
AEP Networks Keyper HSM & ICANN DNSSEC


SecureMetric's partner AEP Networks presented at the ISOC Malaysian chapter DNSSEC Awareness Campaign.

The slides detail AEP Networks' involvement in protecting the root of the Internet.

Published in: Technology

  1. Securing Digital Keys
      • High Quality Key Generation
      • Highest Level Key Protection
      • The Importance of DNSSEC
      • Case Study of ICANN Root Implementation
      • Fadi Cotran, Ph.D., Director of Technical Business Development
      • May 2011
  2. Who Are We and What Do We Do?
      • Provide trusted security everywhere and secure data and voice communication regardless of device, environment or location.
      • Deliver proven security architectures to organisations all over the world including governments, enterprises and carriers.
  4. Why DNSSEC?
  5. Why DNSSEC?
  6. RECENT DNS ATTACKS
      • January 2010, websites of and were brought down due to DNS Attacks.
      • Not talked about much publicly…
      • Their DNS servers were compromised.
      • DNS supplier Neustar - UltraDNS
  7. Why DNSSEC?
      • Cyber raids 'threaten British, US stock markets' January 31, 2011 - 8:39PM
      • EU halts trading after hacking - Sydney Morning Herald
      • Nasdaq acknowledges hit by hackers February 7, 2011 - 12:01AM NYT
      • More than 400 cyber attacks have affected Australian government networks in the past year, figures reveal.
  11. And the latest?
      • April 26, 2011: Sony admits that 77 million customer emails and private information compromised on PlayStation worldwide network.
      • Network still out.
      • 25 Million user private information published on the internet.
      • May not be a DNS attack, but…
  12. Why DNSSEC?
  13. Why DNSSEC?
      • Dan Kaminsky
  14. Why DNSSEC?
      • 2008 Black Hat Conference
      • Dan Kaminsky demonstrated live how you can exploit a critical flaw in DNS and hijack a website.
      • He is credited for developing DNSSEC as the solution to prevent DNS exploits.
      • The US Government mandated that all Federal websites implement DNSSEC by end of 2009.
  16. What are DNSSEC benefits?
      • DNS lookup can be modified in transit to redirect an end user to an imposter or malicious site for password collection.
      • Modification attacks carried out en masse at ISP/enterprise = cache poisoning.
      • A lookup secured with DNSSEC is protected against modification = primary benefit.
      • Greatest benefits may be yet to come. Why not securely distribute more than just DNS info? Other keys? Identification info?
      • DNSSEC deployment at root and TLDs set the stage
  17. ICANN DNSSEC Implementation
  18. July 16, 2010 ICANN goes live with AEP & ISC DNSSEC solution
  19. Los Angeles Datacenter
  20. Washington DC Datacenter
  21. Secure Cage in Datacenter
  22. Physical Security
  25. Root Key Generation
  27. Algorithm / Key Length
      • Cryptanalysis from NIST: 2048 bit RSA SHA256
  28. ICANN PARAMETERS
      • Split KSK and ZSK
      • KSK is 2048-bit RSA
          • Rolled as required
          • RFC 5011 for automatic key rollovers
          • Signatures made using SHA-256
      • ZSK is 1024-bit RSA
          • Rolled once a quarter (four times per year)
          • Zone signed with NSEC
          • Signatures made using SHA-256
  29. Crypto Officer (CO)
      • Have physical keys to safe deposit boxes holding smartcards that activate the HSM
      • ICANN cannot generate new key or sign ZSK without 3-of-7 COs
      • Able to travel up to 4 times a year to US.
  30. Recovery Key Shareholder (RKSH)
      • Have smartcards holding pieces (M-of-N) of the key used to encrypt the KSK inside the HSM
      • If both key management facilities fall into the ocean, 5-of-7 RKSH smartcards and an encrypted KSK smartcard can reconstitute KSK in a new HSM
      • Backup KSK encrypted on smartcard held by ICANN
      • Able to travel on relatively short notice to US. Hopefully never. Annual inventory.
  31. CO
      CO BCK
      RKSH
      Bevil Wooding, TT; Dan Kaminsky, US; Jiankang Yao, CN; Moussa Guebre, BF; Norm Ritchie, CA; Ondřej Surý, CZ
      Christopher Griffiths, US; Fabian Arbogast, TZ
      Alain Aina, BJ; Anne-Marie Eklund Löwinder, SE; Frederico Neves, BR; Gaurab Upadhaya, NP; Olaf Kolkman, NL
      John Curran, US
      Nicolas Antoniello, UY; Rudolph Daniel, UK; Sarmad Hussain, PK
      Paul Kane, UK
      Robert Seastrom, US; Vinton Cerf, US
      Ólafur Guðmundsson, IS
      BCK
      Andy Linton, NZ; Carlos Martinez, UY; Dmitry Burkov, RU; Edward Lewis, US
      David Lawrence, US; Dileepa Lathsara, LK; Jorge Etges, BR
      Kristian Ørmen, DK; Ralf Weber, DE
      João Luis Silva Damas, PT; Masato Minda, JP
      Warren Kumari, US
      Subramanian Moonesamy, MU
  32. DNSSEC Status 2010
      • Signed root published 15 July, 2010
      • 51 TLDs: asia. be. bg. biz. br. bz. cat. ch. cz. dk. edu. eu. fi. fr. gi. gov. hn. in. info. lc. li. lk. mn. museum. na. nl. nu. org. pm. pr. pt. re. sc. se. tf. th. tm. uk. us. yt.
      • 8 out of 16 gTLD registries are signed or in the process to be signed. (e.g. .net 2010, .com 2011)
      • Biggest change to Internet in 20+ years
      • Security applications built on DNSSEC
  33. ICANN’s HSM Crypto requirements:
      • Generate, store and manage cryptographic keys to the highest level of assurance
      • Highest level of security (FIPS 140-2 Level 4) required
      • Never been compromised
      • High quality RNG
      • Keys can be backed up
      • Track record and customer credibility
      • 10 year support for products
  39. Types of HSMs
  40. Keyper Hardware
      • Erase pinhole
      • 10/100 Ethernet
      • V24 compatible diagnostics port
      • 2x16 LCD
      • FIPS 140-2 L4 module inside
      • Status LEDs
      • Key switch
      • Fold up keypad
      • LAN LEDs
      • 10 yr battery life
      • External PSU
      • Rack mount option
      • ISO 7816 smart card reader
      • Restart button
  41. Why Choose AEP Series K HSM?
  42. Why Choose Series K HSM?
  43. HA + Disaster Recovery
  44. Keyper Enterprise Performance
      • 1200 Signing Transactions per Second (1024-bit RSA)
      • 500 TPS (2048-bit RSA)
      • 100 Million Signing Transactions per Day
      • 42 Million TPD (2048-bit RSA)
      • Clustering up to 16 Load Balanced Keypers
      • 1.6 Billion Signing Transactions per Day
      • 700 Million TPD (2048-bit RSA)
      • Verisign signs 96 Million Domains under .com and 6 Million domains under .net with AEP Keypers.
  45. Series K Secures Internet DNS Root Zone
      “Security is a critical factor for ICANN’s DNSSEC deployment, so Keyper and FIPS Level 4 was an easy choice,” – Richard Lamb, ICANN
  46. If you want to be as secure as the Root of the Internet, then deploy what ICANN implemented for security, AEP Keyper