A dissertation research project for the Ph.D. Consortium Program in
Technology Management: Data Communication Systems from Indiana State University.


S. Jeff Cold, Associate Professor, Principal Investigator, Utah Valley University

Dr. Ed Kinley, Adviser, Indiana State University

A ONE-WAY ANALYSIS OF VARIANCE (ANOVA) TO TEST THE INFLUENCE OF THE NETWORK TIME PROTOCOL (NTP) ON THE DOMAIN NAME SERVICE SECURITY EXTENSION (DNSSEC) PROTOCOL

Context of the Problem

The traditional Domain Name Service (DNS) has been part of the Internet infrastructure since the Internet began. Every time an email is sent, a web page is retrieved, or a file is downloaded, an Internet client queries a DNS server to resolve the Internet Protocol (IP) address of the host. Unfortunately, DNS has no security built into it. DNS is vulnerable to cache poisoning, man-in-the-middle attacks, IP spoofing against Dynamic DNS, and Distributed Denial-of-Service (DDoS) attacks, among others.

Securing this infrastructure is important enough that in December 2006 the National Institute of Standards and Technology (NIST) issued publication 800-53r1, Recommended Security Controls for Federal Information Systems. This publication mandates that a secure version of DNS, the DNS Security Extensions (DNSSEC) protocol, be installed in moderate- and high-impact federal government Information Technology (IT) systems within one year.

The primary purpose of DNSSEC is to provide authentication and integrity for query responses received from the world-wide DNS database. Authentication and integrity are provided through public-key cryptography: the keys are used to generate signed certificates from the DNS servers that answer queries from Internet clients or from other DNS servers.

The way in which signed certificates are evaluated for acceptance between DNSSEC servers and the Internet clients they serve is based on a relative time stamp: the current time measured from the UNIX epoch, January 1, 1970. DNSSEC has no internal time clock built into its protocol. Incorrect time stamps can cause a vulnerability known as a replay attack. A replay attack is a type of man-in-the-middle attack in which a certificate is captured, forged, and then replayed. This means that although DNSSEC is a promising solution to the problems suffered by legacy DNS, the certificates through which it provides authenticity and integrity can be forged.

The Network Time Protocol (NTP) is a free and open source software (FOSS) time-keeping solution that provides an absolute time reference to a computer network. NTP has a network hierarchy similar to that of DNS and can be run alongside DNSSEC to supply an absolute time stamp for the expiration and inception fields of the DNSSEC Resource Record Signature (RRSIG).
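As an added illustration (not code from the dissertation), the time-window check a DNSSEC validator applies to an RRSIG, following RFC 4034 (inception and expiration as seconds since the UNIX epoch) and RFC 1982 (32-bit serial-number comparison). The record values are constructed; the demo contrasts a validator whose clock is correct with one whose clock has not advanced, which keeps accepting a signature that has already expired.

```python
"""RRSIG time-window validation and the effect of validator clock error.

Added example, not part of the dissertation. Field semantics follow
RFC 4034 s3.1.5 (Signature Inception / Expiration, 32-bit seconds since
the UNIX epoch, compared with RFC 1982 serial arithmetic). All record
values below are constructed for illustration.
"""
from datetime import datetime, timezone

MOD = 2 ** 32  # RRSIG time fields are unsigned 32-bit integers


def parse_rrsig_time(text: str) -> int:
    """Parse an RRSIG time field: YYYYMMDDHHmmSS in UTC, or a bare integer."""
    if len(text) == 14 and text.isdigit():
        dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % MOD
    return int(text) % MOD


def serial_le(a: int, b: int) -> bool:
    """RFC 1982 'a <= b' for 32-bit serial numbers (wraps at 2**32)."""
    return a == b or ((b - a) % MOD) < MOD // 2


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034: a signature is usable only if inception <= now <= expiration."""
    now %= MOD
    return serial_le(inception, now) and serial_le(now, expiration)


# Constructed RRSIG timing fields (owner name, key tag and signature bytes
# are irrelevant to the time check and are omitted). 30-day validity window.
SAMPLE_INCEPTION = parse_rrsig_time("20090101000000")
SAMPLE_EXPIRATION = parse_rrsig_time("20090131000000")


def replay_demo() -> dict:
    """Judge the same captured RRSIG with a synced clock and with a stale clock."""
    true_now = parse_rrsig_time("20090315120000")   # six weeks after expiration
    stale_now = parse_rrsig_time("20090115120000")  # clock stuck inside the window
    return {
        "synced_clock_accepts": rrsig_time_valid(SAMPLE_INCEPTION, SAMPLE_EXPIRATION, true_now),
        "stale_clock_accepts": rrsig_time_valid(SAMPLE_INCEPTION, SAMPLE_EXPIRATION, stale_now),
    }


if __name__ == "__main__":
    print(replay_demo())
```

A validator disciplined by NTP lands in the first case; the second case is the replay window the dissertation is concerned with, where an expired signature is still accepted because the local clock is wrong.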

The purpose of this proposed research is to evaluate the significance of using NTP to nullify a replay attack on DNSSEC certificate authentication and verification through the use of an absolute time stamp. 

Methodology

Sampling Size and Variables