Title :
GPU-Based NSEC3 Hash Breaking
Author :
Wander, Matthäus ; Schwittmann, Lorenz ; Boelmann, Christopher ; Weis, Torben
Author_Institution :
Univ. of Duisburg-Essen, Duisburg, Germany
Abstract :
When a client queries for a non-existent name in the Domain Name System (DNS), the server responds with a negative answer. With the DNS Security Extensions (DNSSEC), the server can either use NSEC or NSEC3 for authenticated negative answers. NSEC3 claims to protect DNSSEC servers against domain enumeration, but incurs significant CPU and bandwidth overhead. Thus, DNSSEC server admins must choose between more efficiency (NSEC) and privacy (NSEC3). We present a GPU-based attack on NSEC3 that revealed 64% of all DNSSEC names in the com domain in 4.5 days. This attack shows that the NSEC3 privacy promises are weak and thus DNSSEC server admins must carefully decide whether the limited privacy is worth the overhead. Furthermore, we show that an increase of the cryptographic strength of NSEC3 puts attackers at an advantage, since the cost of an attack does not rise faster than the costs incurred on the DNSSEC server.
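The NSEC3 hash construction and the dictionary-style hash breaking the abstract refers to, as an added worked example: this is not the authors' code (their implementation runs on GPUs; this is a plain-CPU reference in Python). The hash follows RFC 5155 (iterated SHA-1 over the canonical wire-format name with the zone's salt, encoded as lowercase base32hex). The "observed" owner hashes are the RFC 5155 Appendix A test vectors (zone "example", salt aabbccdd, 12 iterations) standing in for a chain collected from a live zone; the wordlist, the function names and the work-counting helper are assumptions made for the illustration.

```python
"""NSEC3 (RFC 5155) owner hashing and an offline dictionary attack on collected
NSEC3 owner hashes. Added illustration; not the paper's GPU implementation.
"""
import base64
import hashlib
from typing import Dict, Iterable, Set

# NSEC3 owner names use the base32hex alphabet (RFC 4648); Python's b32encode
# uses the standard alphabet, so translate character by character.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical DNS wire format: lowercase, length-prefixed labels, root = 0x00.
    A wildcard label '*' is hashed literally like any other label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """H(salt, x, 0) = SHA-1(x || salt); H(salt, x, k) = SHA-1(H(salt, x, k-1) || salt).
    'iterations' counts the extra rounds, so iterations + 1 SHA-1 calls in total.
    Returns the 32-character lowercase base32hex label used as the NSEC3 owner."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def sha1_invocations(n_names: int, iterations: int) -> int:
    """SHA-1 calls needed to hash n_names names under a given iteration count.
    The same formula applies to the attacker (per candidate) and to the server
    (per name it must hash for a negative answer), which is why raising the
    iteration count does not change their cost ratio."""
    return n_names * (iterations + 1)


def dictionary_attack(observed: Set[str], candidates: Iterable[str],
                      salt: bytes, iterations: int) -> Dict[str, str]:
    """Hash each candidate name under the zone's NSEC3PARAM and match it against
    the collected owner hashes. Returns {owner_hash: cleartext name}."""
    found: Dict[str, str] = {}
    remaining = set(observed)
    for candidate in candidates:
        if not remaining:
            break
        h = nsec3_hash(candidate, salt, iterations)
        if h in remaining:
            found[h] = candidate.rstrip(".").lower()
            remaining.discard(h)
    return found


# Constructed input: owner hashes as they would be collected by walking a zone's
# NSEC3 chain. These are RFC 5155 Appendix A test vectors (assumption: they stand
# in for a real zone here).
ZONE = "example."
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
OBSERVED = {
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",  # example.
    "35mthgpgcu1qg68fab165klnsnk3dpvl",  # a.example.
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr",  # ns1.example.
    "r53bq7cc2uvmubfu5ocmm6pers9tk9en",  # *.w.example.
    "t644ebqk9bibcna874givr6joj62mlhv",  # xx.example.
}
# Constructed wordlist (hypothetical); a real attack feeds dictionaries and
# Markov-generated labels, the paper's "Markov processes" keyword.
WORDLIST = ["www", "mail", "a", "ns1", "ns2", "*.w", "xx", "ftp"]


def run_demo() -> Dict[str, str]:
    """Try the apex and every <label>.<zone> from the wordlist."""
    candidates = [ZONE] + [f"{lbl}.{ZONE}" for lbl in WORDLIST]
    return dictionary_attack(OBSERVED, candidates, SALT, ITERATIONS)


if __name__ == "__main__":
    for h, name in sorted(run_demo().items()):
        print(f"{h}  {name}")
```

Note that the attacker hashes each candidate once per (salt, iterations) pair and can amortise that over every zone sharing the parameters, while the server pays the same per-name price on every negative answer; that symmetry is the point of the abstract's last sentence. The `*.w` entry also shows that a wildcard is just another literal label in the hash input, so wildcard owner names are recovered the same way.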
Keywords :
cryptography; data privacy; graphics processing units; query processing; CPU overhead; DNS security extensions; DNSSEC server admins; GPU-based NSEC3 hash breaking; NSEC3 privacy promises; authenticated negative answers; bandwidth overhead; client queries; cryptographic strength; domain enumeration; domain name system; nonexistent name; Databases; Dictionaries; Graphics processing units; Markov processes; Privacy; Security; Servers
Conference_Title :
Network Computing and Applications (NCA), 2014 IEEE 13th International Symposium on
Conference_Location :
Cambridge, MA
Print_ISBN :
978-1-4799-5392-9
DOI :
10.1109/NCA.2014.27