
The Canadian Who Holds the Key To the Internet

drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."
  • Not good (Score:5, Insightful)

    by countertrolling ( 1585477 ) on Saturday July 31, 2010 @12:23AM (#33092978) Journal

    The internet is supposed to be able to repair itself. You know, route around damage and stuff? This all sounds as fragile as our transportation system when merely threatened with an explosive device, bringing it to a complete halt. Is our entire food supply this flimsy?

  • by Anonymous Coward on Saturday July 31, 2010 @12:31AM (#33093030)

    The article does state that you need 5 of 7 to restore.

    So if three of them should happen to suffer an unfortunate "accident", everything is totally screwed?

  • by Anonymous Coward on Saturday July 31, 2010 @12:32AM (#33093034)

    The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key.

    Nonsense. Just splitting the key in half would be stupid. There are more systems that really can require at least 4 of the 7 to work and will work with any 4 of the 7. Threshold Cryptosystem [wikipedia.org].

  • by LambdaWolf ( 1561517 ) on Saturday July 31, 2010 @12:49AM (#33093138)

    Or even better, use a cryptographically secure secret sharing scheme, [wikimedia.org] and use the shared secret as a symmetric key to encrypt whatever other data if necessary. Then (if I'm interpreting your post correctly) you wouldn't have to worry about which parties got which segment of the key. In fact, I believe that's just what they're doing. Bruce Schneier had a post on it [schneier.com] the other day.

  • by Sycraft-fu ( 314770 ) on Saturday July 31, 2010 @12:50AM (#33093146)

    The world is not full of evil organizations who are thoroughly evil, yet well funded, that run around doing evil for its own sake. The likelihood of someone blowing up both facilities and kidnapping the people who hold the cards just to try and take down DNSSEC is pretty unlikely. I think this is more likely protection against hacking (which is much safer) or a gigantic mistake. Always good to ask the question "If everything fails, how are we going to rebuild it?" That's what this is.

    Please remember that vast kidnapping conspiracies and so on require a lot of people acting in concert. That is hard to keep hidden. What's more in this case you'd be talking about something all over the world. You are also talking about something that would draw the wrath of the most powerful nations out there. The US (who holds the facilities), the UK, China, etc. It doesn't work like in James Bond where the baddies contact the government and they have to knuckle in unless a lone agent can bring them down. What happens is the governments send in hundreds of heavily armed, highly trained, soldiers that will kill or capture anyone who is involved, or perhaps just as likely simply destroys the building they are in with a well placed smart bomb from a bomber you cannot see.

    The idea here seems to more be a final redundancy against a systems failure, but one where a single person can't go rogue and cause a problem.

    So please, stop with the paranoid movie plots.

  • by JWSmythe ( 446288 ) <jwsmythe@nospam.jwsmythe.com> on Saturday July 31, 2010 @12:52AM (#33093164) Homepage Journal

        Yup. Poor disaster planning.

        They've never heard of assured continuity. It's a good plan if all other services are ok. If I read it right, the folks need to gather at a known point. That would assume air travel was still viable. We saw that stop during 9/11. Since they're smart cards, I'm assuming it would require the appropriate smart card readers. If the physical locations where they are to assemble aren't accessible, that makes it a bit rough. They mention two US sites as the places to gather, so civil unrest in the US could severely limit travel. While us Americans are very America-centric, I'm sure the rest of the world wouldn't be totally delighted if their Internet services stopped working just because we were having problems.

        If it does take 5 of 7 to restore the key, that could be problematic. They named one. I'm sure brute force decryption (i.e., torture) could find out who at least two others are. So if 3 were taken out of the equation, that leaves 4 to carry on. As time goes on, it would be a shame if the cards were lost. Just because you stuck it in the safe doesn't mean that safe will always be the one you use. People move. Offices change. People die. When Joe-key-holder dies, and his coworkers don't realize what the keys are, they could easily end up in a file box marked "Joe's office stuff", and stuck in storage to be forgotten about after a few years of staff churn.

        I don't see it as catastrophic. It's about as rough as when we were told "be sure to update your named.root file." Lots of people did it. Lots of people who should have didn't know. Even if you missed it, it didn't really break anything very much.

       

  • by PAjamian ( 679137 ) on Saturday July 31, 2010 @01:13AM (#33093234)

    I was thinking something similar to the way RAID6 [wikipedia.org] is implemented, where you have five blocks of data plus two parity blocks so that any two block devices can be missing and all the data can still be reconstructed. This could easily be adapted on a smaller scale to work with key-sharing.

  • by PAjamian ( 679137 ) on Saturday July 31, 2010 @01:16AM (#33093242)

    No, for everything to be totally screwed, the full key held at the two secure facilities in the US would have to be lost or destroyed plus the keys held by three of the "key-holders" would have to be lost or destroyed as well.

  • by thej1nx ( 763573 ) on Saturday July 31, 2010 @01:24AM (#33093266)
    As time goes on, it would be a shame if the cards were lost. Just because you stuck it in the safe doesn't mean that safe will always be the one you use. People move. Offices change. People die. When Joe-key-holder dies, and his coworkers don't realize what the keys are, they could easily end up in a file box marked "Joe's office stuff", and stuck in storage to be forgotten about after a few years of staff churn.

    I am pretty sure if you are one of the only seven people in the world to be trusted with the responsibility of a certain item, you will just "forget" it when you move.

    When you come up with outlandish theories, at least use common sense. It is perfectly possible that the card gets stolen by a burglar who doesn't realize what it is. And even then it will at least be reported and appropriate measures taken. You seem to have picked up some curious notion that nobody had the foresight to keep a note on the whereabouts and well-being of these individuals ("Where are those cards again? I dunno... some dude was supposed to have them. Not sure where they are now, or who they were... we sent them deep undercover you see, to protect them against torture from enemy agents!").

    This is just a mere precaution of not keeping their eggs in one basket, since losing the key will indeed be catastrophic to DNSSEC. If anything, it is obviously just one of the many other backups they have.

  • Re:Condescending (Score:1, Insightful)

    by Anonymous Coward on Saturday July 31, 2010 @03:01AM (#33093568)
    Except this is Slashdot, as low as the standard is if you look at other articles (such as the Science ones) there is this expectation that the reader isn't an idiot and knows something about the field already. If we wanted watered down crap we'd go to Digg.
  • by Wandering Idiot ( 563842 ) on Saturday July 31, 2010 @05:51AM (#33094144)
    Thanks for "leaving it at that"! God forbid you provide any basic information on what you're talking about or why anyone should be interested.
  • Trinidad & Tobago (Score:3, Insightful)

    by denzacar ( 181829 ) on Saturday July 31, 2010 @07:48AM (#33094516) Journal

    The one from Trinidad & Tobago, duh.
    Gi is from China, Kwame is from Burkina Faso, Linka is from Czech Republic and Wheeler is from USA.

    But, adding Paul from UK and Ritchie from Canada is a bit Anglo-centric and ridiculous.
    Those are not even two different countries, let alone continents.

  • by Anonymous Coward on Saturday July 31, 2010 @11:13AM (#33095450)

    Both the secure sites are in the US.

    In the event of an emergency, I can imagine that the US will be distrustful of foreigners trying to enter the country,

    Especially if the person has a name which is even slightly Islamic sounding or has a slightly darker skin than a Caucasian.

    That has been happening since 9/11 - I doubt it will change anytime soon.

    If any of the key holders are as I described, they may end up being blocked from entry and "rebooting" the dns.

    The captcha I got was "paranoia".

    How ironic.
