Fraunhofer-Gesellschaft

Publica

Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

One key to sign them all considered vulnerable: Evaluation of DNSSEC in the internet

 
: Shulman, Haya; Waidner, Michael

:
Volltext (PDF; )

USENIX Association:
14th USENIX Symposium on Networked Systems Design and Implementation 2017. Conference Proceedings : Boston, MA, USA, March 27-29, 2017
Berkeley, CA, USA: USENIX, 2017
ISBN: 978-1-931971-37-9
S.131-144
Symposium on Networked Systems Design and Implementation (NSDI) <14, 2017, Boston/Mass.>
Englisch
Konferenzbeitrag, Elektronische Publikation
Fraunhofer SIT ()

Abstract
We perform the first Internet study of the cryptographic security of DNSSEC-signed domains. To that end, we collected 2:1M DNSSEC keys for popular signed domains out of these 1:9M are RSA keys. We analyse the RSA keys and show that a large fraction of signed domains are using vulnerable keys: 35% are signed with RSA keys that share their moduli with some other domain and 66% use keys that are too short (1024 bit or less) or keys which modulus has a GCD > 1 with the modulus of some other domain. As we show, to a large extent the vulnerabilities are due to poor key generation practices, but also due to potential faulty hardware or software bugs. The DNSSEC keys collection and analysis is performed on a daily basis with the DNSSEC Keys Validation Engine which we developed. The statistics as well as the DNSSEC Keys Validation Engine are made available online, as a service for Internet users.

: http://publica.fraunhofer.de/dokumente/N-452606.html