Trust is hardly the word that comes to mind when you talk about the Internet, but trust
is exactly the issue that's keeping companies from transacting more of their critical business communications over public computer networks. While the brick-and-mortar
business world can depend on signatures, credentials, certified mail, and phone networks to provide reasonable guarantees of message integrity and a sender's identity, there are few
secure mechanisms in place on the Internet to verify the sender of E-mail or prove that E-mail messages
weren't altered or read before they arrived at their destination. The need for secure E-mail is, in fact, one of
the major reasons that many large companies are looking toward public-key cryptography techniques and implementing a public key infrastructure in their enterprise. So much critical business communication is
going digital that a recent Gartner Group report suggests that up to 80% of large enterprises will test one or
more PKI solutions through 2003. If this seems like a long time to be in test mode, that's because public key
infrastructure is complex, reaches deep into enterprise IT architecture, and must function reliably, or the results could be disastrous.
Besides secure E-mail, PKI offers other critical security solutions. Companies want good authentication of
senders and receivers from their external and internal Web services and verifiable identity credentials for
users of their virtual private networks. Businesses wanting to lower costs by conducting enterprise resource planning over the public Internet have found PKI to be the most viable security solution.
Digital Equivalency
In the United States, PKI is getting a big boost by the possibility that the Digital Signature Act of 1999, part of the Millennium Digital Commerce Act, will pass Congress (see column, p. 90). If passed,
the act will establish, among other things, an equivalency between pen-and-ink signatures and electronic signatures, including various forms of online signing, such as digital signature technology, that
require PKI.
The act will make properly signed digital documents (and digital procedures, such as clicking on an "I Agree" button) as legally
binding as their paper equivalents and ensure that they are honored in all states.
Though the Digital Signature Act doesn't specify particular technologies for strong authentication and data
encryption, prosecution in a court of law for related offenses will require the kind of verification that a PKI
offers. This is yet another reason why security-conscious businesses want PKI. The federal government,
which has one of the world's largest IT departments (and one of the most anxious about security), is leading the way with its own PKI pilot program, the Federal Public Key Infrastructure Project
(gits-sec.treas.gov/oofpkisteer.htm).
In the meantime, some vendors aren't waiting for laws to evolve; they're making PKI technology meet current
legal standards for evidence and custody. Document Authentication Systems Inc. has a set of products and
services based on PKI and a trusted-document store to essentially create a chain of evidence and custody that meets current rules of legal evidence.
The software and services, called DocuGuard, use PKI for digital signatures. A workstation application
provides access to the service, verifying the identity of the individual making a transaction and controlling
(through administrator settings) which parts of a document are visible to him or her. The document itself is stored on a secure magnetic/optical storage server; documents can only be amended, not modified.
PKI-Based Services
The DocuGuard server is hosted by a trusted service provider. The server tracks who owns a document,
limits actions based on the user's identity and access privileges, and essentially maintains a chain of custody for the document, creating a notice and receipt record for each document transaction.
This makes the system well-suited to document-intensive E-commerce applications such as mortgage processing, leasing, drug development and regulatory processes, electronic prescriptions, medical imaging,
insurance claims, and other traditional processes that involve much bureaucracy. Mortgage-processing companies, for example, could save 30 days in processing time for each mortgage package, reduce closing
costs by $700 per loan, and lower administrative costs.
The technology also creates opportunities to take those applications outside of their normal institutional
barriers, creating opportunities for financial institutions to share information and partner on transactions in a way that was time-prohibitive before.
The focus of PKI is on digital certificates, sometimes called public certificates or public-key certificates,
which are pieces of structured data (see illustration, p. 76) used to identify users, machines, and network
entities in electronic transactions. Public-key certificates are often compared with a driver's license: A
driver's license has a trusted authority that issues the license (the Motor Vehicle Department), it has an
expiration date, it can be renewed, it can be revoked, it can be replaced if lost, and it contains features (holograms, lamination, etc.) that keep it from being forged.
Similarly, a digital certificate is issued by a trusted authority, called the certificate authority. It has an
expiration date, can be renewed, revoked, or reinstated if lost, and uses public-key cryptographic techniques to avoid forgery. (For more information on certificates and public-key cryptographic techniques,
see "The Keys To Security," Aug. 31, 1998, p. 51; www.informationweek.com/698/98olkey.htm).
In the real world, the Motor Vehicle Department provides a straightforward infrastructure to issue and
manage driver's licenses. In the virtual computer world, though, the PKI necessary to manage certificates
may vary from business to business (see illustration, p. 76). It can be very complex, involving a hierarchy of
distributed certificate authorities and large directory servers, and require custom client-application
modifications in order to implement. Or it can be relatively straightforward by outsourcing the certificate
issuing and management to companies such as VeriSign or GTE Cybertrust, and implementing only limited authentication and encryption service for, say, just E-mail and Web-browser applications.
A company considering implementation of an enterprisewide PKI will typically implement at least two basic
components: a certificate authority for authenticating and possibly issuing certificates, and a certificate repository for certificate storage and management.
A certificate authority is usually called a certificate server, and the certificate repository is usually a directory server.
Directory servers are used to store user information and associated security credentials such as certificates, so one of the big tasks for enterprises moving to PKI is to migrate user information (including
users' certificates) to directory servers so that security management can be centralized. Major directory-server vendors are launching PKI products. Netscape's Certificate Management System 4.0, which
rides on top of Netscape Directory Server 4.0, should be shipping by the end of this month.
Meanwhile, Novell Directory Services version 8 is shipping now, but a user PKI add-on isn't expected until
the fall. Microsoft has bundled its new Active Directory and Certificate Server in Windows 2000 Server,
which is expected to ship in October. Microsoft has also implemented version 5 of the Kerberos protocol in Windows 2000 to increase the performance of public-key authentication.
Setting up a machine to be the certificate authority and populating a directory server with users' security
data is the server side of PKI, but to make use of PKI, applications must know how to access these servers to authenticate users and decrypt data.
While newer applications, such as Internet Explorer 5.0, come PKI-aware out of the box, most applications
don't automatically use PKI. Applications can be PKI-enabled using third-party toolkits from companies such as Baltimore Technologies, Entrust Technologies, and Xcert International.
Secure E-mail is typical of the way desktop applications interact with PKI. Security must be enforced the
moment the message leaves the sender's E-mail program until it arrives at the receiver's E-mail program.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is the de facto standard for secure E-mail, and it's
supported by the latest versions of Microsoft Outlook and Netscape Messenger. Microsoft E-mail shops can implement secure E-mail using S/MIME by using Exchange Server 5.5 with Service Pack 1 and the
Microsoft Certificate Server. In this case, Exchange Server acts as the user directory service.
Online Banking
Overall, business-to-consumer E-commerce isn't one of the most important areas for PKI. Especially for E-commerce Web sites, user-name and password protection combined with credit cards is relatively easy
to implement and scales reasonably well. But online banking is an area in which PKI can have rewards, especially when moving customers into other areas, such as online brokerage services. Here, the strong
authentication and data encryption services make it safer to offer access to internal banking infrastructure.
For Scotia Online, part of the Bank of Nova Scotia, implementation of its online banking system wasn't
easy, but the results were satisfying. "The major difficulties we faced were being able to find enough
knowledgeable human resources, and having to deal with the immature supporting technologies: operating systems, browsers, and firewalls," says Drew Brown, senior VP for commercial electronic banking.
Designed for consumer and small-business customers to access online banking and discount brokerage services, Scotia Online lets customers move money between accounts and pay bills, as well as handle
brokerage services. It uses ICL's X.500 directory server running under HP/UX to handle 95,000 active users,
with 250,000 certificates deployed. "As far as we know, we're the largest commercial PKI implementation in the world in terms of number of managed certificates," says Brown.
One of Scotia's implementation benchmarks was to make PKI as transparent as possible to users, for
which it relies on Entrust's Entrust/Direct public key client-management software. "Once users enter some
personal information, the certificates get downloaded onto their PC and they're not even aware of it. The
whole process takes 10 to 15 minutes, and it's easy to use," says Jamie MacDonald, a senior manager of
Scotia's electronic-commerce group. To further protect users on the public Internet, Scotia makes use of
anonymous certificates that contain no identification of the user other than special numbers recognizable only to the bank.
Criminals who intercept the certificate won't be able to find any identity information, but Scotia Online can
map the numbers in the certificate to a user's account. Anonymous certificates may become the most popular way for businesses to implement PKI on business-to-consumer E-commerce Web sites because
they add an extra layer of security.
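As an added illustration of the certificate mechanics described earlier in this article (a trusted issuer, an expiration date, revocation, and cryptographic protection against forgery) and of the anonymous-certificate design Scotia describes, here is a small example written in Go using only the standard library's crypto/x509 package. It is not code from the article, from Scotia Online, or from Entrust; the CA name, the pseudonym format (16 random bytes, hex-encoded), the account identifiers, and the in-memory directory and revocation list are all constructed for this example, and the certificate repository that a real deployment would hold in an X.500 or LDAP directory server is stood in for by a map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newPseudonym returns an opaque random number that goes into the certificate
// subject instead of the customer's name; only the bank's directory maps it
// to an account. (Assumed design, constructed for this example.)
func newPseudonym() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// newCA builds a self-signed certificate authority (a constructed example CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert has the CA sign a client certificate whose subject carries only
// the pseudonym: no name, organization, or address is placed in it.
func issueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64,
	pseudonym string, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // customer's key pair
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: pseudonym},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// verifyClient is the bank-side check: the certificate must chain to the
// bank's CA (so a forged or foreign certificate fails), be inside its validity
// period, not be on the revocation list, and resolve in the directory.
func verifyClient(der []byte, ca *x509.Certificate, revoked map[string]bool,
	directory map[string]string, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err // unknown issuer, bad signature, or outside validity period
	}
	if revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	account, ok := directory[cert.Subject.CommonName]
	if !ok {
		return "", errors.New("pseudonym unknown to the directory")
	}
	return account, nil
}

func main() {
	ca, caKey, _ := newCA("Example Bank Issuing CA")
	p, _ := newPseudonym()
	der, _ := issueCert(ca, caKey, 42, p, 30*24*time.Hour)
	directory := map[string]string{p: "ACCT-0001"} // constructed mapping
	acct, err := verifyClient(der, ca, map[string]bool{}, directory, time.Now())
	fmt.Println("account:", acct, "err:", err)
}
```

The point of the design is that the certificate itself is useless to anyone who intercepts it: its subject is a random number, and the mapping to a customer lives only in the bank's directory. The verification order matters too: the chain check rejects certificates from any issuer other than the bank's own CA before the serial number is ever consulted, and the revocation map stands in for the certificate revocation list a real CA would publish.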
Though secure E-mail is a priority for many large enterprises, the supply chain is where some businesses
are expecting lower costs and increased interaction by moving to PKI. The Home Depot Inc., which uses Sterling Software Inc. as its value-added network for electronic data interchange and uses direct frame
relay, ISDN, and ATM connections to its suppliers, sees the eventual need to add the public Internet to those connection options as inevitable.
"As there are more small vendors we need to deal with to keep costs down, we'll need to use the public
Internet. That's when the security issues arise," says Mike Anderson, VP of IS for the technology group at Home Depot.
The Atlanta company, one of the first to implement Lightweight Directory Access Protocol-capable directory services across its enterprise in 1997, is expecting to implement a PKI solution in 12 months,
says Anderson. Internally, a focus of the Home Depot PKI will be its 850 synced directory servers running Netscape Directory Server containing the roles and authorization rights for the company's 183,000
employees.
Though Home Depot is looking at various PKI technologies, it declined to indicate which ones it currently
favors. On the client side, Home Depot is looking at several PKI toolkits to integrate into its applications to
make them PKI-aware. One that it was particularly impressed with was Baltimore Technologies' PKI Plus
toolkit, which does a good job of "hiding the muck" of PKI from developers. Home Depot also is interested in
a PKI single sign-on product. It already uses a custom single sign-on application that uses LDAP to
authenticate users on the Directory Server. "We'll probably go with whoever can work PKI into our single sign-on application," Anderson says.
Virtual Networking Success
Virtual private networks are saving businesses money by leveraging the public Internet as the transport mechanism for business transactions. But few VPNs come with both secure authentication of the user and
encryption of the tunnel.
At Chevron Canada Ltd., a pilot program is in place to use PKI with its virtual private network to provide both
strong authentication and encrypted sessions. Previously, Chevron Canada had used dial-up connections with Windows NT authentication. Later, it used Security Dynamics' SecurID, token-based authentication
utilizing a user ID and personal ID number. Although SecurID offers strong authentication, it doesn't encrypt
the session data, and the oil company wanted data encryption that would work transparently with all its applications.
The pilot program uses the IPSec security protocol for data encryption and digital certificates for user authentication. Chevron Canada uses a TimeStep Corp. VPN box that does hardware-based encryption and
decryption. On the client, there is a virtual IPSec driver for the IP stack. For its certificate repository, Chevron Canada is using an X.500 directory server by Control Data Corp.
Chevron Canada sees its PKI investment as paying off with future security implementations. "We put in the
PKI for a certain task: the VPN," says James Eaton, a network specialist with Chevron Canada. "But later,
if we add secure E-mail, secure desktops, and work with outside partners to allow them secure access to our Web servers, we can leverage the same infrastructure."
Challenges Remain
For most businesses, PKI presents a radical restructuring of security policies and fairly complex software architecture. Furthermore, key management introduces new problems in the area of data backup and
restoration.
For large companies that need strong user authentication and encryption of data, PKI is probably the only
reasonable standards-based path to take, despite the heavy up-front costs. Ultimately, PKI will become a
commodity item. Certificate services will be widely available and applications will use PKI right out of the box. For now, though, PKI is still a challenging implementation.
Copyright © 1999 CMP Media Inc.