Using Secure DNS to Associate Certificates with Domain Names for S/MIME

Schlyter, Jakob; Hoffman, Paul

doi:10.17487/rfc8162

Cited by 7 publications

(5 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, the most popular approach is the use of additional third-parties to extend or replace the rigid CA trust model. In this approach, users can select one or more third-parties to confirm the authenticity of a certificate in order to improve the chances of detecting a MITM attack [19]. However, this approach has several shortcomings such as significant deployment and operational costs (e.g., additional infrastructure with high availability requirements), more complex trust model for users, privacy concerns and more complex revocation procedures.…”

Section: B Tls Mitm Attacks and Countermeasuresmentioning

confidence: 99%

An Efficient Web Authentication Mechanism Preventing Man-In-The-Middle Attacks in Industry 4.0 Supply Chain

et al. 2019

View full text Add to dashboard Cite

The fourth industrial revolution (Industry 4.0) is transforming the next generation of the supply chain by making it more agile and efficient compared with the traditional supply chain. However, data communication across the partners in the Industry 4.0 supply chain can be the target of a wide spectrum of attackers exploiting security breaches in the internal/external environment of the partners due to its heterogeneous and dynamic nature as well as the fact that the non-professional users in security issues usually operate their information systems. Attackers can compromise the data communication between legitimate parties in the Industry 4.0 Supply Chain, and thus, jeopardizing the delivery of services across the partners as well as the continuity of the service provision. Consequently, secure data communications across the partners in the Industry 4.0 Supply Chain are of utmost importance. Toward this direction, TLS protocol, which is the de facto standard for secure Internet communications, is employed to ensure secure communication between a user's web browser and a remote web server located in the premises of the same or another partner. However, over the last few years, there have been several serious attacks on TLS, including man-in-the-middle attacks in web applications using TLS to secure HTTP communication. Therefore, in this paper, we propose an efficient TLS-based authentication mechanism, which is resistant against MITM in web applications.

show abstract

Section: B Tls Mitm Attacks and Countermeasuresmentioning

confidence: 99%

An Efficient Web Authentication Mechanism Preventing Man-In-The-Middle Attacks in Industry 4.0 Supply Chain

et al. 2019

View full text Add to dashboard Cite

show abstract

“…In this case the CA needs a secure way to look up the public key of the domain owner, who is not necessarily identical with the applicant. There are experimental DNS-based approaches to achieve this objective for both, S/MIME [24] and OpenPGP [41].…”

Section: E Email-based Validationmentioning

confidence: 99%

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

Schwittmann

Wander

Weis

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Web security relies on the assumption that certificate authorities (CAs) issue certificates to rightful domain owners only. However, we show that CAs expose vulnerabilities which allow an attacker to obtain certificates from major CAs for domains he does not own. We present a measurement method that allows us to check CAs for a list of technical weaknesses during their domain validation procedures. Our results show that all tested CAs are vulnerable in one or even multiple ways, because they rely on a combination of insecure protocols like DNS and HTTP and do not implement existing secure alternatives like DNSSEC and TLS. We have validated our methodology experimentally and disclosed these vulnerabilities to CAs. Based upon our findings we provide recommendations to domain owners and CAs to close this fundamental weakness in web security.

show abstract

“…Traditionally, this was done using dedicated key/certificate servers, LDAP servers, etc., but these methods are not always easy to deploy and standardize for every enterprise. �ese certificates can be published through the DNS by a different implementation of the DANE mechanism for S/MIME [RFC8162] and OpenPGP [RFC7929]. S/MIME and OpenPGP, with their strengthening by DANE authentication are discussed below.…”

Section: End-to-end Authentication Using S/mime Digital Signaturesmentioning

confidence: 99%

“…�e usual case is for the receiver to authenticate the supplied certificate using PKIX back to the Certificate Authority. Users who want more assurance that the key supplied is bound to the sender's domain can deploy the SMIMEA mechanism [RFC8162] in which the certificate and key can be independently retrieved from the DNS and authenticated per the DANE mechanism, similar to that described in Subsection 5.2.5, above. �e user who wants to encrypt a message retrieves the receiver's public key: which may have been sent on a prior signed message 23 .…”

Section: S/mime and Smimeamentioning

confidence: 99%

Trustworthy email

Rose¹,

Nightingale²,

Garfinkel³

et al. 2019

View full text Add to dashboard Cite

Authority �is publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. �is guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. �is publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

show abstract

Using Secure DNS to Associate Certificates with Domain Names for S/MIME

Abstract: This document describes how to use secure DNS to associate an S/MIME user's certificate with the intended domain name, similar to the way that DNS-Based Authentication of Named Entities (DANE), RFC 6698, does for TLS.

Cited by 7 publications

References 14 publications

An Efficient Web Authentication Mechanism Preventing Man-In-The-Middle Attacks in Industry 4.0 Supply Chain

An Efficient Web Authentication Mechanism Preventing Man-In-The-Middle Attacks in Industry 4.0 Supply Chain

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

Trustworthy email

Contact Info

Product

Resources

About