Publisher link: https://arxiv.org/abs/2109.08783
Publisher link DOI: 10.1109/TNSM.2022.3195406
Title: From the beginning: key transitions in the first 15 years of DNSSEC
Language: English
Authors: Osterweil, Eric; Tehrani, Pouyan Fotouhi; Schmidt, Thomas C.; Wählisch, Matthias
Keywords: Cryptography; DNSSEC; Domain Name System; Information security; Internet; Internet measurement; key rollover; Monitoring; PKI; Rollover; Sea measurements; Security; Servers
Publication date: 2022
Publisher: IEEE
Citation: Preprint: https://arxiv.org/abs/2109.08783. Publisher version: https://doi.org/10.1109/TNSM.2022.3195406.
Journal or series: IEEE transactions on network and service management
Volume: 19
Issue: 4
Start page: 5265
End page: 5283
Abstract:
When the global rollout of the DNS Security Extensions (DNSSEC) began in 2005, it started a first-of-its-kind trial: increasing complexity of a core Internet protocol in favor of better security for the overall Internet. The necessary cryptographic key management is made particularly challenging by DNS' loosely-federated delegation substrate and unprecedented cryptographic scale. Though fundamental for current and future operational success, our community lacks a clear notion of how to empirically evaluate the process of securely changing (or transitioning) keys. In this paper, we propose two building blocks to fundamentally understand and assess key transitions. First, the anatomy of key transitions: measurable and well-defined properties of key changes; and second a novel classification model based on this anatomy to describe key transition practices in abstract terms. Our anatomy enables the evaluation of cryptographic keys' life cycles in general, and comparison of operational practices with prescribed key management processes, e.g., RFC key rollover guidelines. The fine-grained transition anatomy is then abstracted through our classification model to characterize transitions in abstract terms which rather describe a transition's behavior than its specific features. The applicability and utility of our proposed transition anatomy and transition classes are exemplified for the global DNSSEC deployment. Specifically, we use measurements from the first 15 years of the DNSSEC rollout to detect and measure which key rollover/transitions have been used, to what degree, and what their rates of errors and warnings have been. Our results show measurable gaps between prescribed key management processes and key transitions in the wild. We also find evidence that such noncompliant transitions are inevitable in the wild.
URI: http://hdl.handle.net/20.500.12738/12389
ISSN: 1932-4537
Review status: This version has undergone a peer-review process (Peer Review)
Institution: Department Informatik; Fakultät Technik und Informatik
Document type: Journal article
Appears in collections: Publications without full text

This resource was published under the following copyright terms: Creative Commons license