On Friday morning, the world got a good reminder about the importance of the Internet and the organizations that manage or enable it. The Internet’s state is protected by seven “keys” managed by 14 people. And in a few days, they will hold a historic ritual known as the Root Signing Ceremony.
As you may have experienced, a good chunk of the Internet went down for a while when hackers managed to throw so much traffic at Dyn’s servers that they could no longer cope.
Dyn is just one DNS provider. And while hackers never gained control of its network, successfully taking it offline for even just a few hours via a distributed denial of service attack shows how much the internet relies on DNS. This attack briefly brought down sites like Business Insider, Amazon, Twitter, GitHub, Spotify, and many others.
Because DNS is the naming system that supports human-readable addressing, whoever knocks a DNS service offline or takes control of it can either disable service or redirect name traffic. By gaining control of a DNS database, one is able to take pretty much control of the internet. For instance, the person could send people to fake bank websites instead of real bank websites.
DNS at its highest levels is secured by a handful of people around the world, known as crypto officers. Every three months since 2010, some, but typically not all, of them have gathered for a key “signing” ceremony, where the keys to the internet’s metaphorical master lock are verified and updated. This process is entrusted to the Internet Corporation for Assigned Names and Numbers (ICANN) as the body responsible for assigning numerical internet addresses to websites and computers.
To protect DNS, ICANN came up with a way of securing it without entrusting too much control to any one person or State. It selected seven people as key holders and gave each one an actual key to the internet. It selected seven more people as backup key holders, making it 14 people in all. The ceremony requires at least three of them, and their keys unlock the Internet’s “protocol” and key systems that ensure its integrity.
Participants in the August 2016 ICANN key ceremony.
The ritual of signing!
There are physical keys that are used to unlock safety deposit boxes. Inside these boxes are smart key cards. It takes a quorum of at least three to gain access to the device that generates the internet’s master key. That master key is a computer-generated code known as a root key-signing key. This key is itself a password that can enable access to the master ICANN database. It can also be used to generate more keys that trickle down to protect various bits and pieces of the Internet, in various places, used by different internet security organizations.
The security surrounding the ceremonies, before and after, is as intense as what you’d see in a “Mission Impossible” type of hack. Participants pass through a series of locked doors using key codes and hand scanners at a location in the U.S. until they enter a room so secure that no electronic communications can escape it. Inside the room, the crypto officers assemble along with other ICANN officials and typically some guests and observers.
The whole event is heavily scripted, meticulously recorded, and audited. The exact steps of the ceremony are mapped out in advance and distributed to the participants so that if any deviation occurs the whole room will know. The group conducts the ceremony, as scripted, then each person files out of the room one by one. It’s so intense the post-ceremony ends in a celebration of its own.
But as secure as all of this is, the internet is an open piece of technology not owned by any single entity. The internet was invented in the US, but the US relinquished its decades of stewardship of DNS earlier this month, making ICANN the official organization responsible for its upkeep and evolution. Keenly aware of its international role and the worldwide trust placed in it, ICANN lets anyone monitor this ceremony: it provides a live stream over the internet and has been known to publish the scripts for each ceremony.
On October 27, ICANN will hold another ceremony, and this one will be historic. For the first time, it will change out the master key itself, meaning the “key pair” upon which all DNS security is built, known as the Root Zone Signing Key. The recent rise in DNS vulnerabilities has made it easier for attackers to hijack DNS processes. These vulnerabilities have increased interest in introducing a technology called DNS Security Extensions (DNSSEC) to secure this part of the Internet’s infrastructure.
“ICANN is planning to roll, or change, the ‘top’ pair of cryptographic keys used in the DNSSEC protocol, commonly known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010,”
ICANN said earlier this year. DNS security currently relies on the original 1,024-bit RSA key generated in 2010 for its root zone key. Six years of growth in computing power have changed the landscape dramatically, and 1,024-bit RSA keys are no longer secure enough for the modern web. With IoT and cloud computing, it is now much easier to crack a 1,024-bit key. ICANN is therefore raising the effort required to compromise the root zone key signing key by extending it to a stronger 2,048-bit key.
Top to bottom
DNSSEC works as a hierarchy, with different bodies responsible for each layer and signing the key of the entities in the layer below. Individual domain owners get their keys signed by the operator of the top-level domain. For example, owners with .com domains obtain the public key from VeriSign, which administers the .com top-level domain. Every hierarchy has a topmost layer, and for DNS, that’s the DNS root zone, and someone has to manage the ultimate key. The Root Zone Key Signing Key is managed by ICANN in conjunction with 12 other partners.
“DNSSEC works by forming a chain of trust between the root (i.e., the aforementioned trust anchor) and a leaf node. If every node between the root and the leaf is properly signed, the leaf data is validated. However, as is generally the case with digital (and even physical) security, the chain is only as strong as its weakest link.”
ICANN and volunteers from the global technical community have spent the last five years developing a multistep plan for the rollover. The first step, scheduled for this month, is to generate the new key signing key, then to distribute it so that ISPs, enterprise network operators, hardware manufacturers, and others performing DNSSEC validation can update their systems with the public part of the key pair.
As with all public-key cryptography, a key has two parts: a public part and a private part. The public half of the key pair will be widely distributed to all the servers and devices relying on DNSSEC. The new key signing key will be available on the Internet Assigned Numbers Authority website in February 2017, and it will appear in the DNS for the first time on July 11, 2017. If the systems aren’t updated with the new public key, DNS will eventually break, and users will be unable to access portions of the internet. To make sure the operators have ample time to update their systems, the new keys won’t be used to sign domains until October 2017.
DNSSEC will support both the old key signing key and the newly generated one until January 2018, when the old one is scheduled to be revoked. The secure destruction of the old key is set for March 2018.
“Having both keys together lets ICANN work out any issues,” Vixie says, noting that he doesn’t expect there to be any problems. “The teams involved have thought carefully about this.”
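An added sketch (not ICANN's or any resolver's code) of the chain of trust and the rollover described above: each parent publishes a hash (a DS record) of the child's key signing key, and a validator walks from its configured trust anchors down to the leaf. The key bytes are constructed placeholders, the helper names are assumptions, and signature (RRSIG) verification is left out so that only the hash links and the trust-anchor update are shown.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical DNS wire format ('.' becomes a single zero byte)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, algorithm=8):
    """DNSKEY RDATA: flags (257 = KSK), protocol 3, algorithm (8 = RSA/SHA-256), key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS record content (digest type 2): key tag plus SHA-256(owner | RDATA)."""
    return key_tag(rdata), hashlib.sha256(name_to_wire(owner) + rdata).digest()

def validate_chain(trust_anchors, chain):
    """Walk root -> leaf. chain items: (zone, KSK RDATA, DS set published for child)."""
    accepted = set(trust_anchors)
    for zone, ksk, child_ds in chain:
        if make_ds(zone, ksk) not in accepted:
            return False, zone  # the weakest link: first zone whose key is not vouched for
        accepted = set(child_ds)
    return True, None

def fake_key(label):
    # Constructed placeholder bytes, NOT real RSA key material.
    return dnskey_rdata(hashlib.sha256(label.encode()).digest() * 8)

OLD_ROOT, NEW_ROOT = fake_key("root-ksk-2010"), fake_key("root-ksk-new")
COM, LEAF = fake_key("com-ksk"), fake_key("example.com-ksk")

def build_chain(root_ksk):
    """Constructed three-level hierarchy: root -> com -> example.com."""
    return [(".", root_ksk, [make_ds("com.", COM)]),
            ("com.", COM, [make_ds("example.com.", LEAF)]),
            ("example.com.", LEAF, [])]

old_anchor, new_anchor = make_ds(".", OLD_ROOT), make_ds(".", NEW_ROOT)

if __name__ == "__main__":
    print("old anchor only, new root key:", validate_chain([old_anchor], build_chain(NEW_ROOT)))
    print("both anchors, new root key:  ", validate_chain([old_anchor, new_anchor], build_chain(NEW_ROOT)))
```

A validator that still holds only the old anchor fails at the root once the new key is in use, while one configured with both anchors keeps validating through the overlap period.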
ICANN manages one of the 13 DNS root server clusters, so it will be able to detect if there are any problems with the new keys or configuration problems with DNSSEC. Note, though, that DNSSEC’s job isn’t to encrypt data on the site or in transit, but to ensure users end up on the sites they’re expecting to visit. ICANN and its partner root zone administrators work to make sure that internet users can continue to rely on name translation, so that what even a layperson using the Internet requests or asks for is truthfully the address they are directed to or receive. How long this integrity in Internet addressing lasts will be a test of ICANN’s full responsibility in the coming years.
The international group of root server operators that voluntarily run and own more than 200 servers around the world, which distribute root information from the root zone file across the Internet, are designated by letters of the alphabet. They are:
- A) VeriSign Global Registry Services;
- B) Information Sciences Institute at USC;
- C) Cogent Communications;
- D) University of Maryland;
- E) NASA Ames Research Center;
- F) Internet Systems Consortium Inc.;
- G) U.S. DOD Network Information Center;
- H) U.S. Army Research Lab;
- I) Autonomica/NORDUnet, Sweden;
- J) VeriSign Global Registry Services;
- K) RIPE NCC, Netherlands;
- L) ICANN;
- M) WIDE Project, Japan.