Technical Report 1110001

Title: Verifying Keys through Publicity and Communities of Trust: Quantifying Off-Axis Corroboration
Version (s): < 1 >
Obsoleted by published work
Authors: Eric Osterweil
Dan Massey
Lixia Zhang
Date: 2011-01-26
Paper: Download here
Abstract: The DNS Security Extensions (DNSSEC) arguably make DNS the first core Internet system to be protected using public key cryptography. The success of DNSSEC not only protects the DNS, but has generated interest in using this secured global database for new services such as those proposed by the IETF DANE working group. However, continued success is only possible if several important operational issues can be addressed. For ex- ample, .gov and .fr have already suffered misconfigurations where DNS continued to function properly, but DNSSEC failed (thus orphaning their entire subtrees in DNSSEC). Internet-scale verification systems must tolerate this type of chaos, but what kind of verification can one derive from dynamism like this? In this paper, we propose to achieve robust verification with a new theoretical model, called Public Data, which treats operational deployments as Communities of Trust (CoTs) and makes them the verification substrate. Using a realization of the above idea, called Vantages, we quantitatively show that using a reasonable DNSSEC deployment model and a typical choice of a CoT, an adversary would need to “purchase up to 90% of the Internet” before having even a 10% chance of spoofing a DNSKEY. Further, our limited deployment of Vantages has outperformed the verifiability of DNSSEC and has properly validated its data up to 99.5% of the time.
                author = {Eric Osterweil and Dan Massey and Lixia Zhang},
                title = {Verifying Keys through Publicity and Communities of Trust: Quantifying Off-Axis Corroboration},
                booktitle = {Verisign Labs Technical Reports},
                number = {1110001 version 1},
                year = {2011},