by Simon Josefsson, initiated June 2000.
A major problem for a distributed security system is the management of cryptographic keys. Public key techniques are often used to overcome many of the problems. However, successful use of public key techniques in large systems such as the Internet requires a certificate directory, that is, a mechanism to locate and retrieve the public keys. In this thesis we explore how a common name lookup mechanism, the Domain Name System (DNS), can be used to provide this functionality. We show how the idea can be implemented in a secure mail application together with S/MIME. We compare the DNS lookup mechanism with traditional Directory Access Protocol based systems and identify weaknesses and strenghts. We also discuss and suggest a solution to privacy threats that arise because of recent security additions to the DNS, namely Secure DNS.
The report in various formats:
Presentation in various formats:
Raw network dumps as referenced in the report (for Ethereal):
av Simon Josefsson, p�b�rjat Juni 2000.
Vid design av s�kra distribuerade system �r hanteringen av kryptografiska nycklar ett grundl�ggande problem. Publik-nyckel (PK) teknologi anv�nds ofta f�r att l�sa m�nga av dessa problem. F�r att PK-teknik ska vara praktiskt till�mpbart i stora system som t.ex. Internet kr�vs en certifikatsbibliotekstj�nst som anv�nds f�r att lokalisera och h�mta publika nycklar. Den h�r rapporten beskriver hur den vanliga namnuppslagningstj�nsten, Dom�nnamnssystemet (DNS), kan anv�ndas f�r att l�sa det problemet. Vi visar hur DNS kan anv�ndas f�r att �stadkomma s�ker epost tillsammans med S/MIME. Vi j�mf�r DNS med den traditionella bibliotekstj�nsten som �r baserad p� Directory Access Protocol och identifierar f�rdelar och nackdelar. Avslutningsvis diskuterar vi, och f�resl�r en l�sning p�, hot mot personlig integritet; hot som �r en f�ljd av en nyligen f�rslagen s�kerhetsut�kning till DNS (som kallas Secure DNS).