Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys

In my last article, I described efforts underway to standardize new cryptographic algorithms that are designed to be less vulnerable to potential future advances in quantum computing. I also reviewed operational challenges to be considered when adding new algorithms to the DNS Security Extensions (DNSSEC). In this post, I'll look at hash-based signatures, a family of post-quantum algorithms that could be a good match for DNSSEC from the perspective of infrastructure stability. more

Notorious Markets, Scams and Implications for Brands

On January 14, 2021, the Office of the United States Trade Representative (USTR) released its 2020 Review of Notorious Markets for Counterfeiting and Piracy (the Notorious Markets List, or NML). This publication enumerates online and physical markets that have been reported to engage in trademark, counterfeiting, and copyright infringement at scale. For the first time, the NML documents show how internet platforms play a part in bringing illicit goods into the US. more

Low-Earth Orbit (LEO) Satellite Internet Service Developments for 2020

I posted reviews of important LEO-satellite Internet service developments during 2017, 2018 and 2019. I've updated those posts during the years and have 18 new posts for 2020. In 2020 we saw increased effort from China, OneWeb's bankruptcy and restructuring with new ownership and prospects, Amazon investng in space-related infrastructure, Telesat making steady progress, SpaceX making rapid progress and satellite and debris tracking and collision-avoidsnce service startups. The following are brief summaries of and links to the 2020 posts. more

Reality Check on the 5G Security MAGAverse

As chance has it, the attempt by NTIA to create a fake Trump Open 5G Security Framework MAGAverse as they headed out the door on 15 January is being followed this week by the global meeting of 3GPP SA3 (Security) to advance the industry's real open 5G security Framework. Designated TSGS3-102e (the 102nd meeting, occurring electronically), it continues the practice of assembling companies, organisations, and agencies from around the world every 8 to 12 weeks to focus on 5G security for current and future releases of 5G infrastructure. more

Internet Governance and the Universal Declaration of Human Rights, Part 7: Articles 20-21

Internet Governance, like all governance, needs to be founded on guiding principles from which all policymaking is derived. There are no more fundamental principles to guide policymaking than the Universal Declaration of Human Rights (UDHR). This article, Part 7 of a series, looks at Articles 20 and 21 and explores how principles in the UDHR and lessons learned over the last half-century help define the rights and duties of one's engagement in the digital spaces of the Internet ecosystem. more

Securing the DNS in a Post-Quantum World: New DNSSEC Algorithms on the Horizon

One of the "key" questions cryptographers have been asking for the past decade or more is what to do about the potential future development of a large-scale quantum computer. If theory holds, a quantum computer could break established public-key algorithms including RSA and elliptic curve cryptography (ECC), building on Peter Shor's groundbreaking result from 1994. more

One More Trump 5G Minefield

As the saying goes, it's not over until it's over. So, it wasn't surprising that Trump's minions just got one last 5G minefield out the door. On 15 January, his followers at Dept. of Commerce's NTIA published the "National Strategy to Secure 5G Implementation Plan". The 40-page document consists of a fairly standard Washington policy playbook of 18 activities with six annexes that "details how the United States along with like-minded countries will lead global development, deployment, and... more

Verisign Outreach Program Remediates Billions of Name Collision Queries

A name collision occurs when a user attempts to resolve a domain in one namespace, but it unexpectedly resolves in a different namespace. Name collision issues in the public global Domain Name System (DNS) cause billions of unnecessary and potentially unsafe DNS queries every day. A targeted outreach program that Verisign started in March 2020 has remediated one billion queries per day to the A and J root name servers, via 46 collision strings. more

ICANN 2021 NomCom Will Fill 9 Positions

As every year, at the end of ICANN's Annual General Meeting (AGM), the new Nominating Committee (NomCom) comes together to start its work. Due to the Corona pandemic, the circumstances were slightly different; however, the 2021 NomCom kicked-off end of 2020. ICANN's Nominating Committee is charged with identifying, recruiting, and selecting nominees of the highest possible quality for key leadership positions at ICANN. more

Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries

In my last post, I looked at what happens when a DNS query renders a "negative" response -- i.e., when a domain name doesn't exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries. The concepts I discuss below are topics we've studied in our long-term research program as we evaluate new technologies. more

Brand Protection Beyond the “Whack-a-Mole” Approach

I recently shared at a conference how a seasoned brand and fraud expert from one of the world's largest global financial institutions lamented a major attack where multiple fraudulent websites would pop up every single day. All attacks were launched from the same registrar and web hosting company, and no matter how much they reached out to these providers, they received the same reply: "we will pass on your request to the registrant or site owner," and then nothing happened. more

Cryptographic Tools for Non-Existence in the Domain Name System: NSEC and NSEC3

In my previous post, I described the first broad scale deployment of cryptography in the DNS, known as the Domain Name System Security Extensions (DNSSEC). I described how a name server can enable a requester to validate the correctness of a "positive" response to a query -- when a queried domain name exists -- by adding a digital signature to the DNS response returned. more

Can We Control the Digital Platforms?

The digital market has matured over the last 20 years, and it is no longer an excuse for governments to do nothing with the aim to let new markets and innovations emerge without immediate regulatory oversight. It has become clear this period is now well and truly over. The European Commission has already launched several lawsuits against the digital giants. Regulation, in general, is known as "ex-post" (after the deed has been done). This is set to change, as I will explain later. more

Are Big Tech CFOs (Inadvertently) Stealing From Shareholders?

When valuing a stock, analysts and shareholders evaluate always revenue and profit. Big tech COFs are sitting on assets worth tens of millions of dollars of annual profit (not just revenue, but true profit) in the form of unallocated IPv4 addresses. By not selling or leasing these out, they are incurring expenses to hold them and missing out on tremendous profits. At a 20X multiple (for context, Cisco is trading at nearly 18X earnings, Google at just over 33X earnings, Shopify at well over 700X earnings), big tech CFOs are actively preventing over $250 billion in market capitalization for their shareholders. more

The Domain Name System: A Cryptographer’s Perspective

As one of the earliest protocols in the internet, the DNS emerged in an era in which today's global network was still an experiment. Security was not a primary consideration then, and the design of the DNS, like other parts of the internet of the day, did not have cryptography built in. Today, cryptography is part of almost every protocol, including the DNS. And from a cryptographer's perspective, as I described in my talk at last year's International Cryptographic Module Conference (ICMC20), there's so much more to the story than just encryption. more