University of Twente Student Theses


Taking the quantum leap: Preparing DNSSEC for Post Quantum Cryptography

Beernink, G.J. (2022) Taking the quantum leap: Preparing DNSSEC for Post Quantum Cryptography.

[img] PDF
Abstract:Once a quantum computer is capable of running a cryptanalytic attack against currently used public key cryptographic algorithms, DNSSEC no longer provides DNS with the security that this core Internet Protocol needs. Attacks such as spoofing DNS responses that would lead users to a malicious website are then again possible for adversaries having a functioning quantum computer. While current quantum computers only have a few quantum bits and can not yet perform difficult computations to break modern public key cryptography, progress is made fast and solutions must be designed to keep the Internet a safe and secure place. This is especially important since it is expected that the transition of DNSSEC to more secure signing algorithms will take years. Post-Quantum Cryptography (PQC) must ensure the security of Internet Protocols in the future where quantum computers are available. These PQC algorithms are researched and evaluated by the cryptographic community together with NIST in a competition-like standardization process for quantum-resistant cryptographic algorithms. In this study DNS is researched for its ability to adopt PQC algorithms in its security extension DNSSEC. Limitations exist on several aspects of the DNS protocol that have direct consequences to the adoption of PQC algorithms into DNSSEC. As DNS packets have a limited size, the signatures and public keys that DNSSEC communicates must stay below this size limit. Additionally, PQC algorithms must not cause DNS operators such as resolvers and name servers to experience an extremely high computational overhead on respectively signature verification and zone signing. Based on the results from this study, only the Falcon-512 PQC alternative can be successfully adopted into DNSSEC without resulting in packets growing over the DNS size limit and without significantly increasing the computational load on DNS name servers and resolvers. However, this comes at a cost of an increase in TCP traffic. In this study, a promising approach to enable more PQC algorithms to be adopted into DNSSEC is proposed. Using this approach of out-of-band key exchange, computationally more efficient algorithms such as Rainbow can be implemented at acceptable expense. Post quantum cryptography is fairly new and the standardization process is not yet finished, additionally, algorithms such as Falcon are based on an underlying mechanism that the community is unsure about. Hence, steps must be taken to keep DNS useful in a world where quantum computers are connected to the Internet.
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page