Schneier on Security
A blog covering security and security technology.
« Pork-Filled Counter-Islamic Bomb Device |
| Security Vulnerabilities of Smart Electricity Meters »
July 28, 2010
DNSSEC Root Key Split Among Seven People
The DNSSEC root key has been divided among seven people:
Part of ICANN's security scheme is the Domain Name System Security, a security protocol that ensures Web sites are registered and "signed" (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it's known, and during a major international attack, the system might sever connections between important servers to contain the damage.
A minimum of five of the seven keyholders -- one each from Britain, the U.S., Burkina Faso, Trinidad and Tobago, Canada, China, and the Czech Republic -- would have to converge at a U.S. base with their keys to restart the system and connect everything once again.
That's a secret sharing scheme they're using, most likely Shamir's Secret Sharing.
We know the names of some of them.
Paul Kane -- who lives in the Bradford-on-Avon area -- has been chosen to look after one of seven keys, which will 'restart the world wide web' in the event of a catastrophic event.
Dan Kaminsky is another.
I don't know how they picked those countries.
Posted on July 28, 2010 at 11:12 AM
• 76 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
ICANN launched an open call to the community and there was a selection process that ended in the selection of 7 crypto officers for the East Coast and another 7 for the West Coast facility.
I was one of the chosen for the West Coast facility.
And if the inter-tubes are down hard, are they going to be able to get to the US?
Travel reservations, flight control, DHS, no-fly list, etc?
So, if one of the seven isn't able to get to the meeting for whatever reason, the internet stays broken? What's the backup plan?
It is probably over-simplistic reporting by the news media to say that the recovery key share holders have shared the root key amongst themselves. They can not reconstruct the root key by themselves. The architecture is spelled out in the DNSSEC Practice Statement at https://www.iana.org/dnssec/icann-dps.txt
The root keys themselves are stored in HSMs in two redundant facilities on each coast of the US.
The list of trusted community representatives is available at http://www.root-dnssec.org/tcr/selection-2010/
I guess only three of the six that are not in the UK are ever going to come to the UK or any other European country....
(Think European Arrest Warrant & UK RIPA).
I just had a go at creating a Shamir's Secret Sharing Scheme
Nice to hear about something that is so simple and hopefully effective. Maybe it could be used to create split passwords to give access to encrypted data when passing through borders. In so far as the shared secret could be given to disparate parties and conditional upon the travellor having passed through the border with the encrypted data, as another option to this one:
Bruce there's clearly a movie plot competition here ... e.g the seven ring-bearers (*ahem* key bearers) are dying under suspicious circumstances and its a race against time to stop the plot to bring down the internet and destroy the key that is needed to bring it back up again .....
"So, if one of the seven isn't able to get to the meeting for whatever reason, the internet stays broken? What's the backup plan?"
No, if three of the seven aren't able to get to the meeting, then the Internet stays broken. It's a 5/7 secret sharing scheme.
"Once again, old news."
I don't even pretend to be a news site.
Kim's comment above is spot-on. There's also a great overview video here:
The article you quoted is overblown, a fact that it admits only in the final paragraph: "In reality, it’s not so dramatic."
"And if the inter-tubes are down hard, are they going to be able to get to the US? Travel reservations, flight control, DHS, no-fly list, etc?"
Yeah, I thought about that. My guess is that this is more for show than anything else. The keys signed by this key are going to be backed up pretty heavily, and it would take a pretty impressive attack to render them obsolete.
"No, if three of the seven aren't able to get to the meeting, then the Internet stays broken. It's a 5/7 secret sharing scheme."
Actually, they don't need those guys. If they aren't able to get there, they drill into the safes. The idea is not to protect the key from being obtained by a determined physical attack, but to detect whether that has taken place.
The choice of countries seems related the their position in the list of top level domains combined with geographic distribution (Biased toward North America and Europe)
I was thinking along Kim's plot lines myself -- except what if the key-holders already figured that out, and are, uhm, a little bit tougher to "take out" than expected.
This would require actors able to portray unsympathetic "good guys," sympathetic villains, screenwriters who can get real character development into an otherwise action-driven plot. Never get made.
Actually, my apologies. I realize I was conflating the crypto officers and the recovery key officers. The latter do indeed need to come together (minimum 5) if the terrorists blow up the east and west coast centers (and the safes held there). In a scenario where the existing key is simply compromised, and the crypto officers can't all get there in time, they can drill.
Allocation was easy: it was necessary to divide those keys between men, elves, and dwarves.
As for The One Key...
Huh, I had never heard about Shamir's sharing, but thats pretty clever really.
As for the "vulnerability", the ZSK is signed for 3 months, so the system could only be very vulnerable as the ZSK expires (isn't there an overlap?), so you would have a 3 month window where the old zone works just wonderfully. You wouldn't be able to change the zone, but you could just let it serve with cached, and valid data.
If DNSSEC goes down, then i guess we will just go back to DNS --like we have been using for I don't know how long.
And When the root servers go down. All the other DNS name servers don't go down at the same time. I even have a caching DNS at home.
In the link posted by Steve Schultze, there's a video of the ceremony.
Personally, I'm a bit surprised that they used 2048-bit keys, rather than 4096-bit, especially for something so critical as the DNSSEC root key.
Is there any particular reason they used this (e.g. shorter signature sizes needed for technical reasons) key length as opposed to a longer one?
@ Alex Bond
The back up plan is to open the door to the core, climb up the ladder to the next level, and insert the key into the control panel there.
Is there I'm one got think about consequence signing authority (by several certificates)?
Kind of like "The Good, the Bad and the Ugly", but with more desperados.
"There are two kinds of people in this world: Those with guns, and those who dig. You dig."
I would suggest reading the information available at http://www.root-dnssec.org
For a brief background on the TCR approach: http://www.root-dnssec.org/wp-content/uploads/...
The RKSH do not hold a share of the KSK itself. They have a wrapping key shared in a 5 of 7 threshold, needed to recover key backups if ALL HSMs are lost.
Background checking may be painful, but is often worth while. Even though it may destroy some of the excitement.
I think the original article is a little long on hyperbole.
This is the procedure that they'll need to enact to implement a new key for the DNSSEC environment, not "rebooting the Internet" after the apocalypse.
So... they're like the Internet planeteers (with some redundancy)?
"By your five of seven of Shamir's Secret Sharing Scheme keys combined, I am captain DNSSEC!"
"Huh, I had never heard about Shamir's sharing but thats pretty clever really"
There are many ways to share a secret the simplest involves binary strings you XOR together and a cipher of some kind.
It gets quite a bit harder when you put in a threshold (M of N shares) but you can still do it.
However most schemes you are going to come up with are going to be grosely inefficient, Shamir's considerably less so and has other advantages.
One Key to bring them all, and in the darkness bind them.
Most of the press releases about the key holders oversimplify things. "Rebooting the web/Internet" is only one example, it gets even worse in some articles.
A factual correct PR was released today by ICANN and can be found here: http://www.prweb.com/releases/DNSSEC/Cyber_Crime/...
So if I understand this correctly... if somebody devises a successful attack against the dnssec architecture or cryptography, then they have an elaborate procedure for resigning exactly the same architecture which is probably still vulnerable to the attack? Yeah, I bet that'll come in real handy.
It's cute, but if we ever needed something like this then we're too screwed to care.
you have fallen as a victim to the PR machine. Unfortunately it was also copied by other media including the BBC :-(.
@Andrew - interesting thread.
A point brought up there (specifically http://mailman.nanog.org/pipermail/nanog/... ) that I haven't seen elswhere, is that the actual point of splitting the key and geographically distributing the peices is NOT for disaster recovery/redundancy purposes, but to PREVENT the US based ICANN from being able to re-sign the root key on its own.
So all they've done is encrypt the key, PAR'd it ala usenet into 5 pieces with 2 par recovery volumes?
Any 5 pieces can reconstruct the encrypted key.
Great Andromeda Strain reference.
As I recall one person had the disarm self destruct key in that movie and although testing showed that there were not enough consoles for all the containment areas, the improvements had not yet been implemented.
Shamir key sharing seems like a much better approach for them.
At the very least, it would have eliminated the need to climb a laser guarded central shaft during an active airborne pandemic release.
I have four serious questions:
1. Does this program deny the US the ability to unilaterally reboot the portion of the Internet on its own soil? The British key holder stated that this program is designed to prevent "fragmentation" on the Internet between regions. This would seem to undermine US sovereignty.
2. If the seven key holders are dead, or cannot agree, does the Internet just stay down permanently?
3. Does this program essentially prevent local workarounds from reestablishing local or regional connectivity, thereby defeating the decentralization designed to protect the early Internet?
4. Why is it better to have no Internet than a corrupted Internet or one with unverified sites?
"the *only* way to get
acceptance of a signed root was to make sure that ICANN is *not* in posession
of enough keying material to sign a key by itself."
I read this on one of the links. Why shouldn't the US be able to restart the Internet on its own?
All seven names:
1) Paul Kane CommunityDNS
2) Norm Ritchie of Canada
3) Jiankang Yao from China
4) Moussa Guebre of Burkina Faso
5) Bevil Wooding from Trinidad and Tobago
6) Ondrej Sury of the Czech Republic
7) Dan Kaminsky, chief scientist at Recursion Ventures
"The keys signed by this key are going to be backed up pretty heavily, and it would take a pretty impressive attack to render them obsolete."
I've seen *major* organizations lose (or forget the password to) signing keys many many times. Often they're "lucky" enough that the password can be cracked with a dictionary attack (although this is the case enough times that one wonders if it isn't luck but skill at making bad passwords :), but in a few rare cases I've seen them unable to recover and have to deal with it from there. Even in these cases it has been with organizations that are supposed to be sophisticated enough, and staffed with enough sharp people that this should never happen. In short, I've learned never to assume the customer/guy I'm evaluating security of would do something as obvious as backup the key very well.
As over the top and maybe even overkill as this idea is, I think that its a good one, given the importance of keeping that key known to the right people.
The purpose of the news release is not cryptographic, but cinematic.
This sets the stage for the most dramatic film ever made about the internet. It is part of the pre-advertising campaign.
"The net goes down. Now the world gasps as seven obscure men must make their way through a post-www world in a desperate struggle to meet and restore the internet before world commerce sinks and world conflict rises. Some may die."
This sounds like the set up for a Dan Brown novel.
"Why shouldn't the US be able to restart the Internet on its own"
It's not a question of "restarting" but "ownership" and "politics".
For some variety of reasons various naming authorities have behaved in odd ways at times. And there has been the very real danger that the Internet naming service would be effectivly broken up.
With no apparent central authority some felt there would be no identifiable path of trust between domains etc for DNSSEC to work (this is an open question as there is not yet sufficient research to say if even hierarchical trust models are workable, let alone the only way to go).
Thus the question still remains as to if this will be the "key to freedom" or the "key that fetters" as it becomes defacto and thus assumes the mantal of legacy issues.
Having seen the security mess that is the result of the myriad of Web CA's and all the root certs that end up in browsers many feel that a single point hierarchie is the way forward.
Others though see the many issues that are unresolved from earlier "key Authority" examples and the fragility of "single point" of fail/attack/control.
Personaly I'm in the latter camp as in practice we have found de-centralised systems to be more robust and open to improvment via evolution than centralised hierarchical systems.
At the end of the day however the current DNS is open to abuse and has no trust model built in, and the only trust model we have any real working knowledge of is "centralised hierarchical". Sometimes you have to go with what you've got, and plan your exit strategy...
Call me old-fashioned but I'd feel more secure if it wasn't public knowledge who has the keys... if a person/people have taken action to take the internet down I'm sure they'd be willing to track down enough of the keyholders to create a secondary problem.
I can't help wondering how a US immigration officer would react when one of these keyholders explained the reason for their need to enter the US.
"wondering how a US immigration officer would react" [Tim]
Funny thought indeed, but I hope in case of an emergency they don't have to much immigration to clear while they are cordoned from the military airbase to the military bunker. But actually this makes me wish to a) be one of the selected b) have an emergency. Must be an incredible feeling of "woa, what kind a importance". Then, on the other hand, how free would you be in deciding whether or not to use the key if a whole apparatus of military is pushing you?
But then, I think the whole scheme is only there to prevent those sufficient keys being stolen before someone notices it, rebooting the DNS probably is not a decision but a task.
Question is, how often are those guys checking the storage, meaning, how much time does an attacker have to steal 5 keys before being noticed? (Assuming they are not able to tamper with a tamper proof bag after they somehow managed to get access to the bank and the safe room and the box.)
Otherwise, I do like the idea of spreading the responsibilities for "our" world-wide communications infrastructure beyond the borders of a single state.
Wonder triplets power activate!
Form of a bespectacled college dean!
Form of a key!
Form of a committee!
@lars " Must be an incredible feeling of "woa, what kind a importance". "
I was wondering what kinds of person I would select for the job. Technical skills and understanding is a given.
But I think I would rate high - someone who has never locked themselves out of their car or house.
I hope there's more controls built in than a secret sharing scheme. Because, from what I'm seeing, taking over DNS now means only five people must be compromised. And I think Kaminsky likes to drink and party with the likes of Joanna Rutowska. If I was an agency with even a five digit budget, I would own DNS in a few months. Does DNS relying on five people bother anyone else?
Five of them must come together!
Except that if the internet fails they won't be able to take any flights :D
For more details...but basically, they hold the pieces of the key that is used to encrypt the backups.
The hardware is very tamper resistant, and in facilities it'd be very hard to extract the key from. This is just a way to keep people from stealing the backup state successfully.
ICBM lanuch codes and keys and TS/SCI CRYPTO is maintained by two person integrity (TPI).
Is it reasonable to believe that TPI is less effective than 5PI?
"ICBM lanuch codes and keys and TS/SCI CRYPTO is maintained by two person integrity (TPI).
Is it reasonable to believe that TPI is less effective than 5PI?"
As for ICBM launch, I presume it is harder to get 5 raving lunatics to agree to launch than it is to get two raving lunatics to do the same. Which might explain tpi vs 5pi there.
After having given some thought to the various schemes to preserve these kind of secrets, I just figured that the failure mode for losing these kind of keys - key compromise, or losing access to a key - is not really that bad.
No, really. The DNSSec key is just NOT that important.
Here's some scenarios - you can interpret "lose" to mean disclosure or denial:
Problem: DNSSec key to the internet is lost
Solution: Make new key, sign a message with some trusted PGP keys, send it to the root servers and major DNS providers. The hostmasters can disable signature checking and/or disable updates in the meantime.
Result: Even without signatures, today's unsigned DNS system is relatively protected against unauthorized update. So we could just turn DNSSec off like it was never there.
Problem: Some country loses the signing key for their ePassport (RFID Passport).
Solution: Publish new key. Send key hash via diplomatic courier to relevant parties.
Result: Passports support offline authentication through sophisticated measures. Unless the attacker can forge the printed pages, even an undetected key disclosure does not allow forgery (since everyone still checks the printed data today), and the loss of RFID as a trusted mechanism does not invalidate existing documents.
Problem: Verisign loses its root key.
Solution: Windows Update, Apple Software Update, etc. phase out the old key and put a new one in. The OCSP server consults a list of all known valid certificates from the sales data and does not approve any unknown ones.
Result: Unless attackers already control the communication channel to your bank, a fake certificate simple don't grant "instant access" to your banking password. If Verisign gets taken out of service for a week or month or year for a key change, there's plenty of certification authorities that still sell them.
Problem: Someone steals the nuclear codes, and transmits them via ELF to the submarines.
Solution: A nuclear strike? In peacetime? I think you would wonder!... The officers will likely call in to get confirmation and find out that, whaddaya know, the White House is looking for a missing BlackBerry...
Result: People aren't that dumb.
All cryptographic systems that involve humans, have inherently renewable security. When dealing with security systems that where humans manually make decisions or update key material, the simplest solution to dealing with these crypto problems is to fall back on traditional offline authentication systems used for thousands of years. Like sending a signed letter.
@ BF Skinner,
Well primarily 2PI was actually to prevent unautherised launch not to ensure autherised launch.
With MAD people in the US suddenly got nervous that an Airforce Officer etc could go rogue and start WWIII. And this thinking went on to be built directly into the weapons themselves via Permissive Action Links (bomb codes).
One study sugested that the number of "protection" systems built into US nukes would render a significant percentage as duds should they ever be launched.
The Red Army on the other hand had no Permissive Action links, and apparently went for a different launch procedure involving more than two people on silo type weapons, but no protection what soever on tactical / field weapons which most infantry soldiers could deploy singly. That is the Russian view was to reliability as a weapon not political consideration.
Either way most of us are still here and don't glow in the dark, so it could be said that both The US and CCCP systems worked...
Something very like this was used at a University,
for sharing the protection of access keys to a very privelegeed hard copy document
of rarified historical importance.
Each of seven department heads was given one of the seven keys required
to unlock access,
and the names of two others.
It was thus necessary to convince each one to:
not only disclose whether or not they were on the secret list of those with the key,
but also to hvae sufficent cionfidence to disclose the name of another key holder.
There are several possible geometries of succession,
and the toggle requirement
whether each department head had to first gain permission to disclose another's name.
This protocol was created because the document was known
to have other value to an occult group
that had already killed to try to gain possession of it,
before it came into the hands of the university.
The reason more than one name was known to each was
to recover that key in the event of death or disability.
If all members agreed,, they had to also convene, and use their keys together.
After an occasion of identification of four or more,
that the keys would be re-assigned to new department heads
by the key warden,
under similar secrecy.
A kind of security byy structural obscurity.
What do you think of it as security?
The physical location was secured:
each key fit a lock,
a locks had to disengage.
This allowed access to a dial safe,
which required seve combinations,
one dial to each member.
@ BF Skinner I have a motorcycle...It's impossible to lock yourself out of one....do I count
"I have a motorcycle...It's impossible to lock yourself out of one....do I count"
Yes you probably do... to ten and then offer up a profanity ;)
On that "I must not be late today morning" on discovering that in your haste, that you have left your keys to both your motorcycle and your front door inside the house (or flat etc).
And all you can do is sit on your motorcycle and wait for somebody to arive with the key or tools to get you in or worse get public transport or a taxi dressed in your motorcycle leathers (you do wear them don't you...).
Burkina Faso, Trinidad and Tobago:
So, if the problem is political instead of technical, those three at least are small enough to be bought or coerced.
Isn't Tobago one of the usual suspects when the US needs votes in the UN?
@Michael Lynn "I presume it is harder to get 5 raving lunatics"
Actually, I think, you really only need the one. Unless Wing Attack Plan-R is still kicking around.
(good thing we voted against putting the raving L into the veeps office last election cycle. Sen. McCain is getting crazy now but wasn't raving during the '08 campaign.)
"The Internet is broken", "Reboot the Internet" NOT!
This is about the DNS. The Internet (routers, backbone, etc.) will be fine. The routing and forward on the backbones are not dependent on the DNS.
It would be nice if the discussion was limited to the vulnerabilities of the DNS. DNSSEC is important, but is only a part of the Internet infrastructure.
My HS Diploma is younger.
@Bruce: "I don't know how they picked those countries."
They played spin the bottle.
"They played spin the bottle."
While drinking from another...
Volker Hetzer: Burkina Faso, Trinidad and Tobago: [...] those three at least are small enough to be bought or coerced.
That's only two countries.
Maybe they should choose nations/geographies WITHOUT internet access.
Dan kaminsky OMG!!!
he couldn't protect his own website!!!
Dan kaminsky is a retard, charlatan, and an attention whore. He can't be trusted with the security of anything.
There wasn't a reason to put much effort into securing his website. That they hacked it didn't put a dent in his career or image. It was a nice boost for him and the others. ZF0 just scored themselves another "FAIL" pursuing a goal that will lead to more FAIL's. I wrote about it back then on BinRev.com after it was hacked:
"These guys are run of the mill hackers with excellent showmanship. How can I make that claim? They exploited common vulnerabilities, using common tools and techniques. It was evident that their brains were required occasionally, and I'm sure it was refreshing after all that routine hacking they bragged about. The choice of targets? High profile hacking- or security-oriented sites that focused more on content than their site security. Bragging about hacking these sites is like saying you can shoot fish in a bucket... with a machine gun! Of course, these sites do get lots of press, so whatever happens to them gets noticed. In the end, Zero for Owned resembles a Richard Nixon publicity stunt more than a Kevin Mitnick exploit story. Does anyone else think Zero was named after its contribution to IT security?
Zero for Owned: Forever Powned!"
A year later and one is still bragging about nothing. If you have skills, feel free to make a *real* contribution to IT security. Otherwise, you're just trolls with Metasploit.
that's the point! you can't be hacked by script kiddies like ZF0 if you are a notable "IT security expert".
Daniel Bernstein is a real IT security expert and IMO he must be one of the seven.
Also he is the real discover of the DNS cache poisoning vulnerability ten years ago.
Oh if you want to know why some people are nervous about how much power holding the "key to the kingdom" gives, some of you might have noticed at the begining of last month the US Gov doing a "Takedown" on the likes TVShack.net,
The fact that it was circumvented in some cases within four hours is going to make a number of lobbyists get onto various politicos and do some serious ear bending...
Obviously, you're point is wrong. Security experts' web sites get hacked repeatedly and it doesn't cause them any real harm. They issue a notice, people ignore whatever happened, and life goes on. It's because the populace at large has learned to accept that vulnerabilities are inevitable, so it doesn't really hurt their image. If they are focused on making money and protecting their most important assets, why should they care about a web site getting defaced? It costs little to nothing and even gets them nice publicity. I'd say ZFO just indirectly padded their bank accounts. Good job guys. ;)
It's about risk management. It's about cost benefit analysis. You kids at ZFO don't get it. Your philosophy rejects the existence of market forces and the nature of psychology. Any theory of how IT security should work must work with those mechanisms, not against them. There's no real business motivation for those specific people to put that much effort into web security and there may be a reward to a compromise in PR and advertising. Would you tell me again why they should prevent ZFO from giving them a chance to give some speeches, make news and make more money?
"I am the keymaster. Are you the gatekeeper?"
@ David Conrad
No, I'm the most terrifying thing you can possibly imagine: the Stay Puft Marshmallow Man. Yes, *that* terrifying. At least I'm not J. Edgar Hoover. ;)
@Clive: I had it from a good source that altho them pesky Rooskies did not themselves yet have PAL technology, the US turned it over to them in a meet in Austria. This would be in the early 1980s.
"... Rooskies did not themselves yet have PAL technology, the US turned it over to them in a meet in Austria."
Hmm depends on who your source is but "turned it over" is at best a little misleading.
The stories that did the rounds at the time where that,
"US agents had infiltrated a Russian 'technology spy operation' and had supplied them with deliberately sabotaged hardware"
"US agents in Russia replaced parts in the existing system with deliberately sabotaged hardware".
The information coming back down the line from other sources was a bit more prosaic, in that the whole system was a "bodge together" of incompatable parts that had had subsiquent "lash ups" and it was surprising it had taken so long to go bang.
Further that the "US agent" claim was just a "political invention" handy to both sides post a very dramatic but far from unusual failure of Russian technology under central political control.
Personaly I favour the Russian Incompetance idea over "US agents" simply because it has happened oh so many times and was a natural consequence of the Russian attempts to "keep up" with the West (for the younger readers look up "cold war arms race" and such things as various claims made about the US President Ronnie Reagan's 1983 "Star Wars" speach that gave rise to the Strategic Defense Initiative).
It was similar incompetance that gave rise to the disaster of the 26th April 1986 at the Chernobyl Nuclear Power Plant which saw the largest release of radioactive material ever (so far) from a Nuclear reactor (and surprisingly shows that the effects of Nuclear meltdown is not as bad as was once belived).
Likewise many many other problems with Russian Industry leading up to the eventual meltdown of their economy and eventual breakup of the old CCCP / USSR.
The simple fact is that the whole PetroChem and other similar large industrial operations all have a dirty secret they don't want the public to know...
They are all very easy to sabotage by just a single person with no more than a few rudimentry house hold items and a few minutes unobserved activity. No explosives or other specialised equipment is required.
Also that not just security but safety as well is seen as an "optional extra" that decreases short term "shareholder value" by senior managment of US and other nations International Corporates.
It is no real secret that one of the reasons that many of these Corporates build plants in third world countries simply because they know these plants are going to go wrong and that the cost when it does will be a fraction of that on home soil or in home waters.
I suspect that many US citizens are thinking a little more about this around the Gulf in recent times.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.