"If you had this key ... You would be in the position to redirect a tremendous amount of traffic"--- almost as much as Google.
On Wednesday, September 21, 2016 at 6:17:51 AM UTC-5, Travis wrote: > > > > > > > > > > http://motherboard.vice.com/read/the-encryption-key-that-secures-the-web-is-being-changed-for-the-first-time?utm_source=Sailthru&utm_medium=email&utm_campaign=Military%20EBB%209-20-16&utm_term=Editorial%20-%20Military%20-%20Early%20Bird%20Brief > > > The Cryptographic Key That Secures the Web Is Being Changed for the First > TimeWritten by Joseph Cox <http://motherboard.vice.com/author/JosephCox> > > September 19, 2016 // 07:10 AM EST > > Copy This URL > > Soon, one of the most important cryptographic key pairs on the internet > will be changed for the first time. > > The Internet Corporation for Assigned Names and Numbers (ICANN), the > US-based non-profit responsible for various internet infrastructure tasks, > will change the key pair that creates the first link in a long chain of > cryptographic trust that lies underneath the Domain Name System, or DNS, > the "phone book" of the internet > <https://dyn.com/blog/dns-why-its-important-how-it-works/>. > > This key ensures that when web users try to visit a website, they get sent > to the correct address. Without it, many internet users could be directed > to imposter sites crafted by hackers, such as phishing websites designed to > steal information. > > “ICANN wants to be very transparent in the operation of this key because > it's important that the community trusts it,” Matt Larson, vice president > of research at ICANN <https://www.icann.org/profiles/matt-larson>, told > Motherboard in a phone call. > > DNS translates easy-to-remember domain names—such as Google.com—into their > numerical IP addresses, so computers can visit them. But DNS was never > built with security in mind. “The domain name system was designed when the > internet was a friendlier place, and there wasn't much thought of security > put into it,” Larson said. > > As a result, a particular problem has been something called DNS cache > poisoning or DNS spoofing, where a server doing the phone book-like lookups > is forced to return an incorrect IP address, resulting in traffic being > diverted somewhere else, such as a malicious site controlled by a hacker. > > To deal with this problem, many domains use DNS Security Extensions > (DNSSEC). With DNSSEC, crypto keys authenticate that DNS data is coming > from the correct place. If something dodgy has happened along the way and > the signatures don't line up, your browser will just return an error > instead of being sent to the wrong website. DNSSEC doesn't encrypt data on > the site—that's a job for protocols such as SSL or TLS—but lets you know > whether the site you're trying to visit is legitimate. > > In 2010, ICANN, along with other organisations, introduced DNSSEC > <https://www.icann.org/news/blog/changing-the-keys-to-the-domain-name-system-dns-root-zone> > > to protect the internet’s top DNS layer, the DNS root zone. > > A hierarchy of keys governs the process of DNSSEC authentication, with > different bodies responsible for each stage of the system. The top-level > root zone, managed by ICANN, is followed by the operators of different top > level domains such as .com, and then those managing individual domains, > such as MyWebsite.com. > "If you had this key ... You would be in the position to redirect a > tremendous amount of traffic" > > Each organisation in this structure has its own keys for making > signatures, and must sign the key of the entity below it. So for > MyWebsite.com, .com will sign MyWebsite.com's key, and the root will sign > .com's key. When visiting a website, this information is checked almost > instantaneously, before your computer loads up the correct site. Not > everyone uses DNSSEC, but adoption has increased over the years: Comcast > turned > it on > <http://corporate.comcast.com/comcast-voices/comcast-completes-dnssec-deployment> > > for its customers in 2012, and in 2013, Google’s own DNS service started > to fully support DNSSEC > <https://developers.google.com/speed/public-dns/docs/security#dnssec>. > > The key pair at the top of this chain, or the Root Zone Signing Key, is > what ICANN is changing for the first time. > > “If you had this key, and were able to, for example, generate your own > version of the root zone, you would be in the position to redirect a > tremendous amount of traffic,” Larson said. > > “We want to roll the key because it's good cryptographic hygiene,” he > added. > > In the same way that it might be a good idea to change your password in > case it was swept up in a data breach, changing keys every so often is a > standard security practice. > > “There is a logical possibility that somebody has cracked it and we don’t > know,” Andrew Sullivan, chair of the Internet Architecture Board > <https://www.iab.org/>, a group that oversees organisations involved in > the evolution of the internet, told Motherboard in a phone call. He > stressed, however, that there is no reason to believe the key has been > compromised. > > Indeed, ICANN incorporates some extraordinary security measures > <https://www.theguardian.com/technology/2014/feb/28/seven-people-keys-worldwide-internet-security-web>, > > and considers its potential threats as everything up to nation states. For > its quarterly ceremonies, so-called “crypto officers” from all over the > world congregate in one of the key management facilities, after passing > layers of physical and digital security. > > Another reason for the key switch is that it is going to increase in size, > from 1024 bits up to 2048. As time goes on, and computing power increases, > the chance of someone cracking the key, although still low, increases. > > “It's important to get a larger key for the root, and I don't want to see > anything delay that,” Dan Kaminsky, a renowned security researcher who > carried out much of the early work > <http://www.circleid.com/posts/87143_dns_not_a_guessing_game/> into DNS > security, told Motherboard in an email. > > ICANN wants to make the change during a period of calm, rather than having > to act quickly if the key was compromised. > > “We want to do this process when things are normal; when there's not any > kind of emergency,” Larson said. This way, if an actor does manage to get > the key somehow later, at least ICANN will have a better idea of how the > process works. > > *Read More: *Ted Cruz Is Trying to Sabotage the Internet's Governance > Transition > <http://motherboard.vice.com/read/internet-takeover-ted-cruz-icann> > > This October <https://www.iana.org/dnssec/ceremonies>, in one hyper-secure > <https://www.theguardian.com/technology/2014/feb/28/seven-people-keys-worldwide-internet-security-web> > > key management facility on the US east coast, ICANN will generate a new > cryptographic key pair. One half of that pair is private, and will be kept > by ICANN; the other is public. Internet service providers, hardware > manufacturers, and Linux developers need the public key part for their > software to connect to sites properly. > > In the first quarter of 2017, two employees will then take a copy of the > encrypted key files on a smartcard over to another facility on the west > coast, using regular commercial transport. Eventually, the public part of > the key pair will be distributed to other organisations. > > In all, the whole switchover will take around two years from start to > finish. Larson said that the new key will appear in the DNS for first time > on July 11, 2017. In October 2017, the new key will be used > <https://www.icann.org/en/system/files/files/ksk-rollover-at-a-glance-22jul16-en.pdf> > > for making signatures. > > Getting the word out in time is one of the main concerns. Although many > larger organisations will have already been monitoring the looming key > change for some time, Sullivan said there’s a chance that a piece of > hardware left on a shelf between now and the key change, such as a router > or firewall appliance, may miss the switchover and require a manual update. > > Talking to media is one way of spreading the message, but being very > public about the key change also serves another purpose that is very much > fundamental to the internet’s infrastructure generally: trust. > > “Because the internet is a network of networks and it's all voluntary, > people have to *believe *they are getting some value out of this, > otherwise they just won't use it,” Sullivan said. > > DNSSEC and other forms of authentication may seem like totally > technological solutions. But at bottom, they are also systems resting on > the fragility of human belief. > > Ultimately, no one can know with absolute certainty whether the ICANN key > has been compromised or not. > > “Trust is an ephemeral thing,” said Larson from ICANN. > > *Correction: **The Root Zone Signing Key was originally described as an > "encryption key." It is a cryptographic key pair, but not an encryption > key. The headline of this story has been amended; we regret the error.* > > > > > ------------------------------ > [image: Avast logo] <https://www.avast.com/antivirus> > > This email has been checked for viruses by Avast antivirus software. > www.avast.com <https://www.avast.com/antivirus> > > > > __._,_.___ > ------------------------------ > Posted by: "Beowulf" <beo...@westerndefense.net <javascript:>> > ------------------------------ > > > Visit Your Group > <https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmZW9zcjRqBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0NzQ0MTA1NzQ-> > > > > [image: Yahoo! Groups] > <https://groups.yahoo.com/neo;_ylc=X3oDMTJlcXU4cWk0BF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQ3NDQxMDU3NQ--> > > • Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> • > Unsubscribe <javascript:> • Terms of Use > <https://info.yahoo.com/legal/us/yahoo/utos/terms/> > > __,_._,___ > > > -- -- Thanks for being part of "PoliticalForum" at Google Groups. For options & help see http://groups.google.com/group/PoliticalForum * Visit our other community at http://www.PoliticalForum.com/ * It's active and moderated. Register and vote in our polls. * Read the latest breaking news, and more. --- You received this message because you are subscribed to the Google Groups "PoliticalForum" group. To unsubscribe from this group and stop receiving emails from it, send an email to politicalforum+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
