Not any more

Canadian holds rare Internet security key

In Canada on August 1, 2010 at 19:32

Canadian holds rare Internet securty key

Norm Ritchie is the former CIO of the Canadian Internet Registry Authority.

Bruno Schlumberger/Postmedia News

Norm Ritchie is the former CIO of the Canadian Internet Registry Authority.

Lucas Timmons, Postmedia News · Sunday, Aug. 1, 2010

OTTAWA — Norm Ritchie of Ottawa is one of only a handful of people who have been deep into the Internet Corporation for Assigned Names and Numbers server facility in Culpeper, Va.

The computers in the buildings are the central traffic cops of the Internet, the core of the system that turns websites typed into a browser into routing instructions for data.

Earlier in July, those computers got an added layer of security, which is expected to be copied worldwide over the next few years.

In 2008, an Internet-security expert revealed weaknesses in the system that meant that a moderately skilled hacker could interfere with the routing system and invisibly substitute his or her own server for one an Internet user meant to go to. It’s a much subtler security risk than carelessly clicking a bad link in a spam email, one that would work even on people who carefully typed in the correct web address themselves.

Now, when you type in your bank’s web address to do some banking, these servers in Virginia are the ones that make sure you actually reach your bank’s computers and not somebody else’s.

The facility, carefully placed outside of the nuclear blast zone of Washington, D.C., has spared no expense in security. In addition to a three-metre earth berm around the buildings, United States Department of Defence anti-terrorism personnel monitor the facility constantly. It even has its own rapid-response security force. The security is necessary because the facility is a potential terrorist target.

Mr. Ritchie, a former Nortel worker and chief information officer for the agency that manages Canada’s “.ca” Internet names, joined six other “trusted community representatives” deep inside the ICANN centre after being selected as the best choices to hold a special key card. Together, those cards are meant to re-enable secure Internet connections after a disaster or terrorist attack that takes out not only the facility in Culpeper, but a sister centre in California.

Besides Mr. Ritchie, the six people with the keys are from Burkina Faso, the Czech Republic, China, Trinidad and Tobago, Britain and the United States.

“What struck me most was the security and protocols within the facility,” said Mr. Ritchie. “Many hosting facilities claim to be secure but are somewhat lax in practice. That is not the case here. There was certainly no shortage of security staff and they all looked and acted well trained and hardened. The facility itself is new and touts the latest in secure access devices and protocols with interlocking access doors, retina scanners, and access cards. So yes, I felt like I was entering the inner sanctum of some technological temple.”

A Queen’s University graduate in computer science and math, Mr. Ritchie moved to Ottawa in the 1980s to work for Nortel. Seeing the emergence of the Internet in its early days, he joined the Canadian Internet Registration Authority as chief information officer. Early this year he took a job at the Internet Systems Consortium, a non-profit group that develops the most widely used software that translates between website names and their locations.

Because of his involvement with domain name systems — the Internet “phone books” that translate human-friendly website names into IP addresses — Mr. Ritchie was a natural choice to be a key card holder. After persuasion from his friends and coworkers, Mr. Ritchie applied and was chosen by ICANN out of 60 candidates worldwide.

The “Domain Name Server Security Extensions” is a protocol that protects domain names. It makes sure that the website entered into a browser’s address bar is what actually shows up in the window. Before DNSSEC, unprotected domains were vulnerable to attacks where a fake page could be used to trick users into accepting viruses or providing personal information for identity theft or fraud. DNSSEC allows websites to use a computer-generated key to verify a site is real, making it harder for such an attack to happen.

Mr. Ritchie and his six fellow keyholders each have part of the code to generate that protocol key. At the meeting in Culpeper they generated the key and then handed out the cards before going their separate ways.

While DNSSEC is still in its infancy, full deployment is expected in the coming years. Mr. Ritchie believes it will change how business works on the Internet.

Banks or other financial institutions that verify identity will be able to use DNSSEC to offer more secure connections to their customers. If the DNSSEC devices were damaged or destroyed, it could shut down those services. It would be then that Mr. Ritchie’s key card would be used to generate the security key for DNSSEC anew.

Despite the great power that is shared through the card holders, Mr. Ritchie doesn’t envision having to use it often, if at all.

“They should rarely if ever need to be regenerated unless there’s a significant failure in the system,” he said.

The biggest threats of a “significant failure” in the DNSSEC system are physical, not digital. Natural disasters or terrorist attacks on both coasts at the same time, to take out both server centres at once, are the most likely scenarios.

“The chances of [both failing] is extremely rare,” said Mr. Ritchie. “However, the best practices for contingency planning and disaster recovery would mean that you would have to plan for those things that you don’t know about.”

Mr. Ritchie took on the responsibility of holding a key because he feels the Internet should be open and transparent. He says that DNSSEC keeps power for securing Internet connections with Internet users, not governments.

“I feel strongly that no single entity or single government [should have] too much control over the operation of the Internet,” Mr. Ritchie said. “The role and participation of the trusted community representatives embodies that principle.”

Along with Mr. Ritchie, Jiankang Yao of China, Moussa Guebre of Burkina Faso, Paul Kane of Britain, Dan Kaminsky of the United States, Bevil Wooding of Trinidad and Tobago and Ondrej Sury of the Czech Republic are also key card holders.

Mr. Ritchie expects the full deployment of DNSSEC to the entire Internet to be a turning point in the Internet’s history.

“I believe that the signing of the [key] will one day be viewed as a watershed moment in the history of the Internet.” he said. “It is an honour and privilege to be have been selected as a participant.”

Ottawa Citizen


Related Topics

    Get the National Post newspaper delivered to your home


    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out /  Change )

    Google photo

    You are commenting using your Google account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s

    %d bloggers like this: