draft-whr-dnsext-secure-online-update-00.txt

     
INTERNET-DRAFT	                       X. Wang, Y. Huang, D Rine (GMU)
<draft-whr-dnsext-secure-online-update-00.txt>              June 2000

Updates:  RFC 2136
Replaces: RFC 2137



       Secure Online Domain Name System (DNS) Dynamic Update


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as ``work in
   progress.''

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   Comments should be sent to the authors or the DNSIND WG mailing
   list namedroppers@internic.net.

   This draft expires on December 9, 2000.

   Copyright Notice

   Copyright (C) The Internet Society (2000).  All rights reserved.


Abstract

   This document proposes an alternate architecture to enable secure
   online Domain Name System (DNS) dynamic updates.  It is intended



Expires December 2000                                           [Page 1]

INTERNET-DRAFT    Secure Online DNS Dynamic Update            June 2000


   to enable a DNS zone to provide online dynamic update and at the
   same time, maintain the zone's security including role separation
   and intrusion tolerance against insider and outsider attacks.
   Threshold digital signature is used to implement the proposed
   architecture.

1 - Introduction

   This document proposes an alternate architecture to allow a
   DNS zone to provide secure online dynamic update. In contrast
   to existing dynamic update scheme, the proposed architecture
   distinguishes itself in that it provides high security
   for a zone when allowing it support online dynamic update.

   Familiarity with the DNS system [RFC1034, RFC1035], DNS
   Security Extension [RFC2535], dynamic update [RFC2136] and
   secure dynamic update [RFC2137] is helpful and is assumed by
   this document.

   This document obsoletes RFC 2137, an alternate proposal
   for secure dynamic update, due to implementation experience.

   1.1 - Overview of DNS Security Extension

      DNS Security Extension (DNSSEC) is proposed in [RFC2535].
      The DNSSEC provides RR authentication by the use of digital
      signatures. In DNSSEC, each zone is equipped with a
      public/private key pair. The private key is used to digitally
      sign all the RRs in that zone. The response to a DNS query
      will also include the requested RRs and a SIG RR
      (signature RR), which contains the digital signature of the
      requested RRs. The zone public key, used to verify signatures,
      is disseminated by means of KEY RRs.

      A major security principle of the DNSSEC is the role separation:
      it differentiates the roles of the DNS server administrator from
      the DNS zone manager. One advantage of the role separation
      is that it helps to prevent power abuses [SBM99]. In DNSSEC,
      it is the DNS zone manager, not the DNS server administrator,
      who is responsible for the security of a zone. A DNS server is
      just a place to publish the digitally signed DNS data of the zone.
      Thus, compromise of a secondary server or, if the zone private
      key is kept off line, even the primary server for a zone, will
      not necessarily affect the degree of assurance that a DNS
      client receives [RFC2535]. When zone data is updated, the zone
      manager will sign the new zone data off-line.

   1.2 - Overview of DNS Dynamic Update and DNS Secure Dynamic Update

      The idea of keeping zone private key off-line and computing
      the signatures of RRs off-line is based on the assumption
      that RRs in a DNS zone are relatively static. Indeed, in
      normal situations we can expect that bindings between domain
      names and IP addresses do not change frequently. However, it
      has been pointed out that DNS dynamic updates, which enable
      real-time changes (that is, add, delete, or update) in
      name/address bindings, are useful under many circumstances
      [Liu99,RFC2136]. (For example, such an update allows a

Wang, Huang & Rine	                                   [Page 2]

INTERNET-DRAFT    					  June 2000


      corporation to switch to a new domain name without waiting for
      the slow, manual processing of the name change request by a
      domain name registrar.) For a dynamic RR update to take effect
      immediately and securely, the signature of the updated RR must
      be computed online. It is worthwhile to note that although
      a DNS dynamic update requestor is communicating with a name
      server, the name server itself has no rights to update the
      zone data. Instead, it is the zone private key, instead of
      the name server's private key, that is needed in the dynamic
      update.

      In [RFC2137], two modes are defined to achieve the above goal.
      In mode A, the zone private key is kept off-line and any
      dynamic requests will be authorized by a dynamic update key
      that is kept online. However, in this mode, since the zone
      private key is not kept online,  zone transfer security is
      not automatically provided for dynamically added RRs, where
      they could be omitted, and authorization is not provided for
      the server denial of the existence of a dynamically added
      type [RFC2137]. In this sense, this mode is not a genuine
      DNS dynamic update. In mode B, on the other hand, the zone
      private key is kept online at the zone primary name server;
      thus, any legitimate DNS dynamic updates can be in effect
      immediately.

   1.3 - The existing drawbacks

      Both of the above modes above require that a zone security
      related private key be kept on line at the primary name server.
      This practice raises security concerns [RFC2137]. First, it makes
      the primary name server a single point of attack to an outside
      attacker. Should the primary server be compromised, the on¡line
      private key will be exposed, rendering dynamic RRs insecure
      in mode A or, even worse, all RRs in the entire zone insecure
      in mode B. Second, as an insider, the name server administrator
      has access of this private key, compromising the role separation
      principle and making it possible for the name server
      administrator to abuse his/her power. (The importance of fending
      off insider attacks has been emphasized by the security
      community [RFC2196].)

2 - The Secure On-line DNS Dynamic Update Architecture

   2.1 - Background: Threshold Cryptography

      Threshold cryptography is a branch of cryptography that
      enables a group of n members, 1,2, ..., n, to act as a single
      communication party, using one pair of public and private keys
      [Des87,Des94,Des97]. Similar to the traditional public key
      cryptography, the public key is known to the public. Unlike
      the traditional public key cryptography, the private key of
      the group, K_private, does not exist as a whole. Rather, each
      member i, 1 <= i <= n, will be assigned a number of key shares
      of the private key. (For each public key cryptography algorithm,


Wang, Huang & Rine	                                   [Page 3]

INTERNET-DRAFT    					  June 2000


      a corresponding key sharing mechanism must be devised.) To
      perform a cryptographic computation (such as decryption, signing,
      identification, etc.) on message m with key K_private, b,
      b <= n , group members will be required. Each member will compute
      a partial result. Subsequently, the partial results are combined
      to produce the final result. The combiner is not necessarily to
      be trusted. Note that during this whole process the shared
      private key, K_private, is never reconstructed.  Further,
      threshold cryptography requires that the shared private key
      cannot be reconstructed from any t < b group members.

      Practical threshold cryptography for RSA and DSS have been
      designed. A practical threshold RSA is given by [DDB94] where
      b = t+1 and a practical threshold DSS is given by  [GJKR96b] where
      t < n/2 and b = 2t+1.

   2.2 - Introduction
					   +------------------------+
		       +---------+    #####| zone-security server 1 |
+---------+            | DNS     |    #    +------------------------+
|DNS      | DNS query  |         |    #
| Inquirer|--------->  |         |    #
+---------+            | Primary |    #    +------------------------+
		       |         |#########| zone-security server 2 |
		       | Name    |    #    +------------------------+
		       |         |    #
		       |         |    #         .         .       .
+------+               | Server  |    #         .         .       .
|DNS   | DNS Dynamic   |         |    #         .         .       .
| User |=============> |         |    #    +--------------------------+
+------+ Update request|         |    #####| zone-security server n-1 |
		       |         |         +--------------------------+
		       +---------+
			  |
			  | zone transfer
			 \|/
		  +-----------------+
		  | DNS Secondary   |
		  |   Name Server   |
		  +-----------------+

      In the above proposed architecture, we assume that there exist
      (n-1), n >= 2, machines in a given DNS zone that are under the
      control of the zone manager, but not under the control of the
      name server administrators. These machines are called the
      zone-security servers.

      Using a threshold cryptography scheme with n > t >= 1, the
      zone private key is shared among the (n-1) zone-security servers
      and the primary name server.  To update zone's data dynamically,
      some of the servers will be needed. Let b > t be the number of
      zone private key shares needed in the computation of the
      signature of an RR. Since b >= 2, any change to the zone data
      will need the cooperation of at least one zone-security server;


Wang, Huang & Rine	                                   [Page 4]

INTERNET-DRAFT    					  June 2000


      the name server administrator will have no way to modify the
      digitally signed zone data. Thus, the role separation principle
      holds. Moreover, the above architecture enhances intrusion
      tolerance of DNS.

      A DNS system is said to be k-intrusion-tolerant against an
      entity, E, if breaking into k servers (including the
      zone-security servers and the DNS name servers, if applicable)
      that are outside E's control will not help E gain any knowledge
      of the zone private key. A DNS system is said to be intrusion
      tolerant against an outsider (insider) if it is at least
      1-intrusion-tolerant against the outsider (insider). The
      architecture proposed in this document can be configured to be
      intrusion tolerant against outside and inside attackers.

	 Intrusion tolerance against outsider attacks. In the
	    architecture, the zone private key cannot be recovered from
	    any single location, thus, making the system intrusion
	    tolerant against an outside attacker. That is, even when an
	    outside attacker manages to corrupt l, l <= t, of relevant
	    servers (including the name servers and the zone-security
	    servers), secrecy of the zone private key is still
	    maintained.

	 Intrusion tolerance against insider attacks.  The presence of
	    zone security servers and the necessity of their involvement
	    in signature computations constitute a defense line
	    against insider attacks, in particular, attacks from name
	    server administrators. Clearly, a hostile name server
	    administrator must break into at least t zone security
	    servers (to get access to the respective key shares) in
	    order to perform unauthorized RR signature computations.

3 - Implementation Details

   [RFC2535] defines two types of SIG records, the DSA SIG and
   the RSA/MD5 SIG. The important configuration and implementation
   aspects of our proposed architecture with respect to these two types
   of SIGs are given next.  In the following statement,
   the primary name server will be referred to as server 0 and the
   (n-1) zone-security servers will be referred to as servers
   1, 2, ... , (n-1).

   3.1 - Example Configurations

      The following table gives some representative configurations, in
      terms of t and n, to achieve the above security levels in
      different application cases.


Wang, Huang & Rine	                                   [Page 5]

INTERNET-DRAFT    					  June 2000


      +----------------------------+----------------------------+
      |                            | RSA/MD5 SIG |  DSA SIG     |
      |   SECURITY LEVEL           +-------------+--------------+
      |                            | 1-2 |  2-4  |  1-3  | 2-5  |
      +----------------------------+-----+-------+-------+------+
      |Intrusion tolerant against  |     |       |       |      |
      | outsider attackers (Y/N)   |  Y  |   Y   |   Y   |  Y   |
      +----------------------------+-----+-------+-------+------+
      |Intrusion tolerant against  |     |       |       |      |
      | insider attackers (Y/N)    |  N  |   Y   |   N   |  Y   |
      +----------------------------+-----+-------+-------+------+

   3.2 - The RSA/MD5 SIG

      Assume that, in RSA, the zone's private key is d and its
      public key is (e, N). Phi(N) is the Euler function of N, i.e.,
      phi(N) = (p-1)(q-1) where N = p * q. We use the threshold
      digital signature scheme given in [DDB94] and now give
      how the zone private key is shared and how to generate a
      RSA/MD5 SIG RR online.

      The 1-2 case. In this case, the zone manager generates a random,
	 d1, 1 < d1 < phi(N), and compute d2, d2 = d - d1 mod phi(N).
	 Values d1 and d2 are sent securely to the primary name server
	 and the zone-security server respectively.

	 To generate a RSA/MD5 SIG of m, where m is the MD5 digest of
	 an RR, the two servers will compute m^d1 mod N and m^d2 mod N
	 respectively. Then any one of them can combine the partial
	 results as m^d1 * m^d2 mod N = m^d mod N, the digital signature
	 of m by the zone private key.

      The 2-4 case. To generate key shares, the zone manager generates
	 4 random numbers, d1, d2, d3, d4, where 1 < di < phi(N)
	 for 1 <= i <= 4.  He/she will also compute two numbers,
	 d5 = d - d1 - d2 mod phi(N) and d6 = d - d3 - d4 mod phi(N).
	 Subsequently, d1 and d6 are sent to the primary name server,
	 d2 and d6 are sent to server 1, d3 and d5 are sent to server 2,
	 d4 and d5 are sent to server 3, as shown in the following table.

      +---------------------+----------+----------+----------+---------+
      |                     | SERVER 0 | SERVER 1 | SERVER 2 | SERVER 3|
      +---------------------+----------+----------+----------+---------+
      |  KEYS ASSIGNED      | d1, d6   | d2, d6   | d3, d5   |  d4, d5 |
      +-------------+-------+----------+----------+----------+---------+
      |PARTICIPATING|(0,1,2)|   d1     |   d2     |    d5    |         |
      |             +-------+----------+----------+----------+---------+
      |             |(0,1,3)|   d1     |   d2     |          |    d5   |
      |             +-------+----------+----------+----------+---------+
      |             |(0,2,3)|   d6     |          |    d3    |    d4   |
      | SERVERS     +-------+----------+----------+----------+---------+
      |             |(1,2,3)|          |   d6     |    d3    |    d4   |
      +-------------+-------+----------+----------+----------+---------+


Wang, Huang & Rine	                                   [Page 6]

INTERNET-DRAFT    					  June 2000


	 To generate a RSA/MD5 SIG, any 3 of the 4 servers will be
	 needed. For example, if the primary name server and the
	 zone-security servers 1 and 2 are present (the (0,1,2) case in
	 the above table), the three servers will compute m^d1 mod N,
	 m^d2 mod N, and m^d3 mod N respectively. After that any one of
	 them can combine the partial results to produce
	 m^d1 * m^d2 * m^d3 mod N = m^d mod N, the digital signature of
	 m by the zone private key.  Other possibilities of computing
	 the signature of m are summarized in the above table.

   3.3 - The DSA SIG

      In this case, for a t-n configuration (such as the 1-3 and 2-5
      configurations), the zone manager will generate n shares of the
      zone private key and distribute them to the n servers
      using a (t,n) Shamir secret sharing scheme [Sha79]. When the
      zone data needs updating, (2t+1) servers are required to jointly
      compute the DSA SIG RR [GJKR96b].

5 - Security considerations

   This document proposes an architecture to allow a DNS zone to
   provide secure online DNS dynamic update. It uses threshold
   digital signature to maintain the role separation principle and can
   also provide intrusion tolerance against both outside attackers
   and inside attackers.

   It should be noted that the authentication a DNS dynamic update
   requestor and authorization of a update request, which is handled
   elsewhere such as [RFC2535], is not dealt in this document,

6 - Acknowledgements

   The authors wish to thank for many helpful discussions on the
   DNSSEC mailing list and would like to give special thanks to
   Yvo Desmedt.

7 - References

   [DDB94]   Y. Desmedt, G. Di Crescenzo, and M. Burmester.
	     ``Multiplicative nonabelian sharing schemes and their
	     application to threshold cryptography''. In J. Pieprzyk
	     and R. SafaviNaini, editors, Advances in Cryptology -
	     Asiacrypt '94, volume 917 of Lecture Notes in Computer
	     Science, pages 21--32, Wollongong, Australia,
	     November/December 1994. Springer-Verlag.

   [Des87]   Y. Desmedt. ``Society and group oriented cryptography:
	     a new concept''. In C. Pomerance, editor, Advances in
	     Cryptology, Proc. of Crypto '87, volume 293 of Lecture
	     Notes in Computer Science, pages 120--127, Santa Barbara,
	     California, U.S.A., August 16--20, 1988. Springer-Verlag.


Wang, Huang & Rine	                                   [Page 7]

INTERNET-DRAFT    					  June 2000


   [Des94]   Y. Desmedt. ``Threshold cryptography''. European Trans.
             on Telecommunications, 5(4):449--457, July-August 1994.

   [Des97]   Y. Desmedt. ``Some recent research aspects of threshold
	     cryptography''. In E. Okamoto, G. Davida, and M. Mambo,
	     editors, Information Security, volume 1396 of Lecture
	     Notes in Computer Science, pages 158--173, Tatsunokuchi,
	     Ishikawa, Japan, September 1997. Springer-Verlag.

   [DSA2]    National Institute for Standards and Technology.
             ``Digital signature standard (DSS)'', February 2000.

   [GJKR96b] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin.
             ``Robust threshold DSS signatures''. In U. Maurer,
             editor, Advances in Cryptology - Eurocrypt '96,
             volume 1070 of Lecture Notes in Computer Science,
             pages 354-371, Zaragoza, Spain, May 12--16 1996.
             Springer-Verlag.

   [GMP]     T. Granlund. ``GNU MP''. Source code available from
	     http://www.gnu.org/manual/gmp/index.html.

   [Liu99]   C. Liu. ``Securing an Internet name server''.
             Presentation, 1999. Available at
	     http://www.acmebw.com/papers/securing.pdf.

   [RFC1034]  P. Mockapetris, ``Domain Names - Concepts and
	      Facilities,'' RFC 1034, ISI, November 1987.

   [RFC1035]  P. Mockapetris, ``Domain Names - Implementation and
	   Specification,'' RFC 1035, ISI, November 1987.

   [RFC2136]  P. Vixie (Ed.), S. Thomson, Y. Rekhter, J. Bound ``Dynamic
	      Updates in the Domain Name System,'' RFC 2136, ISC &
	      Bellcore & Cisco & DEC, April 1997.

   [RFC2137]  D. Eastlake ``Secure Domain Name System Dynamic Update,''
	      RFC 2137, CyberCash, April 1997.

   [RFC2196] B. Fraser. ``Site Security Handbook,'' RFC2196, September
	     1997.

   [RFC2535]  D. Eastlake, ``Domain Name System Security Extensions,''
	      RFC 2535, IBM, March 1999.

   [SBM99]   R. Sandhu, V. Bhamidipati, and Q. Munawer. ``The ARBAC97
	     model for role-based administration of roles''. ACM
	     Transactions on Information System Security, 2(1):105-
	     135, February 1999.

   [Sha79]   A. Shamir. ``How to share a secret''. Commun. ACM,
             22:612-613, November 1979.


Wang, Huang & Rine	                                   [Page 8]

INTERNET-DRAFT    					  June 2000


8 - Author's Address

   A postscript of this document is available from
	http://www.cs.gmu.edu/~xwang4/dnssecureonline.ps

   Send all comments to xwang4@cs.gmu.edu

   Xunhua Wang
       Department of Computer Science
       George Mason University
       Fairfax, VA 22030-4444
       USA

       Phone: +1-703-993-1536
       Fax:   +1-703-993-1710
       EMail: xwang4@cs.gmu.edu

   Yih Huang
       Department of Computer Science
       George Mason University
       Fairfax, VA 22030-4444
       USA

       Phone: +1-703-993-1540
       Fax:   +1-703-993-1710
       EMail: hyangyih@cs.gmu.edu

   David Rine
       Department of Computer Science
       George Mason University
       Fairfax, VA 22030-4444
       USA

       Phone: +1-703-993-1546
       Fax:   +1-703-993-1710
       EMail: drine@cs.gmu.edu


9 - Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain
   it or assist in its implementation may be prepared, copied,
   published and distributed, in whole or in part, without restriction
   of any kind, provided that the above copyright notice and this
   paragraph are included on all such copies and derivative works.
   However, this document itself may not be modified in any way,
   such as by removing the copyright notice or references to the


Wang, Huang & Rine	                                   [Page 9]

INTERNET-DRAFT    					  June 2000


   Internet Society or other Internet organizations, except as needed
   for the purpose of developing Internet standards in which case
   the procedures for copyrights defined in the Internet Standards
   process must be followed, or as required to translate it into
   languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on
   an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."































Expires December 2000                                        [Page 10]

INTERNET-DRAFT    Secure Online DNS Dynamic Update            June 2000