Predictive Cipher-Suite Negotiation for Boosting Deployment of New Ciphers

Deployment of strong cryptographic ciphers for DNSSEC is essential for long term security of DNS. Unfortunately, due to the hurdles involved in adoption of new ciphers coupled with the limping deployment of DNSSEC, most domains use the weak RSA-1024 cipher. The main problem towards deployment of new ciphers is the resulting bloat of DNSSEC-signed responses due to support of multiple ciphers. This causes not only load on network, but worse, it results in DNS lookup failures, e.g., many network devices block such huge packets. Merely dropping the old ciphers and moving to use new stronger ciphers is not an option since this would break the DNS functionality for all the clients which do not support those new ciphers. The requirement to support new ciphers on both clients and servers coupled with the possible DNS failures due to the resulting large responses reduces the motivation to improve the security of DNS. We aim to resolve this vicious circle. In this work we propose an approach for deployment of new ciphers using a single-sided cipher-suite negotiation. Our mechanism uses machine learning for inferring the set of ciphers potentially supported by the client and then selecting the best cipher from that list. Our evaluations demonstrate that our single-sided cipher-suite negotiation not only allows the domains to unilaterally improve security without waiting for clients to integrate support for new secure ciphers, but it also improves DNS performance by reducing failures. Our results show that a single sided solution can, not only push adoption of new ciphers forward, but it also will resolve the existing interoperability problems with DNSSEC. Our design and preliminary analysis on the feasibility of applying machine learning to this context results in more secure and available DNSSEC. We outline our methodology for machine learning assisted cipher-suite negotiation and provide steps and challenges for future research.