Imagine, one fine morning, you are browsing the Internet. All on a sudden you got an email from your bank. The mail says you have to update your password for security reasons. You updated it. And guess what? Pheww! All your money just vanished into thin air! Like, David Copperfield vanishes things on the stage.
But, that necessarily does not happen because some extra-talented people care about the Internet like a baby in a mother’s womb.
Controlling the Internet is very easy. Whenever my mother has to say something important to her offspring, she turns off the WIFI router. And, we all siblings rush to the router room. Lifehack strikes! Kidding, Ha Ha!
Hope your mother will do the same after reading this.
Now, let’s have a deep dive —
The Saga of ICANN
There is a group of nerds called ICANN- The Internet Corporation for Assigned Names and Numbers. So, ICANN can easily say,
I can stop the Internet. Hold my beer, fellas!
ICANN has handed out seven keys to seven individuals spread across the world. With those special keys, you can shut down and reboot the whole internet system.
Now, usually, here I am gonna tell you some bad jokes and call them stuff like the fellowship of the keys, Key-I-Joes or You key and Dupree.
But, I know you don’t have time for that. To get this, you need to understand a bunch of complicated terms. At first, they were very confusing for me to figure out…
Starting with
DNS
In case you don’t know what DNS is, I will explain.
All computers that make up the Internet are identified via long numbers called IP addresses, aka Internet Protocol addresses.
But when I go to, for example, Facebook. Because, I want to scroll through an endless mix of hotcakes, anger, product placement, and videos of Kanye West saying complicated things. But, then it turns out that he is a cake.
I don’t want to type 176.13. 69.63, which is the IP address of one of the servers that host facebook.
I want to type www.facebook.com. And, then I might be taken there so I can see the photos of people partying during Covid-19 induced a panic attack.
So, my computer has to translate www.facebook.com into the right IP address. And, it does that first by asking a whole long line of things.
First, of course, it asks Clippy. But, Clippy doesn’t know.
So, instead, it asks your operating system. Your operating system may know.
Even if your operating system doesn’t know, it asks something called a recursive name server.
After that, guess what? If the name server doesn’t know, it asks the world’s thirteen root servers. The root servers send you to the top-level domain server.
In this case, the one that runs all the dot coms who sends you the right authoritative name server.
And then, it is like- Oh, yeah! Facebook is 176.13. 69.63
But, you need someone to administer the whole system. The administration, first of all, makes sure None can hand the IP addresses willy nilly. And, most importantly, they keep everything secure.
So, people can come in, and mess with it saying, ‘Hey! Check it out. This IP address for money.gov is this IP address called free-money-just-give-me-all-your-cash-totally-legit.com.
I do hope that clarifies all.
ICANN and DNSSEC
So, the ICANN authority authenticates DNS through a system called DNSSEC.
And, I promise we are going to get to the mythical keys soon.
Before that, you need to understand how DNSSEC works.
The first important idea asymmetrical encryption, It involves a private key and a public key. These keys are long numbers that are linked mathematically.
The public is a number everybody can know. But, the private key is very secret. And only one entity holds this key.
The private key is the most important thing. With that private key, you can make something called a digital signature over a document.
Someone can even be looking at the corresponding public key can say,
‘Oh, man! Based on what this public key says, I know that the person made that signature with the corresponding private key.’
Authentication
In this way, ICANN authenticates DNS. The information, saying facebook.com is 176.13. 69.63 is signed by twitter using their private key. And, then my computer uses facebook’s public access. It looks at the signature and says, ‘Yes, this signature is made using facebook’s private key. So, the information must be accurate and legitimate.
The problem is, we have to be sure that facebook’s public key, of which I am basing this analysis, is legit too.
So, facebook’s public key is signed by a higher authority — the top-level domain server running all dot coms using their private key. And then I use their public key to be like, ‘Yup, this signature was made by the dotcom people.
But to know that the public is legit. It’s signed by an even higher authority, up and up and up until ICANN signs it off. It is a non-profit organization I mentioned earlier. They use a single private key.
ICANN’s single public and private keys secure every available website’s IP addresses. These keys are called trust anchors.
I know ICANN’s public key, it is like: 9852366412587103256985
I should not say that anyway. Their private key is a super-top-top-top secret securing the whole internet system.
I just wanted to show my swagness
Hardware Security Modules
Now, the numbers that make up the private key that secures the whole DNS are stored on hard drives inside physical boxes. They are called hardware security modules, or HSM’s for short. And, they are four of them kept in ICANN’s stations.
2500 miles apart. One in Culpeper, Virginia and one in El Segundo California.
What to face if you want to go there
Once you get past the armed guards, pin pads, card scanners, biometric security stops and at last some sword fighting bears to get into those HSM boxes that hold that secret number, you need several smart cards. And, the authority keeps those smart cards other containers. Physical keys can only open these boxes.
And, only seven people in the world hold these keys.
The keyholders are not world leaders. But, they are security experts recruited by ICANN. And they are-
Dan Kaminsky (USA)
Jiakang Yao (China)
Moussa Guebre (Burkina Faso)
Bevil Wooding (Trinidad and Tobago)
Ondrez Suri (Czech Republic)
Norm Ritchie (Canada)
I know, not that exciting. But, I wonder what will happen if these people get mad at their children!
If the DNS has to be maintained, five of the seven key holders will have to go to an ICANN facility. They use their keys in a key ceremony.
Get a detailed description of this key ceremony by James Ball
Then they get the smart cards. After that, they use those smart cards to physically open the box with ICANN’s private key in it.
With those keys, they can shut down, reset or whatever they want to do with the Internet.
Some people say the keyholders are the most influential people in the world. Yeah, it might be because this article is even brought to you by those seven people.
But there is another one: the eighth one- a grandma who once shut down the entire country’s Internet.
I drafted this article before publishing. My ISP asked me what I was doing. I replied, ‘I am writing an article on the people who can stop the internet’.
Then, they be like- include our name, or you know what is going to happen.
