Last month, Paul Kane, chief executive of Community DNS, was chosen by the Internet Corporation for Assigned Names and Numbers (Icann) from over 60 nominees to be the western European holder of one of the seven fragments of a cryptographic key designed to protect the internet from malicious attack.
Following numerous misleading reports in the national media describing the keys as a means of 'rebooting the system at the heart of the internet', Kane explained to Computing.co.uk that they do not in fact restart or reboot the internet, but are actually used to restart a new security system underlying it in the case of a disaster.
The security system is DNSSEC (DNS Security Extensions) and the seven keys issued can be combined to create a parent that protects the root zone key and can restart the internet's security system in the event of a catastrophic attack.
“I'm very happy to be involved in promoting DNSSEC, and ensuring safeguards are in place to ensure that DNSSEC signing of the root zone is robust enough to withstand a catastrophic attack,” said Kane.
Launched by Icann on 15 July, DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for authenticating DNS data such as web addresses.
Kane explained: “DNSSEC frustrates the guys trying to spoof legitimate parties, perhaps through a man-in-the-middle attack where they pretend to be a banking web site. The fake site interfaces with the legitimate site creating a transparent proxy, and they get all the bank or credit card details. DNSSEC frustrates this sort of attack.”
On the key fragment he was given, Kane said: “The fragment I hold is part of the key that is protecting the root generation key. The parent key needs to be safeguarded and rebuilt in a disaster. Usually one only uses the child key in day-to-day cryptography. If the child key is compromised, you need to firstly remove it, and use another child key, [but these fragments lend] a source of authority going higher up the tree. My key is part of the encryption key that protects the root zone key [the parent].
“There are seven key holders. You need five key holders to go to the US to start the process of recovering the root zone key. I am a recovery key shareholder.”
But DNSSEC potentially brings disadvantages owing to its large bandwidth requirement. Although the DNSSEC question is one data packet, the answer can be multiple packets, and potentially around eight times larger than it was prior to DNSSEC deployment. This means that an organisation’s return bandwidth needs to be at least eight times larger than it was to function at the same speed.
A malicious attack following DNSSEC deployment could take the form of a hacker asking lots of bogus DNSSEC questions, so that the signed answers come back multiple packets larger than the questions that were sent and fill the available bandwidth.
This would result in a denial of service for legitimate users.
A corporation looking to deploy DNSSEC would need to ensure that it not only has sufficient bandwidth but also additional processing resources.
"Before DNSSEC implementation, verification is defined as a simple question in, simple answer out. After deployment, it’s a simple question in, and a complex, cryptographically signed answer out which uses processing power," said a source close to the development of DNSSEC.
“Corporations need to ensure they’ve considered all the ramifications of deploying DNSSEC. While it gives additional security to their users, infrastructure may need to be enhanced to reflect the additional demands DNSSEC places on it,” said Kane.