Unthinkable: the Internet is controlled by 14 people-IT information
It sounds like the plot of the da Vinci Code, but it is true: the Internet consists of 14 hands seven key people protected under guard.
A few days later, they will hold a signing ceremony (Root Signing Ceremony) the historic ceremony.
Friday night, the whole world knows how important their organizations. United States on October 21 in the morning, many Western users suddenly unable to access social networking sites including Twitter, and Tumblr. Dynamic Network Service that provides domain name services for sites the company (referred to as Dyn), starting from Friday at 7 o'clock in the morning local time, the domain name system (DNS) service encountered large-scale distributed "denial of service" (denial-of-service) to attack, after attack is resolved in the first round, Dyn said at noon in the day suffered a second round of attacks.
Dyn is the main provider of DNS. DNS such as businessinsider.com (easier for humans to remember) site into the numeric IP address of the computer to recognize it.
Although hackers never gained control of the Dyn networking, but they succeeded by distributed denial of service attack that is offline for a few hours. That underscores the Internet depends on DNS.
If you control all the DNS, you control the entire Internet
The top of the DNS by the small number of people from all over the world to protect the. Their job titles are encrypted (Crypto officer).
Since 2010, some of them (usually not all) will meet once every three months, a top secret ceremony was held. This ceremony is called "key" ceremony (Key Ceremony). At the ceremony, open Internet lock key will be validated and updated.
Person who organized the ceremony from a group called "Internet Corporation for assigned names and numbers" (ICANN) Organization. ICANN's role is to assign IP addresses to Web sites, and computers.
If someone took control of ICANN's database, then that person can control almost the entire Internet. For example, this person can send people to a fake banking Web site, rather than a real Bank Web site.
In order to protect the DNS,ICANN proposed a able to protect DNS, and does not grant any individual control mechanisms. The organization chose seven people as key holder, and give everyone a copy of the key that can open the Internet. It also chose seven people as a backup key holder. A total of 14 people. Requires at least three key people to participate in the ceremony, as unlocked devices to protect DNS needs three keys.
Highly programmed ceremony
Physical key used to unlock the safe, safe is a smart card key. You need lots of keys to open the create master key equipment on the Internet.
The master key is actually called "root key signing key" (root key-signing key) the computer code. It is an Access database password of ICANN. This key can generate more keys. In various Internet safety organizations around the world use these keys to protect all aspects of the Internet.
Key ceremony security measures are very strict. Participants need to repeatedly scan fingerprints, use more than one key code, enter the room to open the doors. This room is closed, even the electrical signals are passed out. Encryption with other ICANN officials, observers and some guest collection.
Entire activity program is choreographed in advance, someone would videotape and supervision. Participant one step brochure of this beforehand, if there are any errors, the whole room will know.
Ceremony participants according to a pre-established procedure, after the one line out of the room. It is said that they will go to a local restaurant to celebrate.
All of this is safe, but the Internet is open, do not belong to any single entity. The Internet is in the United States invented, but the United States earlier this month to give up its management of DNS for decades, formally handed over to ICANN in charge.
ICANN is aware of its international role, as well as global confidence, so the Organization let anyone overseeing the ceremonies. They provide live video on the Internet, and each step of the ritual book.
On October 27, ICANN will hold another ceremony. This time will also be historic. The Organization will first change master key itself. Technically speaking, it would change guaranteed DNS security relies on "key pair". This key pair is called "root zone signing key" (Root Zone Signing Key).
"If you have the key, and be able to build your own root zone signing, you will be able to redirect a lot of traffic. "ICANN Vice President make·lasen said.
不可思议:整个互联网竟然被14个人控制着 - IT资讯
这听起来像《达芬奇密码》里的情节,但却是真实存在的:整个互联网由14个手中掌握着七把受严密保护的钥匙的人保护着。
过几天,他们将举行一个称为根签署仪式(Root Signing Ceremony)的历史性仪式。
星期五夜间,整个世界都知道他们所在的组织有多重要了。美国时间10月21日早晨,许多西方用户突然发现包括Twitter、Tumblr等社交网站无法登陆。为这些网站提供域名服务的Dynamic Network Service公司(简称Dyn)称,从当地时间周五上午7点开始,其域名服务系统(DNS)服务遭遇到大规模分布式“拒绝服务”(denial-of-service)的攻击,在第一轮攻击得以解决以后,Dyn称又在当天中午遭遇到第二轮攻击。
Dyn是DNS的主要提供商。DNS将诸如businessinsider.com(让人类更易于记住)的网址转化成计算机能够识别的数字IP地址。
虽然黑客从来没有获得对Dyn网络的控制权,但他们成功地通过分布式拒绝服务攻击使其离线了几个小时。这凸显了互联网对DNS的依赖程度。
如果你控制了所有的DNS,你就控制了整个互联网
DNS的最顶端由来自世界各地的少数几个人保护着。他们的职务名称是加密员(crypto officer)。
自2010年以来,他们中一些人(通常不会所有人都到场)每三个月就会聚会一次,举行一个高度保密的仪式。这个仪式被称为“钥匙仪式”(Key Ceremony)。在仪式中,打开互联网之锁的钥匙将会被验证和更新。
举办该仪式的人员来自一个名为“互联网名称与数字地址分配机构”(ICANN)的组织。ICANN的职责是为网站和计算机分配IP地址。
如果有人控制了ICANN的数据库,那么这个人几乎就可以控制整个互联网。比如,这个人可以向人们发送假冒银行网址,而不是真正的银行网址。
为了保护DNS,ICANN提出了一个能够保护DNS,同时又不会授予任何个人过多控制权的机制。该组织选择了七个人作为钥匙持有人,并给每个人一份能够打开互联网的密钥。它还选择了七个人作为备份密钥持有人。总共是14人。仪式要求至少三个持有钥匙的人参加,因为解锁保护DNS的设备需要三个钥匙。
高度程序化的仪式
物理钥匙用来解锁保险箱,保险箱里面是智能钥匙卡。你需要很多钥匙才能打开生成互联网主密钥的设备。
该主密钥实际上是一种被称为“根密钥签名密钥”(root key-signing key)的计算机代码。它是可访问ICANN主数据库的密码。这个密钥可以生成更多的密钥。位于世界各地的各种互联网安全组织使用这些密钥保护互联网的方方面面。
钥匙仪式的安全措施非常严格。参与者需要多次扫描指纹,使用多个密钥代码,才能打开进入会议室的一道道门。这个会议室是密闭的,连电子信号都传不出去。加密员将在这里同其他ICANN官员和一些客人、观察员集合。
整个活动的程序都是预先编排好的,有人会进行录像和监督。参与者人手一本事先做好的步骤册子,如果发生任何偏差,整个房间的人都将知道。
参与者按预先制定的步骤举行仪式,完毕之后,一个一个地排队走出房间。据说他们会去当地的餐馆庆祝一番。
所有这一切都是安全的,但互联网是开放的,不属于任何单一的实体。互联网是在美国发明的,但美国在本月早些时候放弃了它对DNS几十年的管理,正式交给ICANN负责。
ICANN十分清楚其在国际上的作用以及全球对他们的信任,因此该组织让任何人监督这个仪式。他们在互联网上提供视频直播,还发布了每次仪式的步骤册子。
10月27日,ICANN将再次举行仪式。这一次也将是历史性的。该组织将第一次改变主密钥本身。从技术上讲,它会改变保证DNS安全所依赖的“密钥对”。这个密钥对被称为“根区域签名密钥”(Root Zone Signing Key)。
“如果你有这个密钥,并能够生成自己的根区域签名,你将能够重定向大量的流量。”ICANN研究副总裁马克·拉森表示。