DANE

DANE (DNS-based Authentication of Named Entities) is an authentication technique for digital certificates using the DNS architecture.

Context

On 15 March 2011, Comodo, a leading supplier on the X.509 certificate market, discovered that one of its affiliates had been compromised by an attacker who created a user account with them. Using this account, the attacker submitted Certificate Signing Requests (CSRs) for several of the most important websites, such as login.live.com, mail.google.com, login.yahoo.com, etc.


While many thought that the attack was an isolated case, four months later another CA, DigiNotar, was attacked. The attacker who compromised Comodo in March claimed the attack on DigiNotar. Although there is no evidence that both attacks were carried out by the same person, the fact remains that any attacker who finds a way into a CA or one of its affiliates is capable of compromising all of that CA's clients.


These incidents have accelerated the call to reassess PKIX, either by reinforcing the existing CA infrastructure or by identifying a different mechanism. It is in this context that AFNIC started working on DANE.

Work description

DANE (DNS-based Authentication of Named Entities) is an authentication technique for digital certificates using the DNS architecture.


The main objectives of the DANE project at Afnic were to:

  • Establish a "Proof of Concept" which demonstrates the use of the DANE protocol via a web browser;

  • Publish reference material, in the form of a tutorial, that helps a wider audience understand the DANE protocol;

  • Improve the know-how internally at AFNIC in the Internet infrastructure security domain.


We analyzed existing proposals to strengthen the PKIX architecture and concluded that DANE is the best of them in terms of implementation considerations. We set up a platform to implement the DANE components on the server side. Since current browsers do not natively support DANE, we had to make minor changes to Chrome and Firefox to test DANE on the client side. Once the installation was done, we tested the DANE mechanism from start to finish in Firefox and Chrome.
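To make concrete what the server-side and client-side components above have to do, here is an added example (not code from the AFNIC project) of the two halves of DANE as specified in RFC 6698: the server operator derives a TLSA record from the certificate it will present, and the client compares the presented chain against the DNSSEC-validated TLSA records. The certificate is a constructed, unsigned X.509 shell with an obviously fake key, built inline so the example runs offline; chain-signature checking and PKIX validation are taken as inputs rather than implemented.

```python
"""Added example: building and checking DANE TLSA records (RFC 6698).

Not code from AFNIC's DANE project. The certificate is a constructed toy DER
structure with a fake key; chain building and PKIX validation are inputs."""
import hashlib
import hmac
from dataclasses import dataclass


# ---- just enough DER to build a toy certificate and locate its SPKI ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_header(buf: bytes) -> tuple:
    """Return (tag, content length, header length) of the TLV starting at buf[0]."""
    if buf[1] < 0x80:
        return buf[0], buf[1], 2
    n = buf[1] & 0x7F
    return buf[0], int.from_bytes(buf[2:2 + n], "big"), 2 + n


def der_children(tlv: bytes) -> list:
    """Split a constructed element (SEQUENCE/SET) into its top-level TLVs."""
    _, length, hdr = der_header(tlv)
    body, out, i = tlv[hdr:hdr + length], [], 0
    while i < len(body):
        _, l, h = der_header(body[i:])
        out.append(body[i:i + h + l])
        i += h + l
    return out


def spki_of(cert_der: bytes) -> bytes:
    """Extract the SubjectPublicKeyInfo field of the TBSCertificate (RFC 5280)."""
    fields = der_children(der_children(cert_der)[0])
    # the explicit [0] version tag is optional; when present it shifts SPKI to index 6
    return fields[6] if fields[0][0] == 0xA0 else fields[5]


def build_toy_cert(key_bits: bytes) -> bytes:
    """Constructed, unsigned X.509 shell: enough structure for spki_of() to work."""
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    cn = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, b"toy.example"))
    name = der_tlv(0x30, der_tlv(0x31, cn))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    rsa_oid = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, rsa_oid + der_tlv(0x03, b"\x00" + key_bits))  # fake key material
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sha256_rsa + name + validity + name + spki)
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" + b"\xAA" * 8))


# ---- TLSA records (RFC 6698 section 2) ----
@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the client queries, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}."


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    selected = {0: cert_der, 1: spki_of(cert_der)}[selector]
    if matching == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](selected).digest()


def tlsa_from_cert(cert_der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> TLSA:
    """Server side: publish this record (signed with DNSSEC) for the cert you serve."""
    return TLSA(usage, selector, matching, association_data(cert_der, selector, matching))


def tlsa_matches(rr: TLSA, cert_der: bytes) -> bool:
    return hmac.compare_digest(association_data(cert_der, rr.selector, rr.matching), rr.data)


def dane_verify(rrs: list, chain: list, dnssec_validated: bool, pkix_valid: bool) -> bool:
    """Client side: accept the presented chain if any TLSA record allows it.
    chain[0] is the end-entity certificate; the caller has already checked
    chain signatures and, for usages 0/1, full PKIX validation."""
    if not dnssec_validated:
        return False  # TLSA data that is not DNSSEC-validated must not be used
    for rr in rrs:
        if rr.usage in (0, 1) and not pkix_valid:
            continue  # PKIX-TA / PKIX-EE are constraints on top of normal PKIX validation
        if rr.usage in (1, 3) and tlsa_matches(rr, chain[0]):
            return True  # end-entity must match
        if rr.usage in (0, 2) and any(tlsa_matches(rr, c) for c in chain):
            return True  # the named trust anchor must appear in the validated chain
    return False


if __name__ == "__main__":
    site = build_toy_cert(b"\x01" * 16)
    rr = tlsa_from_cert(site)  # "3 1 1": DANE-EE, SPKI, SHA-256
    print(tlsa_owner("www.example.com", 443), "IN TLSA", rr.presentation())
    print("genuine cert accepted:", dane_verify([rr], [site], True, False))
    print("rogue but CA-signed cert rejected:", not dane_verify([rr], [build_toy_cert(b"\x02" * 16)], True, True))
```

The last line of the script is the point of the whole project: with a "3 1 1" record, a certificate for the site issued by a compromised CA still fails, because it carries a different public key than the one pinned in DNS, regardless of whether PKIX validation would have accepted it. Without DNSSEC validation of the TLSA answer, `dane_verify` refuses to use the record at all, since an unsigned answer could be forged as easily as the certificate.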

Publications
