Whenever we access the internet, we rely on
information security. In particular, we all rely on a subsystem of the internet
we hardly pay any attention to – the Domain Name System. As it happens,
computers are not quite as enamoured of pesky human-readable words as you and I
are. They would rather depend on numbers. And thus, most websites on the internet
have a numerical address – to go to Google’s web page, for example, you can
just type 172.217.6.132 into your web browser, and voila! You’re there!
Needless to say, remembering strings of
numbers is quite taxing, and that’s why the Domain Name System exists. You type
in ‘www.google.com’, and a domain name server will be queried with your
request. It then returns the numerical internet protocol address for the web
site you’re trying to visit. Quite crucial, wouldn’t you say, for easy access
to the internet.
We trust the domain name system implicitly.
When we type in a web address, we trust it will take us to the site we are
trying to reach – whether that be Facebook, or online banking facilities. So
consider this: What if the Domain Name System was compromised? What if someone
were to rewrite this global phone book of the internet, and when you type in
the address for your bank, it returns a different site? Similar looking, but
designed to capture your online banking details, and empty your account?
This question, naturally, has haunted the
Internet Corporation for Assigned Names and Numbers (ICANN) as well. They are
the non-profit organization responsible for co-ordinating and maintaining the
DNS, ensuring its stable and secure operation. They operate the 13 root name
servers that provide the authoritative addresses for all top-level domains. To use
‘www.google.com’ as an example, your computer asks the root name server where
to find information on ‘.com’. The root name server directs your computer to
the verified ‘.com’ directory service, which will instruct it where to find the
directory service for ‘.google.com’, and the google.com directory service will
provide the final address for ‘www.google.com’.
The root name server is thus the first link
in the chain to direct you to the correct website, and the authenticity of its
information is critical to maintaining a secure and stable internet. And so, ICANN
devised a system to ensure the root name servers can be trusted. They signed
these records with an asymmetric cryptographic key. Now, usually cryptography
works via symmetric keys – you’d know it as a password. Someone encrypts
something with a password, and you can only open that information if you know
the password as well.
Asymmetric keys work a bit differently.
They have a public key and a private key. The public key can be shared far and
wide, while the private key is held in secret – shared with no one. When something
is encrypted with the private key, the public key can decrypt it, while if
something is encrypted with the public key, only the private key can decrypt
it. Thus, when you sign something with a private key, it can be trusted to only
come from you, since the public key can decrypt it, and no one else knows the
private key that can be used to create such a message. Conversely, when you
encrypt something with the public key, you can be sure that only someone with
the private key will be able to open it.
Every link in the DNS chain thus signs
its records, and to ensure you know it’s secure, its public key is signed by
the layer above. But as you travel upwards, you reach a level where a key
cannot be signed by anyone above – the root key. The master key of the entire
system. The private key that signs all other public keys so you can be
sure they’re genuine. The private key that has to be kept safe at all costs.
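To make the two preceding paragraphs concrete, here is a small added example (not ICANN’s or any DNS software’s own code): a resolver holds the root public key as its trust anchor, checks that each zone key is signed by the layer above, and checks that the address record is signed by the zone that owns it. The zone names, the record and the use of Ed25519 as the signature scheme are assumptions for illustration; real DNSSEC records and algorithms differ in format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Zone is one link in the DNS chain: its key pair plus the parent's signature over its public key (nil at the root).
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	KeySig []byte
}

// NewZone generates a zone key; when parent is non-nil, the parent signs the new public key.
func NewZone(name string, parent *Zone) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	z := &Zone{Name: name, Pub: pub, priv: priv}
	if parent != nil {
		z.KeySig = ed25519.Sign(parent.priv, pub) // the layer above vouches for this key
	}
	return z
}

// Verify is the resolver's check: chain[0] must be the trust anchor, each key signed by the layer above, the record by the leaf.
func Verify(anchor ed25519.PublicKey, chain []*Zone, record string, sig []byte) error {
	if len(chain) == 0 || !anchor.Equal(chain[0].Pub) {
		return fmt.Errorf("root key does not match the configured trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		if !ed25519.Verify(chain[i-1].Pub, chain[i].Pub, chain[i].KeySig) {
			return fmt.Errorf("key of %s is not signed by %s", chain[i].Name, chain[i-1].Name)
		}
	}
	if leaf := chain[len(chain)-1]; !ed25519.Verify(leaf.Pub, []byte(record), sig) {
		return fmt.Errorf("record %q is not signed by %s", record, leaf.Name)
	}
	return nil
}

func main() {
	root := NewZone(".", nil) // root.Pub stands in for the trust anchor resolvers are configured with
	com := NewZone("com.", root)
	google := NewZone("google.com.", com)
	chain := []*Zone{root, com, google}
	rec := "www.google.com. A 172.217.6.132"      // constructed record carrying the article's address
	sig := ed25519.Sign(google.priv, []byte(rec)) // google.com. signs its own record
	// prints <nil> for the genuine answer, then an error for the rewritten address
	fmt.Println(Verify(root.Pub, chain, rec, sig), Verify(root.Pub, chain, "www.google.com. A 203.0.113.9", sig))
}
```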
And so, ICANN has kept it secure. In two
facilities, 4 000 km apart, there sit two specialized devices called Hardware
Security Modules (HSMs). In their rooms, no electrical signals can come in or out.
Building security guards are barred, as are cleaners. These rooms are
surrounded by multiple layers of physical security such as building guards,
cameras, monitored cages and safes. The modules resist physical tampering: if
someone attempts to open a device, or even drops it, the HSM erases all the
keys it stores to prevent compromise.
The Hardware Security Modules are used to
generate and store the root key, but to use them, physical keys are needed that
must be inserted into the module. Fourteen Trusted Community Representatives
from across the globe, the Cryptographic Officers, each hold a physical key to
a safety deposit box containing a smartcard; during the key ceremony, those
smartcards activate the HSM. Seven Cryptographic Officers are assigned to each
location. Seven more Trusted Community Representatives, the Recovery Key Share
Holders, each have a smartcard containing a fragment of the code needed to build
a replacement Hardware Security Module in case all four are destroyed. Once a
year, these Recovery Key Share Holders have to send ICANN a photograph of
themselves with that day’s newspaper and their key to confirm all is well.
Whenever they meet to generate a new key,
they pass stringent security measures: they must pass through two doors
that each require a smartcard, a PIN code and a hand scan, in sequence. Only then
do their keys have any purpose, as outside the facility the keys cannot be used
to access the root key. Only once they have all entered and set up the machine
will the master key be generated, and a lengthy cryptographic code be produced.
So whenever you find yourself typing in the
address of a website, cast a thought for the level of security that is behind
your simple query of the Domain Name System. And ask yourself: if others are
willing to invest this much effort to ensure your information security, how
much are you willing to invest? Because security comes not only from without,
but from within as well. ICANN’s measures are of no use to you if your own
passwords are insecure.