Internet security depends on seven master keys guarded by 14 people

DDoS attacks on Dyn, a major DNS provider, that for a few hours prevented the world from accessing Twitter, Netflix or Spotify have shown us the importance of DNS in the proper operation of the network. Domain Name System converts addresses like Xataka.com into numeric IP addresses that are understandable by computers, making this technology the Internet’s master key.

A few weeks ago we learned that the keys to accessing the computers that control the DNS were no longer in the hands of the United States, and that they came to be controlled solely and exclusively by ICANN. Therefore ICANN is an organization that protects the Internet, and as if it were a spy movie, it does it with 7 access keys to its main computer that distributes between 14 people. The true guardians of the network of networks.

Every three months since 2010, the guardians of the seven keys gather to perform a kind of security ritual in which they update and verify the keys that allow them to have access to the device that generates all the Internet’s master keys, the keys with which to access the main ICANN database.

And what if someone with bad intentions got access to this ICANN database? Basically it would have the control of the Internet, and that for example could send us to fraudulent addresses when we wrote the URL of a web. We can imagine it as a phishing at epic levels, you can write the address of your bank and take you to a fraudulent account where you steal your credentials.

The Seven Keys Ritual

ICANN has seven physical keys that it distributes to fourteen people, of whom seven are “titular” bearers and the other seven remain as substitutes. These keys give access to safes, within which are the cryptographic cards with which to generate a new SKR (Signed Key Response), which in turn contains new keys that will have to be distributed over the Internet to secure DNS systems.

But the process is not as simple as it seems, since before arriving at the main computer to generate the new SKR it is necessary to pass a whole security ritual. Key holders have to overcome a series of locked doors with access keys and hand scanners until they reach a secured room so that electronic communications can not be made, and in that room is where keys are updated.

The entire event is scripted, and is recorded and audited methodically. It is more the steps that have to follow the participants have been described and distributed among attendees and participants so that anyone can detect that something is not being done as it should. Once the ceremony is over, everything is more casual and Internet owners leave for a restaurant.

In an exercise in transparency, ICANN publishes the scripts for each ceremony and broadcasts it around the world. The next one will take place next October 27 and will be especially relevant, since for the first time will be made the change of the cryptographic master key that ensures that we go to the web that we should when we enter it from the browser.