The internet secret keys

Recently, a large portion of the internet went down because of hackers who managed to send uncontrollable traffic to Dyn servers.

Malta Independent - eNEWS & TECH - Jonathan Mizzi. Jonathan Mizzi is Manager of the Alert Digital by Deloitte Data Center.

Although hackers remained unable to take control of one of the major DNS service providers, they successfully managed to take a portion of the internet offline for a few hours. Consequently, this brought down websites such as Amazon, Twitter, Business Insider, SoundCloud, GitHub and Spotify, amongst others.

Dyn is a major provider of Domain Name System (DNS) services. DNS translates web addresses such as yourdo into the numerical IP addresses that computers use to identify web pages. Although hackers never gained full control of Dyn's network, they managed to take it offline for just a few hours via a distributed denial of service attack, and this shows how much the internet relies on DNS.

This attack on DNS has basically shaken the entire system. More responsibility has fallen on the Crypto officers, who are among the few people in the world who hold protected keys to control the entire internet. These fourteen highest-level security officers have command over those seven protected keys, and a few days ago they conducted a historic ritual known as the Root signing ceremony.

This ceremony is largely procedural and was initiated in 2010 by the Internet Corporation for Assigned Names and Numbers, or ICANN. ICANN is a non-profit public-benefit corporation with participants from all over the world, dedicated to keeping the Internet secure and stable. Its main role is to assign numerical IP addresses to websites and computers.

Towards the end of October, ICANN started the process of generating a new root zone key signing key (KSK). The KSK is a cryptographic public-private key pair that plays an important role in the Domain Name System Security Extensions (DNSSEC) protocol. The public portion of the key pair serves as the trusted starting point for DNSSEC validation, similar to how the root zone serves as the starting point for DNS resolution. The private portion of the KSK is used during the Root KSK ceremonies to sign the Zone Signing Keys used by Verisign to DNSSEC-sign the root zone. This task is entrusted to seven people who are chosen to hold the keys, and seven further people who hold the backup keys. The smart card which is required to generate the master key is itself held in an incredibly protected environment due to its sensitivity. The keys used to protect this system are usually renewed every three months as part of the Zone Signing Key (ZSK) protocol that applies to the end of URLs, such as .com, and so on.

This process was needed so that the security protocols that govern the way web addresses are handled on the internet can be changed. ICANN explained that the changes, which relate to the DNSSEC security system, are to ensure that when people try to reach a specific website, the system cannot be hijacked to redirect to a different, possibly malicious, website. This new cryptographic public/private key pair was generated during the Root KSK Ceremony at the secure key management facility in Culpeper, Virginia. With this key generation, the initial operational phase of the first-ever root KSK rollover, the process of changing the “master key” of the Domain Name System (DNS), has begun.

Since this is the first time the root’s KSK key pair is being changed, a coordinated effort is required across many in the Internet community to ensure that all relevant parties have the new public portion of the KSK and are aware of the key roll event. ICANN will be discussing the KSK rollover at various technical fora and will also be using the hashtag #KeyRoll to aggregate content, provide updates, and address inquiries on social media, with the aim of minimising impact as much as possible.

If the KSK rollover is smoothly completed, there will be no visible change for the end user. But as with pretty much any change on the Internet, there is a small chance that some software or systems will not be able to gracefully handle the changes. If complications become widespread, the Root Zone Management Partners may decide that the key roll needs to be reversed so the system can be brought back to a stable state.

For more information, please visit
