Presentation and Application

layer security
Presentation Layer
• The Presentation layer deals primarily with data presentation.
• For instance, if one host uses Extended Binary-coded Decimal Interchange Code (EBCDIC) for
character sets and its communication partner uses American Standard Code for Information
Interchange (ASCII), the Presentation layer converts the data according to each hosts’ needs.
• This is especially helpful when you have a heterogeneous network, because different hosts might
represent data in diverse manners.
• Such functionality alleviates the need for application programmers to embed such code into their
work.
• Other functionality within the Presentation layer includes data compression, data encryption,
manipulating Extensible Markup Language (XML) objects, and other data handling deemed
necessary.
• The Presentation layer provides insulation between the various forms of data representation
encountered in multivendor environments, much like the ASN.1 (Abstract Syntax Notation)
notation employed in the Simple Network Management Protocol (SNMP).
The Structure of NetBIOS and SMB
• Network Basic Input/Output System (NetBIOS) is an application programming
interface (API) that provides the essential network functions that a system needs (e.g.,
identify self, form connections with other hosts, exchange datagrams, and so forth).
• In the 1980s, a company named Sytec, Inc. created NetBIOS for IBM.
• At that time, NetBIOS was a standalone entity embodied by Read-Only Memory
(ROM) functionality built into the original IBM PC local area network (LAN)
adapter, and traversing the wire by itself.
• Today, most implementations utilize NetBIOS over Transmission Control
Protocol/Internet Protocol (TCP/IP) or NETBIOS over TCP/IP (NBT), but it can also
run over Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) or
other transport mechanisms.
• Regardless of the implementation, the functionality remains the same, and irrespective
of how it is implemented—natively or over TCP/IP—the API is the same.
Server Message Block (SMB)
• NetBIOS provides the framework that allows two or more networked hosts to
share objects located on one of the networked hosts.
• Used in conjunction with Server Message Block (SMB), the two most prominent
services that machines offer are file and printer shares.
• Some people think NetBIOS is too “chatty” (e.g., the host announcements that
emanate from Windows machines every 12 minutes, master browser elections,
and so forth), and can generate a considerable amount of broadcast and multicast
traffic.
• However, NetBIOS is just the messenger, and is no more chatty than other
protocols.
How NetBIOS works?
• In order to share programs, machines have to be able to communicate with each other.
• To accomplish this, each machine is given a unique hostname; consequently, there has to be a
way to identify naming conflicts.
• Within NetBIOS there is a functionality called “NetBIOS Names Services,” where associated
communications generally take place over User Datagram Protocol UDP) port 137 (default).
• Because it is over UDP, the service is connectionless; thus, there is no guarantee that packets
will be delivered.
• To avoid any syntactical issues, NetBIOS names are converted to 15 uppercase characters.
• Appended to the name is a 1-byte service value, which is used to identify the type of name,
workstation, workgroup, and so on.
• These names are used to identify the endpoints to one another during an exchange of
information over the network.
Local NetBIOS Name Table
• To join the network, a host must verify that its name is unique on the network.
• To do this, it broadcasts a name registration request out to the network.
• If there is another host on that segment with that name registered, the request is
denied.
• To prevent naming conflicts, each machine maintains an enumeration of unique
names called a “NetBIOS Name Table.”
• Whenever there is a request for an existing host name, a deny request is initiated.
• Essentially, the requestor does not go out and search for a conflict, but rather it
announces its presence and waits for another host to deny it entry.
• If no other hosts deny the request, it is stored in the local NetBIOS Name Table.
Windows Internet Name Service (WINS)
• Clients began utilizing Windows Internet Name Service (WINS) to resolve names to Internet Protocol (IP)
address mappings.
• What is commonly referred to as WINS is Microsoft’s implementation of NetBIOS Name Services (NBNS).
• A server (with WINS running) stored registration information for all of the hosts on the network.
• If a host wanted to communicate with another host, it would query the WINS server for the IP address of the
destination server. Static files are also used in mapping names to IP addresses.
• In all hosts (platform-independent) there is a hosts file.
• On Windows machines, there is also a LAN Manager Host (LMHost) file.
• In addition to machine names, the LMHost file translates other Windows’ networking information.
• These methods can also be used alone or in conjunction with one another.
• The risk in utilizing static (file-based) translation is not receiving an updated host address. Beginning with
Windows 2000, hosts began registering names with Domain Name Services (DNS). (DNS is available to any
host, not just Windows-based clients.)
NetBIOS Threats
• As you will see later, if not properly protected, NetBIOS can give an
attacker easy access to information about networks and hosts (known
as an enumeration attack).
• Another possibility is that an attacker might gain access to the file
system by exploiting vulnerabilities found in some Windows operating
systems administrative shares.
• There is also an opportunity for Denial of Service (DOS) via
NetBIOS.
SMB
• SMB is another interface that offers similar functionality to that provided by NetBIOS.
• In earlier versions of SMB, clients used the NETBIOS over TCP/IP (NBT) transport to
carry SMB packets over the network.
• These days, SMB implementations can use TCP/IP directly as a transport for
communications.
• By default, clients use TCP port 445 for such traffic.
• Again, there is a need for name resolution; SMB can use NetBIOS names, WINS, or
standard DNSes for that service.
• Once name resolution occurs, a host can begin negotiating the protocol and session with
another host.
• After negotiation, the two clients continue a session of requests and responses until one
receives a close request and sends a close response.
Attacking the Presentation Layer
• Presentation layer attack is the act of taking advantage of a vulnerability or weaknesses within the
functionality (code).
• NetBIOS and enumeration relate to null (anonymous) users.
• Some Microsoft operating systems and services used to require that you utilize the null user in
order to operate properly (e.g., in old NT domains, trust relationships utilized null users to
authenticate users [from trusted domains]).
• Unless permissions are specifically changed for a service, they are most likely running the system
account (by default).This isn’t a problem until you consider sharing/using remote resources.
• The system account uses the null user to get to remote resources; however, because the system
account exists on each machine and does not have a password set, it must use the null/anonymous
account to connect to other machines.
• As you can see, there are valid reasons for using null sessions; however, there are also many
reasons to protect your servers from the null session.
Null Session
• Null sessions allow users to communicate via NetBIOS in order to query any server
as the null user.
• If this occurs, user’s can enumerate shares, users, groups, permissions, policies, and
so forth (known as an information disclosure).
• If attackers can enumerate usernames, group memberships, and the password policy
of domain members, they can probably brute force their way into the network,
which (depending on password policies and other controls) may lead to an intrusion.
• There are countless tools to help enumerate different aspects of a Windows server.
One of these tools is enum
• (www.cotse.com/tools/netbios.htm ), which allows you to see the different aspects
without having explicit permissions on the server or in the domain
Admin$ and ipc$ share
• Admin$ is specifically used to deploy software remotely. If you
have ever 'pushed' software to a computer across your network,
then you have used the admin$ share. When software is pushed,
it uses this share to upload the file.
• The Interprocess Communication ipc$ share is a resource
that shares the named pipes that are essential for communication
between programs.
• The ipc$ share is used during remote administration of a
computer and when viewing a computer's shared resources. You
cannot change the share settings, share properties, or ACLs of
the ipc$ share
 Exploiting the IPC$ Share
• Windows operating systems have hidden
administrative shares that typically have a $ at the
end (e.g., C$ [or any local drive],ADMIN$, and
IPC$), which are not usually available to generic
users.
• By placing the $ on the end of the share name, the
system tells itself to omit this share from any
request for the enumeration of shares.
• Figure shows all of the shares that are configured
on the server.
• Notice the number of hidden/administrative shares
that exist by default.
• Only the AppShare and FileShare folders were
created by the administrator for explicit sharing.
The Interprocess Communication (IPC$)
• The Interprocess Communication (IPC$) share is necessary in order for systems to work properly.
• There are many different processes that are active on any given machine.
• For this reason, these modules need to communicate with one another.
• A program may need to verify permissions for a remote user.
• The program would have to communicate via IPC.
• In Windows, processes communicate via the IPC$ hidden share.
• In some configurations of Windows (especially NT) users can exploit the use of the IPC$ and other
hidden shares through a null session.
• Once a user connects to a null session, it may then utilize the net view and net use commands within a
console window to browse and connect to the hidden shares on a machine.
• To illustrate this weakness, we use the winfo tool (http://ntsecurity.nu/toolbox/winfo/), which allows you
to connect via the null session to the IPC$ share, and then enumerate all of the hidden/administrative
shares.
• As a user without domain privileges, you can run the utility and recover a complete listing of the
hidden/administrative shares on the target server.
Figure shows the results
of the query.
Other NetBIOS Worries

• Other than null session weakness and IPC$ vulnerability, there are several other
attacks that can be used against the NetBIOS protocol.
• Recall that in order to establish an identity, a new member sends out a packet
notifying the other machines of its desire to establish a unique machine name.
• Because the requestor waits for another machine to deny the request (i.e., the
name is already in use), it’s not difficult to write a utility that denies every request
received.
• The result of this is that all of the machines that are booting into the network will
not be able to join.
• Although this may be of little consequence for some client machines, if it occurs
in combination with another attack on a domain controller (requiring a reboot to
reconcile), the consequences could be dire.
Windows Server OS
• These types of weaknesses only exist in older implementations of
Windows Server operating systems; however, some legacy systems
never change.
• This is especially true in large corporations and in government.
• These organizations are so dependent on these operating systems that
they cannot easily migrate to a more recent application running on a
more recent platform.
• Because of this, these types of NetBIOS vulnerabilities still exist.
• You already know that enum and winfo are good tools; however, there are
numerous other utilities available—some for a fee, and some for free. Some of the
more notable utilities include dumpsec, Hyena (both available at
www.somarsoft.com/), and NBTScan (www.inetcat.org/software/nbtscan.html ).
• For more guidance regarding security tools, a great source can be found at
http://sectools.org/. When you use these tools against the Windows test hosts, you
may receive different results based on which version and operating system you
test.
• Table shows an outbreak of the default settings for Windows operating systems
Other attacks
• Sniffing Encrypted Traffic : some that utilize encryption and others that use
one-way functions. All of these techniques exist to make it difficult to
intercept a transmission and retrieve the contents of the message. In other
words, these mechanisms exist to protect the confidentiality of the transaction.
As well, these same systems may also prevent message modification, thus
protecting the integrity of the message.
• A Maturing Dictionary Attack- looking for passpword table
• Attacking Kerberos- The purpose of the Kerberos Service is to authenticate
users to servers and servers to users. Most networks are diverse with regard to
servers and services, so there is a need for such a capability. Kerberos is
designed to utilize symmetric encryption, meaning it’s based on a shared-key
approach.
Tools Used to Intercept Traffic
• Burp Proxy- (www.portswigger.net/proxy/ ) is a tool that lets you
create a history of packets traversing through the proxy or it allows
you to intercept the traffic, make modifications to the packet (or not),
and then forward it on to the destination. It also allows you to intercept
Hypertext Transfer Protocol Secure sockets (HTTPS) traffic.
• Achilles - (www.mavensecurity.com/achilles ) is another proxy tool
that can be used to capture, modify, and view transactions.
Defending the Presentation Layer

• Encryption
• The use of IPSec protocol
• Tightening NetBIOS Protections
Tightening NetBIOS Protections-
• Increasing the security applied to your local security policy.
• There are two ways to address this issue.
• The first is to modify the registry directly. In this case, you want to set the HKLM\
System\CurrentControlSet\Control\Lsa\RestrictAnonymous value so that these
protections are enabled.This will essentially turn on anonymous restrictions on your
host.
• The other way to enable this option is to modify the local security policy via the user
interface and set the value to “enabled.”
• Either way will stop unauthorized users from connecting to null sessions and
performing NetBIOS enumerations.
• As always, manually editing the registry can be dangerous, so you should backup
your registry before making any changes.
Application Layer
Security
 Application Layer
 Provides services for an application to send
and recieve data over the network, e.g.,
telnet (port 23), mail (port 25), finger (port 79)
 DNS Security
 Email Security
 Interface to the transport layer
– Operating system dependent
– Socket interface

CSCE 813 - Farkas 24

 Application Layer Security
 Advantages:
- Most flexible
- Executing in the context of the user  easy access to user’s
credentials
– Complete access to data  easier to ensure nonrepudation and
small security granularity
– Application-based security
 Disadvantages:
– Most intrusive
– Implemented in end hosts
– Need for each application 
– Expensive
– Greated probability of making mistake

CSCE 813 - Farkas 25

Providing Security
• Provide security system that can be used by different applications
• Develop authentication and key distribution models
• Enhance application protocol with security features
• Need to enhance each application

CSCE 813 - Farkas 26

Authentication and Key Distribution

• Kerberos (MIT) and its extensions (Secure European System for

Application in a Multi-vendor Environment (SESAME))
• Network Security Program (IBM)
• SPX (Digital Equipment Corporation)
• The Exponential Security System (University of Karlsruhe)

CSCE 813 - Farkas 27

Requirements
• Secure
• Reliable
• Transparent
• Scalable

• Trusted Third Party authentication service

• Based on Needham-Schroeder (1978) protocol

CSCE 813 - Farkas 28

Kerberos Components
• Key Distribution Center (KDC)
• Authentication server (AS)
• Ticket-granting server (TGS)
• Database: users’ identifiers + secret key shared between KDC and user
• Need physical security

CSCE 813 - Farkas 29

Ticketing System
• KDC issues tickets that clients and servers can use to mutually
authenticate themselves and agree on shared secrets.
• Ticket:
• Session key
• Name of principal
• Expiration time
• Ticket types:
• Ticket-granting ticket: issued by AS and used between client and TGS
• Service ticket: issued by TGS and used between client and server

CSCE 813 - Farkas 30

Kerberos
1.Request ticket- Kerberos
granting ticket Once per
2. Ticket + user logon
session key KDC session

Client 3. Request service-

granting ticket
TGS Once per
4. Ticket +
type of
session key service
6. Provide server 5. Request service
authentication

Server
Once per
service
session

CSCE 813 - Farkas 31

Kerberos Versions
• Version 4 (MIT) – 1992
• Versions 1-3 were only used at MIT
• Shortcomings and limited functionality (S. Bellovin and M. Merrit 1990)
• Version 5 (RFC 1510) – 1993
• Improves on version 4 shortcomings

CSCE 813 - Farkas 32

Version 4 limitations
• Environmental shortcomings
• Encryption system dependence
• Internet protocol dependence
• Message byte ordering
• Ticket lifetime
• Authentication forwarding
• Inter-realm authentication
• Technical deficiencies
• Double encryption
• PCBC encryption
• Session keys
• Password attack

CSCE 813 - Farkas 33

Kerberos Threats
• User gains access to workstation and pretends to be another user
operating from that workstation
• User may alter the network address of a workstation so that the
requests form the altered workstation appear to come from the
impersonated workstation.
• User may eavesdrop on exchanges and use a replay attack to gain
access to a server or to disrupt operation.

CSCE 813 - Farkas 34

Security-Enhanced Application Protocol

• Applications:
• Terminal access
• File transfer
• Electronic mail
• WWW transactions
• DNS
• Distributed file system

CSCE 813 - Farkas 35

Terminal Access
• Protocols running on top of TCP/IP
• Telnet: password based authentication
• Rlogin: address-based authentication
• Security enhanced Telnet
• Kerberos-mediated Telnet encryption: difficult to achieve
• Security-enhanced Telnet (e.g., Secure Telnet (STEL) Univ. Milan
• Authentication enforced by STEL is stronger than Telnet
• All data traffic is encrypted between client and server
• Secure Shell (SSH)

CSCE 813 - Farkas 36

SSH
• Provides similar services than SSL
• Mutual authentication
• Encrypted sessions between two endpoints
• Most often used to replace traditional terminal access  Application
layer security
• Any application running on top of TCP can be secured by SSH

CSCE 813 - Farkas 37

SSH versions
• SSH v1
• Tatu Ylonen, Helsinki University of Technology, Finland
• Implementation, source code, documentation, configuration scripts: public
and freely available
• Widespread use
• SSH v2
• Specified by IETF Secure Shell WG (1st draft: 1997)
• Widespread use
• Open source implementations: OpenSSH

CSCE 813 - Farkas 38

SSH
• Both version use generic transport layer security protocol over TCP/IP
• Support for
• Host and user authentication
• Data compression
• Data confidentiality
• Integrity protection
• Server listens for TCP connection on port 22, assigned to SSH

CSCE 813 - Farkas 39

SSH v1 keys
• Host public key pair
• Bind connection to the desired server host
• Long-term
• Long key size (typically 1,024 bit RSA)
• Server public key pair
• Provide confidentiality
• Short-term
• Short key size (typically 768 bit RSA)
• Changes periodically (i.e., every hour by default)
• For PFS server’s private key cannot be saved on disk

CSCE 813 - Farkas 40

SSH Session
• Client  Server: Authentication request
• Server  Client: Server public keys (long-term and short-term)
• Client:
• Compares received keys to its database of pre-distributed keys and (usually)
accepts keys
• Generates 256-bit random session key
• Chooses encrypting algorithm
• Pads session key
• Double encrypts session key with server and host public keys

CSCE 813 - Farkas 41

SSH Session
• Client  Server: Sends double encrypted session key
• Server:
• Decrypts session key
• Server  Client: send confirmation encrypted by session key

Both parties use session key to encrypt

traffic between server and client
CSCE 813 - Farkas 42
Authentication
• After session key agreement, client assumes that the server is
authenticated
• If user authentication is required:
• Password authentication
• RSA authentication (server need to know the user’s public key)

CSCE 813 - Farkas 43

Electronic Mail Security
Sending E-mail
•The simplest way of sending an e-mail would be sending a message directly from the sender’s
machine to the recipient’s machine.
•In this case, it is essential for both the machines to be running on the network simultaneously.
However, this setup is impractical as users may occasionally connect their machines to the network.
•Hence, the concept of setting up e-mail servers arrived. In this setup, the mail is sent to a mail server
which is permanently available on the network.
•When the recipient’s machine connects to the network, it reads the mail from the mail server.

•In general, the e-mail infrastructure consists of a mesh of mail servers, also termed as Message
Transfer Agents (MTAs) and client machines running an e-mail program comprising of User Agent
(UA) and local MTA.
Email Protocols
•The protocols used for e-mail are as follows −
 Simple mail Transfer Protocol (SMTP) used for forwarding e-mail
messages.
 Post Office Protocol (POP) and Internet Message Access Protocol (IMAP)
are used to retrieve the messages by recipient from the server.
MIME
•Basic Internet e-mail standard was written in 1982 and it describes the format of e-mail
message exchanged on the Internet.
•It mainly supports e-mail message written as text in basic Roman alphabet.
•By 1992, an additional standard Multipurpose Internet Mail Extensions (MIME) was
defined.
•It is a set of extensions to the basic Internet E-mail standard.
•MIME provides an ability to send e-mail using characters other than those of the basic
Roman alphabet such as Cyrillic alphabet (used in Russian), the Greek alphabet, or even
the ideographic characters of Chinese.
•Another need fulfilled by MIME is to send non-text contents, such as images or video clips.
•Due to this features, the MIME standard became widely adopted with SMTP for e-mail
communication.
Email Security
 Confidentiality − E-mail message should not be read by anyone but the intended recipient.

 Authentication − E-mail recipient can be sure of the identity of the sender.

 Integrity − Assurance to the recipient that the e-mail message has not been altered since it was
transmitted by the sender.

 Non-repudiation − E-mail recipient is able to prove to a third party that the sender really did send
the message.

 Proof of submission − E-mail sender gets the confirmation that the message is handed to the
mail delivery system.

 Proof of delivery − Sender gets a confirmation that the recipient received the message.
•Security services such as privacy, authentication, message integrity, and non-repudiation are usually
provided by using public key cryptography.
Secure E-mail Approaches
• PGP: Pretty good Privacy
• PEM: Privacy-Enhanced Mail
• Secure Multipurpose Internet Mail Extensions (S/MIME)

CSCE 813 - Farkas 49

Pretty Good Privacy
• Phil Zimmermann
• Confidentiality and authentication for
• Electronic mail and
• Storage applications

CSCE 813 - Farkas 50

PGP – Evolution
•Pretty Good Privacy (PGP) is an e-mail encryption scheme. It has become the de-facto standard for
providing security services for e-mail communication.
•As discussed above, it uses public key cryptography, symmetric key cryptography, hash function, and
digital signature. It provides −
 Privacy
 Sender Authentication
 Message Integrity
 Non-repudiation
•Along with these security services, it also provides data compression and key management support.
PGP uses existing cryptographic algorithms such as RSA, IDEA, MD5, etc., rather than inventing the
new ones.

CSCE 813 - Farkas 51

PGP - Usage
PGP became widely used within a few years
• Available worldwide for different platforms
• Based on proven secure algorithms (RSA, IDEA, MD5)
• Wide range of applicability
• Was not developed or controlled by government standards

CSCE 813 - Farkas 52

Why PGP?
• Protect privacy
• “I don’t need encryption!” = “I don’t need privacy.”
• Interception transmission to destinations ?
• Transparent mailbox (dial-up connection)
• You may not but other party may want privacy
• Commercial privacy
• Customer’s data
• Company data
• User’s profiling
• Signed messages
• Authentication
• Integrity

CSCE 813 - Farkas 53

PGP Services
 Digital Signature: RSA, MD5
 Hash code of message is created using MD5, encrypted using RSA, with
sender’s private key, and attached to the message
 Confidentiality: RSA, IDEA
 Message is encrypted using IDEA, with one-time session key generated by
the sender, session key is encrypted, using RSA and the recipient’s public
key, and attached to the message

CSCE 813 - Farkas 54

PGP Services
Compression: ZIP
Message may be compressed for storage or transmission
E-mail compatibility: Radix 64 conversion
Encrypted message is converted to ACSII string
Segmentation
To accommodate maximum message size, PGP performs segmentation and
reassembly

CSCE 813 - Farkas 55

Working of PGP
 Hash of the message is calculated. (MD5 algorithm)
 Resultant 128 bit hash is signed using the private key of the sender (RSA Algorithm).
 The digital signature is concatenated to message, and the result is compressed.

 A 128-bit symmetric key, KS is generated and used to encrypt the compressed message
with IDEA.

 KS is encrypted using the public key of the recipient using RSA algorithm and the result is
appended to the encrypted message.
 PGP Format
• The format of PGP message is shown in the following diagram.
• The IDs indicate which key is used to encrypt KS and which key is to be used to verify the signature
on the hash.
• In PGP scheme, a message in signed and encrypted, and then MIME is encoded before
transmission.
PGP Certificate
•PGP key certificate is normally established through a chain of trust. For example,

•A’s public key is signed by B using his public key and B’s public key is signed by C using his public
key. As this process goes on, it establishes a web of trust.
•In a PGP environment, any user can act as a certifying authority.

•Any PGP user can certify another PGP user's public key.

•However, such a certificate is only valid to another user if the user recognizes the certifier as a
trusted introducer.
•Several issues exist with such a certification method. It may be difficult to find a chain leading from a
known and trusted public key to desired key.
•Also, there might be multiple chains which can lead to different keys for desired user.

•PGP can also use the PKI infrastructure with certification authority and public keys can be certified by
CA (X.509 certificate).
Confidentiality

Ksession
Ksession(M)
Ksession(M)
E E M
concatenate
M c
E D Ksession
KBpublic (Ksession)
Ksession
KBpublic (Ksession)
K B
public
KBprivate
Receiver B
Sender A

CSCE 813 - Farkas 59

Compression
• Usually after signature and before encryption
• Preferable to sign uncompressed message -> store them together for future
verification
• PGP’s compression algorithm is not deterministic
• Encryption after compression strengthen cryptographic security (less
redundancy)

CSCE 813 - Farkas 60

Confidentiality
• IDEA: secret-key encryption
• Key-distribution:
• randomly generated, one-time session keys
• Encrypted by receiver’s public key
• Attached to the message
• Double encryption
• IDEA
• One-time key
• RSA key size:
• Casual: 384 bits
• Commercial: 512 bits
• Military: 1024 bits

CSCE 813 - Farkas 61

E-mail Compatibility
• PGP encryption: arbitrary 8-bit binary stream
• Several e-mail system: ASCII text
• PGP: converts the binary stream to a stream of printable ASCII
characters
• Expands the message by 33%
• Converts everything, regardless of content (even ASCII characters)

CSCE 813 - Farkas 62

Segmentation and Reassembly
• E-mail: restriction on maximum message length
• Long messages broken into segments
• Segments are mailed separately
• PGP automatically divides a long message
• Segmentation is done after all other processing
• Receiving PGP reassembles the original message

CSCE 813 - Farkas 63

SMIME
• S/MIME stands for Secure Multipurpose Internet Mail
Extension.
• S/MIME is a secure e-mail standard.
• It is based on an earlier non-secure e-mailing standard called
MIME.
DNS Security

• In the first lesson, we have mentioned that an attacker can use

DNS Cache Poisoning to carry out an attack on the target user.
• Domain Name System Security Extensions (DNSSEC) is an
Internet standard that can foil such attacks.
Vulnerability of Standard DNS

•In a standard DNS scheme, whenever the user wants to connect to any
domain name, his computer contacts the DNS server and looks up the
associated IP address for that domain name.
• Once IP address is obtained, the computer then connects to that IP address.

•In this scheme, there is no verification process involved at all.

•A computer asks its DNS server for the address associated with a website,
the DNS server responds with an IP address, and your computer
undoubtedly accepts it as legitimate response and connects to that website.
• A DNS lookup actually happens in several stages
Securing DNS lookup
• Standard DNS lookup is vulnerable to the attacks such as DNS
spoofing/cache poisoning.
• Securing DNS lookup is feasible using DNSSEC which employs
the public-key cryptography