DANE - Migration of the X.509 Public Key Infrastructure towards DNS

ASSIGNMENT
This master's thesis should examine the concept of building a X.509 Public Key Infrastructure on top of DNS and DNSSEC. Deliverables are:
• A demonstration installation showing how TLS and SSL based applications can use this new concept. If necessary the project should develop its own support tools for key generation and validation, plug-in to web browsers, etc.
• An evaluation of the concept and proposals for future developments needed to support this business and security model.

BACKGROUND
X.509 is a ITU standard for a public key infrastructure (PKI) which specifies, among other things, formats for public key certificates, certificate requests, certificate revocation lists and certification path validation algorithm. The X.509 standard was primarily designed to support the X.500 structure. However, today’s use cases centre mostly on the Internet.

IETF’s Public-Key Infrastructure (X.509) working group (PKIX WG) has adapted the standard to the requirements and structure of the Internet. RFC 5280 specifies the PKIX Certificate and CRL Profile of the X.509v3 certificate standard.

Fundamentally, PKIX certificates are used for validating the identity or identities of the communicating parties, and optionally establishing secure keying material for protection of a message or a communications channel. Authentication and establishment of a secure communications channel on top of TCP with the Transport Layer Security protocol (TLS, RFC 5247) or the Secure Sockets Layer protocol (SSL) is probably the most common application of PKIX on the Internet. HTTP is the most prominent communications protocols taking advantage TLS/SSL. Other commonly used protocols are SMTP, IMAP, XMPP and SIP. X.509 Certificates is also used at other layers in the OSI model, e.g. IPSEC and for other purposes, e.g. Code signing.

Using DANE (DNS-based Authentication of Named Entities) to Associate Certificates with Domain Names
Since the assertion embodied in the PKIX certification boils down to control over the domain name, and with the advent of DNSSEC, validation can be directly tied into DNS instead of a Certification Authority. This has a number of advantages; as opposed to using the long-lived assertions of a CA, the assertion published in DNS would be momentary, mitigating the certificate status checking vulnerabilities and increasing the service’s responsiveness. Tying the validation into DNS can also preclude validation paths to the client’s pre-installed database of CA’s, in which all CA’s may not be fully trusted.

This move from using a local database of supposedly trusted third parties, into validating the service’s certificate directly in the DNS, calls for a number of changes in how certificates are enrolled and validated.

CANDIDATE PROFILE
You need a good knowledge of/interest in; DNS and the Internet, IT security, Programming, Unix.

EXTENT
This work is suitable for one or two students over one semester (30 hp).