Twice a year, two groups of people come together at one of two data centre facilities on the East or West Coast of the United States to participate in a ceremony that results in the digital signing of the cryptographic keys used to sign the contents of the Internet’s naming root.
These ceremonies are scripted, with materials available ahead of the event, and streamed live over the Internet during the event to allow for anyone who is interested to verify the workings of the process. Anyone wanting to attend in person can also do so by requesting access with enough advance notice.
The ceremony is usually a routine affair, but on occasion there is a need to perform additional tasks, as was the case at the most recent ceremony, held last Wednesday, 7 February.
Being a digital process, several different electronic components come into play, one of them being what is called a Hardware Security Module (HSM). These are small computers designed with the sole purpose of generating cryptographic material and keeping it safe. One could argue that their use for the signing of the DNS root is an unnecessary complication given the mode in which they are operated. Nonetheless, they are currently part of the process and have to be managed.
Part of managing the HSMs involves their renewal. Even though, for redundancy purposes, there are two sets of two devices, one at each facility, the fact that they were all purchased at the same time means they all potentially become redundant at the same time.
Each of the HSMs has a battery that is necessary for correct functioning. The manufacturer estimates the useful life of those batteries at between five and ten years. Even though it would be unlikely that all four would fail at the same time, once they enter the period where batteries may fail, it is wise to consider replacing them given the relevance of the materials they store. This is precisely what ICANN did in 2017: at the two ceremonies, additional steps were agreed upon to copy materials from the old devices onto newly acquired ones and erase the information on the original devices.
The old, cleared devices were kept in safes until a decision was finally made to dispose of them in 2018, with the first batch targeted for destruction last week.
In the days leading up to 7 February, the Trusted Community Representatives, aka the people who are custodians of the keys that give access to the smart cards necessary to activate the HSMs, discussed the possibility of doing something more useful with the HSMs than simply destroying them.
HSMs are devices that are certified to protect the contents of the cryptographic tokens they store if there were to be an attempt to access them without authorization. In this case, the devices are certified to do so with a hardening certification known as FIPS 140-2 Level 4. Certification is carried out by specialized bodies for each device model because this is no trivial task — no one wants to trigger any of the self-defence mechanisms of the device as it would result in self-destruction of the data or render it inaccessible.
However, the current scenario has given everyone a unique opportunity to increase their trust, real or perceived, in the whole ICANN root-signing process by exploring ways to challenge these self-protection mechanisms using the HSMs that have been earmarked for destruction.
As a consequence of these discussions, ICANN agreed to the destruction of a single HSM device on 7 February, as well as a period to discuss possible tests that could be performed to illustrate the protection capabilities of the three remaining (and secured) HSMs in simple yet evident ways.
With regard to the destruction of the HSM that could not escape its fate, we had a bit of a learning curve with the process. Shredding the device using special metal shredding machinery was initially ruled out, as it may have generated potentially toxic dust in what was a small room full of people. ICANN opted instead to retain the services of a hard disk destruction company that was present during the last part of the event with a 12,000 lb pressure rod machine that punched the HSM’s cryptographic module, the little black box where the secrets reside.
Unfortunately, in spite of the spectacular views afforded by the process, the very localized nature of the pressure application yielded a result that, while rendering the device inoperable, does not guarantee the destruction of the information within. In particular, some of the chips had their core mostly intact after the process as can be seen in the accompanying pictures. As a result, ICANN will be evaluating different means of destruction in the future in order to gratify our inherent human appetite for demolition and closure. More to come…