DNSCurve D. J. Bernstein University of Illinois at Chicago The Domain Name System uma.es wants to see http://www.iitk.ac.in. '& %$ ! "# Browser at uma.es '& %$ ! "# Administrator at iitk.ac.in “The web server www.iitk.ac.in has IP address 203.200.95.142.” OO Now uma.es retrieves web page from IP address 203.200.95.142. urve Bernstein sity of Illinois at Chicago The Domain Name System uma.es wants to see http://www.iitk.ac.in. '& %$ ! "# Browser at uma.es '& %$ ! "# Administrator at iitk.ac.in “The web server www.iitk.ac.in has IP address 203.200.95.142.” OO Now uma.es retrieves web page from IP address 203.200.95.142. Same f uma.es someon '& ! Mail '& ! Admin Now um delivers IP addr nois at Chicago The Domain Name System uma.es wants to see http://www.iitk.ac.in. '& %$ ! "# Browser at uma.es '& %$ ! "# Administrator at iitk.ac.in “The web server www.iitk.ac.in has IP address 203.200.95.142.” OO Now uma.es retrieves web page from IP address 203.200.95.142. Same for Internet uma.es has mail someone@iitk.a '& %$ ! "# Mail client at '& %$ ! "# Administrator a “The mail iitk.a has IP a 203.197. OO Now uma.es delivers mail to IP address 203.19 cago The Domain Name System uma.es wants to see http://www.iitk.ac.in. '& %$ ! "# Browser at uma.es '& %$ ! "# Administrator at iitk.ac.in “The web server www.iitk.ac.in has IP address 203.200.95.142.” OO Now uma.es retrieves web page from IP address 203.200.95.142. Same for Internet mail. uma.es has mail to deliver someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Administrator at iitk.a “The mail server for iitk.ac.in has IP address 203.197.196.9.” OO Now uma.es delivers mail to IP address 203.197.196.9. The Domain Name System uma.es wants to see http://www.iitk.ac.in. '& %$ ! "# Browser at uma.es '& %$ ! "# Administrator at iitk.ac.in “The web server www.iitk.ac.in has IP address 203.200.95.142.” OO Now uma.es retrieves web page from IP address 203.200.95.142. Same for Internet mail. 
uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Administrator at iitk.ac.in “The mail server for iitk.ac.in has IP address 203.197.196.9.” OO Now uma.es delivers mail to IP address 203.197.196.9. omain Name System s wants to see //www.iitk.ac.in. %$ "# owser at uma.es %$ "# nistrator at iitk.ac.in “The web server www.iitk.ac.in has IP address 203.200.95.142.” OO ma.es es web page from ress 203.200.95.142. Same for Internet mail. uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Administrator at iitk.ac.in “The mail server for iitk.ac.in has IP address 203.197.196.9.” OO Now uma.es delivers mail to IP address 203.197.196.9. Forging uma.es someon '& ! Mail cl '& ! Attac “ OO Now um delivers IP addr actually me System o see tk.ac.in. uma.es at iitk.ac.in server .ac.in ddress 5.142.” ge from 00.95.142. Same for Internet mail. uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Administrator at iitk.ac.in “The mail server for iitk.ac.in has IP address 203.197.196.9.” OO Now uma.es delivers mail to IP address 203.197.196.9. Forging DNS pac uma.es has mail someone@iitk.a '& %$ ! "# Mail client at u '& %$ ! "# Attacker anyw “The mail se iitk.ac has IP ad 157.22.245 OO Now uma.es delivers mail to IP address 157.22 actually the attac m . ac.in . Same for Internet mail. uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Administrator at iitk.ac.in “The mail server for iitk.ac.in has IP address 203.197.196.9.” OO Now uma.es delivers mail to IP address 203.197.196.9. Forging DNS packets uma.es has mail to deliver someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Attacker anywhere on n “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s mac Same for Internet mail. 
uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Administrator at iitk.ac.in “The mail server for iitk.ac.in has IP address 203.197.196.9.” OO Now uma.es delivers mail to IP address 203.197.196.9. Forging DNS packets uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Attacker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s machine. for Internet mail. s has mail to deliver to ne@iitk.ac.in. %$ "# client at uma.es %$ "# nistrator at iitk.ac.in “The mail server for iitk.ac.in has IP address 203.197.196.9.” OO ma.es s mail to ress 203.197.196.9. Forging DNS packets uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Attacker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s machine. Actuall attacke some b t mail. to deliver to ac.in. t uma.es at iitk.ac.in server for ac.in address .196.9.” 97.196.9. Forging DNS packets uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Attacker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s machine. Actually: Client s attacker has to re some bits from th r to ac.in Forging DNS packets uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Attacker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s machine. Actually: Client sends quer attacker has to repeat some bits from the query. Forging DNS packets uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! 
"# Mail client at uma.es '& %$ ! "# Attacker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s machine. Actually: Client sends query; attacker has to repeat some bits from the query. Forging DNS packets uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Attacker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s machine. Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. Forging DNS packets uma.es has mail to deliver to someone@iitk.ac.in. '& %$ ! "# Mail client at uma.es '& %$ ! "# Attacker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” OO Now uma.es delivers mail to IP address 157.22.245.20, actually the attacker’s machine. Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. “No sniffers on my network!” : : : so a blind attacker guesses the bits to repeat, eventually gets lucky. After analysis, optimization: blind forgery is about as easy as downloading a movie. g DNS packets s has mail to deliver to ne@iitk.ac.in. %$ "# lient at uma.es %$ "# cker anywhere on network “The mail server for iitk.ac.in has IP address 157.22.245.20.” ma.es s mail to ress 157.22.245.20, y the attacker’s machine. Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. 
“No sniffers on my network!” : : : so a blind attacker guesses the bits to repeat, eventually gets lucky. After analysis, optimization: blind forgery is about as easy as downloading a movie. Some g Why do use cry ckets to deliver to ac.in. uma.es where on network erver for c.in ddress 5.20.” 2.245.20, cker’s machine. Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. “No sniffers on my network!” : : : so a blind attacker guesses the bits to repeat, eventually gets lucky. After analysis, optimization: blind forgery is about as easy as downloading a movie. Some general que Why doesn’t the use cryptography r to network chine. Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. “No sniffers on my network!” : : : so a blind attacker guesses the bits to repeat, eventually gets lucky. After analysis, optimization: blind forgery is about as easy as downloading a movie. Some general questions Why doesn’t the Internet use cryptography? Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. “No sniffers on my network!” : : : so a blind attacker guesses the bits to repeat, eventually gets lucky. After analysis, optimization: blind forgery is about as easy as downloading a movie. Some general questions Why doesn’t the Internet use cryptography? Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. 
“No sniffers on my network!” : : : so a blind attacker guesses the bits to repeat, eventually gets lucky. After analysis, optimization: blind forgery is about as easy as downloading a movie. Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Actually: Client sends query; attacker has to repeat some bits from the query. Network probably has at least one attacker-controlled machine. That machine sniffs network, trivially forges DNS packets. “No sniffers on my network!” : : : so a blind attacker guesses the bits to repeat, eventually gets lucky. After analysis, optimization: blind forgery is about as easy as downloading a movie. Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Indeed, many connections use SSL, Skype, etc. But most connections don’t. ly: Client sends query; er has to repeat bits from the query. rk probably has at least tacker-controlled machine. machine sniffs network, y forges DNS packets. niffers on my network!” a blind attacker s the bits to repeat, ally gets lucky. analysis, optimization: orgery is about as easy wnloading a movie. Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Indeed, many connections use SSL, Skype, etc. But most connections don’t. Why is Interne sends query; epeat he query. y has at least ntrolled machine. niffs network, NS packets. my network!” tacker to repeat, ucky. ptimization: bout as easy a movie. Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Indeed, many connections use SSL, Skype, etc. But most connections don’t. Why is there so m Internet commun ry; east achine. rk, ts. 
k!” n: asy Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Indeed, many connections use SSL, Skype, etc. But most connections don’t. Why is there so much unpr Internet communication? Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Indeed, many connections use SSL, Skype, etc. But most connections don’t. Why is there so much unprotected Internet communication? Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Indeed, many connections use SSL, Skype, etc. But most connections don’t. Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” Some general questions Why doesn’t the Internet use cryptography? “The Internet does use cryptography! I just made an SSL connection to my bank.” Indeed, many connections use SSL, Skype, etc. But most connections don’t. Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” In fact, attackers are forging packets and exploiting buffer overflows and doing much more. Users want all of these problems fixed. general questions oesn’t the Internet yptography? nternet does yptography! I just made L connection to my bank.” , many connections L, Skype, etc. ost connections don’t. Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” In fact, attackers are forging packets and exploiting buffer overflows and doing much more. 
Users want all of these problems fixed. Why ar unencry estions Internet y? oes y! I just made on to my bank.” nnections etc. ctions don’t. Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” In fact, attackers are forging packets and exploiting buffer overflows and doing much more. Users want all of these problems fixed. Why are typical I unencrypted and made bank.” ’t. Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” In fact, attackers are forging packets and exploiting buffer overflows and doing much more. Users want all of these problems fixed. Why are typical Internet pa unencrypted and unauthent Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” In fact, attackers are forging packets and exploiting buffer overflows and doing much more. Users want all of these problems fixed. Why are typical Internet packets unencrypted and unauthenticated? Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” In fact, attackers are forging packets and exploiting buffer overflows and doing much more. Users want all of these problems fixed. Why are typical Internet packets unencrypted and unauthenticated? “It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” Why is there so much unprotected Internet communication? “Because nobody cares. Cryptography is pointless. 
Attackers are exploiting buffer overflows; they aren’t intercepting or forging packets.” In fact, attackers are forging packets and exploiting buffer overflows and doing much more. Users want all of these problems fixed. Why are typical Internet packets unencrypted and unauthenticated? “It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” True for most protocols. But let’s focus on HTTP. Most HTTP servers and browsers (Apache, Internet Explorer, Firefox, etc.) support SSL. s there so much unprotected et communication? use nobody cares. graphy is pointless. ers are exploiting overflows; they aren’t pting or forging packets.” , attackers ging packets ploiting buffer overflows oing much more. Users ll of these problems fixed. Why are typical Internet packets unencrypted and unauthenticated? “It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” True for most protocols. But let’s focus on HTTP. Most HTTP servers and browsers (Apache, Internet Explorer, Firefox, etc.) support SSL. Why is fraction much unprotected nication? y cares. pointless. ploiting they aren’t orging packets.” s ets uffer overflows more. Users e problems fixed. Why are typical Internet packets unencrypted and unauthenticated? “It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” True for most protocols. But let’s focus on HTTP. Most HTTP servers and browsers (Apache, Internet Explorer, Firefox, etc.) support SSL. Why is SSL used fraction of all HT rotected ’t kets.” lows ers fixed. Why are typical Internet packets unencrypted and unauthenticated? 
“It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” True for most protocols. But let’s focus on HTTP. Most HTTP servers and browsers (Apache, Internet Explorer, Firefox, etc.) support SSL. Why is SSL used for only a fraction of all HTTP conne Why are typical Internet packets unencrypted and unauthenticated? “It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” True for most protocols. But let’s focus on HTTP. Most HTTP servers and browsers (Apache, Internet Explorer, Firefox, etc.) support SSL. Why is SSL used for only a tiny fraction of all HTTP connections? Why are typical Internet packets unencrypted and unauthenticated? “It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” True for most protocols. But let’s focus on HTTP. Most HTTP servers and browsers (Apache, Internet Explorer, Firefox, etc.) support SSL. Why is SSL used for only a tiny fraction of all HTTP connections? “Have you ever tried to set up SSL? Do you want to go through all these extra Apache configuration steps? Do you want to pay for a certificate? Do you want to annoy your web-site visitors with self-signed certificates?” Why are typical Internet packets unencrypted and unauthenticated? “It’s too easy to write Internet software that exchanges data without any cryptographic protection. Most Internet clients and servers don’t know how to make cryptographic connections.” True for most protocols. But let’s focus on HTTP. Most HTTP servers and browsers (Apache, Internet Explorer, Firefox, etc.) support SSL. Why is SSL used for only a tiny fraction of all HTTP connections? “Have you ever tried to set up SSL? 
Do you want to go through all these extra Apache configuration steps? Do you want to pay for a certificate? Do you want to annoy your web-site visitors with self-signed certificates?” Indeed, usability is a major issue. Only 1% of the Apache servers on the Internet have SSL enabled. re typical Internet packets ypted and unauthenticated? oo easy to write Internet re that exchanges data t any cryptographic tion. Most Internet clients rvers don’t know how to cryptographic connections.” or most protocols. t’s focus on HTTP. HTTP servers and browsers he, Internet Explorer, , etc.) support SSL. Why is SSL used for only a tiny fraction of all HTTP connections? “Have you ever tried to set up SSL? Do you want to go through all these extra Apache configuration steps? Do you want to pay for a certificate? Do you want to annoy your web-site visitors with self-signed certificates?” Indeed, usability is a major issue. Only 1% of the Apache servers on the Internet have SSL enabled. But let Google paid fo Google https: Internet packets unauthenticated? write Internet changes data ptographic t Internet clients t know how to hic connections.” otocols. n HTTP. vers and browsers t Explorer, pport SSL. Why is SSL used for only a tiny fraction of all HTTP connections? “Have you ever tried to set up SSL? Do you want to go through all these extra Apache configuration steps? Do you want to pay for a certificate? Do you want to annoy your web-site visitors with self-signed certificates?” Indeed, usability is a major issue. Only 1% of the Apache servers on the Internet have SSL enabled. But let’s focus on Google has alread paid for a certific Google uses SSL https://mail.g ackets ticated? rnet ata clients w to ctions.” rowsers , Why is SSL used for only a tiny fraction of all HTTP connections? “Have you ever tried to set up SSL? Do you want to go through all these extra Apache configuration steps? Do you want to pay for a certificate? 
Do you want to annoy your web-site visitors with self-signed certificates?” Indeed, usability is a major issue. Only 1% of the Apache servers on the Internet have SSL enabled. But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.co Why is SSL used for only a tiny fraction of all HTTP connections? “Have you ever tried to set up SSL? Do you want to go through all these extra Apache configuration steps? Do you want to pay for a certificate? Do you want to annoy your web-site visitors with self-signed certificates?” Indeed, usability is a major issue. Only 1% of the Apache servers on the Internet have SSL enabled. But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. Why is SSL used for only a tiny fraction of all HTTP connections? “Have you ever tried to set up SSL? Do you want to go through all these extra Apache configuration steps? Do you want to pay for a certificate? Do you want to annoy your web-site visitors with self-signed certificates?” Indeed, usability is a major issue. Only 1% of the Apache servers on the Internet have SSL enabled. But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. If you connect to https://www.google.com, Google redirects your browser to http://www.google.com. s SSL used for only a tiny n of all HTTP connections? you ever tried to set L? Do you want to go h all these extra Apache uration steps? Do you o pay for a certificate? u want to annoy your te visitors with self-signed ates?” , usability is a major issue. 1% of the Apache servers Internet have SSL enabled. But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. If you connect to https://www.google.com, Google redirects your browser to http://www.google.com. Why do turn off d for only a tiny TTP connections? 
tried to set want to go e extra Apache ps? Do you a certificate? annoy your with self-signed is a major issue. e Apache servers have SSL enabled. But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. If you connect to https://www.google.com, Google redirects your browser to http://www.google.com. Why does Google turn off cryptogr a tiny ections? t go ache ou te? r igned r issue. servers enabled. But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. If you connect to https://www.google.com, Google redirects your browser to http://www.google.com. Why does Google actively turn off cryptographic prot But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. If you connect to https://www.google.com, Google redirects your browser to http://www.google.com. Why does Google actively turn off cryptographic protection? But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. If you connect to https://www.google.com, Google redirects your browser to http://www.google.com. Why does Google actively turn off cryptographic protection? “Enabling SSL for more than a small fraction of Google connections would overload the Google servers. Google doesn’t want to pay for a bunch of extra computers. Too slow ) unusable.” But let’s focus on Google. Google has already paid for a certificate. Google uses SSL for https://mail.google.com. If you connect to https://www.google.com, Google redirects your browser to http://www.google.com. Why does Google actively turn off cryptographic protection? “Enabling SSL for more than a small fraction of Google connections would overload the Google servers. Google doesn’t want to pay for a bunch of extra computers. Too slow ) unusable.” Many companies sell SSL-acceleration hardware, but that costs money too. 
t’s focus on Google. e has already or a certificate. e uses SSL for ://mail.google.com. connect to ://www.google.com, e redirects your browser to //www.google.com. Why does Google actively turn off cryptographic protection? “Enabling SSL for more than a small fraction of Google connections would overload the Google servers. Google doesn’t want to pay for a bunch of extra computers. Too slow ) unusable.” Many companies sell SSL-acceleration hardware, but that costs money too. Why ar comput Can cry without Can cry to solid Google Can cry to prot Can un n Google. dy cate. for google.com. o oogle.com, your browser to ogle.com. Why does Google actively turn off cryptographic protection? “Enabling SSL for more than a small fraction of Google connections would overload the Google servers. Google doesn’t want to pay for a bunch of extra computers. Too slow ) unusable.” Many companies sell SSL-acceleration hardware, but that costs money too. Why are cryptogr computations so Can crypto be fa without being ea Can crypto be fa to solidly protect Google’s commun Can crypto be fa to protect every I Can universal cry om. m, wser to . Why does Google actively turn off cryptographic protection? “Enabling SSL for more than a small fraction of Google connections would overload the Google servers. Google doesn’t want to pay for a bunch of extra computers. Too slow ) unusable.” Many companies sell SSL-acceleration hardware, but that costs money too. Why are cryptographic computations so expensive? Can crypto be faster, without being easy to break Can crypto be fast enough to solidly protect all of Google’s communications? Can crypto be fast enough to protect every Internet pa Can universal crypto be usa Why does Google actively turn off cryptographic protection? “Enabling SSL for more than a small fraction of Google connections would overload the Google servers. Google doesn’t want to pay for a bunch of extra computers. 
Too slow ) unusable.” Many companies sell SSL-acceleration hardware, but that costs money too. Why are cryptographic computations so expensive? Can crypto be faster, without being easy to break? Can crypto be fast enough to solidly protect all of Google’s communications? Can crypto be fast enough to protect every Internet packet? Can universal crypto be usable? oes Google actively f cryptographic protection? ing SSL re than a small fraction gle connections would ad the Google servers. e doesn’t want to pay for h of extra computers. ow ) unusable.” companies sell cceleration hardware, at costs money too. Why are cryptographic computations so expensive? Can crypto be faster, without being easy to break? Can crypto be fast enough to solidly protect all of Google’s communications? Can crypto be fast enough to protect every Internet packet? Can universal crypto be usable? What c Cryptog stop sn by scra Cryptog as prot attacke the scra Can als attacke a prope e actively raphic protection? small fraction ctions would ogle servers. want to pay for computers. sable.” sell hardware, oney too. Why are cryptographic computations so expensive? Can crypto be faster, without being easy to break? Can crypto be fast enough to solidly protect all of Google’s communications? Can crypto be fast enough to protect every Internet packet? Can universal crypto be usable? What cryptograp Cryptography can stop sniffing atta by scrambling leg Cryptography is o as protecting con attackers can’t u the scrambled pa Can also protect attackers can’t fi a properly scramb tection? tion uld s. y for s. , Why are cryptographic computations so expensive? Can crypto be faster, without being easy to break? Can crypto be fast enough to solidly protect all of Google’s communications? Can crypto be fast enough to protect every Internet packet? Can universal crypto be usable? 
What cryptography can do Cryptography can stop sniffing attackers by scrambling legitimate pa Cryptography is often desc as protecting confidentiality attackers can’t understand the scrambled packets. Can also protect integrity: attackers can’t figure out a properly scrambled forger Why are cryptographic computations so expensive? Can crypto be faster, without being easy to break? Can crypto be fast enough to solidly protect all of Google’s communications? Can crypto be fast enough to protect every Internet packet? Can universal crypto be usable? What cryptography can do Cryptography can stop sniffing attackers by scrambling legitimate packets. Cryptography is often described as protecting confidentiality: attackers can’t understand the scrambled packets. Can also protect integrity: attackers can’t figure out a properly scrambled forgery. re cryptographic tations so expensive? ypto be faster, t being easy to break? ypto be fast enough dly protect all of e’s communications? ypto be fast enough tect every Internet packet? niversal crypto be usable? What cryptography can do Cryptography can stop sniffing attackers by scrambling legitimate packets. Cryptography is often described as protecting confidentiality: attackers can’t understand the scrambled packets. Can also protect integrity: attackers can’t figure out a properly scrambled forgery. Traditio each le to shar Public- has mu (1976 D many s Each p Two pa securely the oth 1993: I project signatu raphic expensive? aster, asy to break? ast enough t all of nications? ast enough Internet packet? ypto be usable? What cryptography can do Cryptography can stop sniffing attackers by scrambling legitimate packets. Cryptography is often described as protecting confidentiality: attackers can’t understand the scrambled packets. Can also protect integrity: attackers can’t figure out a properly scrambled forgery. 
Traditional cryptography requires each legitimate client-server pair to share a secret key.

Public-key cryptography has much lower requirements. (1976 Diffie–Hellman; many subsequent refinements) Each party has one public key. Two parties can communicate securely if each party knows the other party's public key.

1993: IETF begins "DNSSEC" project to add public-key signatures to DNS.
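The public-key model on the slide, as an added example that is not code from the slides: each party generates one key pair and publishes the public half; a cache and a server that know each other's public keys derive the same symmetric key with Diffie–Hellman and use it to authenticate records, with no pre-shared secret between the pair. The group parameters here (p = 2**521 - 1, g = 3) are demo values and not a standardized or safe-prime group; the party names and record are constructed.

```python
"""Added example (not code from the slides): the public-key model on the
slide, shown with Diffie–Hellman key agreement.

Demo parameters only: p = 2**521 - 1 is prime, but this is not a
standardized or safe-prime group.  A real deployment uses a vetted group
or an elliptic curve.  Party names and the record are constructed.
"""
import hashlib
import hmac
import secrets

P = 2**521 - 1   # Mersenne prime M521, demo modulus only
G = 3            # demo generator


class Party:
    """One key pair per party: the public key is all a peer needs to know."""

    def __init__(self, name: str):
        self.name = name
        self._secret = secrets.randbelow(P - 2) + 1    # private; never sent anywhere
        self.public = pow(G, self._secret, P)          # published once

    def shared_key(self, peer_public: int) -> bytes:
        """Symmetric key for one peer, from our secret and their public key."""
        s = pow(peer_public, self._secret, P)
        return hashlib.sha256(s.to_bytes(66, "big")).digest()


def authenticate(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(mac, authenticate(key, message))


def demo() -> dict:
    cache = Party("DNS cache at uma.es")
    server = Party("ns2.iitk.ac.in")
    eve = Party("attacker")         # own key pair; sees both public keys on the wire
    record = b"www.iitk.ac.in A 203.200.95.142"

    k_server = server.shared_key(cache.public)   # server knows only cache.public
    k_cache = cache.shared_key(server.public)    # cache knows only server.public
    mac = authenticate(k_server, record)
    return {
        "keys_agree": k_server == k_cache,
        "cache_accepts": verify(k_cache, record, mac),
        "attacker_can_forge_or_check": verify(eve.shared_key(server.public), record, mac),
        "pairwise_keys_differ": server.shared_key(cache.public) != server.shared_key(eve.public),
    }
```

Under the traditional model every client-server pair would need its own pre-arranged secret; here the server keeps one secret and still ends up with a distinct key for every peer, derived from that peer's public key. An observer who holds both public keys but neither secret cannot compute the key, so the tag tells the cache that the record came from the holder of the server's secret.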
After fifteen years and millions of dollars of U.S. government grants (e.g., DISA to BIND company; NSF to UCLA; DHS to Secure64 Software Corporation), how successful is DNSSEC?

The Internet has about 78000000 *.com names. Surveys by DNSSEC developers, last updated 2009.03.12, have found 253 *.com names with DNSSEC signatures. 116 on 2008.08.20; 253 > 116.

Why is nobody using DNSSEC?

Some of the Internet's DNS servers are extremely busy: e.g., the root servers, the .com servers, the google.com servers.

DNSSEC tries to minimize server-side costs by precomputing signatures of DNS records. Signature is computed once; saved; sent to many clients. Hopefully the server can afford to sign each DNS record once.
Clients don't share the work of verifying a signature. DNSSEC tries to reduce client-side costs through choice of crypto primitive.

DNSSEC RFCs say DSA is "10 to 40 times as slow for verification" as RSA; recommend RSA "as the preferred algorithm" for DNSSEC; suggest RSA key size of only 1024 bits for "leaf nodes in the DNS."
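Where the "10 to 40 times" figure comes from, as an added example that is not code from the slides: RSA verification is a single exponentiation to a tiny public exponent (65537), while a DSA verification is two exponentiations to exponents as long as the subgroup order (160 bits for classic DSA). The code counts the modular squarings and multiplications done by plain square-and-multiply, and then applies a rough (bits/1024)**2 scaling to show what moving RSA to 2048-bit keys costs. The modulus value, the two demo exponents and the scaling model are my assumptions; the exponent sizes are the standard ones.

```python
"""Added example (not code from the slides): why the DNSSEC RFCs can call
DSA "10 to 40 times as slow for verification" as RSA.  It counts the
modular squarings and multiplications that plain square-and-multiply
exponentiation performs.

Exponent sizes are the standard ones (RSA e = 65537; two 160-bit DSA
exponents u1, u2).  The modulus value, the demo exponents u1/u2 and the
(bits/1024)**2 cost-scaling model are my assumptions.
"""
import hashlib


def modexp_counted(base: int, exp: int, mod: int):
    """Left-to-right square-and-multiply.  Returns (result, squarings, multiplies)."""
    assert exp >= 1
    bits = bin(exp)[2:]
    result = base % mod          # consumes the leading 1 bit
    squarings = multiplies = 0
    for bit in bits[1:]:
        result = result * result % mod
        squarings += 1
        if bit == "1":
            result = result * base % mod
            multiplies += 1
    return result, squarings, multiplies


N_1024 = (1 << 1024) - 159     # constructed 1024-bit odd modulus; the count ignores its value
RSA_E = 65537
# two 160-bit DSA verification exponents, derived deterministically for the demo
U1 = int.from_bytes(hashlib.sha256(b"u1").digest()[:20], "big")
U2 = int.from_bytes(hashlib.sha256(b"u2").digest()[:20], "big")


def rsa_verify_ops(mod: int = N_1024, e: int = RSA_E) -> int:
    """RSA verify = s**e mod n: one exponentiation to a 17-bit exponent."""
    r, sq, mul = modexp_counted(3, e, mod)           # 3 stands in for the signature
    assert r == pow(3, e, mod)
    return sq + mul


def dsa_verify_ops(mod: int = N_1024, u1: int = U1, u2: int = U2) -> int:
    """DSA verify needs g**u1 * y**u2 mod p: two full-size exponentiations."""
    r1, sq1, mul1 = modexp_counted(2, u1, mod)
    r2, sq2, mul2 = modexp_counted(5, u2, mod)
    assert (r1, r2) == (pow(2, u1, mod), pow(5, u2, mod))
    return sq1 + mul1 + sq2 + mul2 + 1                # +1 for the final product


def dsa_over_rsa_slowdown() -> float:
    return dsa_verify_ops() / rsa_verify_ops()


def scaled_cost(ops: int, modulus_bits: int) -> float:
    """Rough model: a modular multiply costs (bits/1024)**2 units (schoolbook)."""
    return ops * (modulus_bits / 1024) ** 2


def rsa2048_vs_dsa1024() -> tuple:
    """Moving RSA to 2048-bit keys still verifies far cheaper than 1024-bit DSA."""
    return scaled_cost(rsa_verify_ops(), 2048), scaled_cost(dsa_verify_ops(), 1024)
```

RSA with e = 65537 costs 16 squarings and 1 multiplication; the two 160-bit DSA exponents cost a few hundred operations between them, which is where a factor in the tens comes from. The same model says that doubling the RSA modulus to 2048 bits roughly quadruples the per-multiply cost yet still leaves verification well under DSA-1024, so the client-side argument for staying at 1024 bits is weak.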
I say: 1024-bit RSA is irresponsible.

2003: Shamir–Tromer et al. concluded that 1024-bit RSA was already breakable by large companies and botnets.

2003: RSA Laboratories recommended a transition to 2048-bit keys "over the remainder of this decade." 2007: NIST made the same recommendation.

But most users don't know this. Why aren't they using DNSSEC?
DNS architecture

Browser pulls data from DNS cache at uma.es:

[Diagram: Administrator at iitk.ac.in -> DNS cache -> Browser at uma.es, carrying "The web server www.iitk.ac.in has IP address 203.200.95.142."]

Cache pulls data from administrator if it doesn't already have the data.

Administrator pushes data through local database into .iitk.ac.in DNS server:

[Diagram: Administrator at iitk.ac.in -> .iitk.ac.in database -> .iitk.ac.in DNS server -> DNS cache -> Browser at uma.es, carrying "The web server www.iitk.ac.in has IP address 203.200.95.142."]
DNS cache learns location of .iitk.ac.in DNS server from .in DNS server:

[Diagram: as before, Administrator at iitk.ac.in -> .iitk.ac.in database -> .iitk.ac.in DNS server -> DNS cache -> Browser at uma.es; in addition .in database -> .in DNS server -> DNS cache, carrying "The DNS server for .iitk.ac.in is ns2 with IP address 202.3.77.23."]

[Diagram, full picture: the browser at uma.es asks the DNS cache; the cache consults the Root DNS server, the .in DNS server and the .iitk.ac.in DNS server; each server is fed from its own database (.in database, .iitk.ac.in database) by its own administrator. Labels on the slide: Ganesha, Internet Central HQ, Administrator at iitk.ac.in.]
DNS server software listed in Wikipedia: BIND, Microsoft DNS, djbdns, Dnsmasq, Simple DNS Plus, NSD, PowerDNS, MaraDNS, ANS, Posadis, Secure64 DNS.

DNS database-management tools listed by 2008 Salomon: BPP, DNS Boss, DNStool, gencidrzone, h2n, makezones, NSC, nsupdate, SENDS, updatehosts, Utah Tools, webdns, zsu. Plus hundreds of homegrown tools written by DNS registrars etc.

DNSSE every D Whene a DNS precom signatu Often c for the Exampl can pro (2005 N Tool re probabl