A “new” system that records every move, stores all passwords and homogenizes software and that will control the net from 3 major hubs.
by John Markoff
June 25, 2011
A small group of Internet security specialists gathered in Singapore this week to start up a global system to make e-mail and e-commerce more secure, end the proliferation of passwords and raise the bar significantly for Internet scam artists, spies and troublemakers.
“It won’t matter where you are in the world or who you are in the world, you’re going to be able to authenticate everyone and everything,” said Dan Kaminsky, an independent network security researcher who is one of the engineers involved in the project.
The Singapore event included an elaborate technical ceremony to create and then securely store numerical keys that will be kept in three hardened data centers there, in Zurich and in San Jose, Calif. The keys and data centers are working parts of a technology known as Secure DNS, or DNSSEC. DNS refers to the Domain Name System, which is a directory that connects names to numerical Internet addresses. Preliminary work on the security system had been going on for more than a year, but this was the first time the system went into operation, even though it is not quite complete.
The three centers are fortresses made up of five layers of physical, electronic and cryptographic security, making it virtually impossible to tamper with the system. Four layers are active now. The fifth, a physical barrier, is being built inside the data center.
The technology is viewed by many computer security specialists as a ray of hope amid the recent cascade of data thefts, attacks, disruptions and scandals, including break-ins at Citibank, Sony, Lockheed Martin, RSA Security and elsewhere. It allows users to communicate via the Internet with high confidence that the identity of the person or organization they are communicating with is not being spoofed or forged.
Internet engineers like Mr. Kaminsky want to counteract three major deficiencies in today’s Internet. There is no mechanism for ensuring trust, the quality of software is uneven, and it is difficult to track down bad actors.
One reason for these flaws is that from the 1960s through the 1980s the engineers who designed the network’s underlying technology were concerned about reliable, rather than secure, communications. That is starting to change with the introduction of Secure DNS by governments and other organizations.
The event in Singapore capped a process that began more than a year ago and is expected to be complete after 300 so-called top-level domains have been digitally signed, around the end of the year. Before the Singapore event, 70 countries had adopted the technology, and 14 more were added as part of the event. While large countries are generally doing the technical work to include their own domains in the system, the consortium of Internet security specialists is helping smaller countries and organizations with the process.
The United States government was initially divided over the technology. The Department of Homeland Security included the .gov domain early in 2009, while the Department of Commerce initially resisted including the .us domain because some large Internet corporations opposed the deployment of the technology, which is incompatible with some older security protocols.
Internet security specialists said the new security protocol would initially affect Web traffic and e-mail. Most users should be mostly protected by the end of the year, but the effectiveness for a user depends on the participation of the government, Internet providers and organizations and businesses visited online. Eventually the system is expected to have a broad effect on all kinds of communications, including voice calls that travel over the Internet, known as voice-over-Internet protocol.
“In the very long term it will be voice-over-I.P. that will benefit the most,” said Bill Woodcock, research director at the Packet Clearing House, a group based in Berkeley, Calif., that is assisting Icann, the Internet governance organization, in deploying Secure DNS.
Secure DNS makes it possible to make phone calls over the Internet secure from eavesdropping and other kinds of snooping, he said.
Security specialists are hopeful that the new Secure DNS system will enable a global authentication scheme that will be more impenetrable and less expensive than an earlier system of commercial digital certificates that proved vulnerable in a series of prominent compromises.
The first notable case of a compromise of the digital certificates — electronic documents that establish a user’s credentials in business or other transactions on the Web — occurred a decade ago when VeriSign, a prominent vendor of the certificates, mistakenly issued two of them to a person who falsely claimed to represent Microsoft.
Last year, the authors of the Stuxnet computer worm that was used to attack the Iranian uranium processing facility at Natanz were able to steal authentic digital certificates from Taiwanese technology companies. The certificates were used to help the worm evade digital defenses intended to block malware.
In March, Comodo, a firm that markets digital certificates, said it had been attacked by a hacker based in Iran who was trying to use the stolen documents to masquerade as companies like Google, Microsoft, Skype and Yahoo.
“At some point the trust gets diluted, and it’s just not as good as it used to be,” said Rick Lamb, the manager of Icann’s Secure DNS program.
The deployment of Secure DNS will significantly lower the cost of adding a layer of security, making it more likely that services built on the technology will be widely available, according to computer network security specialists. It will also potentially serve as a foundation technology for an ambitious United States government effort begun this spring to create a system to ensure “trusted identities” in cyberspace.