5

Every three months, 7 people fly to a secure ICANN server building and go through an elaborate ceremony to generate a new signing key for DNSSEC. The entire affair appears to be based on politics and not any real security model. If the private keys have not been compromised then no-one else can sign any records, regardless of their control of equipment external to the signing server.

If you are front-loading all of your trust in having the private keys protected, why wouldn't they just ensure that the signing server itself would self-destruct if it was tampered with? You can protect against anyone fiddling with the inputs/outputs by placing 3 of these tamper-proof boxes in different locations world and synchronizing their output. They could be housed in a UN base or a location where the security is jointly handled by countries with semi-adversarial relations (like China and the US) and monitored via a webcam.

Keys would only need to be refreshed if one of the servers goes offline for any reason or if hardware upgrades are needed.

Indolering
  • 862
  • 6
  • 21
  • I would like to add that's it's entirely feasible to build a tamper-proof server. You could, for example, just monitor the electrical resistance of the case and set off some thermite if it changes. – Indolering Mar 04 '14 at 05:44

3 Answers3

5

In theory, you're probably right.

In practice, you need to test all the policies, processes and tools regularly, else you don't know if the members involved are capable of executing the procedure.

From personal experience, there's a serious problem with authority and capability in key management. People who have the authority don't have the capability, and people with the capability are in high demand and don't stay around long enough to be depended upon. Even people with the capability and authority often don't have the diligence to keep up with the requirements.

Try handing your boss a USB key and tell him "you have to put this in your home safe, safety deposit box, or whatever. You have to make sure that it doesn't corrupt over time, but that it's offline. It's vital that you pass it on to whomever replaces you." Don't ask him for that key or talk about that key for two years. Then after two years, in an emergency, ask him to fly out to some datacenter with the key. Or worse, ask the guy who replaced him.

Now you need 5 of 7 similar bosses around the world to show up and provide their keys.

By executing procedures periodically, you ensure that the processes are at least on people's calendars and on people's minds. There's logs in the audit books and mistakes in procedures can be corrected.

N.b., I don't know much about the DNSSEC key signing ceremony, only skimmed the docs a couple times, but I do have experience managing key signing ceremonies and in security policies.

mgjk
  • 7,525
  • 2
  • 22
  • 34
  • They have an M-of-N system here and you could test the integrity of their keys and the system every three months without creating a new signing key. – Indolering Mar 04 '14 at 23:27
  • 1
    "...and the system..." - you can also test backups without performing a restore. In theory, it can be ridiculous, but it's the details which always get you. – mgjk Mar 06 '14 at 11:06
3

Sometimes security is just a ceremony you want to sell to the whole world. The bigger the ceremony the most secure it appears to be. Sometimes enterprises, for commercial purposes, goes through overcomplicated installations and ceremonies to "sell security".

On the other hand, and moving out politics and into security, we don't really know the security analysis results, maybe the implications of the keys to be exposed or cracked are so huge that they can only take the risk during three months, and consider also the costs of these ceremonies, it is just tiny in comparison with company's earnings. You can find the DNSSEC security policy in this link. Maybe it will throw some clues.

As a final word, it seems like you are rolling your own scheme over this very specific problem, why will tamper boxes work better than this scheme? Why is it more secure or more appropiate?

kiBytes
  • 3,470
  • 17
  • 26
  • Thanks for the link, I will go over it when I can. However, note that ICANN does not bear the cost of these ceremonies, all of the key signers have to fly there on their own dime. If the box can run for 3 months without human intervention then it can run a full year without human intervention. – Indolering Mar 04 '14 at 23:31
  • I believe that the refresh can only protect against failures which may have occurred during the last key signing. If the integrity of the key is compromised outside of the key ceremony, it means the equipment itself has been compromised. My proposal focuses makes any "auditing" of the equipment continuous. Perhaps there is something in that god-awful spec you linked to, I'll go digging : ) – Indolering Mar 04 '14 at 23:40
1

I actually spoke with someone who works with one of the key holders and it has to do with the key length of the zone signing key. Basically, there is a 2048 bit Key Signing Key (KSK) that signs a 1024 bit Zone Signing Key (ZSK) and a new ZSK is generated at each of these meetings. This is done for performance reasons, you already have to shove a lot into a single 520 byte UDP packet.

DNSSEC has also made DNS amplification a favorite for DDoS attacks and I would assume that longer keys would only make the situation worse.

Indolering
  • 862
  • 6
  • 21