
Double-Signed Fragmented DNSSEC: Enhancing Security During the Transition to Post-Quantum Cryptography


Core Concepts
This paper proposes and evaluates a double-signed, fragmented DNSSEC approach using both pre-quantum and post-quantum digital signatures to enhance security during the transition to a post-quantum world, addressing the vulnerabilities of traditional DNSSEC to quantum computing attacks while accounting for the limitations of current post-quantum cryptography candidates.
Summary

Bibliographic Information:

Shah, S. W., Pan, L., Nguyen, D. D. N., Doss, R., Armstrong, W., & Gauravaram, P. (2024). Double-Signed Fragmented DNSSEC for Countering Quantum Threat. In Proceedings of Conference (C’24). ACM, New York, NY, USA, 13 pages. https://doi.org/XXXXXXX.XXXXXXX

Research Objective:

This research paper aims to address the security vulnerabilities of the Domain Name System Security Extensions (DNSSEC) in the face of emerging quantum computing threats and explores the feasibility of a double-signed, fragmented DNSSEC approach as a solution.

Methodology:

The researchers developed a Docker-based DNSSEC testbed using BIND9 software, incorporating both pre-quantum and post-quantum digital signatures. They modified the BIND9 resolver to enable verification of both signature types and implemented a fragmentation strategy to handle the increased message size due to double signatures. The performance of this approach was then evaluated through empirical analysis.

Key Findings:

The study found that double-signed DNSSEC, combining pre-quantum and post-quantum signatures, can be successfully implemented and has a negligible impact on DNS resolution time compared to using only post-quantum signatures. The fragmentation strategy effectively manages the increased message size, ensuring efficient and reliable DNSSEC operations.

Main Conclusions:

The authors conclude that the double-signed, fragmented DNSSEC approach is a viable solution for enhancing DNSSEC security during the transition to a post-quantum era. This approach provides a robust defense against both classical and quantum computing attacks, ensuring the integrity and authenticity of DNS records.

Significance:

This research significantly contributes to the field of cybersecurity by addressing a critical vulnerability in DNSSEC posed by quantum computing. The proposed double-signed approach offers a practical and effective solution for securing DNS infrastructure during the transition to post-quantum cryptography, ensuring the continued reliability and trustworthiness of the internet.

Limitations and Future Research:

The study acknowledges the limitations of using a small-scale testbed and suggests further research on the performance of double-signed DNSSEC in large-scale, real-world deployments. Additionally, exploring the integration of other post-quantum cryptography candidates and evaluating their impact on DNSSEC performance is recommended.


Statistics
The maximum allowed size of DNSSEC responses is 1232B due to limitations enforced by the MTU of physical links.

Shortlisted post-quantum signatures are 11× to 122× larger and public keys are 14× to 20× larger than their pre-quantum counterparts.

Double-signed DNSSEC with ECDSA (64B signature) and FALCON512 (690B signature) results in an approximate response size of 2500B for a 'Type A' query.

Combining SPHINCS+ with pre-quantum signatures does not add additional fragments compared to using SPHINCS+ alone.

Resolution time for FALCON + ECDSA is 205.9ms, compared to 190.1ms for FALCON alone (an increase of approximately 8.3%).
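The figures above mean a double-signed response of about 2500B cannot travel as a single 1232B message. The sketch below is an added example, not code from the paper or from BIND9: it shows application-layer fragmentation and strict reassembly under that limit. The 4-byte header layout, the function names and the 2500B sample payload are assumptions constructed for illustration.

```python
import struct

MAX_MSG = 1232                    # maximum DNSSEC response size quoted on the page
HEADER = struct.Struct("!HBB")    # hypothetical header: message id, fragment index, fragment count

def fragment(msg_id, response, limit=MAX_MSG):
    """Split one large response into messages that each fit within `limit`."""
    room = limit - HEADER.size
    chunks = [response[i:i + room] for i in range(0, len(response), room)] or [b""]
    if len(chunks) > 255:
        raise ValueError("response needs more fragments than the 1-byte count allows")
    return [HEADER.pack(msg_id, i, len(chunks)) + c for i, c in enumerate(chunks)]

def reassemble(fragments, limit=MAX_MSG):
    """Return the original response, or None if the set is incomplete or inconsistent."""
    parts, expected = {}, None
    for frag in fragments:
        if not HEADER.size <= len(frag) <= limit:
            return None                      # truncated or oversized fragment
        msg_id, index, count = HEADER.unpack_from(frag)
        if expected is None:
            expected = (msg_id, count)
        payload = frag[HEADER.size:]
        if (msg_id, count) != expected or index >= count:
            return None                      # fragment from another message, or bad index
        if parts.setdefault(index, payload) != payload:
            return None                      # conflicting duplicate for the same index
    if expected is None or len(parts) != expected[1]:
        return None                          # at least one fragment is missing
    return b"".join(parts[i] for i in range(expected[1]))

# Constructed stand-in for the ~2500B double-signed 'Type A' response described above.
SAMPLE_RESPONSE = bytes(i % 251 for i in range(2500))

if __name__ == "__main__":
    frags = fragment(0x1A2B, SAMPLE_RESPONSE)
    print(len(frags), [len(f) for f in frags])
    print(reassemble(reversed(frags)) == SAMPLE_RESPONSE)
    print(reassemble(frags[:-1]))
```

Reassembly only restores the byte stream and authenticates nothing; both signatures still have to be validated on the reassembled response before it is trusted.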
Quotes
"Since these post-quantum digital signatures are still in their early stages of development, replacing pre-quantum digital signature schemes in DNSSEC with post-quantum candidates is risky until the post-quantum candidates have undergone a thorough security analysis."

"Aligned with the aforementioned discussion and the recommendations from the European Union Agency For Cybersecurity (ENISA), we in this paper investigate the plausibility of Double-Signed DNSSEC by combining the pre-quantum and post-quantum digital signatures for the interim period."

"Our experiments show that double signatures have a negligible impact on the average resolution time of DNSSEC compared to only post-quantum digital signatures."

Key Insights From

by Syed W. Shah... at arxiv.org 11-13-2024

https://arxiv.org/pdf/2411.07535.pdf
Double-Signed Fragmented DNSSEC for Countering Quantum Threat

Deeper Questions

How will the increasing adoption of DNS over HTTPS (DoH) and DNS over TLS (DoT) impact the implementation and performance of double-signed DNSSEC?

The increasing adoption of DNS over HTTPS (DoH) and DNS over TLS (DoT) will have a significant impact on the implementation and performance of double-signed DNSSEC, primarily due to their encryption and encapsulation of DNS traffic within HTTPS and TLS protocols respectively. Here's a breakdown of the potential impacts:

Implementation:

Reduced Visibility: DoH and DoT encrypt DNS traffic, making it difficult for on-path devices, including middleboxes implementing fragmentation strategies like the one proposed in the paper, to inspect and manipulate DNS messages. This could hinder the application-layer fragmentation and reassembly process crucial for double-signed DNSSEC.

Increased Complexity: Integrating double-signed DNSSEC with DoH and DoT would require modifications to existing implementations of these protocols to handle the larger message sizes and fragmentation/reassembly procedures. This adds complexity to both client and server implementations.

Potential for Incompatibility: Existing DoH and DoT clients and servers might not be compatible with the modified DNS message formats required for double-signed fragmented DNSSEC. This could lead to interoperability issues and hinder widespread adoption.

Performance:

Increased Overhead: Double-signed DNSSEC inherently increases message sizes due to the inclusion of two digital signatures. Encapsulating these larger messages within DoH or DoT would further increase the overall packet size, potentially leading to higher bandwidth consumption and latency, especially for networks with smaller MTUs.

Added Processing Time: Decrypting and reassembling fragmented DNSSEC messages within the DoH or DoT layer would require additional processing on both client and server sides. This could increase the overall DNS resolution time, potentially impacting the user experience.

Mitigation Strategies:

Standardization and Implementation Support: Standardizing the fragmentation and reassembly mechanisms for double-signed DNSSEC and ensuring support in popular DoH and DoT libraries and implementations would be crucial for seamless integration.

Optimizations for Message Size: Exploring techniques to minimize the size overhead of double signatures, such as signature compression or aggregation, could help mitigate the performance impact.

Adaptive Fragmentation: Implementing adaptive fragmentation strategies that consider the underlying network conditions and MTU sizes could optimize the trade-off between message size and fragmentation overhead.

Could the use of double signatures in DNSSEC create a false sense of security and potentially delay the full transition to post-quantum cryptography?

Yes, the use of double signatures in DNSSEC, while offering a temporary security enhancement, could potentially create a false sense of security and delay the full transition to post-quantum cryptography (PQC). Here's why:

Reliance on Known Vulnerable Algorithms: Double signatures still rely on one known vulnerable algorithm (pre-quantum). If a breakthrough occurs in breaking these algorithms, even with classical computers, the entire system becomes vulnerable, regardless of the post-quantum signature.

Reduced Incentive for Full Transition: The perceived security offered by double signatures might reduce the urgency and incentive for organizations to fully transition to PQC. This delay could leave systems vulnerable in the long run, especially as quantum computers advance.

Complexity Leading to Complacency: The complexity of implementing and managing double-signed DNSSEC might lead to complacency in other areas of cybersecurity. Organizations might focus solely on this aspect while neglecting other crucial security measures.

To avoid a false sense of security and ensure a timely transition to PQC:

Clearly Communicate the Limitations: It's crucial to clearly communicate to stakeholders that double signatures are a temporary measure and not a replacement for full PQC adoption.

Maintain Transition Roadmaps: Organizations should continue developing and executing their PQC transition roadmaps, prioritizing the complete replacement of pre-quantum algorithms.

Promote PQC Research and Development: Continued investment in PQC research and development is essential to accelerate the standardization and deployment of robust and efficient post-quantum algorithms.

What are the ethical implications of transitioning to a significantly more complex cryptographic system for DNSSEC, considering potential accessibility issues for users in developing countries or with limited resources?

Transitioning to a significantly more complex cryptographic system for DNSSEC, like the double-signed approach, raises ethical concerns regarding accessibility, particularly for users in developing countries or with limited resources. Here's a breakdown of the potential ethical implications:

Exacerbating the Digital Divide: Complex cryptographic systems often require more processing power and bandwidth, potentially making DNS resolution slower or inaccessible for users with older devices or limited internet connectivity. This could exacerbate the existing digital divide, disproportionately impacting marginalized communities.

Unequal Security Posture: If the transition to more complex DNSSEC is not universally adopted due to resource constraints, users in developing countries might be left with weaker security guarantees, making them more vulnerable to attacks. This creates an unequal security posture across the globe.

Hindering Access to Information: Slower or unreliable DNS resolution due to complex cryptography could hinder access to essential online services and information, particularly in regions with limited internet infrastructure. This could impact education, healthcare, and economic opportunities.

To ensure an ethical and inclusive transition:

Prioritize Lightweight Solutions: When designing and implementing complex cryptographic systems, prioritize lightweight solutions that minimize computational overhead and bandwidth consumption, ensuring accessibility for resource-constrained users.

Provide Support and Resources: International organizations and technology providers should offer financial and technical support to developing countries to facilitate the adoption of secure DNSSEC implementations without compromising accessibility.

Promote Open Standards and Interoperability: Encouraging open standards and interoperability in DNSSEC implementations can foster competition and drive down costs, making secure solutions more accessible globally.

Raise Awareness and Education: Conducting awareness campaigns and educational programs about the importance of secure DNS and the potential impact of complex cryptography can empower users and policymakers to make informed decisions.