Fourteen people have access to fragments of a master key that can shut down or reset the internet. Deep in a highly secure, compartmentalized information facility protected by armed guards and biometric scanners, the group holds a highly scripted ritual periodically to exchange their keys and ensure that the internet is still secure.
No, this is not the plot of the latest high-tech thriller from Christopher Nolan or Steven Spielberg. It’s reality. That group, part of the Internet’s largest governing body ICANN, held the ritual several days ago after one of the largest cyber attacks took down sites like Amazon, Netflix, and others for several hours.
The cyber attack targeted Dyn, a domain name service provider, which is one of the largest companies of its kind to supply this critical web technology. Dyn acts as a translator for websites, converting domain names like realclearlife.com into the string of numbers known as an IP address that computers can more easily understand. The numbers are then cataloged in a digital phonebook of sorts called the domain name system (DNS).
Protecting the DNS is ICANN’s primary responsibility, and it is the most tantalizing target for hackers since it allows them to hide their nefarious activity in plain sight. A hacker with access to the DNS could set up a fake website in place of, say, Citibank’s, and users would never notice they weren’t going to the real thing.
In order to prevent this, the DNS is protected by one master key that is then divided into seven smart cards locked in two high-security safety deposit boxes in El Segundo, California, and Culpepper, Virginia. The smart cards are then scattered around the world in the hands of two groups of seven online security experts or crypto officers, which ICANN calls Trusted Community Representatives (TCRs). These TCRs are selected by ICANN from an open pool of applicants (apply here).
Every three months the TCRs meet at the ICANN facility in El Segundo to conduct what they call the Root Signing Ceremony, during which they exchange their master key fragments in exchange for a new one. Three crypto officers are called up, one by one, to join four ICANN staff members, where they’re asked to retrieve their smart card from the safety deposit box. Once the new key has been fully generated, it is passed on to a senior crypto officer, who then transmits it for use.
Despite the seemingly cult-like nature of the process, ICANN is insistent on making the whole operation as transparent as possible. Each ceremony is audited by two major firms to prevent fraud, and everything is recorded and timestamped to GMT for posterity. Roles are even divided in the ceremony to ensure that there’s less than a 1:1,000,000 chance the master key could be comprised.
The whole phenomenon began in 2010. Since then, the Root Signing Ceremony largely remained the same in the six years until just recently. On October 27, 2016, the group of crypto officers swapped out the master key, known as the root signing key, for the first time since the ceremony began. The change was planned before the major attack on Dyn last week, but the timing couldn’t have been better.
To learn more on the Root Signing Ceremony, read a detailed blog post from Cloudflare systems engineer and TCR Olafur Guomundsson here. For more background info on ICANN and to see footage from the first Root Signing Ceremony, watch the video below.
This article was featured in the InsideHook newsletter. Sign up now.
