Re: [dnsext] historal root keys for upgrade path?

[Brian Dickson <brian.peter.dickson@gmail.com>]

On Mon, Jan 31, 2011 at 3:23 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
> On Mon, Jan 31, 2011 at 1:22 PM, Brian Dickson
> <brian.peter.dickson@gmail.com> wrote:
>> The simplest bootstrap method would be to have a series of BSK
>> (bootstrap keys), created on a periodic basis (every N years), and
>> used as follows:
>
> If a compromise has occurred then the first thing to ask would be why.
> There are only three places where a compromise can logically occur - in the
> cryptographic algorithm, in the cryptographic hardware manufacturer or in
> ICANN,
> If its the algorithm then the whole series of BSKs is compromised.

I think it is helpful to use as explicit a form of language as
necessary, to clearly communicate ideas.

So, when I ask you to clarify this into particulars, it is with the
intent of understanding what you meant.

"If a compromise has occurred" - a compromise of what, exactly, are
you talking about?

It could be that there has been a theoretical weakness in the
algorithm, which makes it slightly more feasible to break, but that
the root zone key's private parts have not been exposed.

In which case, this is "theoretically weak".

On the other hand, it could be that the root zone key has had its
private parts found, in which case the term "compromised" has the very
real, concrete meaning in that someone has directly compromised its
security.

In both cases, the impact on another key, which is neither dependent,
nor whose security depends on, the root zone key, is non-existent,
other than that it implies that the other key is equally
"theoretically weak".

In other words, the BSKs might be "weak", but not "compromised", per
se - and using that term doesn't facilitate clear and rational
discussion, of something pretty darned important for a large class of
operational problems (bootstrapping).

As to the cost of compromising multiple keys:

If two keys share only the algorithm and key size, the expected effort
for both is equal.

If the required effort to discover the private keys for either key is,
on average, what would require six months of the combined effort of
10,000,000 zombie machines, then:
- it would take a botnet of 10,000,000 machines six months (on
average) to break the root zone key
- it would also take the same botnet six months (on average) to break
any single one of the BSKs
- combined, it would take a year of the whole botnet's combined
resources to compromise one BSK and the root zone key, which would
then create a theoretical ability to forge answers to queries for both
zones, for a small number of devices during a one-time, small window
when they bootstrap
- the BSKs are independent, so for N BSKs, it would take N+1 times the
total resource requirements, to have all the BSKs compromised

I'd suggest that the very large resource requirements, the very small
window of opportunity, and the requirement that both forgery attempts
succeed, for a one-time attack on one single device, puts the
likelihood of success sufficiently close to zero to discourage anyone
or any organization from making the attempt.

Brian