If you hear about the "keys to the Internet," the topic usually relates to a very specific thing — a digital key that is used to verify the security of the Domain Name System (DNS). The concept of a master key that controls such an essential function sounds like it is lifted from spy novels. It has been the subject of many stories, television, and radio shows, that focus on the idea that seven people hold keys to the Internet. These fictionalized accounts, and some of the journalistic reporting, can overplay its significance. Let's explore in simple terms what these keys are and how it's all managed.
What keys are we talking about?
The DNS is protected at the highest level using a seal of authenticity, known as the "root zone key signing key". This is often referred to more simply as the "key signing key," "root key," the root "KSK," or the "trust anchor" for the DNS. Computers around the world can verify whether the system is working correctly by examining if this seal of authenticity is present and has not been tampered with. To make this system work this seal must be applied to other keys that are used in daily operations every three months.
Where is the key signing key stored?
The key signing key is stored in two secure facilities. One is located in Los Angeles, California, the other is in Culpeper, Virginia. The facilities are duplicates of each other.
Both facilities house a specially designed ceremony room that holds the key signing key. The key itself is a computer file stored in a specialized device called a Hardware Security Module (HSM). It is designed to securely store the key, similar to an advanced computer hard drive with extra security features.
What are key ceremonies?
When the key signing key is applied to other keys every three months, it must be used in a way that proves the key signing key has not been tampered with and is not used for any other purposes. To accomplish this, a public "key ceremony" is held. At this ceremony, experts from around the world observe the key signing key being used. They also examine each step of the process to ensure it is done correctly. The entire process is recorded, livestreamed, and watched by independent auditors.
Who are the experts that attend?
The experts are security specialists from around the world and ICANN org staff who are responsible for day-to-day operation of the key signing key. Most of the experts who are not on staff are referred to as trusted community representatives, as their job is to represent the broader technical community in the proceedings. In addition to these experts and other participants, members of the media and others who can promote awareness of the key ceremonies often attend.
What are the experts' roles in the ceremony?
Each person has a different role. Access to the key signing key is designed in such a way that many different people need to attend for it to work for added security. Some people are able to access smart cards used to turn on the HSM. Others have combinations to a safe that stores the HSM. Others have keys used to enter the room. Access to the facility is granted by individuals who are completely offsite. Together, at least a dozen people are needed at each ceremony to open and activate all the pieces required to use the key signing key.
What are the ceremonies like?
Each ceremony takes between three and eight hours. Ceremonies follow a rigorous and precise script step-by-step, with each step meticulously followed and verified. This can take a lot of time.
Why is it important to ensure the key is handled correctly?
The key signing key is only valuable if there is a guarantee it hasn't been copied or duplicated by other people. To do this, it must be proven that the key signing key is only used for its proper purpose in these quarterly ceremonies. If there was a risk that the key signing key was used in an unauthorized way, there would be no guarantee it hadn't been duplicated and the seal of authenticity would become useless.
What are the main components keeping the key safe?
There are three essential things to consider:
- The most important principle of the process is preserving the "chain of custody." Much like evidence the police may collect at a crime scene, this involves storing all the components to use the key signing key in a way that proves it hasn't been tampered with for future use. By tagging and bagging all the components in tamper-evident bags and recording on video each time each bag is opened or moved, we know exactly where each piece has been from the moment it is created to the moment it is no longer needed. If a bag is lost or opened in an unauthorized way, it will become obvious. The contents are then considered compromised and can no longer be trusted.
- Access to the facility is controlled by many layers of physical security. The bags are stored in safes, which are stored in cages, which are stored in a secure ceremony room, which is housed in a high-security facility. Each layer of security requires one or more different people to access. Only during a key ceremony do all these people come together to get access to these bags. In addition, the facility has an array of sensors to detect unauthorized access that are monitored around the clock by on-site armed guards and remote technical experts.
- The hardware security module. This device stores the actual digital files that contain the key signing key. It is like a very specialized hard drive. It has special protections that allow it to self-destruct if it is used in an unauthorized way. If someone tries to open it, if someone drops it, if it is shaken, it will destroy the data it contains. If you try to use it without having all the required experts present, it will not function either.
What about the "seven keys to the Internet"?
There are around fifty different experts who are directly involved in key ceremonies. Twenty-one of these are selected from the global Internet community. They are divided into three groups of seven people. Each group has a different purpose. Because we need people from these groups to participate in key ceremonies as part of the security protection for the key signing key, it is often simplified to the idea that there are seven keys to the Internet, or there are seven people that control the Internet. This, however, masks the true complexity that involves many levels of overlapping controls. The complete design requires far more than seven individuals or seven keys to access or use the root zone key signing key.
Is it more complicated than this?
This is a simplified description of a complex topic. The root zone key signing key is at the top of a hierarchical public-key infrastructure containing many different keys operated by others that all interrelate. It is important to consider that the Domain Name System Security Extensions (DNSSEC) technology that these keys enable is just one tool in a large toolbox of technologies that add security to the Internet's operation.
The formal document that governs how this all works is called the DNSSEC Practice Statement. It is published, along with the archival footage of key ceremonies and other things we've discussed, at https://iana.org/dnssec.