Verifying Keys through Publicity and Communities of Trust: Quantifying Off-Axis Corroboration

Published in: IEEE Transactions on Parallel and Distributed Systems



Abstract

The DNS Security Extensions (DNSSEC) arguably make DNS the first core Internet system to be protected using public key cryptography. The success of DNSSEC not only protects the DNS, but has generated interest in using this secured global database for new services such as those proposed by the IETF DANE working group. However, continued success is only possible if several important operational issues can be addressed. For example, .gov and .arpa have already suffered misconfigurations where DNS continued to function properly but DNSSEC validation failed (thus orphaning their entire subtrees in DNSSEC). Internet-scale verification systems must tolerate this type of chaos, but what kind of verification can one derive for systems with dynamism like this? In this paper, we propose to achieve robust verification with a new theoretical model, called Public Data, which treats operational deployments as Communities of Trust (CoTs) and makes them the verification substrate. Using a realization of this idea, called Vantages, we quantitatively show that, under a reasonable DNSSEC deployment model and a typical choice of CoT, an adversary would need visibility into, and the ability to perform on-path Man-in-the-Middle (MitM) attacks on, arbitrary traffic into and out of up to 90 percent of all of the Autonomous Systems (ASes) in the Internet before having even a 10 percent chance of spoofing a DNSKEY. Further, our limited deployment of Vantages has outperformed the verifiability of DNSSEC and has properly validated its data up to 99.5 percent of the time.
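The abstract's argument is that a key seen identically from many independent vantage points is hard to forge, while disagreement between vantages exposes an on-path attacker. The following is an added illustration, not code from the paper or from the Vantages system, and it deliberately uses a far simpler model than the paper's Public Data / Community of Trust model: a resolver accepts a DNSKEY only when every vantage point in its community reports the same key, vantages in the same AS count once (one on-path attacker there could forge all of them), and each distinct AS is assumed to be independently hijackable with probability f, the fraction of ASes the adversary can MitM. The vantage names, AS numbers (from the documentation range) and key tags are constructed, and the closed form f**k is a property of this toy model only; the 90 percent / 10 percent figure in the abstract comes from the paper's own model and measurements.

```python
"""Toy model of off-axis corroboration of a DNSKEY across a community of vantages.

Added example; not the paper's model and not Vantages code. All inputs are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    vantage: str     # constructed vantage-point name
    asn: int         # constructed AS number the vantage point sits in (RFC 5398 documentation range)
    dnskey_tag: int  # key tag the vantage point saw in the zone's DNSKEY RRset (constructed)


# Constructed community of trust: five vantage points spread over four ASes.
# vp-b and vp-c share AS 64497, so they only count as one independent witness.
COMMUNITY = [("vp-a", 64496), ("vp-b", 64497), ("vp-c", 64497), ("vp-d", 64498), ("vp-e", 64499)]
TRUE_TAG = 4711    # constructed key tag of the legitimate DNSKEY
FORGED_TAG = 9999  # constructed key tag of the attacker's DNSKEY


def observe(community, true_tag, forged_tag, compromised_asns):
    """Each vantage reports the forged key iff its AS is on-path for the attacker."""
    return [Observation(name, asn, forged_tag if asn in compromised_asns else true_tag)
            for name, asn in community]


def corroborate(observations, quorum):
    """Classify the DNSKEY seen across the community.

    Returns (key_tag, status):
      'corroborated' - every reporting AS agrees and at least `quorum` distinct ASes reported
      'conflict'     - vantages disagree: an on-path forgery, or a key rollover in flight
      'insufficient' - fewer than `quorum` distinct ASes reported, so nothing to verify against
    Several vantages inside one AS count once, because a single on-path attacker
    there could forge all of their views.
    """
    ases_by_key = {}
    for o in observations:
        ases_by_key.setdefault(o.dnskey_tag, set()).add(o.asn)
    if len(ases_by_key) > 1:
        return None, "conflict"
    if not ases_by_key:
        return None, "insufficient"
    ((tag, ases),) = ases_by_key.items()
    return tag, "corroborated" if len(ases) >= quorum else "insufficient"


def spoof_probability(f, k):
    """P(attacker forges the key at all k independently hijackable ASes) under the toy model."""
    return f ** k


def vantages_needed(f, target):
    """Smallest number of independent ASes that keeps the attacker's success chance at or below target."""
    return math.ceil(math.log(target) / math.log(f))


if __name__ == "__main__":
    honest = observe(COMMUNITY, TRUE_TAG, FORGED_TAG, set())
    print("no attacker:      ", corroborate(honest, quorum=3))
    partial = observe(COMMUNITY, TRUE_TAG, FORGED_TAG, {64496})
    print("one AS hijacked:  ", corroborate(partial, quorum=3))
    total = observe(COMMUNITY, TRUE_TAG, FORGED_TAG, {64496, 64497, 64498, 64499})
    print("every AS hijacked:", corroborate(total, quorum=3))
    print("independent ASes needed so a 90%-of-ASes attacker stays under 10%:",
          vantages_needed(0.9, 0.1))
```

The point the toy makes visible is the shape of the argument, not the paper's numbers: hijacking one AS on the path does not yield a forged key, it yields a conflict the resolver can refuse to act on, and only an attacker on-path for every independent witness AS can substitute a key silently. Under this model an attacker holding 90 percent of ASes is still held under a 10 percent success chance once 22 independent ASes must agree; that count is an artefact of the independence assumption here, not a result from the paper.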
