I’ve been saying for a while now that Command and Control messages need to be signed. It’s a question of authentication. When you pass a message to perform an administrative action, what assurance do you have that the message got to the destination unchanged? For example, if the message contains credentials such as a user ID, an LTPA token or a shared secret, how does the command processor know that the message has arrived intact and that those fields are reliable? Remember that this is administrative functionality we are talking about, so if there is no message integrity, then authentication is not reliable. Without reliable authentication, there is no accountability.
WebSphere Application Server is an example of the model I’d like to see. When you install WAS it sets up a lightweight Certificate Authority under the covers. Then as each node is created, WAS generates a certificate. The act of federating a node into the cell causes a certificate exchange to occur and from that point on all command and control messages are signed. The nice thing is that all the complexity is hidden from the administrator. What is exposed is pretty simple: Federate this node into the cell? Yes? OK, done.
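The model described above, reduced to its core, as an added example that is not WAS's own code: a per-node key pair stands in for the node certificate, the verifier's map of trusted public keys stands in for the certificate exchange at federation, and Ed25519 over a canonical JSON encoding stands in for whatever signature scheme WAS actually uses. The node name, action and token values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Command is an administrative message: the node it claims to come from, the
// action, the requesting principal and a credential that must arrive unaltered.
type Command struct {
	Node      string `json:"node"`
	Action    string `json:"action"`
	Principal string `json:"principal"`
	Token     string `json:"token"` // stands in for an LTPA token or shared secret
}

// canonical yields the exact bytes that are signed; the fixed field order means
// sender and verifier encode the same command identically (Marshal cannot fail here).
func canonical(c Command) []byte { b, _ := json.Marshal(c); return b }

// Sign returns the sending node's signature over the command.
func Sign(priv ed25519.PrivateKey, c Command) []byte {
	return ed25519.Sign(priv, canonical(c))
}

// Verify is the command processor's check. trusted holds the public key the
// cell recorded for each node when it was federated; only after this passes
// may the Principal and Token fields be relied on.
func Verify(trusted map[string]ed25519.PublicKey, c Command, sig []byte) error {
	pub, ok := trusted[c.Node]
	if !ok {
		return errors.New("unknown node: no key exchanged at federation")
	}
	if !ed25519.Verify(pub, canonical(c), sig) {
		return errors.New("signature mismatch: altered in transit or not from the claimed node")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // key pair created with the node
	trusted := map[string]ed25519.PublicKey{"node01": pub}
	cmd := Command{Node: "node01", Action: "stopServer", Principal: "wasadmin", Token: "LTPA-EXAMPLE"}
	sig := Sign(priv, cmd)
	fmt.Println("intact:", Verify(trusted, cmd, sig)) // nil
	cmd.Principal = "someone-else" // credential field altered in flight
	fmt.Println("tampered:", Verify(trusted, cmd, sig)) // error
}
```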
This is, I believe, the model that pretty much everything will follow 10 years from now. Hopefully sooner, but surely in 10 years, right? Does anyone out there really think that users will buy (and auditors will allow) enterprise-class software that does not authenticate commands in 10 years time? After a couple years of making this prediction, I was beginning to doubt that it might come true until I read this story in Technology Review.
It seems that the .org and .gov top-level domains are going to turn on DNSSEC. What is DNSSEC, you ask? It is DNS using signed messages! The protocol has been around for more than a decade but has lacked the resources to test and refine it due to widespread lack of interest. That has all changed since Dan Kaminsky demonstrated a method that makes attacking regular, unsigned DNS trivial. Fortunately, DNSSEC was waiting in the wings, and now .org and .gov are embracing it with open arms.
This is great news. Not only does it address a big problem with DNS, but it means that this most ubiquitous of all protocols will use signed command and control messages. Many more people will become aware of the inherent danger in blindly processing unauthenticated messages and begin to wonder what other applications and protocols they use have the same issue. Widespread adoption of DNSSEC sets a precedent that will make it easier for the next application or protocol to make the change, and the next one after that. This news makes me think that maybe, just maybe, my prediction was not so far off the mark.