[Busec] Help with a practice talk?
goldbe at cs.bu.edu
Thu Feb 5 16:27:06 EST 2015
*NSEC5: Provably Preventing DNSSEC Zone Enumeration*
*Abstract:* DNSSEC is designed to prevent network attackers from
tampering with domain name system (DNS) messages. The cryptographic
machinery used in DNSSEC, however, also creates a new vulnerability, zone
enumeration, enabling an adversary to use a small number of online DNSSEC
queries combined with offline dictionary attacks to learn which domain
names are present or absent in a DNS zone. We start by proving that the
design underlying the current DNSSEC standard, with NSEC and NSEC3 records,
inherently suffers from zone enumeration: specifically, we show that
security against network attackers and privacy against zone enumeration
cannot be satisfied simultaneously unless the DNSSEC server performs online
public-key cryptographic operations. We then move on to proposing NSEC5, a
new cryptographic construction that solves the problem of DNSSEC zone
enumeration while remaining faithful to the operational realities of
On Thu, Feb 5, 2015 at 4:18 PM, Dimitris Papadopoulos <dipapado at bu.edu>
> Hi all,
> If you are available tomorrow at 1pm, would you mind attending a practice
> talk for our paper (for NDSS'15 next week)?
> My co-author Asaf Ziv who is visiting from Israel will be giving the talk
> and your help will be much appreciated!
> Location: MCS 148
Computer Science, Boston University