Saved in:
Bibliographic Details
Main Authors: Pan, Syed W. Shah. Lei, Nguyen, Din Duc Nha, Doss, Robin, Armstrong, Warren, Gauravaram, Praveen
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2411.07535
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918180854693888
author Pan, Syed W. Shah. Lei
Nguyen, Din Duc Nha
Doss, Robin
Armstrong, Warren
Gauravaram, Praveen
author_facet Pan, Syed W. Shah. Lei
Nguyen, Din Duc Nha
Doss, Robin
Armstrong, Warren
Gauravaram, Praveen
contents DNSSEC, a DNS security extension, is essential to accurately translating domain names to IP addresses. Digital signatures provide the foundation for this reliable translation; however, the evolution of 'Quantum Computers' has made traditional digital signatures vulnerable. In light of this, NIST has recently selected potential post-quantum digital signatures that can operate on conventional computers and resist attacks made with Quantum Computers. Since these post-quantum digital signatures are still in their early stages of development, replacing pre-quantum digital signature schemes in DNSSEC with post-quantum candidates is risky until the post-quantum candidates have undergone a thorough security analysis. Given this, herein, we investigate the viability of employing 'Double-Signatures' in DNSSEC, combining a post-quantum digital signature and a classic one. The rationale is that double-signatures will offer protection against quantum threats on conventional signature schemes as well as unknown non-quantum attacks on post-quantum signature schemes, hence even if one fails, the other provides security guarantees. However, the inclusion of two signatures in the DNSSEC response message doesn't bode well with the maximum allowed size of DNSSEC responses (i.e., 1232B, a limitation enforced by the MTU of physical links). To counter this issue, we leverage a way to do application-layer fragmentation of DNSSEC responses with two signatures. We implement our solution on top of OQS-BIND and, through experiments, show that the addition of two signatures in DNSSEC and application-layer fragmentation of all relevant resource records and their reassembly does not have a substantial impact on the efficiency of the resolution process and thus is suitable for the interim period at least until the quantum computers are fully realized.
format Preprint
id arxiv_https___arxiv_org_abs_2411_07535
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Double-Signed Fragmented DNSSEC for Countering Quantum Threat
Pan, Syed W. Shah. Lei
Nguyen, Din Duc Nha
Doss, Robin
Armstrong, Warren
Gauravaram, Praveen
Cryptography and Security
DNSSEC, a DNS security extension, is essential to accurately translating domain names to IP addresses. Digital signatures provide the foundation for this reliable translation; however, the evolution of 'Quantum Computers' has made traditional digital signatures vulnerable. In light of this, NIST has recently selected potential post-quantum digital signatures that can operate on conventional computers and resist attacks made with Quantum Computers. Since these post-quantum digital signatures are still in their early stages of development, replacing pre-quantum digital signature schemes in DNSSEC with post-quantum candidates is risky until the post-quantum candidates have undergone a thorough security analysis. Given this, herein, we investigate the viability of employing 'Double-Signatures' in DNSSEC, combining a post-quantum digital signature and a classic one. The rationale is that double-signatures will offer protection against quantum threats on conventional signature schemes as well as unknown non-quantum attacks on post-quantum signature schemes, hence even if one fails, the other provides security guarantees. However, the inclusion of two signatures in the DNSSEC response message doesn't bode well with the maximum allowed size of DNSSEC responses (i.e., 1232B, a limitation enforced by the MTU of physical links). To counter this issue, we leverage a way to do application-layer fragmentation of DNSSEC responses with two signatures. We implement our solution on top of OQS-BIND and, through experiments, show that the addition of two signatures in DNSSEC and application-layer fragmentation of all relevant resource records and their reassembly does not have a substantial impact on the efficiency of the resolution process and thus is suitable for the interim period at least until the quantum computers are fully realized.
title Double-Signed Fragmented DNSSEC for Countering Quantum Threat
topic Cryptography and Security
url https://arxiv.org/abs/2411.07535