
Communications of the ACM

ACM TechNews

The Cryptographic Key That Secures the Web Is Being Changed For the First Time


The Internet Corporation for Assigned Names and Numbers will change the key pair that creates the first link in a long chain of cryptographic trust that lies underneath the Domain Name System (DNS).

Credit: Motherboard

The Internet Corporation for Assigned Names and Numbers (ICANN) next month will make the first-ever revision of the Root Zone Signing Key, the cryptographic key pair that underlies the trust of the Domain Name System (DNS).

DNS converts domain names into numerical Internet Protocol addresses, a process that gives rise to the problem of DNS cache poisoning, or DNS spoofing. Many domains attempt to mitigate these vulnerabilities with DNS Security Extensions (DNSSEC), in which cryptographic keys are used to authenticate that DNS data comes from the correct point of origin.

ICANN manages the top-level DNS root zone. Each entity in the DNS hierarchy has its own keys for generating signatures and must sign the key of the entity below it.

"ICANN wants to be very transparent in the operation of [the Root Zone Signing Key] because it's important that the community trusts it," says Matt Larson, ICANN's vice president of research.

Internet Architecture Board chair Andrew Sullivan thinks it is possible that the key has been cracked without ICANN knowing, and that changing it is a sensible idea in the same way passwords should be changed every so often. Security researcher Dan Kaminsky agrees, noting that the key's enlargement from 1,024 bits to 2,048 is another imperative.

From Motherboard


Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA

