On the unpredictability of DNS
Ben Laurie
ben at links.org
Sun Aug 3 07:44:04 EDT 2008

William Allen Simpson wrote:
> I've changed the subject. Some of my own rants are about mathematical
> cryptographers that are looking for the "perfect" solution, instead of
> a practical security solution. Always think about the threat first!
>
> In this threat environment, the attacker is unlikely to have perfect
> knowledge of the sequence. Shared resolvers are the most critical
> vulnerability, but the attacker isn't necessarily in the packet path, and
> cannot discern more than a few scattered numbers in the sequence. The
> more sharing (and greater impact), the more sparse the information.
>
> In any case, the only "perfect" solution is DNS-security. Over many
> years, I've given *many* lectures to local university, network, and
> commercial institutions about the need to upgrade and secure our zones.
> But the standards kept changing, and the roots and TLDs were not secured.
>
> Now, the lack of collective attention to known security problems has
> bitten us collectively.
>
> Nevertheless, with rephrasing, Ben has some good points....

I don't see any actual rephrasing below, unless you are suggesting I
should have said "unpredictable" instead of "random". I think that's a
perfectly fine substitution to make.

> Ben Laurie wrote:
>> But just how GREAT is that, really? Well, we don't know. Why? Because
>> there isn't actually a way to test for randomness. ...
>
> While randomness is sufficient for "perfect" unpredictability, it isn't
> necessary in this threat environment.

I agree, but my point is unaltered if you switch "randomness" to
"unpredictability".

> Keep in mind that the likely unpredictability is about 2**24. In many
> or most cases, that will be implementation limited to 2**18 or less.

Why?

>> Your DNS resolver could be using some easily predicted random number
>> generator like, say, a linear congruential one, as is common in the
>> rand() library function, but DNS-OARC would still say it was GREAT.
>
> In this threat environment, a better test would be for determination of a
> possible seed for any of several common PRNG. Or lack of PRNG.

I don't see why. A perfectly reasonable threat is that the attacker
reverse engineers the PRNG (or just checks out the source). It doesn't
need to be common to be predictable.

>> Oh, and I should say that number of ports and standard deviation are
>> not a GREAT way to test for "randomness". For example, the sequence
>> 1000, 2000, ..., 27000 has 27 ports and a standard deviation of over
>> 7500, which looks pretty GREAT to me. But not very "random".
>>
> Again, the question is not randomness, but unpredictability.

Again, changing the words does not alter my point in any way, though I
do agree that unpredictable is a better word.

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
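
Added example (not part of the original message, and not DNS-OARC's code): the thread's 1000, 2000, ..., 27000 port sequence and a linear congruential sequence are both scored on port count and standard deviation, then checked against a fitted recurrence x[n+1] = (a*x[n] + c) mod m. The modulus 65537, the toy generator's constants and all function names are assumptions made for this illustration.

```python
import secrets
import statistics

M = 65537  # assumed prime modulus for the toy generator (constructed for this example)

def spread_metrics(ports):
    """The two figures discussed in the thread: distinct port count and standard deviation."""
    return len(set(ports)), statistics.stdev(ports)

def fit_affine(ports, m=M):
    """Recover (a, c) for x[n+1] = (a*x[n] + c) % m from the first three samples."""
    x0, x1, x2 = ports[:3]
    d1 = (x1 - x0) % m
    if d1 == 0:
        return None  # repeated value: no unique fit from these samples
    a = (x2 - x1) * pow(d1, -1, m) % m  # m is prime, so d1 is invertible
    c = (x1 - a * x0) % m
    return a, c

def predicted_fraction(ports, m=M):
    """Fraction of samples after the third that the fitted recurrence predicts exactly."""
    fit = fit_affine(ports, m)
    if fit is None or len(ports) < 4:
        return 0.0
    a, c = fit
    hits = sum((a * prev + c) % m == nxt for prev, nxt in zip(ports[2:], ports[3:]))
    return hits / (len(ports) - 3)

def toy_lcg(seed, n, a=75, c=74, m=M):
    """Constructed linear congruential generator standing in for a weak rand()."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out

def os_sample(n=27):
    """Ports drawn from the operating system's CSPRNG, for contrast."""
    return [1024 + secrets.randbelow(65536 - 1024) for _ in range(n)]

STEPPED = list(range(1000, 28000, 1000))  # the sequence from the message: 27 ports
TOY_LCG = toy_lcg(seed=12345, n=27)       # constructed sample

if __name__ == "__main__":
    for name, seq in (("stepped", STEPPED), ("toy LCG", TOY_LCG), ("OS CSPRNG", os_sample())):
        count, sd = spread_metrics(seq)
        print(f"{name:10s} ports={count:2d} stdev={sd:8.1f} predicted={predicted_fraction(seq):.2f}")
```

A sequence that this fit fails to predict has only been cleared of one generator family; it has not been shown to be unpredictable.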