Are You Sure You Just Ordered Pizza?
November 30, 2010, 10:03 am EDT
By Steve Helm
The US-China Economic and Security Review Commission revealed the other week that for at least 18 minutes in April 2010 a significant portion of Internet traffic was hijacked and rerouted through China Telecom, one of the largest Chinese ISPs.
While the incident only lasted 18 minutes, the volume of rerouted traffic was in the terabytes. Even more alarming, China Telecom happens to be one of the few ISPs with the capacity to store large portions of the rerouted data that passed through its servers, and to reroute it without disrupting the speed of communication. Nobody outside of China can say with any real certainty what happened to the terabytes of data collected or what this data could be used for, but the significance of such a security breach cannot be overstated.
Incidents like this only serve to highlight the importance of implementing solutions to secure the Internet. The good news is that some of the affected organizations had security in place. US Government agencies, for example, used a public key infrastructure (PKI) to encrypt their data. PKIs form the basis for the DNSSEC initiative.
So how do PKI and DNSSEC protect Web traffic? For a second, let’s think of how we interact on the Internet as if it were the same process as ordering a pizza. If you are like me, you likely have a bevy of delivery menus close at hand that were hung on your door or delivered with a recent order.
So, you pick up the phone and place a call to the pizza joint to place your order. Undoubtedly they will answer the phone with a standard greeting, “Hello, Joe’s pizza, can I take your order?” This confirms you have dialed the right number, and likely have reached the intended pizza place… or does it?
There are many things that could go wrong even this early in the process. Yet many of us, with our stomachs leading the charge, are willing to provide our credit card numbers over the telephone in pursuit of that pie, based on nothing more than a voice and a greeting. We could easily be giving this information to someone who will use it for their own gain, perhaps even to order their own topping-laden pizza!
The Internet uses the Domain Name System to request a Web site based on something you know, like a URL or a link. This request will then be routed to an IP address that corresponds to the Web site you are seeking, but hackers could easily reroute you to the incorrect IP address. It’s likely that the appearance of the Web site will give you the confidence that it is authentic, much like the standard greeting at the pizza joint. However, in the same way a greeting can be mimicked, so can the appearance and functionality of a Web site.
DNSSEC provides a way to authenticate that the Web site you have reached is the one you intended. In the pizza delivery analogy, this could be achieved by using a riddle or trivia question. Imagine that the pizza menu you were given had been printed with a unique riddle or trivia answer that was numbered (public key). The instructions on the menu would tell you to state the number of the riddle and the person answering the phone would reply with the proper riddle question (private key), and the answer on your menu would match the correct answer to that question (certificate).
For example, you call to place your order and say “question 41”; the person answering the phone looks up question 41 in their riddle database and replies with the corresponding question, “What is the airspeed velocity of an unladen swallow?”, and the answer on your menu is “African or European?”
Now you know, with a high level of certainty, that you have reached the correct establishment, and can have confidence that your pizza order will be taken and likely delivered (on time is another issue). DNSSEC works in much the same way. Your DNS lookup will be routed to a server that responds with the proper IP address and a public key, which can only be validated by a secure private key.
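To make the DNSSEC half of the analogy concrete, here is an added example (not SafeNet's code and not a real DNSSEC implementation): a toy zone key signs an A record the way a zone's private key produces an RRSIG, a resolver validates it with only the public DNSKEY, and a rerouted answer with a swapped address fails validation because the hijacker cannot re-sign it. The key pair, names and addresses are constructed for illustration.

```python
import hashlib

# Constructed toy RSA zone key built from two Mersenne primes; far too small
# for real use, but it shows the asymmetry the post describes: the zone signs
# with a private key, resolvers validate with the public DNSKEY.
_P, _Q = 2**31 - 1, 2**61 - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # modular inverse (Python 3.8+)
ZONE_DNSKEY = (_N, _E)     # public: published in the zone
ZONE_PRIVATE = (_N, _D)    # private: never leaves the signing system

def canonical_rrset(name, rtype, ttl, rdata):
    """Canonical form of an RRset; signer and validator must agree on it."""
    return f"{name.lower()}|{rtype}|{ttl}|{'|'.join(sorted(rdata))}".encode()

def _digest(data, n):
    # Reduce SHA-256 into the toy modulus (real RSA pads the full hash).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign_rrset(rrset, priv):
    """Produce an RRSIG-like integer over the canonical RRset."""
    n, d = priv
    return pow(_digest(rrset, n), d, n)

def verify_rrset(rrset, sig, pub):
    """Validate the signature using only the public DNSKEY."""
    n, e = pub
    return pow(sig, e, n) == _digest(rrset, n)

def validate_answer(response, trusted_dnskey):
    """Return the address if the answer validates, else None (a resolver would SERVFAIL)."""
    rrset = canonical_rrset(response["name"], "A", response["ttl"], response["rdata"])
    if verify_rrset(rrset, response["rrsig"], trusted_dnskey):
        return response["rdata"][0]
    return None

# Constructed sample: the genuine answer, signed by the zone owner...
GENUINE = {"name": "www.example.com.", "ttl": 300, "rdata": ["192.0.2.10"]}
GENUINE["rrsig"] = sign_rrset(
    canonical_rrset(GENUINE["name"], "A", GENUINE["ttl"], GENUINE["rdata"]),
    ZONE_PRIVATE)

# ...and a rerouted answer: the address is swapped, but the signature can only
# be copied from the genuine record because the hijacker lacks the private key.
HIJACKED = dict(GENUINE, rdata=["198.51.100.7"])

if __name__ == "__main__":
    print("genuine :", validate_answer(GENUINE, ZONE_DNSKEY))    # 192.0.2.10
    print("hijacked:", validate_answer(HIJACKED, ZONE_DNSKEY))   # None
```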
Hijackings like the one in April are complex, hard to detect and difficult to prevent. DNSSEC is not a silver bullet to all the security challenges of the Internet, but does offer a trustworthy and highly deployable first step towards Web security.
On second thought… I feel like Chinese food.
This entry was posted in Digital Signatures, DNS SEC by Trisha Paine.