DNSSec Workshop explores future air transport usage

The air transport community increasingly relies on the Internet to transmit business messages, yet the risk that a message will be altered when passed between servers ranks high among the top security challenges faced by the Internet's domain name system.

This is one of the conclusions drawn in a pre-publication issue of Signposts in Cyberspace, a new study from the US-based National Academies Press [1]. The same study recommends that the Internet community focus on implementing DNSSec. This protocol was born of the need to keep Internet navigation safe for the transmission and communication of sensitive and critical data and as a means of avoiding many (but not all!) of the vulnerabilities facing the current DNS infrastructure.

The extent to which DNS is rising on the political agenda was also evidenced recently by the announcement of the US Government's new Federal Plan for Cyber Security and Information Assurance Research and Development. Issued by the White House Office of Science and Technology Policy, the Plan provides a blueprint for coordination of Federal R&D across agencies that will maximize the impact of investments in this key area of the national interest. A preprint, available at www.nitrd.gov/pubs/csia/FederalPlan_CSIA_RnD.pdf, notes the expanding role of the domain name system, and with it, an increased need to assure the authenticity of DNS responses and an increased possibility that the DNS itself will be targeted for attacks.

While DNSSec still faces a level of skepticism and resistance, some community sectors, and governments in particular, are working on DNSSec deployment schemes to handle fraud threats that might undermine consumer trust in electronic transactions more effectively. DNSSec is expected to become a vital Internet security infrastructure component, a cryptographic key management mechanism for many security solutions – for example to reduce e-mail spam and to deploy dynamic virtual private networks.

As in so many other cases, a new technology will generally be adopted more quickly if it can do more than address general threats. Adoption usually starts around a number of small, clearly defined scenarios, where benefits are clear and solutions can be designed with a minimum level of investment and with very practical results. For example, an airline using data received via the Internet to maintain its aircraft needs to be sure that the data is appropriate for the aircraft, has not been modified in transit and comes from an authoritative source, such as an authorized employee of the manufacturer or OEM.

October Forum Dates

To help customers understand the technology better and identify cases specific to air transport, the .aero team, together with SITA and ARINC (both members of Dot Aero Council), are arranging a workshop as a part of the digital security stream at the US Air Transport Association's (ATA) annual e-Business Forum from 18-20 October in Louisville, Kentucky.

The workshop will focus on two subjects:

• building awareness among airline and aerospace IT experts about the technology and its potential, primarily based on examples from other industry sectors; and

• determining where and to what extent this technology can help create cost-effective security solutions in the air transport community – and how that fits with digital security standards currently under development within the ATA's digital security working group.

The .aero team has invited representatives of the DNSSec deployment initiative – organized under the auspices of ICANN's security and stability committee and supported by the Science and Technology Directorate of the US Department of Homeland Security – to participate in the workshop. They will explain and demonstrate the technology, and discuss how it may impact deployment of Internet-based technologies across the air transport community.

Solving problems

One essential issue currently preventing faster deployment of Internet-based technologies within air transport is the lack of a cost-effective and flexible mechanism to distribute public keys. DNSSec, on the other hand, introduces cryptographic material into the DNS and allows for the addition of other (non-DNS) keys.

A solution based on DNSSec in a controlled domain name space could well help address this issue. Such a facility, used in conjunction with other, existing, technologies for end-to-end authentication, could greatly enhance productivity, efficiency and the flexibility of community systems. The need for such solutions has already been recognized – for example an "Identity management" presentation from Jim Homer at Lockheed Martin (to be found at www.tscp.org) concludes that "Each namespace approach (DNS, LDAP) can offer part of the total solution". In short, the biggest potential of this technology for our community is in its promise to simplify distributing public keys between members of ATI. Whether or not this is a real promise will be the subject of discussion during the workshop.

The workshop is also open to SITA IT summit attendees. For more information, please contact marie.zitkova@sita.aero.

[1] Signposts in Cyberspace: The Domain Name System and Internet Navigation, National Academies Press, 2005 (ISBN 0-309-54979-5), www7.nationalacademies.org/cstb/dns_prepub.pdf