DNSSEC based on a hybrid encryption mechanism
In symmetric encryption, encryption and decryption share the same key, so it is also known as a single-key algorithm. It requires the sender and receiver to agree on a key before secure communication can begin, and the security of a symmetric encryption algorithm therefore rests on the secrecy of that shared key. Symmetric encryption algorithms have the advantages of openly published algorithms, a low computing workload, fast encryption speed, and high encryption efficiency.
Figure: symmetric encryption algorithm flow
The figure shows a typical symmetric encryption algorithm: the sender and receiver use the same key K to encrypt and decrypt the information.
Hybrid encryption mechanism and its application in DNSSEC
In terms of data encryption and decryption efficiency, symmetric encryption algorithms are superior to asymmetric encryption algorithms. For example, the DES symmetric algorithm uses a key of only 56 bits; it can be implemented for high-speed processing in both hardware and software, and software implementations reach an encryption throughput of several megabytes per second, which suits fast encryption and decryption of large amounts of information. By contrast, because the RSA algorithm requires large-number arithmetic, its encryption and decryption speed is much slower than that of DES. In terms of key management, asymmetric encryption algorithms are better than symmetric ones: for example, RSA can publish its public key and need only keep the private key confidential, whereas a DES key is difficult to update.
The hybrid encryption mechanism uses an asymmetric encryption algorithm to encrypt the key of a symmetric encryption algorithm, and then uses that symmetric key to encrypt and decrypt the DNS data. In this way the hybrid mechanism combines the convenient key management of asymmetric encryption algorithms with the high encryption and decryption efficiency and good security of symmetric encryption algorithms, and improves the overall execution efficiency of the DNSSEC protocol.
Figure 4: Application process of the hybrid encryption mechanism in DNSSEC
The figure shows the main flow of the hybrid encryption mechanism in DNSSEC. After a user initiates a resolution request for a domain name, the user's local DNS uses the chain of trust to obtain the public key of the domain name's authoritative server. The authoritative DNS of the zone uses its private key to encrypt the symmetric key and sends it to the local DNS; the local DNS uses the asymmetric public key it obtained to decrypt the data and recover the symmetric key. The authoritative DNS then uses the symmetric key to encrypt the DNS data to be transmitted and sends it to the local DNS; the local DNS uses the symmetric key it now shares with the sender's authoritative DNS to decrypt the received data and returns the decrypted DNS data to the requesting user, who finally obtains the complete and correct domain name resolution result. From then on, domain name resolution traffic between the local DNS and the authoritative DNS can be processed quickly using the symmetric key.
This solution reduces the overall computing complexity of DNSSEC while preserving security. However, because symmetric encryption algorithms are still easier to crack than asymmetric ones, once a symmetric key is cracked the entire DNSSEC system faces a threat: the communication between the two parties can be eavesdropped on and may be tampered with. Therefore, the concept of a symmetric key lifecycle can be introduced in future research work: if the symmetric key used by both parties has been in use for longer than a set period, it is forcibly updated to ensure the security of DNSSEC.
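To make the exchange described above concrete, here is an added example in Go (not code from this page or from any DNSSEC implementation) that walks through the whole flow with standard-library primitives: the local DNS generates a fresh AES-256 session key and wraps it with RSA-OAEP under the authoritative server's public key (assumed here to have already been validated through the chain of trust), the authoritative DNS unwraps it with its private key, each answer is then protected with AES-GCM, and every session key carries the expiry that the key lifecycle proposal above calls for. Two choices go beyond the page's wording and are stated as such: AES-256 with GCM is used rather than DES, because a 56-bit DES key can be brute-forced today and GCM additionally detects tampering of the DNS data; and the symmetric key is wrapped towards the holder of the private key, since an RSA-OAEP ciphertext can only be opened with the private key, so whichever side generates the session key must wrap it under the other side's public key for it to stay confidential in transit. All names (SessionKey, WrapSessionKey, SealRecord, RunExchange) and the sample query name and record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// SessionKey is the symmetric key shared by a local DNS and an authoritative DNS,
// plus the time after which it must be replaced (the key lifecycle idea above).
type SessionKey struct {
	Key     []byte
	Expires time.Time
}

// WrapSessionKey runs on the local DNS: it generates a fresh AES-256 key and wraps it
// with RSA-OAEP under the authoritative server's public key (assumed already validated
// via the chain of trust); only the matching private key can unwrap it.
func WrapSessionKey(authPub *rsa.PublicKey, lifetime time.Duration) (*SessionKey, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, authPub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	return &SessionKey{Key: key, Expires: time.Now().Add(lifetime)}, wrapped, nil
}

// UnwrapSessionKey runs on the authoritative DNS and recovers the key with its private key.
func UnwrapSessionKey(authPriv *rsa.PrivateKey, wrapped []byte, lifetime time.Duration) (*SessionKey, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, authPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return &SessionKey{Key: key, Expires: time.Now().Add(lifetime)}, nil
}

// aead builds the AES-GCM cipher for a session key and refuses expired keys.
func aead(sk *SessionKey) (cipher.AEAD, error) {
	if time.Now().After(sk.Expires) {
		return nil, errors.New("session key expired: negotiate a new one")
	}
	block, err := aes.NewCipher(sk.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord runs on the authoritative DNS. GCM adds an integrity tag, so tampering is
// detected on decryption; the query name is bound in as associated data so an answer
// for one name cannot be replayed as the answer for another.
func SealRecord(sk *SessionKey, qname string, rrdata []byte) ([]byte, error) {
	gcm, err := aead(sk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, rrdata, []byte(qname)), nil // nonce || ciphertext || tag
}

// OpenRecord runs on the local DNS: it authenticates and decrypts one answer.
func OpenRecord(sk *SessionKey, qname string, sealed []byte) ([]byte, error) {
	gcm, err := aead(sk)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(qname))
}

// RunExchange drives the whole flow with a fresh authoritative key pair and returns the
// answer as recovered by the local DNS.
func RunExchange(qname string, answer []byte, lifetime time.Duration) ([]byte, error) {
	authPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	localKey, wrapped, err := WrapSessionKey(&authPriv.PublicKey, lifetime)
	if err != nil {
		return nil, err
	}
	authKey, err := UnwrapSessionKey(authPriv, wrapped, lifetime)
	if err != nil {
		return nil, err
	}
	sealed, err := SealRecord(authKey, qname, answer)
	if err != nil {
		return nil, err
	}
	return OpenRecord(localKey, qname, sealed)
}
```

RunExchange is the entry point: calling it with a constructed query such as "www.example.com." and a record such as "A 192.0.2.1" returns the same record on the local DNS side, while a wrong query name, a flipped ciphertext byte, a truncated message or an expired session key all fail with an error instead of yielding data. The expiry check sits inside aead so that both the sealing and the opening side refuse a key past its lifetime, which is the enforcement point the key lifecycle proposal needs.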
For more information, see:
Analysis of DNSSEC based on public key technology
Complexity of Public Key Technology-based technical solutions