Is this the first ever practically-deployed use of a threshold scheme?
thierry.moreau at connotech.com
Sun Aug 1 16:52:25 EDT 2010
Peter Gutmann wrote:
> Thierry Moreau <thierry.moreau at connotech.com> writes:
>> With the next key generation for DNS root KSK signature key, ICANN may have
>> an opportunity to improve their procedure.
> What they do will really depend on what their threat model is. I suspect that
> in this case their single biggest threat was "lack of display of sufficient
> due diligence", thus all the security calisthenics (remember the 1990s Clipper
> key escrow procedures, which involved things like having keys generated on a
> laptop in a vault with the laptop optionally being destroyed afterwards, just
> another type of security theatre to reassure users). Compare that with the
> former mechanism for backing up the Thawte root key, which was to keep it on a
> floppy disk in Mark Shuttleworth's sock drawer because no-one would ever look
> for it there. Another example of this is the transport of an 1894-S dime
> (worth just under 2 million dollars) across the US, which was achieved by
> having someone dress in somewhat grubby clothes and fly across the country in
> cattle class with the slabbed coin in his pocket, because no-one would imagine
> that some random passenger on a random flight would be carrying a ~$2M coin.
> So as this becomes more and more routine I suspect the accompanying
> calisthenics will become less impressive.
> (What would you do with the DNSSEC root key if you had it? There are many
> vastly easier attack vectors to exploit than trying to use it, and even if you
> did go to the effort of employing it, it'd be obvious what was going on as
> soon as you used it and your fake signed data started appearing, c.f. the
> recent Realtek and JMicron key issues. So the only real threat from its loss
> seems to be acute embarassment for the people involved, thus the due-diligence
I fully agree with the general ideas above with one very tiny exception
explained in the next paragraph. The DNSSEC root key ceremonies remains
nonetheless an opportunity to review the practical implementation details.
The exception lies in a section of a paranoia scale where few
organizations would position themselves. So let me explain it with an
enemy of the USG, e.g. the DNS resolver support unit in a *.mil.cc
organization. Once their user base rely on DNSSEC for traffic encryption
keys, they become vulnerable to spoofed DNS data responses. I leave it
as an exercise to write the protocol details of an hypothetical attack
given that Captain Pueblo in unito-223.naval.mil.cc routinely relies on
a web site secured by DNSSEC to get instructions about where to sail his
war ship on June 23, 2035 (using the unrealistic assumption that
Pueblo's validating resolver uses only the official DNS root trust anchor).
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography