Internet DRAFT - draft-hallambaker-certhash
draft-hallambaker-certhash
Internet Engineering Task Force P. Hallam-Baker
Internet-Draft Comodo Inc.
Intended status: Informational September 10, 2010
Expires: March 14, 2011
Use of DNS CERT Records for Key Assurance
draft-hallambaker-certhash-00
Abstract
Deployment of DNSSEC opens up the possibility of new mechanisms for
assuring application keys. This document extends the use of the DNS
CERT resource record and defines X.509v3 extensuions to support key
assurance mechanisms for use with TLS and other X.509 protocols and
provides a comprehensive assessment of the security thus achieved.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, except to format it
for publication as an RFC or to translate it into languages other
than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 14, 2011.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Hallam-Baker Expires March 14, 2011 [Page 1]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Requirements Language . . . . . . . . . . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.2. DNS CERT Resource Record . . . . . . . . . . . . . . . 4
2.2. Public Key Infrastructure . . . . . . . . . . . . . . . . 4
2.2.1. Public Key Infrastructure X.509 . . . . . . . . . . . 4
2.3. Public Key Security Protocols . . . . . . . . . . . . . . 4
2.3.1. Transport Layer Security . . . . . . . . . . . . . . . 4
2.3.2. IP Security . . . . . . . . . . . . . . . . . . . . . 4
2.3.3. Use in Applications . . . . . . . . . . . . . . . . . 4
3. Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. CERT Resource Record Parameters . . . . . . . . . . . . . 4
3.1.1. DPKIX . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.2. DPTR . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. X.509v3 Extension . . . . . . . . . . . . . . . . . . . . 7
3.3. Processing Rules . . . . . . . . . . . . . . . . . . . . . 7
3.3.1. General . . . . . . . . . . . . . . . . . . . . . . . 7
3.3.2. Transport layer Security . . . . . . . . . . . . . . . 7
3.3.3. Service Discovery (SRV, NAPTR) . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
4.1. Trust Chain Assurance . . . . . . . . . . . . . . . . . . 8
4.1.1. Root of Trust . . . . . . . . . . . . . . . . . . . . 8
4.1.2. Non Repudiation . . . . . . . . . . . . . . . . . . . 8
4.1.3. Key Revocation . . . . . . . . . . . . . . . . . . . . 8
4.2. DNSSEC Operations . . . . . . . . . . . . . . . . . . . . 8
4.2.1. Signature Time To Live . . . . . . . . . . . . . . . . 8
4.2.2. Zone Signing Key Compromise . . . . . . . . . . . . . 8
4.2.3. Key Signing Key Compromise . . . . . . . . . . . . . . 8
4.3. Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.3.1. Suppressed DNSSEC records . . . . . . . . . . . . . . 8
4.3.2. Replay Attack of DNSSEC records . . . . . . . . . . . 8
4.3.3. Zone Hijack . . . . . . . . . . . . . . . . . . . . . 8
4.3.4. Disclosure of End Entity Key . . . . . . . . . . . . . 8
4.3.5. Disclosure of DNSSEC Key . . . . . . . . . . . . . . . 8
4.3.6. Malicious Domain Name Holder . . . . . . . . . . . . . 8
4.3.7. Protocol Substitution Attack . . . . . . . . . . . . . 9
4.3.8. Protocol Downgrade Attack . . . . . . . . . . . . . . 9
4.4. User Notification . . . . . . . . . . . . . . . . . . . . 9
4.4.1. Certificate Data . . . . . . . . . . . . . . . . . . . 9
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
Hallam-Baker Expires March 14, 2011 [Page 2]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . . 10
7.2. Non-Normative References . . . . . . . . . . . . . . . . . 10
Appendix A. Appendix - Design Choices . . . . . . . . . . . . . . 11
A.1. Key Digest . . . . . . . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11
Hallam-Baker Expires March 14, 2011 [Page 3]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Introduction
The DNS CERT resource record defined in RFC 4398 [RFC4398] specifies
the use of the DNS for discovery of public keys associated with a
domain.
2.1. DNS
2.1.1. DNSSEC
2.1.2. DNS CERT Resource Record
2.2. Public Key Infrastructure
2.2.1. Public Key Infrastructure X.509
2.3. Public Key Security Protocols
2.3.1. Transport Layer Security
2.3.2. IP Security
2.3.3. Use in Applications
3. Mechanism
3.1. CERT Resource Record Parameters
Two new CERT certificate types are defined:
DPKIX
DPTR
The CERT resource record (RR) has the structure given below. Its RR
type code is 37.
Hallam-Baker Expires March 14, 2011 [Page 4]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| type | key tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| algorithm | /
+---------------+ certificate data /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
The type field is the certificate type as defined below.
The key tag field used for key selection as specified in RFC 4034
[RFC4034] Section 5.1.1.
The algorithm field is the algorithm code for the digest algorithm as
specified in the IANA registry Delegation Signer (DS) Resource Record
(RR) Type Digest Algorithms.
3.1.1. DPKIX
The DPKIX certificate type asserts a binding between the DNS domain
in which it is published and the subject key specified in a PKIX
certificate identified by means of a cryptographic digest function.
The assertion made by means of the DPKIX certificate type is only as
secure as the trust chain that authenticates it. Trust chain
processing rules are specified in Section XXX below.
In particular the presence of a DPKIX record in a DNS domain that is
not signed using DNSSEC or other security mechanism SHOULD NOT be
considered to provide any additional assurance that would not be
provided by the certificate on its own.
In the case that a DPKIX record exists and contains a digest value
that matches the digest value of the certificate and is signed by a
verified signature, a relying party MAY infer an assertion on the
part of the domain name holder that the specified key is bound to the
specified certificate subject key. No other properties of the
certificate may be considered to have been assured excepting those
that limit the use of the certificate which MUST be observed as with
any other PKIX certificate. Such properties include the notBefore
and notAfter fields, the key Usage bits and all X.509v3 extensions
for which the critical bit is set.
The CERT record field values are defined for DPKIX as follows:
Hallam-Baker Expires March 14, 2011 [Page 5]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
Type is set to the value (TBS IANA)
Key tag MUST be set to 1
Algorithm contains the algorithm code for the digest algorithm.
Certificate data contains the digest value of the certificate for
which a binding between the subject key and the domain name is
asserted
example.com CERT DPKIX 1 SHA256
KR1L0GbocaIOOim1+qdHtOSrDcOsGiI2NCcxuX2/Tqc
3.1.2. DPTR
The DPTR certificate type allows an unlimited number of certificates
to be bound to a single DNS domain name overcomming the limitations
that the DNS protocol imposes on the number of CERT records that can
be bound to a single DNS domain name in a practical deployment.
The CERT record field values are defined for DPTR as follows:
Type is set to the value (TBS IANA)
Key tag MUST be set to 1
Algorithm contains the algorithm code for the digest algorithm to
be used to calculate Cselector prefixes.
Certificate data contains the DNS name to be used as the root node
to which the calculated selectorn prefix is prepended.
The PKIX certificate for which the assurance is being saught is
processed using the specified digest algorithm to produce a digest
value which is converted to base 64 according to the mechanism
specified in [] and has an underscore character '_' prepended to form
a selector label as follows:
selector = "_" + base64 ( digest ( certificate))
The key selector label is prepended to the domain name specified to
form a DNS domain name on which a DNS query for a CERT resource
record is to be performed.
query_name = selector + "." + domain_name
The following example shows the use of the DPTR certificate type to
Hallam-Baker Expires March 14, 2011 [Page 6]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
provide an assurance for the same certificate specified earlier.
example.com CERT DPTR 1 SHA256 "cert.example.com"
_KR1L0GbocaIOOim1+qdHtOSrDcOsGiI2NCcxuX2/Tqc.cert.example.com DPKIX
1 SHA256 KR1L0GbocaIOOim1+qdHtOSrDcOsGiI2NCcxuX2/Tqc
The DPTR certificate type can only be resolved after the certificate
for which the assurance is required is known. It is thus not
possible to pre-fetch the certificate at the same time that A or AAAA
record is performed as is the case when the DPKIX certificate type is
populated at the domain name for which the assurance is being made.
3.2. X.509v3 Extension
The X.509v3 certificate extension 'DNS-CERT' MAY be included in an
X.509v3 certificate to notify relying parties that a DNS key
assurance MAY or MUST be employed.
If the DNS-CERT extension is present and the critical flag bit is not
set, it serves as a notice to a relying party applications that they
MAY attempt to use the key assurance mechanism specified in this
document.
If the DNS-CERT extension critical flag bit is set, a relying party
application MUST support the key assurance mechanism specified in
this document and MUST NOT consider the certificate valid unless the
outcome of the verification procedure is 'verified'.
Since applications MUST NOT make use of X.509v3 critical extensions
that are not understood, use of the critical flag bit value 'set' is
strongly discouraged. Certificate issuers SHOULD NOT set the
critical flag bit on a DNS-CERT unless this is the derisred behavior
3.3. Processing Rules
3.3.1. General
3.3.2. Transport layer Security
3.3.3. Service Discovery (SRV, NAPTR)
4. Security Considerations
Hallam-Baker Expires March 14, 2011 [Page 7]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
4.1. Trust Chain Assurance
4.1.1. Root of Trust
4.1.2. Non Repudiation
4.1.3. Key Revocation
4.2. DNSSEC Operations
4.2.1. Signature Time To Live
4.2.2. Zone Signing Key Compromise
4.2.3. Key Signing Key Compromise
4.3. Attacks
We have considered possible protocol attacks by identifying protocol
assets, the abstract risks to which such assets may be exposed and
how such risks may be manifest in concrete threats.
The assets considered are the DNSSEC private keys held by the domain
name holder, DNS zone in which the resorce records are presented and
the application public key pair.
The DNS is a large infrastructure and management of a specific DNS
zone is never within the unique control of one party. In addition to
considering means of preventing compromise we consider the steps
required to recover from a compromise.
4.3.1. Suppressed DNSSEC records
4.3.2. Replay Attack of DNSSEC records
4.3.3. Zone Hijack
4.3.4. Disclosure of End Entity Key
4.3.5. Disclosure of DNSSEC Key
4.3.6. Malicious Domain Name Holder
A signed CERT record only demonstrates that the party in control of
the authoritative DNS zerver for the specified zone has authorized
the use of a particular public key for authenticating communication
with the server.
Hallam-Baker Expires March 14, 2011 [Page 8]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
A signed CERT record does not and cannot express any assertion
concerning the existence, trustworthiness or accountability of either
the key holder or the domain name holder.
4.3.7. Protocol Substitution Attack
for the purposes of establishing a secure connection, an end entity
certificate assured by means of a signed CERT record MUST meet all
the requirements that any other end entity certificate is required to
meed for use with that protocol.
If protection against a protocol substitution attack is required, the
signer of the end entity certificate SHOULD ensure that the
appropriate X.509 Key Usage, Extended Key Usage and/or extensions are
appropriately configured.
4.3.8. Protocol Downgrade Attack
The CERT record only provides notice that a public key is associated
with a DNS domain name. The mere presence of a CERT record at a DNS
node does not imply that its use is supported in conjunction with a
specific protocol.
Accordingly, use of CERT records does not and cannot provide
protection against protocol downgrade attacks.
4.4. User Notification
Relying party applciations MAY notify the user that a cryptographic
security protocol is in use to protect the confidentiality and
integrity of communication with the domain name holder.
Key assurance by means of the CERT mechanism only extends to the
properties of the key itself and the security of the connection
established to the Internet service provided by the key holder. Key
Assurance by means of the CERT mechanism does not and cannot support
any assertion regarding the trustworthiness of either the key holder
or the domain name holder.
A secure connection to an endpoint identified by a domain name alone
does not imply a secure transaction. If provided, a user
notification MUST NOT imply that a user is 'safe' on the basis of
CERT key assurance alone.
4.4.1. Certificate Data
The only data inside a
Hallam-Baker Expires March 14, 2011 [Page 9]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
5. IANA Considerations
The IANA maintains theregistry for CERT RR: certificate types. The
following additional certificate types should be added to the
registry at the next available code point:
Decimal Type Meaning Reference
------- ---- ------- ---------
9 DPKIX Digest value of X.509 as per PKIX [This]
10 SIHLOK Indirection Pointer [This]
6. Acknowledgements
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4398] Josefsson, S., "Storing Certificates in the Domain Name
System (DNS)", RFC 4398, March 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
7.2. Non-Normative References
[RFC4025] Richardson, M., "A Method for Storing IPsec Keying
Material in DNS", RFC 4025, March 2005.
[RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely
Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
Hallam-Baker Expires March 14, 2011 [Page 10]
�
Internet-Draft DNS CERT Records for Key Assurance September 2010
January 2006.
Appendix A. Appendix - Design Choices
This section provides rationales for design choices adopted in this
draft.
A.1. Key Digest
The use of CERT type for digests of keys as opposed to complete
certificates was considered and rejected.
Author's Address
Phillip Hallam-Baker
Comodo Inc.
Email: philliph@comodo.com
Hallam-Baker Expires March 14, 2011 [Page 11]
�
