terena networking conference 2010

HTTP Response Signing Using DNSSEC

Alex Giurgiu, Arthur van Kleef, Cosmin Dumitru, Niek Timmers (University of Amsterdam)

The project described in this paper is written for the course Security of Systems & Networks. This course is given at the System & Networking Engineering study at the University of Amsterdam. During some brainstorm sessions we came up with several ideas. The first idea which we were quite enthusiastic about was signing HTTP responses in order add authenticity and integrity to the HTTP protocol. The idea is to use a public key infrastructure. The problem with a public key infrastructure is where to store the public key and make sure that this key cannot be tampered with. We concluded after some brainstorming that it could be very well possible that DNSSEC is the perfect infrastructure for storing the public keys in a secure way. In our four week research we tried to give an answer on the following research question: Is DNSSEC a feasible infrastructure to use for signing HTTP responses? To answer this this question we give also an answer on the sub questions which are listed below. By answering these questions we can substantiate our conclusions.

  • Can the HTTP protocol be extended to provide integrity and authenticity?
  • What are the advantages and disadvantages of signing the HTTP re-sponses?
  • In which situations would the signing of HTTP responses be useful?
  • How should the public key infrastructure be realized?
  • What is the degradation of performance while signing HTTP responses?

This report does not focus mainly on proving that DNSSEC is a feasible infrastructure to use for signing HTTP responses, instead it will provide details about the mechanisms that were used and the reasoning behind it. Besides theoretical information we created a proof of concept from which we will draw our conclusions. During our research we have experienced that implementing and extending an existing protocol can be quite subtle. Thereby our research is certainly not complete in its details. To solve all the problems that appeared during our research we need a lot more time than four weeks. We have dedicated a section to all the issues we found. We also tried to provide possible solutions for these issues.

Download poster (PDF)