Royal Institute of Technology
Dept. of Numerical Analysis and Computer Science
Network Application Security Using
The Domain Name System
by
Simon Josefsson
TRITA-NA-E01107
Nada (Numerisk analys och datalogi)
Department of Numerical Analysis and Computer Science
KTH, Royal Institute of Technology
SE-100 44 Stockholm, SWEDEN
Master's Thesis in Computer Science (20 credits)
at the School of Matematisk-datalogisk linje,
Royal Institute of Technology, year 2001
Supervisor at Nada was Mikael Goldmann
Examiner was Stefan Arnborg
Abstract
A major problem for a distributed security system is the management of cryptographic keys. Public key techniques are often used to overcome many of the
problems. However, successful use of public key techniques in large systems such
as the Internet requires a certificate directory, that is, a mechanism to locate and
retrieve the public keys. In this thesis we explore how a common name lookup
mechanism, the Domain Name System (DNS), can be used to provide this functionality. We show how the idea can be implemented in a secure mail application
together with S/MIME. We compare the DNS lookup mechanism with traditional
Directory Access Protocol based systems and identify weaknesses and strengths.
We also discuss and suggest a solution to privacy threats that arise because of recent
security additions to the DNS, namely Secure DNS.
Säkerhet för nätverksapplikationer med Domännamnssystemet
(Security for Network Applications Using the Domain Name System)
Summary (Swedish abstract, translated)
When designing secure distributed systems, the management of cryptographic keys is a fundamental problem. Public-key (PK) technology is often used to solve many of these problems. For PK technology to be practically applicable in large systems such as the Internet, a certificate directory service is required, which is used to locate and retrieve public keys. This report describes how the common name lookup service, the Domain Name System (DNS), can be used to solve that problem. We show how DNS can be used to achieve secure e-mail together with S/MIME. We compare DNS with the traditional directory service based on the Directory Access Protocol and identify advantages and disadvantages. Finally, we discuss, and propose a solution to, threats against personal privacy; threats that are a consequence of a recently proposed security extension called Secure DNS.
Preface
This thesis was presented to Stockholm University as partial fulfillment of the requirements for the degree of Master of Science in Computing Science.
The work was performed at RSA Security in Stockholm, Sweden. Supervisor at
RSA Security was Magnus Nyström. Mikael Goldmann was supervisor at the Department
of Numerical Analysis and Computer Science (NADA). Examiner was
Stefan Arnborg.
Acknowledgements
I would like to thank my supervisors, Magnus Nyström and Mikael Goldmann, for
advice and comments on my work, and their suggestions that helped to improve
this report. All errors are of course my own.
The idea to use public key encryption of owner names in the Secure DNS “NO”
record was suggested by Jonas Holmerin (the idea later developed into hashing).
This report was written in LaTeX [61] and illustrated with Dia [62]. Also, BibTeX,
Emacs, ImageMagick and other free and open source software were instrumental
to the creation of this document.