If you hear about the “keys to the Internet”, the topic is usually a very specific thing — a digital key that is used to verify the security of the “domain name system”. The domain name system converts addresses you may type into your computer like “nytimes.com” into digital locations that computers can understand.
The concept of a master key that controls such an essential function sounds like it is lifted from spy novels, and leads to some fantastical stories. On the TV show Elementary, here is how it is described to Sherlock Holmes:
With a little more excitement, a March 2017 episode of The Blacklist Redemption:
It has been the subject of many stories that focus on the idea that seven people hold keys to the Internet, and even the main theme of a nine-episode radio show.
These fictionalized accounts, and some of the honest reporting, can overplay its significance. Let's explore in simple terms what it is, what these keys are and how it's all managed.
The domain name system is protected using a seal of authenticity, known technically as a “key signing key”, or the “root key”. Computers around the world can verify the system is working correctly by examining if this seal of authenticity is present and not tampered with. Every three months this seal needs to be applied to other keys that are used in daily operations to make this system work.
The key signing key is stored in two secure facilities. One is located very close to LAX airport in Los Angeles, and the other is located a couple of hours' drive from Washington D.C. in Culpeper, Virginia. Both facilities are duplicates of each other and work the same way.
Inside each facility sits a specially designed ceremony room that holds the key signing key. The key itself is a computer file stored in a specialized device designed to hold it securely; think of it as an advanced computer hard drive. We call this the hardware security module, or HSM.
Every three months when the key signing key is applied to other keys, it needs to be done in a way that proves the key signing key is not tampered with, and is not used for any other purposes. To accomplish this, a very public event is held called a “key ceremony”. At this ceremony, experts attend from around the world to use the key signing key, and examine each step of the process to ensure it is done correctly. The whole process is recorded, live-streamed, and watched by independent auditors.
The experts that attend are a mixture of security experts from all around the world, and staff who are responsible for day-to-day operation of the key signing key. The security experts that are not on staff are referred to as “trusted community representatives”, as their job is to represent the broader technical community in proceedings.
In addition to security experts, we also have members of the international media attend and other people who can promote awareness of the key ceremonies. Here is a sample from a 2015 BBC documentary:
Each person has a different role. Access to the key signing key is designed such that you need many different people to attend for it to work. This adds security because it means no one person has the ability to do anything; it requires all the people to come together. Some people are able to access smart cards used to turn on the HSM. Others have combinations to a safe that stores the HSM. Others have keys used to enter the room. Overall access to the facility is granted by others who are completely off-site. All in all, at least a dozen people are needed at each ceremony to open and activate all the pieces needed to use the key signing key.
Key ceremonies are long (each one takes between 3 and 8 hours) and usually quite tedious. Each ceremony follows a rigorous and precise script step-by-step, with each step meticulously followed and verified, which can take a lot of time. This is important to ensure the key is only used for exactly what it is intended for.
The key signing key is only valuable if there is a guarantee it hasn't been copied or duplicated by other people. The seal of authenticity can only be trusted if it is known that no forgeries of the seals it makes are possible. To do this, it must be proven that the key signing key is only used for its proper purpose in these quarterly ceremonies. If there were a risk that the key signing key had been used in an unauthorized way, there would be no guarantee it hadn't been duplicated, and the seal of authenticity it gives would become useless.
There are three main things to consider:
The most important principle of the process is preserving the “chain of custody”. Much like evidence that police may collect at a crime scene, this involves storing all the components to use the key signing key in a way that proves it hasn't been tampered with for future use. By tagging and bagging all the components in tamper-evident bags, and recording on video each time each bag is opened or moved, we know exactly where each piece has been from the moment it is created to the moment it is no longer needed. If a bag is lost or opened in an unauthorized way, it will become obvious. The contents are then considered compromised and can no longer be trusted.
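The physical chain of custody described above has a direct digital counterpart: an append-only log in which every entry commits to the one before it, so that an entry cannot be altered or removed later without every subsequent link breaking. The Go program below is an added illustration of that idea, not code from the original post or from IANA's ceremony tooling; the bag serials, actions and witness names are constructed, and the consistency rules (a bag is sealed once, may be moved only while sealed, and is retired once opened) are a simplified model of the practice the text describes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Event is one custody record: what happened to which tamper-evident bag,
// who witnessed it, and a hash that also covers the previous entry.
type Event struct {
	Seq     int
	Bag     string // tamper-evident bag serial (constructed values below)
	Action  string // "sealed", "moved" or "opened"
	Witness string
	Prev    string // hex digest of the previous entry (all zeros for the first)
	Hash    string // hex digest of this entry, including Prev
}

// digest length-prefixes each field so field boundaries are unambiguous.
func digest(e Event) string {
	var b strings.Builder
	for _, f := range []string{fmt.Sprint(e.Seq), e.Bag, e.Action, e.Witness, e.Prev} {
		fmt.Fprintf(&b, "%d:%s", len(f), f)
	}
	sum := sha256.Sum256([]byte(b.String()))
	return hex.EncodeToString(sum[:])
}

var genesis = strings.Repeat("0", 64)

type Log struct{ Events []Event }

// Append links a new entry to the current tail of the log.
func (l *Log) Append(bag, action, witness string) {
	prev := genesis
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := Event{Seq: len(l.Events) + 1, Bag: bag, Action: action, Witness: witness, Prev: prev}
	e.Hash = digest(e)
	l.Events = append(l.Events, e)
}

// Verify checks every hash link and that each bag's history is physically
// possible: sealed once, moved only while sealed, nothing after being opened
// (in practice the contents go into a fresh bag with a new serial).
func (l *Log) Verify() error {
	prev := genesis
	state := map[string]string{} // bag serial -> "sealed" or "open"
	for i, e := range l.Events {
		if e.Seq != i+1 {
			return fmt.Errorf("entry %d: sequence gap", i+1)
		}
		if e.Prev != prev || digest(e) != e.Hash {
			return fmt.Errorf("entry %d: hash chain broken", e.Seq)
		}
		prev = e.Hash
		switch {
		case e.Action == "sealed" && state[e.Bag] == "":
			state[e.Bag] = "sealed"
		case (e.Action == "moved" || e.Action == "opened") && state[e.Bag] == "sealed":
			if e.Action == "opened" {
				state[e.Bag] = "open"
			}
		default:
			return fmt.Errorf("entry %d: %q on bag %s is inconsistent with its history", e.Seq, e.Action, e.Bag)
		}
	}
	return nil
}

// SampleLog builds a small constructed custody history for one ceremony.
func SampleLog() *Log {
	l := &Log{}
	l.Append("TEB-0001", "sealed", "operator 1")
	l.Append("TEB-0001", "moved", "witness 2")
	l.Append("TEB-0001", "opened", "witness 3")
	l.Append("TEB-0002", "sealed", "operator 1")
	return l
}

func main() {
	l := SampleLog()
	fmt.Println("original:", l.Verify())
	l.Events[1].Witness = "someone else" // rewrite history after the fact
	fmt.Println("edited:  ", l.Verify())
}
```

Hash chaining catches edits and deletions anywhere in the middle of the log, but not silent truncation of the tail; that is why the newest hash (or, in the physical world, the newest bag) has to be anchored somewhere outside the log itself, which is the role the video record and the on-site witnesses play in the post's description.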
Access to this facility is controlled by many layers of physical security. The bags are stored in safes, which are stored in cages, which are stored in a secure ceremony room, which is stored in a high-security facility. Each layer of security requires one or more different people to access. Only in the context of a key ceremony do all these people come together to get access to these bags. In addition, the facility has an array of sensors to detect unauthorized access, which are monitored 24×7 by on-site armed guards and remote technical experts.
The third is the hardware security module, the device that stores the actual digital files containing the key signing key. It is like a very specialized hard drive. It has special protections that allow it to “self-destruct” if it is used in an unauthorized way. If someone tries to open it, drops it, or shakes it, it will destroy the data it contains. If you try to use it without having all the required experts present, it will not function either.
There are around fifty different experts that are involved in key ceremonies. Twenty-one of these are selected from the global Internet community, and they are divided into 3 groups of 7 people. Each group has a different purpose. Because we need people from these groups to participate in key ceremonies as part of the security protection for the key signing key, it is often simplified to the idea that there are 7 keys to the Internet, or there are 7 people that control the Internet. This, however, masks the true complexity that involves many levels of overlapping controls. See https://www.icann.org/news/blog/the-problem-with-the-seven-keys for a more detailed explanation.
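The rule that no single person can operate the HSM, and that a fixed number of the seven in a group must be present, is the kind of control cryptographers implement with a threshold scheme. The Go program below is an added example of the best-known one, Shamir's secret sharing, and is not IANA's code: the post does not describe the mechanism inside the root KSK's HSM, so the 3-of-7 parameters and the secret string are constructed purely to show the property that any three shares recover the secret while any two yield nothing useful.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is 2^127 - 1 (a Mersenne prime); the secret must be smaller than it.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))

// Share is one participant's piece: the polynomial evaluated at x = X.
type Share struct {
	X int
	Y *big.Int
}

// Split builds a random polynomial of degree k-1 whose constant term is the
// secret and hands out its value at x = 1..n. Any k points fix the polynomial.
func Split(secret *big.Int, k, n int) ([]Share, error) {
	if k < 1 || n < k || secret.Sign() < 0 || secret.Cmp(prime) >= 0 {
		return nil, errors.New("invalid threshold parameters or secret")
	}
	coef := make([]*big.Int, k)
	coef[0] = new(big.Int).Set(secret)
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef[i] = c
	}
	shares := make([]Share, n)
	for x := 1; x <= n; x++ {
		y := big.NewInt(0)
		for j := k - 1; j >= 0; j-- { // Horner's rule, mod p
			y.Mul(y, big.NewInt(int64(x)))
			y.Add(y, coef[j])
			y.Mod(y, prime)
		}
		shares[x-1] = Share{X: x, Y: y}
	}
	return shares, nil
}

// Combine interpolates the polynomial at x = 0 (Lagrange) from the shares
// given. With fewer than k shares the result is simply an unrelated value.
func Combine(shares []Share) *big.Int {
	secret := big.NewInt(0)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(int64(si.X))
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(int64(sj.X))
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, prime)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		secret.Add(secret, term).Mod(secret, prime)
	}
	return secret
}

// Recover splits secret k-of-n, then reconstructs it from the chosen
// 1-based share indices, returning the recovered bytes.
func Recover(secret []byte, k, n int, pick []int) ([]byte, error) {
	shares, err := Split(new(big.Int).SetBytes(secret), k, n)
	if err != nil {
		return nil, err
	}
	subset := make([]Share, 0, len(pick))
	for _, i := range pick {
		subset = append(subset, shares[i-1])
	}
	return Combine(subset).Bytes(), nil
}

func main() {
	secret := []byte("ceremony-secret") // constructed; 15 bytes, well under the prime
	got, _ := Recover(secret, 3, 7, []int{1, 4, 7})
	fmt.Printf("three of seven: %q\n", got)
	got, _ = Recover(secret, 3, 7, []int{1, 4})
	fmt.Printf("two of seven:   %q\n", got)
}
```

The point to notice is in Combine: two shares of a degree-2 polynomial still produce an answer, just a wrong one, and a different random polynomial would have given a different wrong answer, so the two holders learn nothing about the secret. Real HSMs implement the same threshold idea over smart cards, which is what lets the post say that no one person has the ability to do anything.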
This is a complex topic and the details of how the key signing key works have been simplified. The technology is formally called “DNSSEC” and the master key we are talking about is the key signing key for the “root zone”, which protects the delegations of top-level domains. In practice, the key signing key is the top of a hierarchical public-key infrastructure containing many different keys that all interrelate. It is important to consider that DNSSEC is just one tool in a large toolbox of technologies that add security to the Internet's operation.
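The "seal of authenticity applied every three months to other keys" from earlier in the post, and the hierarchy just mentioned, can be shown concretely. The Go program below is an added model of that two-level chain and is not code from the original post or from IANA: a key signing key (KSK) signs the zone signing key (ZSK) with a validity window of about a quarter, the ZSK signs an ordinary record with a short window, and a resolver holding only the KSK public key as its trust anchor validates the record by walking the chain. ed25519 is used to keep the code short (it is a registered DNSSEC algorithm, but the root zone uses RSA/SHA-256), the DNSKEY and RRSIG wire formats are not reproduced, and the key material and the delegation record are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Signature carries the validity window the signer committed to.
type Signature struct {
	Inception, Expiration time.Time
	Sig                   []byte
}

// toBeSigned binds the window to the data so the dates cannot be altered later.
func toBeSigned(data []byte, inc, exp time.Time) []byte {
	prefix := inc.UTC().Format(time.RFC3339) + "|" + exp.UTC().Format(time.RFC3339) + "|"
	return append([]byte(prefix), data...)
}

func Sign(priv ed25519.PrivateKey, data []byte, inc, exp time.Time) Signature {
	return Signature{Inception: inc, Expiration: exp, Sig: ed25519.Sign(priv, toBeSigned(data, inc, exp))}
}

func Verify(pub ed25519.PublicKey, data []byte, s Signature, now time.Time) error {
	if now.Before(s.Inception) || now.After(s.Expiration) {
		return errors.New("signature outside its validity window")
	}
	if !ed25519.Verify(pub, toBeSigned(data, s.Inception, s.Expiration), s.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Zone is the published material a resolver sees; the KSK itself stays in the HSM.
type Zone struct {
	ZSKPub    ed25519.PublicKey
	KeySetSig Signature // KSK over the key set: the ceremony's output
	Record    []byte    // e.g. the delegation of a top-level domain
	RecordSig Signature // ZSK over the record: routine daily signing
}

// Validate walks the chain: trust anchor -> key set -> record.
func Validate(anchor ed25519.PublicKey, z Zone, now time.Time) error {
	if err := Verify(anchor, z.ZSKPub, z.KeySetSig, now); err != nil {
		return fmt.Errorf("key set: %w", err)
	}
	if err := Verify(z.ZSKPub, z.Record, z.RecordSig, now); err != nil {
		return fmt.Errorf("record: %w", err)
	}
	return nil
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildZone plays the ceremony (KSK signs the key set for 90 days) and the
// daily operation (ZSK signs a record for 14 days); it returns the trust anchor.
func BuildZone(now time.Time) (anchor ed25519.PublicKey, z Zone) {
	kskPub, kskPriv := newKey()
	zskPub, zskPriv := newKey()
	record := []byte("tld. IN NS ns.tld.") // constructed delegation record
	z = Zone{
		ZSKPub:    zskPub,
		KeySetSig: Sign(kskPriv, zskPub, now, now.Add(90*24*time.Hour)),
		Record:    record,
		RecordSig: Sign(zskPriv, record, now, now.Add(14*24*time.Hour)),
	}
	return kskPub, z
}

func main() {
	now := time.Now()
	anchor, z := BuildZone(now)
	fmt.Println("fresh zone:   ", Validate(anchor, z, now))

	// A substituted ZSK can sign records, but the KSK never vouched for it,
	// so validation fails at the key-set step before the record is even read.
	rPub, rPriv := newKey()
	rogue := z
	rogue.ZSKPub = rPub
	rogue.RecordSig = Sign(rPriv, rogue.Record, now, now.Add(time.Hour))
	fmt.Println("rogue ZSK:    ", Validate(anchor, rogue, now))

	// Without a fresh ceremony the key-set signature lapses after the quarter.
	fmt.Println("100 days later:", Validate(anchor, z, now.Add(100*24*time.Hour)))
}
```

The expiry path is why the ceremonies recur every three months: the KSK's signature over the key set carries a validity window, and once it lapses every validating resolver treats the whole root zone as unverifiable, so a ceremony has to happen before that regardless of whether the ZSK has changed.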
The formal document that governs how this all works is called the “DNSSEC Practice Statement”, and it is published — along with the archive footage of key ceremonies and other things we've discussed — at https://iana.org/dnssec.