INTERNET-DRAFT X. Wang, Y. Huang, D Rine (GMU) <draft-whr-dnsext-secure-online-update-00.txt> June 2000 Updates: RFC 2136 Replaces: RFC 2137 Secure Online Domain Name System (DNS) Dynamic Update Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Comments should be sent to the authors or the DNSIND WG mailing list namedroppers@internic.net. This draft expires on December 9, 2000. Copyright Notice Copyright (C) The Internet Society (2000). All rights reserved. Abstract This document proposes an alternate architecture to enable secure online Domain Name System (DNS) dynamic updates. It is intended Expires December 2000 [Page 1] INTERNET-DRAFT Secure Online DNS Dynamic Update June 2000 to enable a DNS zone to provide online dynamic update and at the same time, maintain the zone's security including role separation and intrusion tolerance against insider and outsider attacks. Threshold digital signature is used to implement the proposed architecture. 1 - Introduction This document proposes an alternate architecture to allow a DNS zone to provide secure online dynamic update. In contrast to existing dynamic update scheme, the proposed architecture distinguishes itself in that it provides high security for a zone when allowing it support online dynamic update. Familiarity with the DNS system [RFC1034, RFC1035], DNS Security Extension [RFC2535], dynamic update [RFC2136] and secure dynamic update [RFC2137] is helpful and is assumed by this document. This document obsoletes RFC 2137, an alternate proposal for secure dynamic update, due to implementation experience. 1.1 - Overview of DNS Security Extension DNS Security Extension (DNSSEC) is proposed in [RFC2535]. The DNSSEC provides RR authentication by the use of digital signatures. In DNSSEC, each zone is equipped with a public/private key pair. The private key is used to digitally sign all the RRs in that zone. The response to a DNS query will also include the requested RRs and a SIG RR (signature RR), which contains the digital signature of the requested RRs. The zone public key, used to verify signatures, is disseminated by means of KEY RRs. A major security principle of the DNSSEC is the role separation: it differentiates the roles of the DNS server administrator from the DNS zone manager. One advantage of the role separation is that it helps to prevent power abuses [SBM99]. In DNSSEC, it is the DNS zone manager, not the DNS server administrator, who is responsible for the security of a zone. A DNS server is just a place to publish the digitally signed DNS data of the zone. Thus, compromise of a secondary server or, if the zone private key is kept off line, even the primary server for a zone, will not necessarily affect the degree of assurance that a DNS client receives [RFC2535]. When zone data is updated, the zone manager will sign the new zone data off-line. 1.2 - Overview of DNS Dynamic Update and DNS Secure Dynamic Update The idea of keeping zone private key off-line and computing the signatures of RRs off-line is based on the assumption that RRs in a DNS zone are relatively static. Indeed, in normal situations we can expect that bindings between domain names and IP addresses do not change frequently. However, it has been pointed out that DNS dynamic updates, which enable real-time changes (that is, add, delete, or update) in name/address bindings, are useful under many circumstances [Liu99,RFC2136]. (For example, such an update allows a Wang, Huang & Rine [Page 2] INTERNET-DRAFT June 2000 corporation to switch to a new domain name without waiting for the slow, manual processing of the name change request by a domain name registrar.) For a dynamic RR update to take effect immediately and securely, the signature of the updated RR must be computed online. It is worthwhile to note that although a DNS dynamic update requestor is communicating with a name server, the name server itself has no rights to update the zone data. Instead, it is the zone private key, instead of the name server's private key, that is needed in the dynamic update. In [RFC2137], two modes are defined to achieve the above goal. In mode A, the zone private key is kept off-line and any dynamic requests will be authorized by a dynamic update key that is kept online. However, in this mode, since the zone private key is not kept online, zone transfer security is not automatically provided for dynamically added RRs, where they could be omitted, and authorization is not provided for the server denial of the existence of a dynamically added type [RFC2137]. In this sense, this mode is not a genuine DNS dynamic update. In mode B, on the other hand, the zone private key is kept online at the zone primary name server; thus, any legitimate DNS dynamic updates can be in effect immediately. 1.3 - The existing drawbacks Both of the above modes above require that a zone security related private key be kept on line at the primary name server. This practice raises security concerns [RFC2137]. First, it makes the primary name server a single point of attack to an outside attacker. Should the primary server be compromised, the on¡line private key will be exposed, rendering dynamic RRs insecure in mode A or, even worse, all RRs in the entire zone insecure in mode B. Second, as an insider, the name server administrator has access of this private key, compromising the role separation principle and making it possible for the name server administrator to abuse his/her power. (The importance of fending off insider attacks has been emphasized by the security community [RFC2196].) 2 - The Secure On-line DNS Dynamic Update Architecture 2.1 - Background: Threshold Cryptography Threshold cryptography is a branch of cryptography that enables a group of n members, 1,2, ..., n, to act as a single communication party, using one pair of public and private keys [Des87,Des94,Des97]. Similar to the traditional public key cryptography, the public key is known to the public. Unlike the traditional public key cryptography, the private key of the group, K_private, does not exist as a whole. Rather, each member i, 1 <= i <= n, will be assigned a number of key shares of the private key. (For each public key cryptography algorithm, Wang, Huang & Rine [Page 3] INTERNET-DRAFT June 2000 a corresponding key sharing mechanism must be devised.) To perform a cryptographic computation (such as decryption, signing, identification, etc.) on message m with key K_private, b, b <= n , group members will be required. Each member will compute a partial result. Subsequently, the partial results are combined to produce the final result. The combiner is not necessarily to be trusted. Note that during this whole process the shared private key, K_private, is never reconstructed. Further, threshold cryptography requires that the shared private key cannot be reconstructed from any t < b group members. Practical threshold cryptography for RSA and DSS have been designed. A practical threshold RSA is given by [DDB94] where b = t+1 and a practical threshold DSS is given by [GJKR96b] where t < n/2 and b = 2t+1. 2.2 - Introduction +------------------------+ +---------+ #####| zone-security server 1 | +---------+ | DNS | # +------------------------+ |DNS | DNS query | | # | Inquirer|---------> | | # +---------+ | Primary | # +------------------------+ | |#########| zone-security server 2 | | Name | # +------------------------+ | | # | | # . . . +------+ | Server | # . . . |DNS | DNS Dynamic | | # . . . | User |=============> | | # +--------------------------+ +------+ Update request| | #####| zone-security server n-1 | | | +--------------------------+ +---------+ | | zone transfer \|/ +-----------------+ | DNS Secondary | | Name Server | +-----------------+ In the above proposed architecture, we assume that there exist (n-1), n >= 2, machines in a given DNS zone that are under the control of the zone manager, but not under the control of the name server administrators. These machines are called the zone-security servers. Using a threshold cryptography scheme with n > t >= 1, the zone private key is shared among the (n-1) zone-security servers and the primary name server. To update zone's data dynamically, some of the servers will be needed. Let b > t be the number of zone private key shares needed in the computation of the signature of an RR. Since b >= 2, any change to the zone data will need the cooperation of at least one zone-security server; Wang, Huang & Rine [Page 4] INTERNET-DRAFT June 2000 the name server administrator will have no way to modify the digitally signed zone data. Thus, the role separation principle holds. Moreover, the above architecture enhances intrusion tolerance of DNS. A DNS system is said to be k-intrusion-tolerant against an entity, E, if breaking into k servers (including the zone-security servers and the DNS name servers, if applicable) that are outside E's control will not help E gain any knowledge of the zone private key. A DNS system is said to be intrusion tolerant against an outsider (insider) if it is at least 1-intrusion-tolerant against the outsider (insider). The architecture proposed in this document can be configured to be intrusion tolerant against outside and inside attackers. Intrusion tolerance against outsider attacks. In the architecture, the zone private key cannot be recovered from any single location, thus, making the system intrusion tolerant against an outside attacker. That is, even when an outside attacker manages to corrupt l, l <= t, of relevant servers (including the name servers and the zone-security servers), secrecy of the zone private key is still maintained. Intrusion tolerance against insider attacks. The presence of zone security servers and the necessity of their involvement in signature computations constitute a defense line against insider attacks, in particular, attacks from name server administrators. Clearly, a hostile name server administrator must break into at least t zone security servers (to get access to the respective key shares) in order to perform unauthorized RR signature computations. 3 - Implementation Details [RFC2535] defines two types of SIG records, the DSA SIG and the RSA/MD5 SIG. The important configuration and implementation aspects of our proposed architecture with respect to these two types of SIGs are given next. In the following statement, the primary name server will be referred to as server 0 and the (n-1) zone-security servers will be referred to as servers 1, 2, ... , (n-1). 3.1 - Example Configurations The following table gives some representative configurations, in terms of t and n, to achieve the above security levels in different application cases. Wang, Huang & Rine [Page 5] INTERNET-DRAFT June 2000 +----------------------------+----------------------------+ | | RSA/MD5 SIG | DSA SIG | | SECURITY LEVEL +-------------+--------------+ | | 1-2 | 2-4 | 1-3 | 2-5 | +----------------------------+-----+-------+-------+------+ |Intrusion tolerant against | | | | | | outsider attackers (Y/N) | Y | Y | Y | Y | +----------------------------+-----+-------+-------+------+ |Intrusion tolerant against | | | | | | insider attackers (Y/N) | N | Y | N | Y | +----------------------------+-----+-------+-------+------+ 3.2 - The RSA/MD5 SIG Assume that, in RSA, the zone's private key is d and its public key is (e, N). Phi(N) is the Euler function of N, i.e., phi(N) = (p-1)(q-1) where N = p * q. We use the threshold digital signature scheme given in [DDB94] and now give how the zone private key is shared and how to generate a RSA/MD5 SIG RR online. The 1-2 case. In this case, the zone manager generates a random, d1, 1 < d1 < phi(N), and compute d2, d2 = d - d1 mod phi(N). Values d1 and d2 are sent securely to the primary name server and the zone-security server respectively. To generate a RSA/MD5 SIG of m, where m is the MD5 digest of an RR, the two servers will compute m^d1 mod N and m^d2 mod N respectively. Then any one of them can combine the partial results as m^d1 * m^d2 mod N = m^d mod N, the digital signature of m by the zone private key. The 2-4 case. To generate key shares, the zone manager generates 4 random numbers, d1, d2, d3, d4, where 1 < di < phi(N) for 1 <= i <= 4. He/she will also compute two numbers, d5 = d - d1 - d2 mod phi(N) and d6 = d - d3 - d4 mod phi(N). Subsequently, d1 and d6 are sent to the primary name server, d2 and d6 are sent to server 1, d3 and d5 are sent to server 2, d4 and d5 are sent to server 3, as shown in the following table. +---------------------+----------+----------+----------+---------+ | | SERVER 0 | SERVER 1 | SERVER 2 | SERVER 3| +---------------------+----------+----------+----------+---------+ | KEYS ASSIGNED | d1, d6 | d2, d6 | d3, d5 | d4, d5 | +-------------+-------+----------+----------+----------+---------+ |PARTICIPATING|(0,1,2)| d1 | d2 | d5 | | | +-------+----------+----------+----------+---------+ | |(0,1,3)| d1 | d2 | | d5 | | +-------+----------+----------+----------+---------+ | |(0,2,3)| d6 | | d3 | d4 | | SERVERS +-------+----------+----------+----------+---------+ | |(1,2,3)| | d6 | d3 | d4 | +-------------+-------+----------+----------+----------+---------+ Wang, Huang & Rine [Page 6] INTERNET-DRAFT June 2000 To generate a RSA/MD5 SIG, any 3 of the 4 servers will be needed. For example, if the primary name server and the zone-security servers 1 and 2 are present (the (0,1,2) case in the above table), the three servers will compute m^d1 mod N, m^d2 mod N, and m^d3 mod N respectively. After that any one of them can combine the partial results to produce m^d1 * m^d2 * m^d3 mod N = m^d mod N, the digital signature of m by the zone private key. Other possibilities of computing the signature of m are summarized in the above table. 3.3 - The DSA SIG In this case, for a t-n configuration (such as the 1-3 and 2-5 configurations), the zone manager will generate n shares of the zone private key and distribute them to the n servers using a (t,n) Shamir secret sharing scheme [Sha79]. When the zone data needs updating, (2t+1) servers are required to jointly compute the DSA SIG RR [GJKR96b]. 5 - Security considerations This document proposes an architecture to allow a DNS zone to provide secure online DNS dynamic update. It uses threshold digital signature to maintain the role separation principle and can also provide intrusion tolerance against both outside attackers and inside attackers. It should be noted that the authentication a DNS dynamic update requestor and authorization of a update request, which is handled elsewhere such as [RFC2535], is not dealt in this document, 6 - Acknowledgements The authors wish to thank for many helpful discussions on the DNSSEC mailing list and would like to give special thanks to Yvo Desmedt. 7 - References [DDB94] Y. Desmedt, G. Di Crescenzo, and M. Burmester. ``Multiplicative nonabelian sharing schemes and their application to threshold cryptography''. In J. Pieprzyk and R. SafaviNaini, editors, Advances in Cryptology - Asiacrypt '94, volume 917 of Lecture Notes in Computer Science, pages 21--32, Wollongong, Australia, November/December 1994. Springer-Verlag. [Des87] Y. Desmedt. ``Society and group oriented cryptography: a new concept''. In C. Pomerance, editor, Advances in Cryptology, Proc. of Crypto '87, volume 293 of Lecture Notes in Computer Science, pages 120--127, Santa Barbara, California, U.S.A., August 16--20, 1988. Springer-Verlag. Wang, Huang & Rine [Page 7] INTERNET-DRAFT June 2000 [Des94] Y. Desmedt. ``Threshold cryptography''. European Trans. on Telecommunications, 5(4):449--457, July-August 1994. [Des97] Y. Desmedt. ``Some recent research aspects of threshold cryptography''. In E. Okamoto, G. Davida, and M. Mambo, editors, Information Security, volume 1396 of Lecture Notes in Computer Science, pages 158--173, Tatsunokuchi, Ishikawa, Japan, September 1997. Springer-Verlag. [DSA2] National Institute for Standards and Technology. ``Digital signature standard (DSS)'', February 2000. [GJKR96b] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. ``Robust threshold DSS signatures''. In U. Maurer, editor, Advances in Cryptology - Eurocrypt '96, volume 1070 of Lecture Notes in Computer Science, pages 354-371, Zaragoza, Spain, May 12--16 1996. Springer-Verlag. [GMP] T. Granlund. ``GNU MP''. Source code available from http://www.gnu.org/manual/gmp/index.html. [Liu99] C. Liu. ``Securing an Internet name server''. Presentation, 1999. Available at http://www.acmebw.com/papers/securing.pdf. [RFC1034] P. Mockapetris, ``Domain Names - Concepts and Facilities,'' RFC 1034, ISI, November 1987. [RFC1035] P. Mockapetris, ``Domain Names - Implementation and Specification,'' RFC 1035, ISI, November 1987. [RFC2136] P. Vixie (Ed.), S. Thomson, Y. Rekhter, J. Bound ``Dynamic Updates in the Domain Name System,'' RFC 2136, ISC & Bellcore & Cisco & DEC, April 1997. [RFC2137] D. Eastlake ``Secure Domain Name System Dynamic Update,'' RFC 2137, CyberCash, April 1997. [RFC2196] B. Fraser. ``Site Security Handbook,'' RFC2196, September 1997. [RFC2535] D. Eastlake, ``Domain Name System Security Extensions,'' RFC 2535, IBM, March 1999. [SBM99] R. Sandhu, V. Bhamidipati, and Q. Munawer. ``The ARBAC97 model for role-based administration of roles''. ACM Transactions on Information System Security, 2(1):105- 135, February 1999. [Sha79] A. Shamir. ``How to share a secret''. Commun. ACM, 22:612-613, November 1979. Wang, Huang & Rine [Page 8] INTERNET-DRAFT June 2000 8 - Author's Address A postscript of this document is available from http://www.cs.gmu.edu/~xwang4/dnssecureonline.ps Send all comments to xwang4@cs.gmu.edu Xunhua Wang Department of Computer Science George Mason University Fairfax, VA 22030-4444 USA Phone: +1-703-993-1536 Fax: +1-703-993-1710 EMail: xwang4@cs.gmu.edu Yih Huang Department of Computer Science George Mason University Fairfax, VA 22030-4444 USA Phone: +1-703-993-1540 Fax: +1-703-993-1710 EMail: hyangyih@cs.gmu.edu David Rine Department of Computer Science George Mason University Fairfax, VA 22030-4444 USA Phone: +1-703-993-1546 Fax: +1-703-993-1710 EMail: drine@cs.gmu.edu 9 - Full Copyright Statement Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Wang, Huang & Rine [Page 9] INTERNET-DRAFT June 2000 Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." Expires December 2000 [Page 10] INTERNET-DRAFT Secure Online DNS Dynamic Update June 2000