Off-Path Attacks Against PKI

The presentation discusses DNS cache poisoning and IP fragmentation attacks as methods of injecting spoofed values into DNS resolvers and IP defragmentation caches, respectively. The speaker explains how these attacks can be used to intercept validation codes during the process of obtaining a certificate from a certificate authority. The presentation also touches on potential mitigation mechanisms for these attacks.

• DNS cache poisoning and IP fragmentation attacks can be used to inject spoofed values into DNS resolvers and IP defragmentation caches, respectively
• These attacks can be used to intercept validation codes during the process of obtaining a certificate from a certificate authority
• Mitigation mechanisms for these attacks include IP fragmentation attacks and the challenge response mechanism built into DNS
• Multiple vantage points for DNS queries may increase security

The speaker explains how DNS cache poisoning works by injecting spoofed values into the DNS resolver's cache, and how this can be prevented through the challenge response mechanism built into DNS. They then go on to describe IP fragmentation attacks, which involve injecting spoofed values into the IP defragmentation cache of the target receiver. The speaker illustrates this point by describing how a malicious actor could use this attack to intercept validation codes during the process of obtaining a certificate from a certificate authority.

The security of Internet-based applications fundamentally relies on the trustwortiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a very weak attacker, namely, an off-path attacker, can effectively subvert the trustworthiness of popular commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificates market. The attack exploits DNS Cache Poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own -- namely certificates binding the attacker's public key to a victim domain.We discuss short and long term defences, but argue that they fall short of securing DV. To mitigate the threats we propose Domain Validation++ (DV++). DV++ replaces the need in cryptography through assumptions in distributed systems. While retaining the benefits of DV (automation, efficiency and low costs) DV++ is secure even against Man-in-the-Middle (MitM) attackers. Deployment of DV++ is simple and does not require changing the existing infrastructure nor systems of the CAs. We demonstrate security of DV++ under realistic assumptions and provide open source access to our DV++ implementation.