University of Twente Student Theses


The Performance of ECC Algorithms in DNSSEC: A Model-based Approach

Hageman, Kaspar (2015) The Performance of ECC Algorithms in DNSSEC: A Model-based Approach.

Abstract: The Domain Name System (DNS) resolves domain names to IP addresses on the Internet. Several vulnerabilities in DNS led to the development and deployment of a secure extension, DNSSEC, which provides authentication and data integrity by including digital signatures in DNS responses. DNSSEC has its own flaws, however, of which DDoS amplification potential, fragmentation-related issues and deployment complexity are the most severe. While the RSA signature scheme is currently widely deployed in DNSSEC, its elliptic curve cryptography (ECC) alternative, the Elliptic Curve Digital Signature Algorithm (ECDSA), was standardized more recently and supposedly reduces the aforementioned flaws by reducing the size of digital signatures and cryptographic keys. EdDSA is another, more recent, digital signature scheme based on elliptic curve cryptography, and has even more promising properties (e.g. smaller key size). The major drawback of ECC is that the validation of signatures is computationally more intensive than with RSA. A transition from RSA towards ECC would introduce a significant increase in the computational load caused by signature validations for DNS resolvers. While some simple benchmark tests confirm that a single ECC validation is computationally costly, there exists no scientific proof that ECC can be deployed on a large scale without causing any performance issues. In our research we have developed a DNSSEC model based on measurements from three deployed resolvers. The resulting regression model was applied to evaluate several scenarios, both current and future. Based on the scenarios, we can conclude that the switch towards ECC can be made without encountering any computation-related issues for validating resolvers. This research was conducted in collaboration with SURFnet, the Dutch national research and education network, which provides Internet and services to the research and education community in the Netherlands.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Internet Science and Technology MSc (60032)