2

I wondered if DNSSEC would be vulnerable to (remote) timing attacks. Unlike TLS, signatures don't have to be recalculated each time. So how would you be able to exploit timing information in the first place?

Also see this quote:

Can’t DNSSEC support Elliptic Curve as well as RSA?

The NIST P- curves are most probably not backdoored, despite their reliance on a magic number generated at NSA. But their curve structure is old and error-prone. They are difficult to implement in “constant time”, to stop attackers from measuring the time operations take to learn secret keys.

Source: https://sockpuppet.org/stuff/dnssec-qa.html

Yustack

1 Answer

2

I agree with your argumentation, i.e. I don't think that DNSSEC is vulnerable to timing attacks in most cases (see edit below for when it might be vulnerable). Cryptographic operations are only done when records get modified, added or removed, or if the keys get changed, but not when answering a DNS query. Since the attacker can only control the DNS query, but not the change of records or change of keys, he cannot observe the timing of the cryptographic operations and thus cannot use timing attacks against these.

EDIT: @Habbie correctly pointed out that some providers like Cloudflare use online signing and that the attacker might thus actually trigger a signing operation (see comments for details). In this case a timing attack might be possible in theory. I don't know how well this would work in practice, i.e. how sensitive the timing needs to be and how many signature operations need to be triggered. crypto.stackexchange.com might help with more details here.

Steffen Ullrich
  • Several big deployments, including CloudFlare's, will in fact sign something related to the query to generate a fresh dynamic denial of existence. – Habbie May 30 '17 at 16:40
  • @Habbie: Can you please give details (and preferably a source) for this claim? – Steffen Ullrich May 30 '17 at 16:41
  • Refs: https://blog.cloudflare.com/black-lies/, https://tools.ietf.org/html/rfc4470, https://tools.ietf.org/html/rfc7129 appendix A and B, http://powerdns.13854.n7.nabble.com/NSEC3-Narrow-Mode-td309.html – Habbie May 30 '17 at 16:48
  • @Habbie: thanks for the input. I've updated the answer. – Steffen Ullrich May 30 '17 at 17:40
  • @Habbie Cloudflare describes their cryptographic implementation as "constant-time and side-channel protected": https://blog.cloudflare.com/go-crypto-bridging-the-performance-gap/ If that were true, it would be invulnerable. – Yustack Jun 03 '17 at 03:33
  • @Yustack they tend to know what they are doing, but they were just an example. Other implementations may not do so well. – Habbie Jun 13 '17 at 11:33
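
Added example, not part of the original thread: the answer and comments separate zones signed ahead of time from zones that sign denial-of-existence records per query (black lies, RFC 4470), and only the latter put the signing key on the query path. This Python function, meant for auditing a zone you operate, classifies which case a set of negative responses indicates; the function names, result labels and sample tuples are constructed for illustration, and the per-query-span rule is a heuristic assumption.

```python
from collections import Counter

def norm(name):
    """Lower-case and drop the trailing dot so names compare equal."""
    return name.rstrip(".").lower()

def classify_denial(observations):
    """observations: (qname, nsec_owner, nsec_next) tuples, one per
    answer to a *different* nonexistent name in the same zone."""
    obs = {(norm(q), norm(o), norm(n)) for q, o, n in observations}
    if len({q for q, _, _ in obs}) < 2:
        raise ValueError("need at least two distinct query names")
    # Black lies: the NSEC is owned by the queried name itself, so the
    # record and its RRSIG cannot have existed before the query arrived.
    if all(o == q for q, o, _ in obs):
        return "online"
    # A pre-signed zone has one NSEC per gap between existing names, so
    # different queries landing in the same gap return the same record.
    spans = Counter((o, n) for _, o, n in obs)
    if any(count > 1 for count in spans.values()):
        return "presigned"
    # Every query got its own span: consistent with RFC 4470 minimally
    # covering records, but a densely populated pre-signed zone can
    # look the same, hence only "likely" (heuristic assumption).
    return "online-likely"

# Constructed sample data (not captured from any real server).
PRESIGNED = [
    ("qx1.example.com.", "mail.example.com.", "www.example.com."),
    ("r7k.example.com.", "mail.example.com.", "www.example.com."),
    ("aaa.example.com.", "example.com.", "mail.example.com."),
]
BLACK_LIES = [
    ("qx1.example.com.", "QX1.example.com.", r"\000.qx1.example.com."),
    ("r7k.example.com.", "r7k.example.com.", r"\000.r7k.example.com."),
]
# Placeholder per-query spans; real servers choose their own neighbours.
MINIMAL = [
    ("qx1.example.com.", "qx0.example.com.", "qx2.example.com."),
    ("r7k.example.com.", "r7j.example.com.", "r7l.example.com."),
]

if __name__ == "__main__":
    for label, sample in (("presigned", PRESIGNED),
                          ("black lies", BLACK_LIES),
                          ("minimal", MINIMAL)):
        print(label, "->", classify_denial(sample))
```

A result of "online" or "online-likely" means each query costs a signature, so the constant-time property of the signing code discussed in the comments becomes relevant for that deployment.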