Colloquia, 2008-2009

Colloquium - Osterweil

Using the Public-Space for Key Verification
University of California, Los Angeles

A public key verification system for the global Internet has long been thought of as a prerequisite for enhancing Internet security with cryptographic protections. However, after years of effort by numerous groups, such a facility remains absent from the operational Internet. In this talk we formally define a novel concept called the Public-Space and, through the design of a system called Vantages, describe how it can be leveraged to build a public key verification system for the global Internet. More specifically, Vantages is a general platform whose first application is designed to solve the DNSSEC key learning problem. DNSSEC is on the verge of wide deployment and is in desperate need of an operationally realistic key learning system that lets DNS resolvers obtain and verify zones' public keys (known as DNSKEYs). We further demonstrate the improvement Vantages provides over DNSSEC's native key verification by formally quantifying both approaches and empirically measuring their effectiveness.

Eric Osterweil is a PhD candidate at UCLA. His research focuses on large-scale network measurement systems, network security, and distributed data verification. His thesis work centers on a concept called the Public-Space. Unlike purely cryptographic approaches, the Public-Space uses distributed measurements and comparisons to verify data in large-scale systems such as the Internet's Domain Name System (DNS). Osterweil is also the developer of SecSpider, the premier site for monitoring the deployment and operation of DNS Security (DNSSEC). SecSpider both provides a platform for studying DNSSEC and has identified critical issues in its deployment. For example, SecSpider has identified record sets that are vulnerable to replay because of zones' signing practices, identified flaws in the operation of authentication chains, and revealed how path maximum transmission unit (PMTU) limitations interact unexpectedly with secure DNS queries and deny service to some DNS resolvers.
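The replay issue mentioned in the bio comes down to RRSIG validity windows: an RRSIG carries an inception and an expiration time, and if a zone re-signs (or changes) an RRset long before the previous signature expires, a captured copy of the old signed RRset still validates until that old expiration. The following script is an added illustration of that check and is not SecSpider's code; the RRSIG lines it parses are constructed sample data, and the seven-day tolerance for how long an old signature may remain valid after re-signing is an assumed policy, not a figure from the talk.

```python
"""Flag DNSSEC RRSIGs whose validity windows leave room for replay.

Added example, not SecSpider code. It parses RRSIG records in
presentation format (RFC 4034 section 3.2) and, for each RRset, looks at
successive signatures: when a zone re-signs while the previous signature
is still far from expiring, an attacker who captured the old signed RRset
can replay it until the old expiration and it will still validate.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real zones). Field order:
# owner TTL IN RRSIG type alg labels orig-ttl expiration inception keytag signer sig
SAMPLE_RRSIGS = """
example.test.     3600 IN RRSIG A 8 2 3600 20240301000000 20240101000000 12345 example.test. AAAA==
example.test.     3600 IN RRSIG A 8 2 3600 20240315000000 20240115000000 12345 example.test. BBBB==
www.example.test. 3600 IN RRSIG A 8 3 3600 20240108000000 20240101000000 12345 example.test. CCCC==
www.example.test. 3600 IN RRSIG A 8 3 3600 20240113000000 20240106000000 12345 example.test. DDDD==
"""


def parse_sig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in presentation format; RFC 4034 also
    allows a bare seconds-since-epoch integer, which is accepted here too."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG line; non-RRSIG and malformed lines are skipped."""
    sigs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        sigs.append({
            "owner": fields[0].lower(),
            "type_covered": fields[4],
            "expiration": parse_sig_time(fields[8]),
            "inception": parse_sig_time(fields[9]),
            "keytag": int(fields[10]),
            "signer": fields[11].lower(),
        })
    return sigs


def validity_days(sig):
    """Length of the signature's validity window in whole days."""
    return (sig["expiration"] - sig["inception"]).days


def replay_windows(sigs, max_replay=timedelta(days=7)):
    """For each RRset, compare consecutive signatures (ordered by inception).

    The replay window is how long the older signature stays valid after the
    newer one took effect. Windows longer than max_replay (assumed policy)
    are reported.
    """
    by_rrset = defaultdict(list)
    for s in sigs:
        by_rrset[(s["owner"], s["type_covered"])].append(s)

    findings = []
    for (owner, rtype), group in by_rrset.items():
        group.sort(key=lambda s: s["inception"])
        for old, new in zip(group, group[1:]):
            window = old["expiration"] - new["inception"]
            if window > max_replay:
                findings.append({
                    "owner": owner,
                    "type": rtype,
                    "replay_days": window.days,
                    "old_expires": old["expiration"].isoformat(),
                    "resigned_at": new["inception"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE_RRSIGS)
    for s in sigs:
        print(f"{s['owner']} {s['type_covered']}: validity {validity_days(s)} days")
    for f in replay_windows(sigs):
        print(f"REPLAYABLE {f['owner']} {f['type']}: old signature valid "
              f"{f['replay_days']} days past re-signing at {f['resigned_at']}")
```

On the sample, the apex A RRset is signed with 60-day windows and re-signed two weeks in, so the superseded signature stays valid for 46 more days; the www RRset uses 7-day windows re-signed with two days of overlap and is not flagged. In a real audit the same comparison would be run over RRSIGs collected from the zone over time, since a single snapshot only shows one signature per RRset.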

Sponsored by the Interdisciplinary Telecommunications Program.

Department of Computer Science
University of Colorado Boulder
Boulder, CO 80309-0430 USA
May 5, 2012 (14:13)