Meet the crypto officers: How the internet is controlled by 14 people with seven secret keys

Global domain name systems are secured at highest levels by a handful of people

Julie Bort
Friday 14 October 2016 12:10 BST
Latest figures show 3.6 billion people use the worldwide web (Shutterstock/REDPIXEL.PL)


It sounds like something out of a Dan Brown book, but it isn't: The whole internet is protected by seven highly protected keys in the hands of 14 people.

They hold a historic ritual known as the Root Signing Ceremony.

Recently, the world got a good reminder about the importance of the organisation these people belong to.

A good chunk of the internet went down for a while when hackers managed to throw so much traffic at a company called Dyn that Dyn's servers couldn't take it.

Dyn is a major provider of something called a domain name system, which translates web addresses such as businessinsider.com into the numerical IP addresses that computers use to identify web pages.

Dyn is just one DNS provider. And while hackers never gained control of its network, successfully taking it offline for even just a few hours via a distributed denial of service attack shows how much the internet relies on DNS. This attack briefly brought down sites like Business Insider, Amazon, Twitter, Github, Spotify, and many others.

DNS at its highest levels is secured by a handful of people around the world, known as crypto officers.

Every three months since 2010, some — but typically not all — of these people gather to conduct a highly secure ritual known as a key ceremony, where the keys to the internet's metaphorical master lock are verified and updated.

The people conducting the ceremony are part of an organisation called the Internet Corporation for Assigned Names and Numbers. ICANN is responsible for assigning numerical internet addresses to websites and computers.

If someone were to gain control of ICANN's database, that person would pretty much control the internet. For instance, the person could send people to fake bank websites instead of real bank websites.

To protect DNS, ICANN came up with a way of securing it without entrusting too much control to any one person. It selected seven people as key holders and gave each one an actual key to the internet. It selected seven more people as backup key holders — 14 people in all. The ceremony requires that at least three of them attend with their keys, because three keys are needed to unlock the equipment that protects DNS. The Guardian's James Ball wrote a great story about them in 2014.

The physical keys unlock safe deposit boxes. Inside those boxes are smart key cards. It takes multiple keys to gain access to the device that generates the internet's master key.

That master key is really some computer code known as a root key-signing key. It is a password of sorts that can access the master ICANN database. This key generates more keys that trickle down to protect various bits and pieces of the internet, in various places, used by different internet security organisations.
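As an added illustration (not from the article, and not ICANN's own software), the following Go program models the hierarchy just described: a root key-signing key, pinned by the validator as its trust anchor, signs a zone-signing key, which in turn signs an answer. A second chain built from an attacker's own "root" keys is rejected, which is the scenario the article warns about. Ed25519 stands in for the real DNSSEC algorithms, and the record format, zone names and addresses are constructed, not DNS wire format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Record is a constructed model of one signed zone record (not DNS wire format).
type Record struct {
	Name      string
	Data, Sig []byte // Sig covers Name|Data, standing in for an RRSIG
}
func msg(r Record) []byte { return append([]byte(r.Name+"|"), r.Data...) }

func sign(name string, data []byte, priv ed25519.PrivateKey) Record {
	r := Record{Name: name, Data: data}
	r.Sig = ed25519.Sign(priv, msg(r))
	return r
}
// verifyChain mirrors a validating resolver: the pinned root KSK must have signed
// the ZSK record, and that ZSK must have signed the answer. Anything else is rejected.
func verifyChain(anchor ed25519.PublicKey, zskRec, answer Record) bool {
	if !ed25519.Verify(anchor, msg(zskRec), zskRec.Sig) {
		return false // this ZSK was not published under the trusted root KSK
	}
	return ed25519.Verify(ed25519.PublicKey(zskRec.Data), msg(answer), answer.Sig)
}
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil { panic(err) }
	return pub, priv
}
// Scenario reports whether the legitimate chain and a forged chain validate.
func Scenario() (legit, forged bool) {
	kskPub, kskPriv := genKey() // ceremony-protected root KSK; kskPub is the pinned anchor
	zskPub, zskPriv := genKey()
	zskRec := sign(".", zskPub, kskPriv)                           // ZSK published under the KSK
	answer := sign("bank.example.", []byte("192.0.2.10"), zskPriv) // constructed answer
	_, evilKskPriv := genKey() // an attacker's own "root zone", built with their own keys
	evilZskPub, evilZskPriv := genKey()
	evilZskRec := sign(".", evilZskPub, evilKskPriv)
	forgedAns := sign("bank.example.", []byte("203.0.113.66"), evilZskPriv)
	return verifyChain(kskPub, zskRec, answer), verifyChain(kskPub, evilZskRec, forgedAns)
}

func main() {
	legit, forged := Scenario()
	fmt.Println("legitimate chain validates:", legit, "forged chain validates:", forged)
}
```

The forged chain is internally consistent (every signature in it checks out against its own keys) yet still fails, because the resolver trusts only the pinned root key; that pin is why protecting the real key matters so much.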

The security surrounding the ceremonies before and after is intense. It involves participants passing through a series of locked doors using key codes and hand scanners until they enter a room so secure that no electronic communications can escape it. Inside the room, the crypto officers assemble along with other ICANN officials and typically some guests and observers.

The whole event is heavily scripted, meticulously recorded, and audited. The exact steps of the ceremony are mapped out in advance and distributed to the participants so that if any deviation occurs the whole room will know.

The group conducts the ceremony, as scripted, then each person files out of the room one by one. They've been known to go to a local restaurant and celebrate after that.

But as secure as all of this is, the internet is an open piece of technology not owned by any single entity. The internet was invented in the US, but the US relinquished its decades of stewardship of DNS earlier this month. ICANN is officially in charge.

Keenly aware of its international role and the worldwide trust placed on it, ICANN lets anyone monitor this ceremony, providing a live stream over the internet. It also publishes the scripts for each ceremony.

On October 27, ICANN will hold another ceremony – and this one will be historic, too. For the first time, it will change out the master key itself. Technically speaking, it will change the "key pair" upon which all DNS security is built, known as the Root Zone Signing Key.

"If you had this key and were able to, for example, generate your own version of the root zone, you would be in the position to redirect a tremendous amount of traffic," Matt Larson, vice president of research at ICANN, recently told Motherboard's Joseph Cox.


Read the original article on Business Insider UK. © 2017. Follow Business Insider UK on Twitter.
