GPU-based NSEC3 Hash Breaking

Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis
University of Duisburg-Essen, Duisburg, Germany
13th IEEE International Symposium on Network Computing and Applications (IEEE NCA), 2014









When a client queries for a non-existent name in the Domain Name System (DNS), the server responds with a negative answer. With the DNS Security Extensions (DNSSEC), the server can either use NSEC or NSEC3 for authenticated negative answers. NSEC3 claims to protect DNSSEC servers against domain enumeration, but incurs significant CPU and bandwidth overhead. Thus, DNSSEC server admins must choose between more efficiency (NSEC) or privacy (NSEC3). We present a GPU-based attack on NSEC3 that revealed 64% of all DNSSEC names in the com domain in 4.5 days. This attack shows that the NSEC3 privacy promises are weak and thus DNSSEC server admins must carefully decide whether the limited privacy is worth the overhead. Furthermore, we show that an increase of the cryptographic strength of NSEC3 puts attackers at an advantage, since the cost of an attack does not rise faster than the costs incurred on the DNSSEC server.