Email security with DANE: Empirical Analysis of DANE for SMTP in the wild

next up uh we will probably move straight on where we've got less than two minutes uh until the scheduled time uh in fact we're definitely moving on it seems so hello uh aniketh how are you hi hi tom i'm boeing how are you yes very good thank you very good um so first b-sides or have you been to all of them so far this is my first besides excellent excellent and where where do you where do you come from at the moment what what what is it that you do so i'm from kerala the southern part of india and i just recently finished my bachelor's from amrita and i'm i'm going to do my phd in

india networks institute and the university of carlos ceremony in spain brilliant like i said yesterday all these young people who are just putting me to shame where i just i i you know partied my way through university and here you are doing presentations um you know presentations and doctorates and all that sort of thing so i'm i'm very impressed and slightly ashamed but there you go um annika what are you what are you uh talking about today so uh today i'll be speaking about email security and uh how uh there is a different protocol called day which has been recently deployed and standardized so how that comes into email security and how that active reverse and helps us to

improve our security scenario with email and as as that's said this is an academic research as well which has been published in uh using security so we also did a longitudinal uh analysis of how the daying for smpp is in the wild as well so i'll be sharing a few of the interesting results we we found from that excellent and a reminder for our viewers please don't uh hesitate to put questions in the comments field on your right uh we will answer the questions at the end so please don't feel annika that you need to check the question and answer sorry the question feed uh throughout so i will be checking out uh for questions

uh and if will you be around on slack afterwards if people want to yeah sure yeah fantastic so brilliant please uh bring up your uh presentation or here we go and uh yeah take it away annika thank you so uh let me just start the presentation and please let me know if uh it's not in the presentation mode and it's in the audience mode no it's it's not in presentation mode at the moment but now it is yeah and now it's not and now it is so everything's fine i guess fine you can crack on thank you so as as i said we'll be discussing about email security with today and moving on i'll explain what's actually

day in and day out and more about our analysis on how the train for smtp is in the wild before that let me introduce myself so uh i'm a first year psd student at indian network institute and university of carlos cary madrid in spain and my research interest falls into mobile and internet security and privacy in general and i have been now i have contributed a lot into open source softwares while my bachelors and because of that i was uh i was a google server of code twice and i was i was also a former association in iig tokyo so yeah that's about who i am and let's start into how the next 45 minutes is structured

for for the audience so i will be speaking a little i'll give a brief introduction of smtp transport how that works and especially on the security aspect uh and security extensions of smtp uh especially for day that is and then we will talk about the domain name systems uh security extension which is which is the dns and how that correlates with day here as well so what dane exactly is a dns based authentication of indentities again we will talk uh about in detail in the next few coming two slides then what is the tlsa record so basically when you deploy a game protocol it deploys something called a tls record similar to what an air record is in dns

which correlates to ipv4 addresses so again we'll go in then once we have an introduction of all these terms and all these protocols we'll start to look into the infor smtp and how both of them coexist in the ecosystem and how that improves the security of smtp then fine then moving on we'll i'll share a few results which we found on complete comprehensive uh analysis of email clients that are out there and our results on how how the deployment is and if there is anything this configuration and things like that and once we once i share the interesting reasons we can we'll be talking about what's broker that is the miss configurations in the wild and

things like that and further i will provide a bit overview on what should be done so that we can ignore this we can fix this this configuration and have a complete secure package for our email so moving onwards why do we need indian first of all we we already have a pka infrastructure which is public infrastructure which is deployed within the tls protocol and why do we need some a new one today so yeah when we use a public infrastructure we have to always uh trust on something called certificate authority and it's a blind trust so specifically authorities create their own self-signed um certificates which we in turn the users have to trust and there has been cases like uh cnn ic

and the digital of the commodore the cas were compromised and misused throttle and then for glen certificates you are deployed so that in terms of that we are in a situation where we cannot trust the sea uh that we get other artists properly so yeah and uh and here is where dain comes in so dane allows us to actually deploy our own certificate without the need of uh ca so basically yourself we can have a sense like a self-signed certificate and we can say to our server that hey listen just use this certificate when any of the entity tries to connect so rather than having the pki model we can say that use our certificate

and when for instance when https connection tries to establish they can verify their connection with the certificate that we have powered and do the verification process right so moving on now let's look into how the smtp transport security is done in the world so basically there are a lot of extensions and protocol in the world which is developed specifically for smtp so here the dame for smtp actually it relies mostly on the start tls extension so start pls extension is uh is basically based on the tls networking itself for the smtp sessions and a lot of the male transfer agents that is the mtas support staff and uh star kls is basically for the encryption and

yeah and there are a lot of research that has been done uh based on the starter section execution such that there is little end-to-end encryption in email and why is that because smtp is a multi-hook store and forward mechanism and tlc so which means that some of the end points would be protected and some might not and another uh use case or another best part of star tls is that we don't have to use a specific port for port such as 443 for the https 25 port number of smtp for and deploy the start dls extension and you might also wonder that there is different protocols such as dki and spf but that has that are for the

authentication and does not encrypt the analysis and there is also something called empty space which is simple to deploy which is uh which is the protocol which is deployed by gmail for instance they deploy the txt record and doesn't have to provide any uh security guarantee for the certificate and the integrity of the record and uh one of the drawback of the empty sds is that it relies on the restaurant costume policy and this initially smtp connection is trusted without authentication of the receiving server so that's why well one of the reason the the dane standardizing folks decided to go with start tls so how does this rtls actually work this is similar to our pcb handshake

initiates so basically smtp means power tcpa so the other pcp hand trick done and initiated by the client and uh something server says hey listen uh i have the services ready with uh some response code of 220 you can try to just let me know if you are online again so the smtp client sends an elfo comment saying that hey i'm listening here and just send me the message so smtp server says that wait a second let me just check if you can support a private conversation between us so it advertises a star teamless support with a response code of 250 and just that we can try to negotiate um tls and have a private chat

so if a smtp client supports start tls it then it allows or for the start dls for conversation to happen so but there's a drawback yes and it is that it is wonderful to downgrade attacks because uh yeah when the as i told smtp is on a multi-core protocol right and there can be a cases where we have we can do a mitm attacks and and because of that with the smtp client and the smtp server which uses the star tls uh service is vulnerable and again why sntp transport with basically one of the reason is that star tls is optional so and that brings the case of fault falling back to the one encrypted

[Music]

is trivial to do as well and another finding is that most of the mtas does not authenticate the receiving server and the server validation is really right and and also we have seen that it doesn't not does not even work and there is very little incentive to do all the diffusion when the only option is to fall back to clear test text as well and also start tls is wonderful to expose the mixer attached and one of the use cases of star tls is that it helps to resist from passive monitoring in the smtp while it's still vulnerable to all of this bjp hijacking and dns was rewarded star tls tripping attacks so similar to similarly to the

opportunity a futuristic uh tls security flaws and it is basically uh based on the sea model that is the pki infrastructure so again as i told you my team attacks is triggered to do and downgrading attacks is still evident in the tls acquisition and when there is an opportunity tls it is it is in the incomplete automation for certificate rollover is also found in the world next before going forward into how dame and the smtp actually work and together let me just give a few pointers on how we can improve the smtp security so it it must be this uh yeah the the smtp mechanism will be deployed should be resistant to active attacks such as the downgrading

a downgraded system should be employed for even the first contact then must support mixed environment and as i mentioned yeah it's a multi-hope mechanism and end-to-end encryption is rare we should we should provide some sort of signal which lets the server and the client knows which beer to entertain and then we we must indicate how to authenticate the hp attachment just the encryption is not you know you should also know how which entity you should trust as well now into the main game for this talk which is the beginning so for as i mentioned before before properly work there is multiple uh path or multiple entities which which the server should support server in the inbound or outbound

servers should support right and one of that is the dns so i'm not going in in depth with dns sec here because it's it's a bit complicated and it's very washed area as well so as you can see it is defined in multiple rfcs so basically i will give an overview of how dns works and how dane uses that in this card so as you might know there were from the inception of dlns it has always been uh send over today uh clear text right and they did not have a mechanism where the solver took trust and dna server as well so the dns set protocol is deployed to add a layer of the trust for uh the uses of games right

and the dns also realize the dns relies on the standard public infrastructure and it also adds new type new records to dns as well and we'll uh learn a little bit of the records which is deployed because of a day in a sec in the next few slides the main point why is deployed is that we provide the dns provides a chain of trust uh till the roof see a dns server obviously so this is why dns sec is said that uh it used to be used to provide uh a trust form for the end users to use dmz and it also because of the chain of trust it prevents fake response responses and tampering

with the dns and that being said let's look into the dna architecture and basically i'm only explaining about the records which is useful for the day and here are the few so we create a couple of signing keys i will explain that in the next sec so this signing keys which uh generates a couple of records for dns so one of that is dns key that is the public key for the entire zone and the private key is used to generate the rr signature so that is the resource resource or record signatures so for every record that is the a for ipv2 for ipv6 and then servers and the email record is create an rr signature is created

and each uh each signature is created at each nodes of the dna and then the next is the ds record so it is the hash of the dns case that is the private public and the private keys and hand it into the parent zone of the obligation and then there is the 10 second in n63 which is which confirms the next homing responses but um record is not so relevant for obtaining foreign

that is as i mentioned before how the key pair is generated so we generate two types of case which is uh zone signing keys and the key signing piece so zone signing case is used to uh sign the zone the particular form itself and the public part becomes the dnsp of that particular then next we have the key signing piece which signs the keys for the particular affects of the room and uh yeah and the public part becomes also the public part becomes the dns um and this this is used to be used for exporting the ds record for that particular that's the introduction into your dns tech and let's move on towards today so

then rfc was published in 2012 and even with its inception

and what name exactly does is that it allows us to bowl a certificate with a but with our domain name as i explained before if we want to have a https connection we can advertise that we have the certificate to use this particular particular certificate rather than providing a certificate which is from the kita similarly for well as i have been explaining about the web infrastructure but uh yeah this is similar case where uh the bane could be used for smtp as well which is a little bit different and i'll explain that in detail in the next community slides with a dns set um the dane adds a trusted layer of authentication and the dns set is

responsible for authenticating the particular server for with data and because of this dns set it enters uh us for the downgrade protection and indicates that encryption is uh yeah so then deploy something called the tlsa record uh and i'll uh tell you exactly what that record is in the next few slides and it also helps to authenticate the receiver

between the smtp and als to fully secure the main delivery ecosystem because again it's a multi-port

[Music]

so yeah similar similar to how a dns uh server server tried to fix the records it purchased something called a tlsr and the rr simulator of that particular account and then when that uh tailors are called with our signature has been fetched by the dns server that our server tries to validate the dna section and if the validation process is complete and it's validated we move on to the smtp client and server communication so well now so uh since we are contradicting that this rtls is possible what the smtp server does it sends a start dls communication with a certificate to the smtp client and once the certificate is received that they simply decline the client the client starts to match

the tlsr card with the certificate so if the matching process is validated and is complete uh the smtp client says that access to the server that has an hour they will cover our private communication with the tls channel so yeah in a brief summary of it another uh dns server which has dana second that is the main point here that the dns server should have dna set and their dns resolver tries to fix their tlsr record with the rr signature and the mail client receives it and they uh client with this help of star tls starts to have a very complicated verification of the encryption complete so next is about how the record deployed by

dna

so this is one of the email service that provides uh email uh

and you can see in the answer section that how the pls record looks like and and things like that so what exactly each of the entities within the pls support me so the initial one that is the 25 which is the smtp and the pcp is the protocol right okay is denoted there and then the host name or the particular host that we are trying to find

which is the hash so what is this particular certificate usage so the certificate usage mentioned that if we are using a trusted angle that is the ca certificate the certificate provider which is which can be pki validated or not and so with the significant usage of zero you can mention that it should be pka then the next is certificate one which means that it's a host certificate or a consent certificate for instance where the pki is validated and the next one is a trust banker again without apk validation and uh again uh satellite usage three with fours of opk validation that's what the certificate usage failed in in the tlsr economy then there is a selector so selector

service that should be used or certificate then that certificate to validate or should we use just a public key and there is a matching type matching type means should it be um [Music]

and that's how a tls record looks like

and the matching type is to three one one and it has a specific meaning for all of those for which one is three one one means it's uh being entered which is a sharp and two fifty six

communication and we use that if our ca and the primary purpose of today is to let dominant owners use custom certificate for the tls connection as i mentioned before by using by deploying their tls

see if we want to use a third party ceo we cannot deploy it with three one one or one we have to use zero or

that way then we cannot benefit fully from the secure security measurement which main province [Music]

there are particular cases where we should be careful on declining and how how silly mistakes can lead to this configuration in the entire ecosystem so for a proper support of day as i mentioned there should be dns sec and start ls deployed perfectly and that means the dns set should have been ds and rcbs published and these records should be correct that means it should not be expired or it should that the r signature should not have configuration in the hashes for instance and things like that and for uh star tls the certificate should be provided and the certificate should be consistent with the tls report for a correcting proper management option and next year so if

there is any missing components and any incorrect components within the dns sec and start als it should be in the case that they and deployed main servers around the ecosystem should not receive any name for instance in our case because there is a risk configuration and we should not trust that so we did a comprehensive analysis on the server side as well as the client side i'm talking about the client side for this talk today and this is case in our white paper as

measurement and to see how the deployment is done and how correct the deployment is we had a test bed and the test bed is as follows so we purchased a second level for instance uh something like a daily test platform and then we created uh with we have we set up our own find a name and a postcard that is

has an expired r signature for instance or the klsa record with the which provides with this station is different so we created a couple of uh correctly more than seven to eight scenarios where this could fail and uh we tested it out with 29 popular email service providers and we will talk about the results in the comments

then we send an email from gmail to our smtp server and when we do that at the first entry point is the dns so the dns is our type of effects the ms mx and the dlc records from the dns examiner and the dns resolver tries to look up from our other server and the authoritative server when it's when it against the image and the tls it tries to do a dns dns lookup and the tftlc and verify if it's correct or uh then when that's done uh and the verification is correct um the smtp client initiates a smtp connection where again there's something server will start uh starting and if it's if this typical client supports it a certificate

is sent through and if the certificate is validated with the tlsa record then this entity connection is established so here is an example of one of our case that i mentioned before that which we deployed that is this configuration in the dns for instance where the rr signature is expired so when our signature is expired however we would like that the smtp client should not um send any emails to their personal points and because the trust is lost or that the here the rs nature is expired so yeah that's it for the testbed and with the mentioned scenarios that we deployed we did a comprehensive analysis on uh as i mentioned 29 email providers and

here is our five bits so from the 29 email providers when we checked for a pro and to say that uh the dns set is properly deployed we say that the dns key and the dsr account should be fixed okay and we could see here that the only 7 out of 29 service providers are actually pitching the dns key and the ds record properly and even out of that only four out of seven are correctly verifying the dns ciphertox

so yeah and once we are completed with the dns uh analysis we went for what we measuring how much uh start als has been deployed in the world and the good news is that 23 out of 29 is supporting starting list and which is good and then there is so as i mentioned in the previous slides as well for a proper working of dane dnsec and staff als should be deployed and for that only four of the providers actually fetched lsa and we could see that only two of them correctly validates them and only two and two and the two others does not even validate the fields such as the usage so finally where are we right now

so as i mentioned we looked into 29 email service providers and our study reveals that there are a mismanagement in the dynamic system and we found that six percent of the tlsa records cannot be updated due to missing or incorrect dna and because dna is an important part of the daily system and of which fourteen point fourteen percent of them are in consistent with their certificate records we have also found that only uh four email service providers support them for both outgoing and incoming emails but two of them have drawback of not checking certificates in the pls and having this misconfiguration developed in the while what could we do to fix such a misconception so as simple answer is for a proper fix

proper certificate validation then we should provide tlc validation should be correct and then the tlc management should have the correct suitable certificate you see and this is a selected field and the matching field for the particular and suitable certificate that we are using that is if it's a host or a trust and the generated certificate we should decide properly on which certificate usage and selector and or in general tls management should be done and to have a proper tlsr record deployed uh the dns must be deployed correctly and also the important thing is that the dns keys should be rolled over and we should not let it expire right and um we should also deploy a ds record

properly in the dns chain and as as it mentions the dns key must be signed by its privacy and which corresponds to the publishing in the dns protocol and on this record and the parent game is going to create a change of trust so in the long term what we should look into right so deployed in a sec on our production domains if it's not already and publish tlc record for your own empty certificates and make sure that these certificates are rolled over so that they never expires apart from this configuration that can so happen the long term we would like all of the player text to be turned off and to be encrypted so that's it

for today and i i only scratched the surface of the entire time plus smtp uh ecosystem there is more to find and you can find a lot more details in our paper which is mentioned in this in this slide as well and if you have any questions feel free to reach out to me through twitter i'll be happy to help you and yeah that's it for today i'm happy to take any questions

[Music]

thank you very much for that fascinating when you're talking about dns uh i must admit it reminds me of the last time i worked on dns which was with windows nt4 so uh just to date myself there a little uh we do have a couple of questions uh so we have one from i just put up on the screen how can i test start tls so basically what we if you are deploying us smtp server we can for instance we use uh tools like hostfix for example in our studio we use hostfix which is a smtp mta we could uh and those kind of uh tools generally generate locks for instance so when when we deploy postfix we could

actually have a configuration done in their config files and say that it should support start ls and once that is done and when we are actually sending email to the smtp server we could see in the launch that the communication is with starting i hope that answers your question and if not i'm happy to help you more in the snap channel if you are here fantastic uh they did have another question it may you may have answered it but can you explain more about start tls by giving an example or is or is that something for the slack channel yeah i think something okay so just head for the slack channel we have one more question um

as for start tls you said need downgrade resistance how can i do it popular software such as thunderbird can do it um so thunderbird is an email client so uh so the client should also deploy a mechanism where they should advertise that they are also supporting start tls and the servers that we are trying to connect with uh should also say that start als is deployed so when a star when that kind of communication happens then uh then it's only there is only where our yeah that is only where the second channel exists and uh start als is not downgrade resistant it is downward distance that's what i was speaking about because star tls41 is an optional feature

so we could uh if if start ls is not supported by one of the mbt it could just say that um let's not have uh the communication of star tls and yeah and all their communication channels could go through the plain text right so start als is not downgraded system that's one main point to keep in mind and that's why we have to bring in bringing dame and dns and the first off chain command into the whole scenario i hope that house once is experienced so it's not actually free to open me up in the slack channel yeah we can discuss more with examples on uh we can discuss more on the examples with the configuration files and how the

logs can look like something which validates how a scatial communication actually looks in the way excellent thank you very much thank you so much for your presentation you get the virtual applause and the applause again because you can't hear us all applauding so you just get to