The Canadian Who Holds the Key To the Internet

drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."

Really two different halves

[XanC]

The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.

Re:Really two different halves

[joeflies]

The article does state that you need 5 of 7 to restore.

Re:Really two different halves

[XanC]

Looks like you're right; they appear to be using an implementation of Shamir's Secret Sharing

Re:Really two different halves

No, if they say 4 of 7, then they probably really in fact mean 4 of 7. You are right that having just 2 pieces and distributing copies of them would get the situation you describe (well, actually, it would require 5 of 7 as 4 people would have one half and 3 would have the other half), but algorithms exist to split a key into any number of a pieces and require any number of those pieces to get a full key. Basically, just make a PAR of the key with the desired amount of redundancy and hand out equal sized chunks of the file. This is probably not exactly what they do, but it would work similarly.

Re:Really two different halves

[Actually,+I+do+RTFA]

There's no need to split it up so simply. There are ways of splitting up a dataset in 7 such that any 4 can reconstitute it without allowing any handpicked 3 to be able to do so.

An example, where you wanted to require two of three could be accomplished by splitting the key and a random number into thirds. Each party would get 1/3 of the key, 1/3 of the random number and 1/3 of the XOR of the two. Then any two can determine the whole key (assuming they knew which one of their thirds each section was, of course). It's generalizable to 4 of 7.

Re:Really two different halves

[LambdaWolf]

Or even better, use a cryptographically secure secret sharing scheme, and use the shared secret as a symmetric key to encrypt whatever other data if necessary. Then (if I'm interpreting your post correctly) you wouldn't have to worry about which parties got which segment of the key. In fact, I believe that's just what they're doing. Bruce Schneier had a post on it the other day.

Re:Really two different halves

[JWSmythe]

    Yup. Poor disaster planning.

    They've never heard of assured continuity. It's a good plan if all other services are ok. If I read it right, the folks need to gather at a known point. That would assume air travel was still viable. We saw that stop during 9/11. Since they're smart cards, I'm assuming it would require the appropriate smart card readers. If the physical locations where they are to assemble aren't accessible, that makes it a bit rough. They mention two US sites as the places to gather, so civil unrest in the US could severely limit travel. While us Americans are very America-centric, I'm sure the rest of the world wouldn't be totally delighted if their Internet services stopped working just because we were having problems.

    If it does take 5 of 7 to restore the key, that could be problematic. They named one. I'm sure brute force decryption (i.e., torture) could find out who at least two others are. So if 3 were taken out of the equation, that leaves 4 to carry on. As time goes on, it would be a shame if the cards were lost. Just because you stuck it in the safe doesn't mean that safe will always be the one you use. People move. Offices change. People die. When Joe-key-holder dies, and his coworkers don't realize what the keys are, they could easily end up in a file box marked "Joe's office stuff", and stuck in storage to be forgotten about after a few years of staff churn.

    I don't see it as catastrophic. It's about as rough as when we were told "be sure to update your named.root file." Lots of people did it. Lots of people who should have didn't know. Even if you missed it, it didn't really break anything very much.

   

Re:Really two different halves

[PAjamian]

No, for everything to be totally screwed, the full key held at the two secure facilities in the US would have to be lost or destroyed plus the keys held by three of the "key-holders" would have to be lost or destroyed as well.

Re:Really two different halves

[thej1nx]

As time goes on, it would be a shame if the cards were lost. Just because you stuck it in the safe doesn't mean that safe will always be the one you use. People move. Offices change. People die. When Joe-key-holder dies, and his coworkers don't realize what the keys are, they could easily end up in a file box marked "Joe's office stuff", and stuck in storage to be forgotten about after a few years of staff churn.

I am pretty sure if you are one of the only seven people in the world to be trusted with the responsibility of a certain item, you will just "forget" it when you move.

When you come up with outlandish theories, at least use common sense. It is perfectly possible that the card gets stolen by a burglar who doesn't realizes what it is. And even then it will at least be reported and appropriate measures taken. You seem to have picked up some curious notion that nobody had the foresight to keep a note on the whereabouts and well-being of these individuals("Where are those cards again? I dunno... some dude was supposed to have them. Not sure where they are now, or who they were... we sent them deep undercover you see, to protect them against torture from enemy agents!").

This is just a mere precaution of not keeping their eggs in one basket, since losing the key will indeed be catastrophic to DNSSEC. If anything, it is obviously just one of the many other backups they have.

Re:Really two different halves

[slick7]

Yup. Poor disaster planning.

More like typical disaster planning.

Re:Really two different halves

[JWSmythe]

    But, that's half the fun. Damn.

Re:Really two different halves

[crossmr]

if their Internet services stopped working

This wouldn't happen.
While Domain name resolution would stop working, if there was some kind of emergency situation, lists could be published of ip addresses for each site.
Domain name resolution is convenient it isn't required for operation.
The government of the country in question could also fire up their own DNS system and publicly publish the address for it so that citizens could use it.

Re:Really two different halves

[maxwell+demon]

Of course they should instead have chosen a system where you need 7 of 9 to restore!

Re:Really two different halves

[d3vi1]

Nope. It's common practice in the PKI world to use an HSM which calculates the private key upon startup. The key is not stored anywhere. It's calculated when you start the HSM. It's a function with 7 intersection points with the X axis. Knowing any 4 of the 7 intersection points is enough to calculate the function parameter. That in turn is the actual private key.

RAID has nothing to do with this. The HSMs operate under the presumption that the safest guard for the private key is not to have it at all, encrypted or not. You calculate it only when needed. If the HSM goes down you need a new key migration ceremony in a worst case scenario, and in the best case scenario, just the administrator and operator smart cards to unlock the security world.

This is what is being done at any public CA installed in your browser and at any Publicly signed Enterprise CA.

Not good

[countertrolling]

The internet is supposed to be able to repair itself. You know, route around damage and stuff? This all sounds as fragile as our transportation system when merely threatened with an explosive device, bringing it to a complete halt. Is our entire food supply this flimsy?

Re:Not good

[Barny]

Think about it, if walmart lost their supply chain, probably 1/3 of Americans would die of malnutrition within a week, or gain 50kg from the take out consumed.

To be honest, the "internet" would keep going, and does indeed route around damage, but the "web" would have the computer version of a stroke if you dropped the root DNS.

Re:Not good

[nacturation]

The internet is supposed to be able to repair itself. You know, route around damage and stuff?

The internet will continue to work fine. This only impacts DNSSEC and the ability to rebuild based on the private key distributed on those smartcards. If all 7 get assassinated and their smart cards hacked to bits with no backups, we can still revert to plain old DNS.

Re:Not good

[rolfwind]

Think about it, if walmart lost their supply chain, probably 1/3 of Americans would die of malnutrition within a week, or gain 50kg from the take out consumed.

Walmart is nutritious AND less calories than take-out?! BTW, Americans don't gain kg, pounds or lbs, sure, but not kg.

Re:Not good

[Vahokif]

This is like all the phone books in the world going up in flames. The network would still work, but you wouldn't know people's numbers.

Re:Not good

[hitmark]

that is a feature of IP, not a feature of DNS. The article is about DNS, or more specifically, about DNSSEC.

very few today use straight up IP addresses to access a service (heck, a lot of services are potentially housed under a single IP, but you get the one you want thanks to the browser telling the server what domain name you entered), and DNSSEC puts a extra layer of verification that you get the correct IP when you enter a domain name.

If all seven get together do they become Voltron?

[Pezbian]

Or do they summon Captain Planet? ...or Wilford Brimley?

seven? nine? three?

[chub_mackerel]

Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions).

I thought the dwarves got seven cards. And, the humans got nine... and the elves three. Or, am I mixing something up?

007

[tsa]

I see a new James Bond movie in the making here...

We don't live in the movies

[Sycraft-fu]

The world is not full of evil organizations who are thoroughly evil, yet well funded, that run around doing evil for its own sake. The likelihood of someone blowing up both facilities and kidnapping the people who hold the cards just to try and take down DNSSEC is pretty unlikely. I think this is more likely protection against hacking (which is much safer) or a gigantic mistake. Always good to ask the question "If everything fails, how are we going to rebuild it?" That's what this is.

Please remember that vast kidnapping conspiracies and so on require a lot of people acting in concert. That is hard to keep hidden. What's more in this case you'd be talking about something all over the world. You are also talking about something that would draw the wrath of the most powerful nations out there. The US (who holds the facilities), the UK, China, etc. It doesn't work like in James Bond where the baddies contact the government and they have to knuckle in unless a lone agent can bring them down. What happens is the governments send in hundreds of heavily armed, highly trained, soldiers that will kill or capture anyone who is involved, or perhaps just as likely simply destroys the building they are in with a well placed smart bomb from a bomber you cannot see.

The idea here seems to more be a final redundancy against a systems failure, but one where a single person can't go rogue and cause a problem.

So please, stop with the paranoid movie plots.

Re:We don't live in the movies

[Jeremi]

So please, stop with the paranoid movie plots.

You have to admit this does provide the basis for a pretty good movie plot... I predict that Jason Bourne (or Robert Langdon, or Richard Stallman) will be trying to save at least 5 of these people on screen within a few years.

Seven, heh ?

[zzyzyx]

One Card to rule them all, One Card to find them,
One Card to bring them all and in the darkness bind them

Article Omega

[Da+Cheez]

The truth is, these keys are really just a safe guard in case /. ever posts Article Omega, bringing about the systematic slashdotting of the ENTIRE INTERNET!!!

This, Jen, is the internet

[dangitman]

Jen: What is it?
Moss: This, Jen, is the Internet.
Jen: What?
Moss: That's right.
Jen: This is the Internet?
[Moss is nodding his head]
Jen: (suspiciously) The whole Internet?
Moss: (agreeably) Yep. I asked for a loan of it, so that you could use it in your speech.
[Roy enters the room.]
Roy: (irritated) Hey! What is Jen doing with the Internet?
Jen: Moss said I could use it for my speech.
[Roy speaks to Moss in an edgy way.]
Roy: Are you insane? What if she drops it?
Jen: I won't drop it, I'll look after it.
Roy: No. No, no, no, no, Jen. [Takes the box back from Jen.] No, this needs to go straight back to Big Ben.
Jen: Big Ben?
Moss: Yep. It goes on top of Big Ben. That's where you get the best reception.
Jen: I promise I won't let anything happen to it.
Roy: No, Jen, I'm sorry. [Jen becomes woeful.] The elders of the Internet would never stand for it.

My first thought...

Earth! Fire! Wind! Water! Heart!

It'd be awesome if they yelled that out as they each scanned their cards.

Re:My first thought...

[Dogers]

com! net! org! tv! biz!

Captain DNS and the Resolveteers!

Re:I don't care if you are from Iran

[AfroTrance]

The key holders are the Elders of the Internet.

Seven to the Canadians in their Halls of Snow

[Arancaytar]

(But in secret, another smart-card was made - one that could rule all the others...)

Re:You might want to look up Dan Kaminsky

[Wandering+Idiot]

Thanks for "leaving it at that"! God forbid you provide any basic information on what you're talking about or why anyone should be interested.

A British key-holder giving and interview

[Cougem]

http://www.bbc.co.uk/news/uk-10781240 Not the best interview, but relevant.

Trinidad & Tobago

[denzacar]

The one from Trinidad & Tobago, duh.
Gi is from China, Kwame is from Burkina Faso, Linka is from Czech Republic and Wheeler is from USA.

But, adding Paul from UK and Ritchie from Canada is a bit Anglo-centric and ridiculous.
Those are not even two different countries, let alone continents.

Re:You might want to look up Dan Kaminsky

[leuk_he]

Dan Kaminsky got a key,
Paul Kane got one,
the others well geograpically distributed make the international resque team complete.

You couldn't just find everyone?

[Toad-san]

Perhaps I don't have a grasp on how the Internet, TCP/IP, etc. work.

But it seems to me, if you turned loose a spider that wandered around (from 000.000.0000 to 999.999.9999) and queried EVERY IP out there ... wouldn't you end up with a complete structure of which IPs were active, which were not, and some sort of identification for each and every one of them? And what was connected to what (to rebuild routing tables. Especially if the IP host actually responded with some sort of ID?

For that matter, that identification could be done after the fact, ne? "Dude, if you're an active IP, send an email to this site with your IP and this completed DNS form. You won't be on the active list until you do."

Bidda boom, bidda bing.

Besides, this is just a plain old database anyway, isn't it? Just back up the damned thing.

Re:You couldn't just find everyone?

[rickb928]

1) Yes, you could.

2) When you have a workable method for sending a postcard to every IP address, let me know. Mapping IP address to street address is a neat trick if you can pull it off. Just don't rely on WHOIS, for obvious reasons.