[dns-operations] [DNSOP] DNSSEC threshold signatures idea
Hugo Salgado-Hernández
hsalgado at nic.cl
Thu Sep 6 19:22:09 UTC 2018
On 15:08 06/09, Steve Crocker wrote:
> How do you prevent compromise of the central service?
>
For the initial setup a physical ceremony is necessary,
to check there's no extra subkeys and for secure transmision
of them. But afterwards there's no need. Each node can check
the final signature validates with the public key (just like
a normal signature), and the plain data should be public
(DNSKEY rrset).
In this same first ceremony you can also share simmetric
keys for the secure transmission of data and signature
pieces.
The system is fault-tolerant as a subset of nodes can fail
and the signing process can be completed, and you can
detect faked sub-signatures.
Hugo
> Steve
>
>
> On Thu, Sep 6, 2018 at 3:02 PM, Hugo Salgado-Hernández <hsalgado at nic.cl>
> wrote:
>
> > On 23:19 06/09, Mukund Sivaraman wrote:
> > > On Thu, Sep 06, 2018 at 02:34:12PM -0300, Hugo Salgado-Hernández wrote:
> > > > Hi Mukund.
> > > > I talked about this to Davey in Montreal. There's an implementation
> > > > in github[1] and presentations in OARC[2] and ICANN[3].
> > >
> > > Aha so you're the original source :)
> > >
> > > > I'm not sure if its being used right now in a live zone, but certainly
> > > > in labs and testing. There's been some interests with academic
> > > > institutions, but don't think they're ready yet.
> > > >
> > > > We've been trying to focus this technology as a "poor-man" HSM, as
> > > > having similar security features without buying an expensive HW.
> > > > But I think the root and similar high-value zones will benefit for
> > > > having an split of the private key AND the fact of not needing a
> > > > "root key ceremony" to sign, because you can sign remotely with
> > > > each piece of the private key, and transmit the "signature pieces"
> > > > to a central place.
> > > >
> > > > Hugo
> > > >
> > > > [1] https://github.com/niclabs/docker/tree/master/tchsm
> > > > [2] <https://indico.dns-oarc.net/getFile.py/access?contribId=
> > 22&sessionId=3&resId=1&materialId=slides&confId=20>
> > > > [3] <http://buenosaires48.icann.org/en/schedule/wed-dnssec/
> > presentation-dnssec-cryptographic-20nov13-en>
> > >
> > > So this's implemented as a PKCS 11 provider.. interesting. In my mind I
> > > was thinking along the lines of updates to dnssec-keygen +
> > > dnssec-signzone + intermediate RRSIG representation using new RR type +
> > > zone transfers to share intermediate effects.
> >
> > In our implementation you'll need a central "orchestrator" who
> > creates the first key and split the private pieces to each
> > signing node. This same orchestrator later send signature
> > requests to each node, collect the signature pieces and
> > defines the "consensus" of M/N. Finally, there's an PKCS11
> > interface between this orchestrator and the zone signing
> > policy machinery (OpenDNSSEC in our setup).
> >
> > Hugo
> >
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP at ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
> >
> _______________________________________________
> DNSOP mailing list
> DNSOP at ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180906/919ab63c/attachment.sig>
More information about the dns-operations
mailing list