Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Canada Networking Security The Internet IT Technology

The Canadian Who Holds the Key To the Internet 199

drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."
This discussion has been archived. No new comments can be posted.

The Canadian Who Holds the Key To the Internet

Comments Filter:
  • by XanC ( 644172 ) on Friday July 30, 2010 @11:18PM (#33092962)

    The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.

    • by joeflies ( 529536 ) on Friday July 30, 2010 @11:24PM (#33092988)
      The article does state that you need 5 of 7 to restore.
      • by XanC ( 644172 ) on Friday July 30, 2010 @11:28PM (#33093010)

        Looks like you're right; they appear to be using an implementation of Shamir's Secret Sharing [wikipedia.org]

        • Re: (Score:2, Insightful)

          by PAjamian ( 679137 )

          I was thinking something similar to the way RAID6 [wikipedia.org] is implemented, where you have five blocks of data plus two parity blocks so that any two block devices can be missing and all the data can still be reconstructed. This could easily be adapted on a smaller scale to work with key-sharing.

          • by d3vi1 ( 710592 ) on Saturday July 31, 2010 @04:55AM (#33094154)

            Nope. It's common practice in the PKI world to use an HSM which calculates the private key upon startup. The key is not stored anywhere. It's calculated when you start the HSM. It's a function with 7 intersection points with the X axis. Knowing any 4 of the 7 intersection points is enough to calculate the function parameter. That in turn is the actual private key.

            RAID has nothing to do with this. The HSMs operate under the presumption that the safest guard for the private key is not to have it at all, encrypted or not. You calculate it only when needed. If the HSM goes down you need a new key migration ceremony in a worst case scenario, and in the best case scenario, just the administrator and operator smart cards to unlock the security world.

            This is what is being done at any public CA installed in your browser and at any Publicly signed Enterprise CA.

            • by Dr. Evil ( 3501 )

              All these guys know one another and probably share tips on running private companies, including which banks offer the best safe deposit boxes. They all travel a lot, so they'd be crazy to keep stuff in a personal safe.

              I bet all 7 keys are within 5 meters of each other at the 200 Bay office of RBC in Toronto.

              • by d3vi1 ( 710592 )

                These Ultra Secure Environment things are usually governed by a clear set of policies created for each such project uniquely. The keys are usually not allowed by policy to be in the same geographical area unless so requested by the policy creating authority.
                For such an op (strictly speaking it's a ceremony), you should schedule the arrival in advance and securely send all the documentation detailing the process to all participants with time to spare. If the information is valuable enough, the participants s

        • by syousef ( 465911 )

          Looks like you're right; they appear to be using an implementation of Shamir's Secret Sharing [wikipedia.org]

          That sounds like the Arabic version of the Colonel's 7 secret herbs and spices. [kfc.com]

          • by Dahamma ( 304068 )

            Seven? SEVEN!? No, man, no! 11's the key number here. Think about it. 7-Elevens. 11 chipmunks twirlin' on a branch, eatin' lots of sunflowers on my uncle's ranch. You know that old children's tale from the sea. It's like you're dreamin' about Gorgonzola cheese when it's clearly Brie time, baby. Step into my office.

      • Re: (Score:3, Funny)

        Of course they should instead have chosen a system where you need 7 of 9 to restore!

    • Re: (Score:2, Informative)

      by Anonymous Coward
      No, if they say 4 of 7, then they probably really in fact mean 4 of 7. You are right that having just 2 pieces and distributing copies of them would get the situation you describe (well, actually, it would require 5 of 7 as 4 people would have one half and 3 would have the other half), but algorithms exist to split a key into any number of a pieces and require any number of those pieces to get a full key. Basically, just make a PAR [wikimedia.org] of the key with the desired amount of redundancy and hand out equal sized ch
    • Re: (Score:3, Informative)

      There's no need to split it up so simply. There are ways of splitting up a dataset in 7 such that any 4 can reconstitute it without allowing any handpicked 3 to be able to do so.

      An example, where you wanted to require two of three could be accomplished by splitting the key and a random number into thirds. Each party would get 1/3 of the key, 1/3 of the random number and 1/3 of the XOR of the two. Then any two can determine the whole key (assuming they knew which one of their thirds each section was, of c

      • Re: (Score:3, Insightful)

        by LambdaWolf ( 1561517 )

        Or even better, use a cryptographically secure secret sharing scheme, [wikimedia.org] and use the shared secret as a symmetric key to encrypt whatever other data if necessary. Then (if I'm interpreting your post correctly) you wouldn't have to worry about which parties got which segment of the key. In fact, I believe that's just what they're doing. Bruce Schneier had a post on it [schneier.com] the other day.

    • by Anonymous Coward on Saturday July 31, 2010 @12:56AM (#33093352)

      Earth! Fire! Wind! Water! Heart!

      It'd be awesome if they yelled that out as they each scanned their cards.

      • by Dogers ( 446369 ) on Saturday July 31, 2010 @05:15AM (#33094214)

        com! net! org! tv! biz!

        Captain DNS and the Resolveteers!

        • Oh and Ritchie, you get to wear this. When you're on duty, that is.

          "Do I have to?!"

          Shall we go over this again? It happens at every Secret Session.

          "'Secret session?' Just call them meetings, for cryin out loud!"

          In an abandoned underground bunker somewhere, the Captain mentally goes to his quiet place...

      • Earth! Fire! Wind! Water! Heart!

        So, you're saying love is the fifth element?
        • Earth! Fire! Wind! Water! Heart! So, you're saying love is the fifth element?

          Actually it's more like communing with animals. (Insert preemptive "getcher minds outta the gutter" here.)

    • by leto ( 8058 )

      It's 4 out of 7 to get the key that can decrypt the backup. The backup is not in the hands of the 7,so they cannot do anything by themselves!

    • by slick7 ( 1703596 )

      The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.

      Don't forget the two complete sets that I have in a shoe box next to my underwear.

    • by DrXym ( 126579 )
      The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.

      The attacker would have to make sure to kill 3 of them (or the cards they carry) to defeat this scheme.

  • Not good (Score:5, Insightful)

    by countertrolling ( 1585477 ) on Friday July 30, 2010 @11:23PM (#33092978) Journal

    The internet is supposed to be able to repair itself. You know, route around damage and stuff? This all sounds as fragile as our transportation system when merely threatened with an explosive device, bringing it to a complete halt. Is our entire food supply this flimsy?

    • Is our entire food supply this flimsy?

      Nothing is immune from attack. Some attacks might take more thought, but are no harder to pull off.

    • Re:Not good (Score:4, Funny)

      by Barny ( 103770 ) on Friday July 30, 2010 @11:30PM (#33093026) Journal

      Think about it, if walmart lost their supply chain, probably 1/3 of Americans would die of malnutrition within a week, or gain 50kg from the take out consumed.

      To be honest, the "internet" would keep going, and does indeed route around damage, but the "web" would have the computer version of a stroke if you dropped the root DNS.

      • Re:Not good (Score:4, Funny)

        by rolfwind ( 528248 ) on Friday July 30, 2010 @11:38PM (#33093074)

        Think about it, if walmart lost their supply chain, probably 1/3 of Americans would die of malnutrition within a week, or gain 50kg from the take out consumed.

        Walmart is nutritious AND less calories than take-out?! BTW, Americans don't gain kg, pounds or lbs, sure, but not kg.

    • Re:Not good (Score:5, Informative)

      by nacturation ( 646836 ) * <nacturation@gmai l . c om> on Friday July 30, 2010 @11:34PM (#33093048) Journal

      The internet is supposed to be able to repair itself. You know, route around damage and stuff?

      The internet will continue to work fine. This only impacts DNSSEC and the ability to rebuild based on the private key distributed on those smartcards. If all 7 get assassinated and their smart cards hacked to bits with no backups, we can still revert to plain old DNS.

      • I am soooooo glad you explained this.

        I had just been handed the assignment, from the World Domination Society, to plan the covert murders of all seven. Now I realize it won't be necessary.....at least not at this time.

        [Amerika is Skynet]

    • This is like all the phone books in the world going up in flames. The network would still work, but you wouldn't know people's numbers.
    • Re: (Score:3, Interesting)

      by hitmark ( 640295 )

      that is a feature of IP, not a feature of DNS. The article is about DNS, or more specifically, about DNSSEC.

      very few today use straight up IP addresses to access a service (heck, a lot of services are potentially housed under a single IP, but you get the one you want thanks to the browser telling the server what domain name you entered), and DNSSEC puts a extra layer of verification that you get the correct IP when you enter a domain name.

  • That would mean that any successful attack on the system would have to include the kidnapping/assassination of at least six of these people. Plan for seven hits--the attackers could completely botch one attempt and still be successful. Pretty good odds.

    Nice of them to provide names.

    • by Sycraft-fu ( 314770 ) on Friday July 30, 2010 @11:50PM (#33093146)

      The world is not full of evil organizations who are thoroughly evil, yet well funded, that run around doing evil for its own sake. The likelihood of someone blowing up both facilities and kidnapping the people who hold the cards just to try and take down DNSSEC is pretty unlikely. I think this is more likely protection against hacking (which is much safer) or a gigantic mistake. Always good to ask the question "If everything fails, how are we going to rebuild it?" That's what this is.

      Please remember that vast kidnapping conspiracies and so on require a lot of people acting in concert. That is hard to keep hidden. What's more in this case you'd be talking about something all over the world. You are also talking about something that would draw the wrath of the most powerful nations out there. The US (who holds the facilities), the UK, China, etc. It doesn't work like in James Bond where the baddies contact the government and they have to knuckle in unless a lone agent can bring them down. What happens is the governments send in hundreds of heavily armed, highly trained, soldiers that will kill or capture anyone who is involved, or perhaps just as likely simply destroys the building they are in with a well placed smart bomb from a bomber you cannot see.

      The idea here seems to more be a final redundancy against a systems failure, but one where a single person can't go rogue and cause a problem.

      So please, stop with the paranoid movie plots.

      • 12-21-2012, the World wide intertubes crashes and now an international team of super hackers/spies must quickly move to find and safely bring together the seven cards before The Inventor (Al Gore) allows one ACTA to rule them all

        hmmmm.......me thinks I should open up Celtx and start writing...

      • Re: (Score:3, Funny)

        by Jeremi ( 14640 )

        So please, stop with the paranoid movie plots.

        You have to admit this does provide the basis for a pretty good movie plot... I predict that Jason Bourne (or Robert Langdon, or Richard Stallman) will be trying to save at least 5 of these people on screen within a few years.

      • I think this is more likely protection against hacking (which is much safer) or a gigantic mistake. Always good to ask the question "If everything fails, how are we going to rebuild it?" That's what this is.

        Eh, maybe. That's perfectly reasonable of course, and they should have exactly that planning. But they're taking some strange precautions if that's all they're guarding against. Why physically separate the cards? That's just going to make any effort to restore after a gigantic mistake take even longe

        • The trick is we have 2 concerns

          1 disaster recovery (the hot copy gets destroyed)
          2 ensuring security

          If anybody wants to somehow compromise the system they would need to somehow gets hands on the keyset. Given that these persons are "targets of opportunity" i would bet that various TLAs know exactly where each of these folks are at any given time.

          So we have the possibility that in an attack Norm Ritchie goes missing then depending on the lag time every TLA in the area gets their hands on the other six on a "M

      • The world is not full of evil organizations who are thoroughly evil, yet well funded, that run around doing evil for its own sake.

        Alternatively, one or more of these evil-for-evil's-sake, well funded organizations do exist, and have just convinced you that they don't exist. Had you been wearing my tinfoil hat, that wouldn't have happened.

      • So please, stop with the paranoid movie plots.

        I love writing paranoid movie plots. I can give the fun details, without having to drag it out to be a feature length film, or even a single television episode.

        In my next episode, the secret evil government agency will start kidnapping Slashdot users with low UID's (see, you're safe), and post disinformation on their plans here, so anyone who thinks they know something about a secret government conspiracy can be written off as it b

      • by isorox ( 205688 )

        What happens is the governments send in hundreds of heavily armed, highly trained, soldiers that will kill or capture anyone who is involved, or perhaps just as likely simply destroys the building they are in with a well placed smart bomb from a bomber you cannot see.

        Caught Bin Laden yet? Stopped Al-Qaeda yet?

    • Plan for seven hits--the attackers could completely botch one attempt and still be successful.

      It's a 4-of-7 recreation set. You only have to knock out four to prevent the key being rebuilt. You also don't have to kill them -- just prevent them from remembering their passwords.

    • Assassination is cheap. Kidnapping is expensive.

      All a working assassination takes is one nutjob with a gun. He doesn't even have to escape, if he's crazy enough. It really doesn't even require a gun, but it's much easier to pop a person than to do it in a whole variety of manual ways. Of course, people look at movies and think of all the other options. "We could plant a pound of C4 under his car, and detonate it with a cell phone." Ya, good luck there, First you have to

      • by tylernt ( 581794 )

        I'm a little worried that you are so familiar with these topics. Please wait, police are enroute.

      • Then you have to convert a cell phone to be a trigger.

        Well, supposing you buy the detonator along with the C4, you just need an electric charge, right? Just get the phone's ringer or vibration motor and cut the wires.
        Maybe it's more difficult, but many of the people who have used it where not electrical engineers by any means, so it must not be terrible difficult.

        We all get spam phone calls. One call offering you a free trip to Disney ruins the whole plan.

        Oh, that I know how to solve.
        1) Get a cheap Nokia.
        2)

        •     Actually, if I know C4 and it's detonators right, the electrical charge goes to the small primer explosive, which detonates the whole package. I'd assume the vibrator motor could provide sufficient power, but it may need to trigger a relay to provide power from a larger power source (like a pack of D cell batteries). It makes "what wire do I cut" a lot easier. :)

      • by grumling ( 94709 )

        Nicky Santoro: [voice-over] A lot of holes in the desert, and a lot of problems are buried in those holes. But you gotta do it right. I mean, you gotta have the hole already dug before you show up with a package in the trunk. Otherwise, you're talking about a half-hour to forty-five minutes worth of digging. And who knows who's gonna come along in that time? Pretty soon, you gotta dig a few more holes. You could be there all frekin' night.

      • by TheLink ( 130905 )

        > The US has 12 reserve banks, and there are about 8,100 tonnes of gold in them

        Hmm that's about 310 billion US dollars, or about 26 billion per bank.

        I think the investment bankers help lose a lot more money than that ;).

        The Federal Reserve also secretly loaned out more than that:

        http://www.google.com/search?q=+site:www.bloomberg.com+federal+reserve+trillions [google.com]

        So I think there are ways to make a huge profit and do it far more safely and legally[1] than robbing banks.

        [1] Yes there's some relativeness - even

    • by jd2112 ( 1535857 )

      Nice of them to provide names.

      When the Hope Diamond was moved from from South Africa to England they made a big deal about it, sending a whole fleet of Royal Navy ships to protect it.

      Only the diamond wasn't on any of the ships. It was sent parcel post through standard shipping channels. The fleet was just a diversion.

      This guy may be one of the ships protecting the DNSSec key...

  • Or do they summon Captain Planet? ...or Wilford Brimley?

  • by chub_mackerel ( 911522 ) on Friday July 30, 2010 @11:41PM (#33093102)

    Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions).

    I thought the dwarves got seven cards. And, the humans got nine... and the elves three. Or, am I mixing something up?

    • And Al Gore got one to rule them all? Hmmm....whiskey and slashdot don't mix well....

    • I came to post something like this. I'm glad someone did it already (and did it well).
    • Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions).

      I thought the dwarves got seven cards. And, the humans got nine... and the elves three. Or, am I mixing something up?

      No no, you've got it right. It's just that, well, Ritchie's not all that tall, and he's got a beard...

  • 007 (Score:3, Funny)

    by tsa ( 15680 ) on Friday July 30, 2010 @11:49PM (#33093140) Homepage

    I see a new James Bond movie in the making here...

  • but this reads like an intro to a bad cyberpunk novel/movie....

  • by zzyzyx ( 1382375 ) on Saturday July 31, 2010 @12:04AM (#33093200)

    One Card to rule them all, One Card to find them,
    One Card to bring them all and in the darkness bind them

  • The truth is, these keys are really just a safe guard in case /. ever posts Article Omega, bringing about the systematic slashdotting of the ENTIRE INTERNET!!!
  • by dangitman ( 862676 ) on Saturday July 31, 2010 @12:46AM (#33093322)

    Jen: What is it?
    Moss: This, Jen, is the Internet.
    Jen: What?
    Moss: That's right.
    Jen: This is the Internet?
    [Moss is nodding his head]
    Jen: (suspiciously) The whole Internet?
    Moss: (agreeably) Yep. I asked for a loan of it, so that you could use it in your speech.
    [Roy enters the room.]
    Roy: (irritated) Hey! What is Jen doing with the Internet?
    Jen: Moss said I could use it for my speech.
    [Roy speaks to Moss in an edgy way.]
    Roy: Are you insane? What if she drops it?
    Jen: I won't drop it, I'll look after it.
    Roy: No. No, no, no, no, Jen. [Takes the box back from Jen.] No, this needs to go straight back to Big Ben.
    Jen: Big Ben?
    Moss: Yep. It goes on top of Big Ben. That's where you get the best reception.
    Jen: I promise I won't let anything happen to it.
    Roy: No, Jen, I'm sorry. [Jen becomes woeful.] The elders of the Internet would never stand for it.

  • ...but there can be only one.

  • The one authenticated map of the Internet.
    Were it to be lost ... it could be recreated by seven individuals spread around the globe.

    Here are the first three things I though after reading this. None are good...

  • One secure sight in Culpeper, VA; the other site in El Segundo, CA. These sites both seem rather exposed to attack, compared to the vast interior of America. Why no secure site in the empty, hard-to-bomb middle of the country?

    Also, check out the googlemap of El Segundo [google.com] -- it's right next door to a buttload of chemical (gasoline?) storage tanks. I've heard there's a risk of those things going "boom" in a real real nasty way, if some smallish explosion sets them off. Seems like a kinda shitty spot to loca

  • (But in secret, another smart-card was made - one that could rule all the others...)

  • by Cougem ( 734635 ) on Saturday July 31, 2010 @05:04AM (#33094176)
    http://www.bbc.co.uk/news/uk-10781240 [bbc.co.uk] Not the best interview, but relevant.
  • Seems I've heard something like this before. [wikipedia.org]
  • I used to work with/under Norm (he was my boss) and he's a great guy! When I worked with him he wasn't a Keeper of the Key but he was still pretty cool

  • by Toad-san ( 64810 ) on Saturday July 31, 2010 @09:08AM (#33095080)

    Perhaps I don't have a grasp on how the Internet, TCP/IP, etc. work.

    But it seems to me, if you turned loose a spider that wandered around (from 000.000.0000 to 999.999.9999) and queried EVERY IP out there ... wouldn't you end up with a complete structure of which IPs were active, which were not, and some sort of identification for each and every one of them? And what was connected to what (to rebuild routing tables. Especially if the IP host actually responded with some sort of ID?

    For that matter, that identification could be done after the fact, ne? "Dude, if you're an active IP, send an email to this site with your IP and this completed DNS form. You won't be on the active list until you do."

    Bidda boom, bidda bing.

    Besides, this is just a plain old database anyway, isn't it? Just back up the damned thing.

  • This is a Really Stupid Idea. 5 people from 5 different countries have to all get together in the same place to restore the signing key to restart a trusted Internet. If civilization has truly gone down the tubes otherwise, just getting to the next town, let alone across an ocean, just isn't likely. This is all just a PR puff-piece of something unlikely to ever actually work out as intended in practice.
  • ...no one will ever find it there. (Czech Republic has the best looking women!)

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (1) Gee, I wish we hadn't backed down on 'noalias'.

Working...