Internet 'Key Holders' Are Insurance Against Cyber Attack

Adam Hadhazy

Date: 29 July 2010 Time: 05:48 AM ET

In a move that seems inspired by "The Lord of the Rings," seven "keys" have been handed out to a trusted circle of people who might get called upon to "save" the Internet in the aftermath of a cyber attack.

But contrary to other news reports, the seven key holders have not been vested with the power to resurrect the entire Internet should it be sabotaged by hackers.

Rather, they have been given encryption keys necessary for restoring a long-touted Internet security protocol that finally came into force earlier this month.

At least five key-holding members of this fellowship would have to meet at a secure data center in the United States to reboot this so-called Domain Name System Security Extensions (DNSSEC) in case of a very unlikely system collapse.

"If you round up five of these guys, they can decrypt [the root key] should the West Coast fall in the water and the East Coast get hit by a nuclear bomb," Richard Lamb, program manager for DNSSEC at ICANN, told TechNewsDaily.

ICANN is short for the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit corporation dedicated to keeping the Internet operational and responsible for assigning domain names and IP addresses.

Each person's key contains encrypted parts of the root DNSSEC key, and these keys are actually two identical copies of a smartcard, sealed in a tamper-evident plastic bag.

DNSSEC establishes a chain of authentication when a computer looks up an IP address, which is a unique identifier for an Internet-connected device. DNSSEC will ensure that Web sites and emails from them are authentic and not malicious copies that hackers can set up to steal wired funds, for example.

Some governments and top-level domains such as .org have already initiated their own version of the DNSSEC, and eventually the whole Internet will be migrated to function under the official new security umbrella.

The measure is being taken to shore up the network as international interdependence (read: world peace) comes to rely ever more on the flow of information and services over the Internet.

ICANN appointed the seven Trusted Community Representatives (TCRs) from different countries to represent regions. Paul Kane, a prominent British Internet industry head, represents Western Europe, for example. Canada, China, Burkina Faso, Trinidad and Tobago, and the Czech Republic also have representatives. The United States' "ring bearer" is Dan Kaminsky, chief scientist at Recursion Ventures.

Splitting up the encryption info amongst seven people makes it so that no one person or organization can switch the DNSSEC on or off.

Restarting the DNSSEC from scratch would be akin to rebuilding the Internet's trusted "Yellow Pages" of Web site connections and identities.

ICANN, which has two U.S. facilities in Washington, D.C. and Marina del Ray, Calif., oversees DNSSEC. The loss of both of its centers is an example of a very unlikely event that would make calling upon the key holders necessary to restore Internet security.