Title
One Key To Sign Them All Considered Vulnerable: Evaluation Of DNSSEC In The Internet
Abstract
We perform the first Internet study of the cryptographic security of DNSSEC-signed domains. To that end, we collected 2.1M DNSSEC keys for popular signed domains; of these, 1.9M are RSA keys. We analyse the RSA keys and show that a large fraction of signed domains are using vulnerable keys: 35% are signed with RSA keys that share their moduli with some other domain and 66% use keys that are too short (1024 bits or less) or keys whose modulus has a GCD > 1 with the modulus of some other domain. As we show, to a large extent the vulnerabilities are due to poor key generation practices, but also due to potential faulty hardware or software bugs. The DNSSEC keys collection and analysis is performed on a daily basis with the DNSSEC Keys Validation Engine which we developed. The statistics as well as the DNSSEC Keys Validation Engine are made available online, as a service for Internet users.
Year: 2017
Venue: PROCEEDINGS OF NSDI '17: 14TH USENIX SYMPOSIUM ON NETWORKED SYSTEMS DESIGN AND IMPLEMENTATION
Field: Internet privacy, Computer security, Computer science, The Internet
DocType: Conference
Citations: 3
PageRank: 0.43
References: 0
Authors: 2
Name
Order
Citations
PageRank
Haya Shulman129337.26
Michael Waidner23877395.65