Linked by Thom Holwerda on Fri 21st Jun 2013 19:08 UTC
Legal "Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency. The sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate." Woah.
RE[7]: Enough already
by Alfman on Mon 24th Jun 2013 12:54 UTC in reply to "RE[6]: Enough already"
Alfman Member since: 2011-01-28

Lennie,

"The root operators actually can refuse to accept changes."

The root keys aren't intended to be changed, if they were it would be a big deal.

"The root operators are multiple independent organisations."

We need to distinguish between the TLDs and the DNSSEC root key. In theory either could be compromised, but it's the private component of the static root key that would give an attacker the capability to subvert DNSSEC in its entirety.

It's said that the root key was divided by ICANN among 7 individuals residing in different countries: Britain, the U.S., Burkina Faso, Trinidad and Tobago, Canada, China, and the Czech Republic. The official procedure is for five to be present on US soil to reveal the root key. (I'm learning some of this right now, so feel free to cite corrections if I'm mistaken on something.)

https://www.schneier.com/blog/archives/2010/07/dnssec_root_key.html

Edit: I'm not sure how difficult it would be for the NSA to obtain the keys from these individuals. They might bug the computers being used (hardware or software), they might copy the keys while the individuals are sleeping, some might be hired by the NSA, there's blackmail/threats, etc. I can only speculate here since I have no actual experience with espionage ;)

Edited 2013-06-24 13:11 UTC

Reply Parent Score: 2

RE[8]: Enough already
by Lennie on Mon 24th Jun 2013 13:29 in reply to "RE[7]: Enough already"
Lennie Member since: 2007-09-22

No, no, the root operators are people that operate the root servers: http://root-servers.org/

The people that run a.root-servers.net are a different bunch of people than the people that run k.root-servers.net

ICANN sends them a new root-zone/updates, but they can refuse to update their servers. It is not a fully automated system.

There are lots of procedures around updating the root-zone.

If you want to know how the DNSSEC-keys are signed and handled: http://www.root-dnssec.org/documentation/

It is not enough to get some of the keys from some of the people and you need physical access to the facilities...

There are lots and lots of steps involved in this process. You can watch how they did it here:

http://dns.icann.org/ksk/
http://data.iana.org/ksk-ceremony/

Reply Parent Score: 2

RE[9]: Enough already
by Alfman on Mon 24th Jun 2013 18:17 in reply to "RE[8]: Enough already"
Alfman Member since: 2011-01-28

Ok we're cross talking here. You're talking about the root DNS zones, DNSSEC changes nothing in regards to how these zones are managed, I'm speaking strictly in terms of the cryptographic root signing keys for DNSSEC itself. The mathematical properties which allow PKI to provide immense scalability also make it imperative that the root keys must never be leaked, otherwise the entire chain of trust is broken.

If I had access to the DNSSEC root signing key, I could then create a fictitious chain of trust stemming from root and conduct man in the middle attacks against all DNSSEC implementations which trust the official public keys, which will be all of them. I don't need physical access to the root nameservers to pull it off, just the ability to intercept and forge packets to the target who will trust my forgeries because my cryptographic signatures will be valid. *THIS* is what I'm talking about. I'm *NOT* talking about coercing zone administrators to change the zone, that's completely different from breaking the cryptographic chain of trust.

Reply Parent Score: 2