Quantcast
Channel: Johannes Weber – Weberblog.net
Viewing all articles
Browse latest Browse all 311

How to use DANE/TLSA

$
0
0
DANE featured image

DNS-based Authentication of Named Entities (DANE) is a great feature that uses the advantages of a DNSSEC signed zone in order to tell the client which TLS certificate he has to expect when connecting to a secure destination over HTTPS or SMTPS. Via a secure channel (DNSSEC) the client can request the public key of the server. This means, that a Man-in-the-Middle attack (MITM) with a spoofed certificate would be exposed directly, i.e., is not possible anymore. Furthermore, the trust to certificate authorities (CAs) is not needed anymore.

In this blog post I will show how to use DANE and its DNS records within an authoritative DNS server to provide enhanced security features for the public.

In my last posts I covered a secure installation of BIND as an authoritative DNS server, as well as the implementation of DNSSEC. This is really mandatory because without a signed DNS zone DANE would be useless. Though I am using BIND for the examples below, DANE can be used with any other DNS server, too.

What’s DANE?

The abstract of RFC 6698 “The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA”, in which DANE is proposed, describes pretty good what DANE is: “Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain’s TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software.”

Today, a browser establishes a secure TLS connection to a known server (DNS name) with an “unkown” certificate (not proved by the end user). We are relying to certificate authorities (CAs), which once verified the certificate to be owned by the server operator. Unluckily, any (!) CA is able to sign every (!) certificate in the world, even if a certificate is NOT owned by the server itself, but by a malicious third party that wants to intercept the secure communication via a man-in-the-middle (MITM) attack.

With the new DNS resource record “TLSA”, the hashed public key is publicized within the DNS server of the same authority/entity that owns the TLS server, e.g., an HTTPS server or an SMTPS mail gateway. Now, an end user client can really validate that the server TLS certificate is owned by the same organization which owns the DNSSEC server. Hence, MITM attacks with spoofed certificates are not possible anymore.

For more information about DANE, refer to the RFCs: 6698, 7218, 7671, and 7672.

Generate TLSA Records

No changes must be made by the TLS servers. The only thing to do is to place the hashed public key into the DNS zone. For the most common scenarios, the fields within the TLSA record are the following (refer to RFC 7671, section 5.1):

  • Usage: 3 – DANE-EE: Domain Issued Certificate
  • Selector: 1 – SPKI: Use subject public key
  • Matching-Type: 1 – SHA-256

For an on-site generation of TLSA records the tool “tlsa” out of the “hash-slinger” toolkit can be used. On a Ubuntu server this works as follows:

weberjoh@jw-nb12-lx:~$ sudo apt-get install hash-slinger
weberjoh@jw-nb12-lx:~$ tlsa --create --selector 1 --certificate host-dane.weberdns.de.crt host-dane.weberdns.de
_443._tcp.host-dane.weberdns.de. IN TLSA 3 1 1 0d6fce3320315023ff499a3f3de1c362c88f8380311ac8c036890dab13243aa7

An easy to use online tool by Shumon Huque is here: Generate TLSA Record. Copy and paste your certificate, etc., and choose the selector field of “0 – Cert”:

Generate TLSA Records 01 Generate TLSA Records 02

In any way, the TLSA resource record for my test domain “host-dane.weberdns.de” is this:

_443._tcp.host-dane.weberdns.de. IN TLSA 3 1 1 0d6fce3320315023ff499a3f3de1c362c88f8380311ac8c036890dab13243aa7

This string must be placed into the appropriate zone file on the DNSSEC signing server, in my case “weberdns.de”. After then, I can manually test/request the TLSA record

_443._tcp. ...
  via DNS and can see that it is there authentic (AD flag):
weberjoh@jw-nb12-lx:~$ dig _443._tcp.host-dane.weberdns.de tlsa +dnssec +multi

; <<>> DiG 9.10.3-P4-Ubuntu <<>> _443._tcp.host-dane.weberdns.de tlsa +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59953
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_443._tcp.host-dane.weberdns.de. IN TLSA

;; ANSWER SECTION:
_443._tcp.host-dane.weberdns.de. 3066 IN TLSA 3 1 1 (
                                0D6FCE3320315023FF499A3F3DE1C362C88F8380311A
                                C8C036890DAB13243AA7 )
_443._tcp.host-dane.weberdns.de. 3066 IN RRSIG TLSA 8 5 3600 (
                                20160929094014 20160830084014 57909 weberdns.de.
                                aZgVX1C6uxACoNnPo4m36CRzMjfe2Gk7pciV2knGrb5P
                                Hbq1UV/u2EdFJD6v5Dhd4JAquuM7OW9CQVfE1f0g380/
                                HsUMzg6eZeOr3sMR2ERZXv4hut4sikdtjGhVmA6jSbfg
                                EQFM0BELYz/+Xzh9uJYoqzkbJ54uKCpapaWgELs= )

;; Query time: 1 msec
;; SERVER: 192.168.120.22#53(192.168.120.22)
;; WHEN: Tue Aug 30 11:50:16 CEST 2016
;; MSG SIZE  rcvd: 278

 

Examples

I generated three different TLSA records for my test domains (IPv6-only):

  • host-dane.weberdns.de <- with a trusted CA signed certificate
  • host-dane-self.weberdns.de <- with a self-signed (!) certificate
  • mail.weberdns.de <- with a CA signed certificate whose FQDN is NOT mail.weberdns.de

The appropriate TLSA records are the following. Note that I have some different usage and matching type fields, e.g., SHA256 and SHA512:

_443._tcp.host-dane.weberdns.de.        IN TLSA 3 1 1 0d6fce3320315023ff499a3f3de1c362c88f8380311ac8c036890dab13243aa7
_443._tcp.host-dane-self.weberdns.de.   IN TLSA 3 1 1 97b57e11a9f07976ae0a44b3d68179e61637f3ca43b719a149f8d524c0dc2405
_443._tcp.host-dane-self.weberdns.de.   IN TLSA 3 1 2 bab6316ace46fdce7028ea0100c4c0c364dc2f092258f8958b9ab1bde89c73ade3bd37aebf54245268128b039114e760b6a0d79e366c8c0b396884ab4287a05a
_25._tcp.mail.weberdns.de.              IN TLSA 3 0 1 ae822a14fd5e56c213eeeb5d6755556980caf4c3f2531c1ec8eca3076f9b7e68

Note that in all three cases a TLSA check is valid though only the first TLS certificate is correctly signed by a trusted CA with its correct common name! This is the main advantage of DANE, that self-signed certificates can be used, even with incorrect names, as long as the certificate itself is the correct one published in the DNS.

Online Tools

There are great online tools for checking TLSA records either for HTTPS or for SMTPS:

Here a two sample screenshots out of the tools for my test domains. The “host-dane-self” domain is valid though self-signed, while the “mail.weberdns.de” is valid, too, though not congruent with the name of the certificate:

host-dane-self 03 Verification mail.weberdns.de DANE Validation

A more detailed view is the text output from Shumon’s SMTPS test with STARTTLS. It greatly shows the connection (via IPv4 and IPv6), the common name of the cert, as well as the matching TLSA record:

TLSA records found: 1
TLSA: 3 0 1 ae822a14fd5e56c213eeeb5d6755556980caf4c3f2531c1ec8eca3076f9b7e68

Connecting to IPv6 address: 2003:51:6012:110::15 port 25
recv: 220 mail.webertest.net ESMTP
send: EHLO cheetara.huque.com
recv: 250-mail.webertest.net
recv: 250-8BITMIME
recv: 250-SIZE 10485760
recv: 250 STARTTLS
send: STARTTLS
recv: 220 Go ahead with TLS
TLSv1.2 handshake succeeded.
Cipher: SSLv3 DHE-RSA-AES256-SHA
Peer Certificate chain:
 0 Subject CN: mail.webertest.net
   Issuer  CN: StartCom Class 2 IV Server CA
 1 Subject CN: StartCom Class 2 IV Server CA
   Issuer  CN: StartCom Certification Authority
 SAN dNSName: mail.webertest.net
DANE TLSA 3 0 1 [ae822a14fd5e...] matched EE certificate at depth 0
Validated Certificate chain:
 0 Subject CN: mail.webertest.net
   Issuer  CN: StartCom Class 2 IV Server CA
 SAN dNSName: mail.webertest.net

Connecting to IPv4 address: 80.154.108.237 port 25
recv: 220 mail.webertest.net ESMTP
send: EHLO cheetara.huque.com
recv: 250-mail.webertest.net
recv: 250-8BITMIME
recv: 250-SIZE 10485760
recv: 250 STARTTLS
send: STARTTLS
recv: 220 Go ahead with TLS
TLSv1.2 handshake succeeded.
Cipher: SSLv3 DHE-RSA-AES256-SHA
Peer Certificate chain:
 0 Subject CN: mail.webertest.net
   Issuer  CN: StartCom Class 2 IV Server CA
 1 Subject CN: StartCom Class 2 IV Server CA
   Issuer  CN: StartCom Certification Authority
 SAN dNSName: mail.webertest.net
DANE TLSA 3 0 1 [ae822a14fd5e...] matched EE certificate at depth 0
Validated Certificate chain:
 0 Subject CN: mail.webertest.net
   Issuer  CN: StartCom Class 2 IV Server CA
 SAN dNSName: mail.webertest.net

And by the way, for more information about DANE, have a look at the resources from “sys4”. They offer a DANE mailing list as well as a common mistakes help page.

Browser Add-On: DNSSEC/TLSA Validator

The only good browser plugin for checking DNSSEC and DANE records is the “DNSSEC/TLSA Validator“. Unluckily it is not updated since almost two years (as of October 2016) and I ran into some Firefox errors while this plugin was enabled.

However, for some tests it shows the status of the DNS name (first green icon) as well as the DANE/TLSA status (second green icon):

host-dane-self 04 DNSSEC Validator host-dane-self 05 DANE Validator

Problem: SSL Interception

One problem will arise if browsers do their own DANE check (which is unluckily not happening today) while organizations are using SSL/TLS interception at their firewalls/proxies. In these cases, the SSL man-in-the-middle “attack” will spoof the certificate to an own created one which is signed by the organizations CA. Though this CA is installed in the browsers, the TLSA check will fail. To my mind, the only way to accomplish this (while not stopping the MITM) is the creation of an “Island of Trust” for DNSSEC with real-time TLSA record spoofing. (Any other ideas?)

Conclusion

That was easy! With only some little DNS resource records, much more security, i.e., authentication, can be achieved. Browsers can access self-signed websites without relying on (malicious) CAs, and MTAs (mail transfer agents) can send mails with the usage of TLS directly to the correct (authentic) destinations.

Today (2016), we are still stuck in the chicken-or-egg problem: Only some sites have DNSSEC signed TLSA records while only some end systems (browsers, MTAs) can validate them. To overcome this problem: Start signing you DNS zones now and insert as many TLSA records as you can. 😉


Viewing all articles
Browse latest Browse all 311

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>