14712146
story
Comments: 199 + - Technology: The Canadian Who Holds the Key To the Internet on Saturday July 31, @12:17AM
Posted
by
Soulskill
on Saturday July 31, @12:17AM
from the hope-nothing-breaks-during-hockey-season dept.
from the hope-nothing-breaks-during-hockey-season dept.
background: url(//a.fsdn.com/sd/topics/topiccanada.png); width:80px; height:82px;
canada
background: url(//a.fsdn.com/sd/topics/topicnetworking.gif); width:71px; height:37px;
networking
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicinternet.gif); width:70px; height:73px;
internet
background: url(//a.fsdn.com/sd/topics/topicit.gif); width:75px; height:61px;
it
background: url(//a.fsdn.com/sd/topics/topictech2.gif); width:60px; height:80px;
technology
drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."
Related Stories
Submission: The Canadian who holds the key to the Internet by Anonymous Coward
I like work; it fascinates me; I can sit and look at it for hours.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
Really two different halves (Score:3, Interesting)
The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.
Re:Really two different halves (Score:5, Informative)
Parent
Re:Really two different halves (Score:5, Informative)
Looks like you're right; they appear to be using an implementation of Shamir's Secret Sharing [wikipedia.org]
Parent
Re: (Score:2, Insightful)
I was thinking something similar to the way RAID6 [wikipedia.org] is implemented, where you have five blocks of data plus two parity blocks so that any two block devices can be missing and all the data can still be reconstructed. This could easily be adapted on a smaller scale to work with key-sharing.
Re:Really two different halves (Score:5, Informative)
Nope. It's common practice in the PKI world to use an HSM which calculates the private key upon startup. The key is not stored anywhere. It's calculated when you start the HSM. It's a function with 7 intersection points with the X axis. Knowing any 4 of the 7 intersection points is enough to calculate the function parameter. That in turn is the actual private key.
RAID has nothing to do with this. The HSMs operate under the presumption that the safest guard for the private key is not to have it at all, encrypted or not. You calculate it only when needed. If the HSM goes down you need a new key migration ceremony in a worst case scenario, and in the best case scenario, just the administrator and operator smart cards to unlock the security world.
This is what is being done at any public CA installed in your browser and at any Publicly signed Enterprise CA.
Parent
Re: (Score:2)
Looks like you're right; they appear to be using an implementation of Shamir's Secret Sharing [wikipedia.org]
That sounds like the Arabic version of the Colonel's 7 secret herbs and spices. [kfc.com]
Re: (Score:3, Funny)
Of course they should instead have chosen a system where you need 7 of 9 to restore!
Re:Really two different halves (Score:5, Insightful)
Yup. Poor disaster planning.
They've never heard of assured continuity. It's a good plan if all other services are ok. If I read it right, the folks need to gather at a known point. That would assume air travel was still viable. We saw that stop during 9/11. Since they're smart cards, I'm assuming it would require the appropriate smart card readers. If the physical locations where they are to assemble aren't accessible, that makes it a bit rough. They mention two US sites as the places to gather, so civil unrest in the US could severely limit travel. While us Americans are very America-centric, I'm sure the rest of the world wouldn't be totally delighted if their Internet services stopped working just because we were having problems.
If it does take 5 of 7 to restore the key, that could be problematic. They named one. I'm sure brute force decryption (i.e., torture) could find out who at least two others are. So if 3 were taken out of the equation, that leaves 4 to carry on. As time goes on, it would be a shame if the cards were lost. Just because you stuck it in the safe doesn't mean that safe will always be the one you use. People move. Offices change. People die. When Joe-key-holder dies, and his coworkers don't realize what the keys are, they could easily end up in a file box marked "Joe's office stuff", and stuck in storage to be forgotten about after a few years of staff churn.
I don't see it as catastrophic. It's about as rough as when we were told "be sure to update your named.root file." Lots of people did it. Lots of people who should have didn't know. Even if you missed it, it didn't really break anything very much.
Parent
Re:Really two different halves (Score:4, Insightful)
I am pretty sure if you are one of the only seven people in the world to be trusted with the responsibility of a certain item, you will just "forget" it when you move.
When you come up with outlandish theories, at least use common sense. It is perfectly possible that the card gets stolen by a burglar who doesn't realizes what it is. And even then it will at least be reported and appropriate measures taken. You seem to have picked up some curious notion that nobody had the foresight to keep a note on the whereabouts and well-being of these individuals("Where are those cards again? I dunno... some dude was supposed to have them. Not sure where they are now, or who they were... we sent them deep undercover you see, to protect them against torture from enemy agents!").
This is just a mere precaution of not keeping their eggs in one basket, since losing the key will indeed be catastrophic to DNSSEC. If anything, it is obviously just one of the many other backups they have.
Parent
Re:Really two different halves (Score:5, Funny)
Yup. Poor disaster planning.
More like typical disaster planning.
Parent
Re: (Score:3, Interesting)
This wouldn't happen.
While Domain name resolution would stop working, if there was some kind of emergency situation, lists could be published of ip addresses for each site.
Domain name resolution is convenient it isn't required for operation.
The government of the country in question could also fire up their own DNS system and publicly publish the address for it so that citizens could use it.
Re: (Score:3, Funny)
But, that's half the fun. Damn.
Re: (Score:3, Insightful)
No, for everything to be totally screwed, the full key held at the two secure facilities in the US would have to be lost or destroyed plus the keys held by three of the "key-holders" would have to be lost or destroyed as well.
Re: (Score:2, Informative)
Re: (Score:3, Informative)
There's no need to split it up so simply. There are ways of splitting up a dataset in 7 such that any 4 can reconstitute it without allowing any handpicked 3 to be able to do so.
An example, where you wanted to require two of three could be accomplished by splitting the key and a random number into thirds. Each party would get 1/3 of the key, 1/3 of the random number and 1/3 of the XOR of the two. Then any two can determine the whole key (assuming they knew which one of their thirds each section was, of c
Re: (Score:3, Insightful)
Or even better, use a cryptographically secure secret sharing scheme, [wikimedia.org] and use the shared secret as a symmetric key to encrypt whatever other data if necessary. Then (if I'm interpreting your post correctly) you wouldn't have to worry about which parties got which segment of the key. In fact, I believe that's just what they're doing. Bruce Schneier had a post on it [schneier.com] the other day.
My first thought... (Score:5, Funny)
Earth! Fire! Wind! Water! Heart!
It'd be awesome if they yelled that out as they each scanned their cards.
Parent
Re:My first thought... (Score:5, Funny)
com! net! org! tv! biz!
Captain DNS and the Resolveteers!
Parent
Not good (Score:5, Insightful)
The internet is supposed to be able to repair itself. You know, route around damage and stuff? This all sounds as fragile as our transportation system when merely threatened with an explosive device, bringing it to a complete halt. Is our entire food supply this flimsy?
Re: (Score:2)
Is our entire food supply this flimsy?
Nothing is immune from attack. Some attacks might take more thought, but are no harder to pull off.
Re:Not good (Score:4, Funny)
Think about it, if walmart lost their supply chain, probably 1/3 of Americans would die of malnutrition within a week, or gain 50kg from the take out consumed.
To be honest, the "internet" would keep going, and does indeed route around damage, but the "web" would have the computer version of a stroke if you dropped the root DNS.
Parent
Re:Not good (Score:4, Funny)
Walmart is nutritious AND less calories than take-out?! BTW, Americans don't gain kg, pounds or lbs, sure, but not kg.
Parent
Re: (Score:2)
And the ordinary grocery is as cheap as it gets. Try comparing nutrition contents between generics and the name-brand sometime. It's amazing how different they can be.
Re:Not good (Score:5, Informative)
The internet is supposed to be able to repair itself. You know, route around damage and stuff?
The internet will continue to work fine. This only impacts DNSSEC and the ability to rebuild based on the private key distributed on those smartcards. If all 7 get assassinated and their smart cards hacked to bits with no backups, we can still revert to plain old DNS.
Parent
Re: (Score:3)
Re: (Score:3, Interesting)
that is a feature of IP, not a feature of DNS. The article is about DNS, or more specifically, about DNSSEC.
very few today use straight up IP addresses to access a service (heck, a lot of services are potentially housed under a single IP, but you get the one you want thanks to the browser telling the server what domain name you entered), and DNSSEC puts a extra layer of verification that you get the correct IP when you enter a domain name.
That would mean... (Score:2)
That would mean that any successful attack on the system would have to include the kidnapping/assassination of at least six of these people. Plan for seven hits--the attackers could completely botch one attempt and still be successful. Pretty good odds.
Nice of them to provide names.
We don't live in the movies (Score:5, Insightful)
The world is not full of evil organizations who are thoroughly evil, yet well funded, that run around doing evil for its own sake. The likelihood of someone blowing up both facilities and kidnapping the people who hold the cards just to try and take down DNSSEC is pretty unlikely. I think this is more likely protection against hacking (which is much safer) or a gigantic mistake. Always good to ask the question "If everything fails, how are we going to rebuild it?" That's what this is.
Please remember that vast kidnapping conspiracies and so on require a lot of people acting in concert. That is hard to keep hidden. What's more in this case you'd be talking about something all over the world. You are also talking about something that would draw the wrath of the most powerful nations out there. The US (who holds the facilities), the UK, China, etc. It doesn't work like in James Bond where the baddies contact the government and they have to knuckle in unless a lone agent can bring them down. What happens is the governments send in hundreds of heavily armed, highly trained, soldiers that will kill or capture anyone who is involved, or perhaps just as likely simply destroys the building they are in with a well placed smart bomb from a bomber you cannot see.
The idea here seems to more be a final redundancy against a systems failure, but one where a single person can't go rogue and cause a problem.
So please, stop with the paranoid movie plots.
Parent
Re: (Score:2)
12-21-2012, the World wide intertubes crashes and now an international team of super hackers/spies must quickly move to find and safely bring together the seven cards before The Inventor (Al Gore) allows one ACTA to rule them all
hmmmm.......me thinks I should open up Celtx and start writing...
Re: (Score:3, Funny)
So please, stop with the paranoid movie plots.
You have to admit this does provide the basis for a pretty good movie plot... I predict that Jason Bourne (or Robert Langdon, or Richard Stallman) will be trying to save at least 5 of these people on screen within a few years.
Re: (Score:2)
Plan for seven hits--the attackers could completely botch one attempt and still be successful.
It's a 4-of-7 recreation set. You only have to knock out four to prevent the key being rebuilt. You also don't have to kill them -- just prevent them from remembering their passwords.
Re: (Score:2)
Assassination is cheap. Kidnapping is expensive.
All a working assassination takes is one nutjob with a gun. He doesn't even have to escape, if he's crazy enough. It really doesn't even require a gun, but it's much easier to pop a person than to do it in a whole variety of manual ways. Of course, people look at movies and think of all the other options. "We could plant a pound of C4 under his car, and detonate it with a cell phone." Ya, good luck there, First you have to
Re: (Score:2)
I'm a little worried that you are so familiar with these topics. Please wait, police are enroute.
If all seven get together do they become Voltron? (Score:2, Funny)
Or do they summon Captain Planet? ...or Wilford Brimley?
seven? nine? three? (Score:5, Funny)
Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions).
I thought the dwarves got seven cards. And, the humans got nine... and the elves three. Or, am I mixing something up?
Re: (Score:2)
And Al Gore got one to rule them all? Hmmm....whiskey and slashdot don't mix well....
007 (Score:3, Funny)
I see a new James Bond movie in the making here...
I'm sorry.... (Score:2)
but this reads like an intro to a bad cyberpunk novel/movie....
Seven, heh ? (Score:5, Funny)
One Card to rule them all, One Card to find them,
One Card to bring them all and in the darkness bind them
Article Omega (Score:2, Funny)
This, Jen, is the internet (Score:5, Funny)
Jen: What is it?
Moss: This, Jen, is the Internet.
Jen: What?
Moss: That's right.
Jen: This is the Internet?
[Moss is nodding his head]
Jen: (suspiciously) The whole Internet?
Moss: (agreeably) Yep. I asked for a loan of it, so that you could use it in your speech.
[Roy enters the room.]
Roy: (irritated) Hey! What is Jen doing with the Internet?
Jen: Moss said I could use it for my speech.
[Roy speaks to Moss in an edgy way.]
Roy: Are you insane? What if she drops it?
Jen: I won't drop it, I'll look after it.
Roy: No. No, no, no, no, Jen. [Takes the box back from Jen.] No, this needs to go straight back to Big Ben.
Jen: Big Ben?
Moss: Yep. It goes on top of Big Ben. That's where you get the best reception.
Jen: I promise I won't let anything happen to it.
Roy: No, Jen, I'm sorry. [Jen becomes woeful.] The elders of the Internet would never stand for it.
Sure, there are seven of them now... (Score:2)
...but there can be only one.
Seven to the Canadians in their Halls of Snow (Score:5, Funny)
(But in secret, another smart-card was made - one that could rule all the others...)
A British key-holder giving and interview (Score:3, Informative)
You couldn't just find everyone? (Score:3, Interesting)
Perhaps I don't have a grasp on how the Internet, TCP/IP, etc. work.
But it seems to me, if you turned loose a spider that wandered around (from 000.000.0000 to 999.999.9999) and queried EVERY IP out there ... wouldn't you end up with a complete structure of which IPs were active, which were not, and some sort of identification for each and every one of them? And what was connected to what (to rebuild routing tables. Especially if the IP host actually responded with some sort of ID?
For that matter, that identification could be done after the fact, ne? "Dude, if you're an active IP, send an email to this site with your IP and this completed DNS form. You won't be on the active list until you do."
Bidda boom, bidda bing.
Besides, this is just a plain old database anyway, isn't it? Just back up the damned thing.
Re:You couldn't just find everyone? (Score:4, Informative)
1) Yes, you could [isi.edu].
2) When you have a workable method for sending a postcard to every IP address, let me know. Mapping IP address to street address is a neat trick if you can pull it off. Just don't rely on WHOIS, for obvious reasons.
Parent
Re: (Score:2)
You may know. I may know. Most of us may know. There are still a lot of people out there who don't understand how any of this works. To them it's just like magic.
LK
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Dan Kaminsky got a key,
Paul Kane [cdns.net] got one,
the others well geograpically distributed [geekosystem.com] make the international resque team complete.
Trinidad & Tobago (Score:3, Insightful)
The one from Trinidad & Tobago, duh.
Gi is from China, Kwame is from Burkina Faso, Linka is from Czech Republic and Wheeler is from USA.
But, adding Paul from UK and Ritchie from Canada is a bit Anglo-centric and ridiculous.
Those are not even two different countries, let alone continents.