1) ICANN implemented DNSSEC at the root zone using AEP Keyper HSMs to securely generate and store cryptographic keys.
2) The AEP Keyper HSMs provide the highest level of security certification (FIPS 140-2 Level 4) and have never been compromised.
3) ICANN uses a split key signing scheme, with the KSK stored offline on an encrypted smartcard for additional protection.
AEP Networks Keyper HSM & ICANN DNSSEC
1. Securing Digital Keys: High Quality Key Generation, Highest Level Key Protection. The Importance of DNSSEC. Case Study of ICANN Root Implementation. Fadi Cotran, Ph.D., Director of Technical Business Development, May 2011
2. Who Are We and What Do We Do? Provide trusted security everywhere and secure data and voice communication regardless of device, environment or location. Deliver proven security architectures to organisations all over the world including governments, enterprises and carriers.
6. RECENT DNS ATTACKS In January 2010, the websites of Amazon.com and Walmart.com were brought down due to DNS attacks. Not talked about much publicly… Their DNS servers were compromised. DNS supplier: Neustar - UltraDNS
8. EU halts trading after hacking - Sydney Morning Herald
10. More than 400 cyber attacks have affected Australian government networks in the past year, figures reveal.
11. And the latest? April 26, 2011: Sony admits that 77 million customer emails and private information were compromised on the PlayStation worldwide network. Network still out. Private information of 25 million users published on the internet. May not be a DNS attack, but…
14. Why DNSSEC? At the 2008 Black Hat Conference, Dan Kaminsky demonstrated live how you can exploit a critical flaw in DNS and hijack a website. He is credited for developing DNSSEC as the solution to prevent DNS exploits. The US Government mandated that all Federal websites implement DNSSEC by end of 2009.
16. What are DNSSEC benefits? A DNS lookup can be modified in transit to redirect an end user to an imposter or malicious site for password collection. Modification attacks carried out en masse at ISP/enterprise = cache poisoning. A lookup secured with DNSSEC is protected against modification = primary benefit. Greatest benefits may be yet to come. Why not securely distribute more than just DNS info? Other keys? Identification info? DNSSEC deployment at root and TLDs sets the stage.
27. Algorithm / Key Length • Cryptanalysis from NIST: 2048 bit RSA SHA256 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
28. ICANN PARAMETERS Split KSK and ZSK. KSK is 2048-bit RSA: rolled as required; RFC 5011 for automatic key rollovers; signatures made using SHA-256. ZSK is 1024-bit RSA: rolled once a quarter (four times per year); zone signed with NSEC; signatures made using SHA-256.
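A conformance check for the parameters on the slide above, added here as an example and not taken from the deck or from ICANN's tooling. It decodes a DNSKEY record in presentation format and compares role, algorithm and RSA modulus length with the stated values; the sample records are constructed with a dummy modulus, and the function names are hypothetical.

```python
import base64

# Expected values from the "ICANN PARAMETERS" slide: RSA modulus bits per role.
EXPECTED_BITS = {"KSK": 2048, "ZSK": 1024}
ROLE_BY_FLAGS = {257: "KSK", 256: "ZSK"}   # DNSKEY flags; 257 has the SEP bit set
RSASHA256 = 8                               # DNSKEY algorithm number (RFC 5702)

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Decode an RFC 3110 RSA public key field and return the modulus bit length."""
    if len(pubkey) < 3:
        raise ValueError("truncated RSA key")
    if pubkey[0] != 0:                       # one-byte exponent length
        exp_len, off = pubkey[0], 1
    else:                                    # long form: 0x00 then a 16-bit length
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[off + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def check_dnskey(rdata: str):
    """Check '<flags> <protocol> <algorithm> <base64 key>' against the slide.
    Returns (role, modulus_bits, problems)."""
    flags, proto, alg, *b64 = rdata.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    role, problems = ROLE_BY_FLAGS.get(flags), []
    if role is None:
        problems.append(f"flags {flags} is neither KSK (257) nor ZSK (256)")
    if proto != 3:
        problems.append(f"protocol {proto}, DNSKEY requires 3")
    if alg != RSASHA256:
        problems.append(f"algorithm {alg} is not RSA/SHA-256 (8)")
        return role, None, problems          # key field layout depends on algorithm
    bits = rsa_modulus_bits(base64.b64decode("".join(b64)))
    if role and bits != EXPECTED_BITS[role]:
        problems.append(f"{role} modulus is {bits} bits, expected {EXPECTED_BITS[role]}")
    return role, bits, problems

def constructed_rdata(flags: int, modulus_bytes: int, alg: int = RSASHA256) -> str:
    """Build a well-formed but fake record (exponent 65537, dummy modulus)."""
    key = bytes([3, 1, 0, 1]) + b"\x80" + bytes(modulus_bytes - 1)
    return f"{flags} 3 {alg} {base64.b64encode(key).decode()}"

if __name__ == "__main__":
    for rd in (constructed_rdata(257, 256), constructed_rdata(256, 128),
               constructed_rdata(257, 128)):
        print(check_dnskey(rd))
```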
29. Crypto Officer (CO) • Have physical keys to safe deposit boxes holding smartcards that activate the HSM • ICANN cannot generate a new key or sign the ZSK without 3-of-7 COs • Able to travel up to 4 times a year to US.
30. Recovery Key Shareholder (RKSH) • Have smartcards holding pieces (M-of-N) of the key used to encrypt the KSK inside the HSM • If both key management facilities fall into the ocean, 5-of-7 RKSH smartcards and an encrypted KSK smartcard can reconstitute KSK in a new HSM • Backup KSK encrypted on smartcard held by ICANN • Able to travel on relatively short notice to US. Hopefully never. Annual inventory.
31. CO CO BCK RKSH Bevil Wooding, TT Dan Kaminsky, US Jiankang Yao, CN Moussa Guebre, BF Norm Ritchie, CA Ondřej Surý, CZ Christopher Griffiths, US Fabian Arbogast, TZ Alain Aina, BJ Anne-Marie Eklund Löwinder, SE Frederico Neves, BR Gaurab Upadhaya, NP Olaf Kolkman, NL John Curran, US Nicolas Antoniello, UY Rudolph Daniel, UK Sarmad Hussain, PK Paul Kane, UK Robert Seastrom, US Vinton Cerf, US Ólafur Guðmundsson, IS BCK Andy Linton, NZ Carlos Martinez, UY Dmitry Burkov, RU Edward Lewis, US David Lawrence, US Dileepa Lathsara, LK Jorge Etges, BR Kristian Ørmen, DK Ralf Weber, DE João Luis Silva Damas, PT Masato Minda, JP Warren Kumari, US Subramanian Moonesamy, MU
32. DNSSEC Status 2010 Signed root published 15 July, 2010. 51 TLDs: asia. be. bg. biz. br. bz. cat. ch. cz. dk. edu. eu. fi. fr. gi. gov. hn. in. info. lc. li. lk. mn. museum. na. nl. nu. org. pm. pr. pt. re. sc. se. tf. th. tm. uk. us. yt. 8 out of 16 gTLD registries are signed or in the process to be signed (e.g. .net 2010, .com 2011). Biggest change to Internet in 20+ years. Security applications built on DNSSEC.
40. Keyper Hardware: erase pinhole; 10/100 Ethernet; V24 compatible diagnostics port; 2x16 LCD; FIPS 140-2 L4 module inside; status LEDs; key switch; fold up keypad; LAN LEDs; ISO 7816 smart card reader; restart button. *10 yr battery life *External PSU *Rack mount option
44. Keyper Enterprise Performance: 1200 Signing Transactions per Second (1024-bit RSA); 500 TPS (2048-bit RSA). 100 Million Signing Transactions per Day; 42 Million TPD (2048-bit RSA). Clustering up to 16 Load Balanced Keypers: 1.6 Billion Signing Transactions per Day; 700 Million TPD (2048-bit RSA). Verisign signs 96 Million Domains under .com and 6 Million domains under .net with AEP Keypers.
45. Series K Secures Internet DNS Root Zone. “Security is a critical factor for ICANN’s DNSSEC deployment, so Keyper and FIPS Level 4 was an easy choice,” – Richard Lamb, ICANN
46. If you want to be as secure as the Root of the Internet, then deploy what ICANN implemented for security, AEP Keyper
Editor's Notes
ICANN: Internet Corporation for Assigned Names and Numbers. Responsible for top level domain names (root zone). Another core requirement was access to top-notch engineering support. ICANN/Richard Lamb needed to be sure before deploying an HSM that ICANN completely understood how the technology worked. Support contributions from AEP included advice on security policy, architectural guidance, and providing sample PKCS#11 code that Lamb could modify to meet his requirements. Hands-off maintenance reinforced ICANN’s purchasing decision. Though Lamb evaluated a competitor’s product that was priced lower than AEP Keyper, he passed on it because, “it looked clunky to operate and maintain.” Keyper is simple to deploy and manage, and can be used to completely automate the key generation and rollover process.