
International Journal of Computer Applications (0975 – 8887)

Volume 120 – No.17, June 2015

Security System for DNS using Cryptography

Naveen Kumar Tiwari
M.Tech. (C.S.E), Galgotia College of Engineering & Technology, Greater Noida

Sanjay Khakhil
Assistant Professor, Galgotia College of Engineering & Technology, Greater Noida

ABSTRACT
DNS, the Domain Name System, is the protocol that resolves hostnames to IP addresses over the Internet. DNS is an open protocol whose messages carry no authentication, so a resolver has no means of determining whether domain name data comes from the authorised domain owner. These weaknesses lead to a number of attacks, such as cache poisoning and DNS spoofing, so there is a need to secure DNS. Digital signatures are a good way of authenticating domain owners. This paper presents the DNS security concept: digital signature algorithms provide a good level of security to DNS, and software such as OpenDNSSEC, BIND and Secure64 implements the signing of DNS data with cryptographic algorithms (e.g., RSA, DSA). ECDSA provides the same level of security as RSA with smaller keys, which suits low-power and portable devices, so we propose a new ECDSA implementation that can be used to secure DNS.

General Terms
Elliptic curve cryptography, Digital Signature Generation Algorithm

Keywords
DNS, RSA, ECDSA, ECDLP, DNSSEC, DSA and ECC.

1. INTRODUCTION
The Domain Name System is a protocol for locating domain names and mapping them to IP addresses. DNS is a hierarchical, distributed database that maps easy-to-remember hostnames, such as www.uptu.ac.in, to IPv4 or IPv6 network addresses, for example 117.211.115.134. In the DNS tree each node represents a DNS name, and a DNS domain is the subtree under a node. Translating a hostname into its numeric representation is what lets the network route traffic from a user to a particular server. Correct and timely DNS translations are vital for networks such as the Internet and are therefore an attractive target for attackers. As originally designed, DNS has no means of determining whether domain name data comes from the authorized domain owner or has been forged. This weakness leaves the system vulnerable to a number of attacks, such as DNS cache poisoning and DNS spoofing.

1.1 Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC) is a kind of public key cryptography based on elliptic curves. An elliptic curve is the set of solutions of a cubic equation in two variables, y^2 = x^3 + a*x + b, together with a point at infinity. ECC uses only curves whose variables and coefficients are restricted to elements of a finite field, so that the points form a finite group.

1.2 Elliptic Curve Discrete Logarithm Problem (ECDLP)
The ECDLP is the basis for the security [3]. Given points R = k*P where R and P are known, there is no known efficient way to find the value of k. Point subtraction does exist (add the negation of a point), but there is no point division that would yield k = R/P. The best generic algorithms need roughly 2^(n/2) operations for an n-bit group order; with a 192-bit key that is about 2^96 operations, which would take millions of years. The fact that the multiplier cannot be found even when the original and destination points are known is the whole basis of the security behind ECDSA. (The paper calls scalar multiplication a trap door function; strictly it is a one-way function, since no secret exists that makes k recoverable from R and P.)

2. DNS BACKGROUND
The DNS system consists of the following main components:
• Domain Name Space and resource records (RRs), which identify hosts and carry their properties.
• Name servers, which hold information on a subset of the domain tree.
• Resolvers, programs able to extract information from a name server on a client's request and to follow query referrals from one DNS server to another.
• Zones, contiguous portions of the DNS namespace for which a server is authoritative. A server can be authoritative for one or more zones.
• Zone files, which contain the resource records of the zones for which the server is authoritative. Zones are mostly implemented as text files in DNS implementations.

Fig. 1: DNS Working (figure not reproduced in the extracted text)

Each host is identified by its name and resource information combined into RRs. An RR includes information such as the owner name, the type of record and the Time to Live (TTL) value. DNS also allows one host to possess several names; this is done with canonical name (CNAME) RRs. DNS messages can be carried over UDP or TCP; TCP is used for zone transfers and for responses too large to fit in a single UDP datagram. DNS is also capable of performing inverse

queries, which resolve an IP address into a DNS name (reverse lookups answered from PTR records), needed by some network-enabled applications.

Name servers store information about only a particular segment, or zone, of the DNS database. When a name server answers a query it can use its local database or reply with a referral to another server. A DNS server holding all the information about a zone is called an authoritative server for that zone. It is recommended that data on authoritative servers be replicated to secondary servers to ensure availability. A name server can also hold data cached from other DNS servers for records requested by the local resolver.

A resolver is the interface through which programs communicate with DNS servers: it transforms subroutine calls into DNS requests and queries the various DNS servers. A resolver can reside either on the local host or on a DNS server. The minimal resolver on the local host, which forwards every query to a recursive name server and lets that server follow the referrals, is called a stub resolver.

3. DNS SECURITY
3.1 Security Need
As originally designed, DNS has no means of determining whether domain name data comes from the authorized domain owner or has been forged. This weakness leaves the system vulnerable to attacks such as DNS cache poisoning and DNS spoofing. A resolver accepts the first answer that matches its outstanding query, and the only fields a forger has to match are the 16-bit message ID, the UDP port and the question; an attacker who can predict the message ID can therefore reply before the legitimate DNS server does and insert a malicious record into the resolver's cache. The exploit forces the victim DNS server to send a request whose answer the attacker races to forge, supplying a wrong host-to-IP mapping. Randomising the source port (RFC 5452) makes the guess harder but does not authenticate the data; only signatures do.

DNS Security Extensions (DNSSEC) is a set of IETF (Internet Engineering Task Force) standards created to address these vulnerabilities in DNS and to protect against online threats. The main purpose of DNSSEC is to increase the security of the Internet as a whole by addressing and resolving DNS security weaknesses: it adds origin authentication and integrity protection to DNS data, making the system more secure. The DNSSEC core elements were specified in the following three IETF Requests for Comments, published in March 2005:
• RFC 4033 - DNS Security Introduction and Requirements
• RFC 4034 - Resource Records for the DNS Security Extensions
• RFC 4035 - Protocol Modifications for the DNS Security Extensions

Existing proposals for securing DNS are mainly based on public-key cryptography. The public key algorithms originally used for authentication in DNSSEC were RSA/MD5 (Rivest Shamir Adleman) and DSA (Digital Signature Algorithm); later DNSSEC algorithms replaced the MD5 hash with SHA-1 and SHA-256, and ECDSA on the P-256 and P-384 curves was standardised as DNSSEC algorithms 13 and 14 in RFC 6605 (2012). Digital signatures generated with public key algorithms have the advantage that anyone holding the public key can verify them.

The idea is that every zone in the domain name space has a key pair and each record set served by a DNS server is signed with the zone's private key. Since DNS is public, the authenticated DNS root public key (the trust anchor) is known to every validator, and it is used to sign the key material that binds the identity of each top-level domain. In the same way, each parent zone signs the public keys of all its children in the DNS tree (in DNSSEC the parent publishes a DS record, a hash of the child's key-signing key, and signs it with its own key), so a validator can follow a chain of trust from the root down to any signed record.

3.2 Securing DNS with ECC
With technology growing fast, everyone accesses the Internet through mobile phones, whether to check e-mail or to visit secure sites, and ECC (Elliptic Curve Cryptography) can be implemented on such devices. ECC provides the same level of security as RSA [5] with the benefits of small key sizes, faster computation, and memory and energy savings [6].
• Small key size and faster computation: 160-bit ECC and 1024-bit RSA give the same security level (about 80 bits). RSA operations are modular exponentiations of large integers and its security rests on the difficulty of factoring them; ECC operations take place in the group of points on an elliptic curve and its security rests on the discrete logarithm problem in that group (ECDLP). Because the best known ECDLP attacks are generic square-root algorithms, ECC reaches the same security with much smaller keys and higher computational efficiency.
• Memory and energy savings: ECC needs less power to operate, so it suits low-power applications such as handheld and mobile devices. On small processors, multiple-precision multiplication of 1024-bit integers (as in RSA) involves not only the arithmetic operations but also a significant amount of data transport to and from memory, because register space is limited. ECC's scalar multiplication works on field elements of only 160 to 256 bits, so intermediate values occupy far fewer registers; the reduced memory traffic and the smaller number of word operations per public-key operation are what make ECC cheaper in both memory and energy than RSA.

Table 1. ECDSA vs RSA

Parameter                RSA          ECDSA
Key size                 1024 bits    192 bits
Encryption               Fast         Slow
Decryption               Slow         Fast
Key exchange             Fast         Slow
Signature generation     Slow         Fast
Signature verification   Fast         Slow

(ECDSA is a signature-only scheme; the encryption, decryption and key-exchange rows describe ECC in general, e.g. ECIES and ECDH. RSA's public-key operations are fast because of its small public exponent. For DNSSEC the relevant rows are the last two: validators verify far more often than signers sign, so ECDSA's slower verification is a real cost, offset by DNSKEY and RRSIG records several times smaller than RSA's.)

4. ECDSA IMPLEMENTATION
The key parameters are taken to be the same as those recommended by NIST, but we introduce a change in the signing and verification process.

A. Key Parameters
Some predefined parameters for the ECDSA implementation are used, as follows:
1. Select a prime number p of large size.
2. Choose constants a and b such that (4a^3 + 27b^2) modulo p is not equal to 0 (the curve is non-singular).

3. Form the elliptic curve E_p(a, b), the set of points (x, y) with x, y in GF(p) satisfying y^2 = x^3 + ax + b, together with the point at infinity.
4. Choose a generator point G of order n, where n is the number of points in the subgroup generated by G (for the NIST prime curves the cofactor is 1, so n equals the number of points on the whole curve, and n is prime).
5. Select d such that 1 < d < n-1; this is the private key. These parameters are recommended by NIST for federal government use and include elliptic curves of various bit lengths (e.g., 192, 224, 256, 384, 521) [8].
6. Generate the public key Q = d.G, where '.' is point multiplication for ECDSA, represented as G + G + ... + G, d times, and computed with elliptic curve arithmetic (double-and-add, so the cost is logarithmic in d).

B. Signature Generation
1. Select a random number k to be used only once; for every new signature a new k is selected, such that 1 < k < n-1.
2. Generate the (r, s) components of the signature as follows:
   a. k.G = (x, y); r = x modulo n; if r = 0, repeat step 2 with a new k.
   b. Calculate the hash of the message M to be signed, e = h(M).
   c. s = d * (r*k - e)^-1 modulo n   // (modified)
   If r*k - e is 0 modulo n the inverse does not exist, so a new k must be chosen in that case too (the original text restarts only on r = 0).

C. Signature Verification
1. Calculate u1 = e * r^-1 modulo n   // (modified)
2. Calculate u2 = (r*s)^-1 modulo n   // (modified)
3. Calculate T = u1.G + u2.Q = (x1, y1), where '.' is point multiplication and '+' is point addition, both computed with elliptic curve arithmetic.
4. Calculate v = x1 modulo n.
5. If v = r, the signature is valid.

The above proposed algorithm is a variant of the algorithms described in [1], with less complexity in signing. Correctness follows from s^-1 = (r*k - e) * d^-1 modulo n: then u2.Q = (u2 * d).G = (k - e * r^-1).G, so T = u1.G + u2.Q = k.G and x1 modulo n = r. Two caveats follow from the same algebra. First, the (r, s) pairs produced here are not standard ECDSA signatures, so validators that implement ECDSA as specified for DNSSEC (RFC 6605) will reject them; the scheme interoperates only with itself. Second, reusing k for two messages still reveals the private key, because the two signatures share r and d * (s1^-1 - s2^-1) = e2 - e1 modulo n; k must be fresh and unpredictable for every signature, exactly as in standard ECDSA.

4.2 Comparison of Algorithms
The complexity comparison of four ECDSA variants is shown in Table 2 [1]. The four variants are:
1. Original ECDSA
2. ECDSA proposed by Hu Junru [1] (E-1)
3. ECDSA proposed by Hu Junru [1] (E-2)
4. The proposed implementation

Table 2. Algorithm Complexity Comparison (the table body is not reproduced in the extracted text)

4.3 Experimental Outcomes
The experimental outcomes are listed in the form of a detailed table corresponding to the traditional ECDSA algorithm and its operations (not reproduced in the extracted text).

5. CONCLUSION
The purpose of this work is to show, by simulation, how such software systems work with the ECDSA algorithm implemented in them. ECDSA is fast at generating signatures, uses small key sizes compared to RSA and provides the same level of security as RSA. ECC is a growing field for the future. So this work addresses DNS security using ECC; being very secure with smaller key sizes and lower power and memory consumption, ECC gives better security to small portable devices.

6. ACKNOWLEDGEMENTS
I am extremely indebted to my guide Asst. Prof. Sanjay Kumar, Department of Information Technology, Galgotias College of Engineering & Technology, Greater Noida. I am very grateful to him for continual encouragement, motivation for literature, and continuous hours of sitting together and discussing the problems, which helped me to understand the subject and methodology to complete my Dissertation.

I would like to express my deep and sincere gratitude to the Head of Department, Prof. (Dr.) Bhawna Mallick, Computer Science & Engineering, Galgotias College of Engineering & Technology, for her consultation, encouragement and personal guidance, which has provided me a good foundation for undertaking to complete the Dissertation.
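The signing and verification procedure of Section 4 (and the scalar multiplication whose inversion Section 1.2's ECDLP argument rests on), worked through as an added example. This is editor-written Python, not the paper's code and not taken from any of the DNSSEC software the paper names. It assumes NIST P-256 rather than the 192-bit curve the paper mentions, SHA-256 as h(M), two constructed A records as the messages, and hypothetical function names (sign, verify, recover_private_key, demo). It implements the modified s = d*(r*k - e)^-1 formula exactly as written in Section 4.B, checks that verification reproduces k.G, and then demonstrates the nonce-reuse caveat: signing two records with the same k lets anyone holding the public data compute d.

```python
# Added example (editor-written, not the paper's code): the modified ECDSA of
# Section 4 on NIST P-256, plus two checks the paper omits.
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4). The paper mentions 192-bit keys;
# P-256 is assumed here because it is the curve of DNSSEC algorithm 13 (RFC 6605).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity, the identity of the group

def on_curve(pt):
    """y^2 = x^3 + a*x + b over GF(p); the point at infinity counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition (doubling when p1 == p2); pow(v, -1, P) is the field inverse."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1, so the sum is the identity
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """k.pt by double-and-add: the paper's G+G+...+G (k times) in O(log k) group operations."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

def hash_msg(msg):
    """e = h(M): SHA-256 of the message, reduced modulo the group order n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def keygen():
    d = secrets.randbelow(N - 3) + 2    # private key with 1 < d < n-1
    return d, mul(d, G)                 # public key Q = d.G

def sign(d, msg, k=None):
    """Section 4.B: r = x(k.G) mod n, s = d * (r*k - e)^-1 mod n. The paper restarts only
    on r == 0; r*k - e == 0 (mod n) has no inverse and must restart too. The optional k
    exists only so that nonce reuse can be demonstrated; real code never accepts it."""
    e = hash_msg(msg)
    while True:
        kk = k if k is not None else secrets.randbelow(N - 3) + 2
        r = mul(kk, G)[0] % N
        t = (r * kk - e) % N
        if r != 0 and t != 0:
            return r, d * pow(t, -1, N) % N
        if k is not None:
            raise ValueError("supplied nonce is unusable for this message")

def verify(Q, msg, sig):
    """Section 4.C: u1 = e*r^-1, u2 = (r*s)^-1, accept iff x(u1.G + u2.Q) mod n == r."""
    r, s = sig
    if Q is INF or not on_curve(Q) or not (0 < r < N and 0 < s < N):
        return False
    e = hash_msg(msg)
    u1 = e * pow(r, -1, N) % N
    u2 = pow(r * s % N, -1, N)
    T = add(mul(u1, G), mul(u2, Q))
    return T is not INF and T[0] % N == r

def recover_private_key(msg1, sig1, msg2, sig2):
    """Nonce reuse: one k for two messages gives r1 == r2 and
    d * (1/s1 - 1/s2) == e2 - e1 (mod n), so d follows from public data alone."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    e1, e2 = hash_msg(msg1), hash_msg(msg2)
    return (e2 - e1) * pow((pow(s1, -1, N) - pow(s2, -1, N)) % N, -1, N) % N

def demo():
    """Returns (genuine verifies, forged verifies, d recovered from same-k signatures)."""
    d, Q = keygen()
    rr = b"www.uptu.ac.in. 3600 IN A 117.211.115.134"      # constructed sample RR
    rr2 = b"mail.uptu.ac.in. 3600 IN A 117.211.115.135"    # constructed sample RR
    sig = sign(d, rr)
    k = secrets.randbelow(N - 3) + 2                        # the reused nonce: never do this
    sig1, sig2 = sign(d, rr, k), sign(d, rr2, k)
    return (verify(Q, rr, sig), verify(Q, rr + b" forged", sig),
            recover_private_key(rr, sig1, rr2, sig2) == d)
```

Calling demo() returns (True, False, True): the genuine record verifies, the tampered copy does not, and the private key recovered from the two same-k signatures equals d, so the modified signing equation inherits ECDSA's fatal sensitivity to nonce reuse unchanged. Because the equation differs from standard ECDSA, a DNSSEC validator implementing RFC 6605 would reject these (r, s) pairs; the point of the example is the algebra, not interoperability.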
7. REFERENCES
[1] Hu Junru, "The Improved Elliptic Curve Digital Signature Algorithm", International Conference on Electronic & Mechanical Engineering and Information Technology, IEEE, 2011.
[2] Casey Deccio, Jeff Sedayao, Krishna Kant and Prasant Mohapatra, "Quantifying and Improving DNSSEC Availability", IEEE, 2011.
[3] Ghanmy Nabil, Khlif Naziha, "Hardware Implementation of Elliptic Curve Digital Signature Algorithm (ECDSA) on Koblitz Curves", 8th IEEE/IET International Symposium on Communication Systems, Networks and Digital Signal Processing, IEEE, 2012.
[4] A. Sakthivel, R. Nedunchezhian, "Improved the Execution Speed of ECDSA over GF(2^n) Algorithm for Concurrent Computation", Journal of Theoretical and Applied Information Technology, 10 April 2013.
[5] Aqeel Khalique, Kuldip Singh, Sandeep Sood, "Implementation of Elliptic Curve Digital Signature Algorithm", International Journal of Computer Applications (0975 – 8887), Volume 2 – No.2, May 2010.
[6] Vivek Kapoor, Vivek Sonny Abraham, Ramesh Singh, "Elliptic Curve Cryptography", ACM Ubiquity, Volume 9, Issue 20, May 20-26, 2008.
[7] Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang, "High-speed high-security signatures", 2011.
[8] Hong Jingxin, "A New Forward-Secure Digital Signature Scheme", IEEE, 2007.
[9] El Hadj Youssef Wajih, Machhout Mohsen, "A Secure Elliptic Curve Digital Signature Scheme for Embedded Devices", International Conference on Signals, Circuits and Systems, IEEE, 2008.
[10] Xue Sun, Mingping Xia, "An Improved Proxy Signature Scheme Based on Elliptic Curve Cryptography", International Conference on Computer and Communications Security, IEEE, 2009.
[11] Jonathan Petit, "Analysis of ECDSA Authentication Processing in VANETs", IEEE, 2009.
[12] Qingkuan Dong, Guozhen Xiao, "A Subliminal-Free Variant of ECDSA Using Interactive Protocol", IEEE, 2010.
[13] Jalel Ben-Othman, Yesica Imelda Saavedra Benitez, "A Light Weight Security Scheme for HWMP Protocol Using Elliptic Curve Technique", 11th IEEE International Workshop on Wireless Local Networks, IEEE, 2011.
[14] M. Janagan, M. Devanathan, "Area Compactness Architecture for Elliptic Curve Cryptography", International Conference on Pattern Recognition, Informatics and Medical Engineering, March 21-23, IEEE, 2012.
[15] Zhang Youqiao, Zhou Wuneng, "An ECDSA Signature Scheme Designs for PBOC 2.0 Specifications", 9th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD 2012), IEEE, 2012.
[16] Ravi Kishore Kodali, "Implementation of ECDSA in WSN", International Conference on Control Communication and Computing (ICCC), IEEE, 2013.
[17] Nabil Ghanmy, Lamia Chaari Fourati, Lotfi Kamoun, "Enhancement Security Level and Hardware Implementation of ECDSA", IEEE, 2013.
[18] Soumya Basu, M. Pushpalatha, "Analysis of Energy Efficient ECC and TinySec Based Security Schemes in Wireless Sensor Networks", IEEE, 2013.
[19] Shweta Lamba, Monika Sharma, "An Efficient Elliptic Curve Digital Signature Algorithm (ECDSA)", International Conference on Machine Intelligence Research and Advancement, IEEE, 2013.
[20] Noura Ben Hadjy Youssef, Wajih El Hadj Youssef, Mohsen Machhout, Rached Tourki, "A Low-Resource 32-bit Datapath ECDSA Design for Embedded Applications", IEEE, 2014.
