Pay*ent Association +ecords 'ink account information3bitcoin wallet to a email adress Markets for DANE Who benefits from DANE? > $"ecurity services% providers > Email users with „defined“ security requirements > Online 8ayment. insurance. banks > Enterprises > "ubcontractor TLS in .de "TA(TT'" 00E 8lainte:t <0E 2,7 Mio. MX RR > 275.000 MTAs with 12.092 IPv6 \o/ MTAs DNS EC in .DE signed $. 'nsi,ned --. $"MT8. "TA(TT'". DA,- Aer spielt mit wemL%. 8eter 9och, D-,IC eB D-,IC M Technisches Meeting. 5rankfurt, =1;< 12 >1 DN SE$ growth in .de "#/// "//// $#/// $//// #/// / ;>31; ;>31= ;>31> ;>31< ;>310 ;>316 ;>31F ;>317 ;>312 ;>3;1 ;>3;; ;>3;= ;<31; ;<31= ;<31> ;<31< ;<310 ;<316 ;<31F ;<317 $"MT8. "TARTT'". DANE Aer spielt mit wemL%. 8eter Koch. DENIC eB DENIC – Technisches Meeting, Frankfurt, =1;< 12 >1 DN SE$ growth in .NL 8owerDNS D,""EC deployment graphG httpsG33:sDpowerdnsDcom/dnssec nl-graph3 DANE road-blocks? What people tell > D,S provider with incomplete or non existent D,""-C support > D,""-C is technology but not a use case > Aith D,""-C issues become mission critical > Missing D,""-C/DA,- monitoring and alarming > Missing know-how for automated certificate-management and D,""-C signing > Missing toolchain for automated management -egistrars > Major registrars do not offer D,""EC > Costs/risks of moving domains between registrars Coordination > :012 certs, PB8 keys in D," > D," is a loosely consistent database > don&t forget about the cachesH old cert removed from mail-server. T'"A record T'"A of old cert for old cert deleted from D," zone new cert created. new T'"A record published Oonetransfer K TT' of T'"A ((set DNSSEC is Mission Critical > D," is the „ugly duckling% of network management > D,""EC might require a new3better D," design > D,""EC reIuires „trusted peers% > Expired D,""EC signatures can make domain „vanish% (until the SIGs are renewed) DANE 3alidator Takeaway > DA,E is open standard > DA,E allows scalable and secure trust management > DA,E requires D,""EC as a „one time cost% > "oftware support is hereG Postfi:. Exim. OpenSMT8d. OpenPB89-J milter. smilla > Get knowledge and experience now! sys4.de https;,/sys4.de/download/dane:N$ $:en.pdf.