http://www.intelligententerprise.com/010130/cio.jhtml


The Burden of Proof


Public key infrastructure is paving the way for more secure transactions on the Internet


Cam Johnston
Matthew Manusco

If your organization is like most, you're busily engaged in putting Web-based solutions into effect. You're probably very clear on your objectives: reduce costs, increase sales, get greater market reach, improve customer relationships, and raise profitability.

CODE SHEET
The Elements Of Public Key Cryptography

Cryptography. Keeping a communication private between its source and destination, facilitated by both parties using shared secret keys to decipher the data. Cryptography relies on mathematical functions that are easy to perform in one direction and sufficiently difficult to perform in the opposite direction.

Public Key Cryptography. A cryptographic method that uses a two-part key (code) comprising public and private components. To encrypt messages, the published public keys of the recipients are used. To decrypt the messages, the recipients use their unpublished private key.

Public Key. One of two keys required in public (or asynchronous) cryptographic systems. The public key is distributed widely and is publicly available. A message scrambled with the public key can only be unscrambled with the matching private key and vice versa.

Private Key. One of two keys required in public (or asynchronous) cryptographic systems. The owner usually maintains the private key secretly. A message scrambled with the private key can only be unscrambled with the public key and vice versa.

Public Key Infrastructure (PKI). A system of policies, procedures, components, and technologies that encapsulate the authorization rules and processes into a delivery framework.

Digital Certificate. An identifier that contains a unique description of the user's public key, identifies its period of validity, and is digitally signed by the certificate authority that issued it. It enables correspondents to exchange information securely and privately.

Certificate Authority (CA). A function in a public key cryptography system that determines valid users and roles and issues keys and certificates accordingly.

But you shouldn't rush headlong into e-business without first taking a good, long look at your security. An individual making an unauthorized entry into your system can do a great deal of damage, by stealing sensitive information or even bringing down your system. So identifying and addressing all possible weak links as part of your overall business strategy and processes makes plenty of sense.

Protecting Business Transactions

As the world moves quickly toward e-business, you need to consider not only the risk of compromised information, but also other dimensions of security, such as the lack of system availability, processing capacity, or inability to maintain transaction integrity.

In the brave new world of e-commerce, people use the Internet in purchasing, leasing, negotiating, entering into contractual agreements, and sharing sensitive legal, financial, and personal information. In high-stakes transactions, you must establish and validate the electronic credentials that prove an individual's identity.

For example, when you send a bid on a sizable project over the wire, do you know if the recipient of that message was really your business partner's purchasing agent? Did an unauthorized third party, such as an unscrupulous competitor, hack into the system? Or perhaps the recipients were correctly identified, but were not really authorized to act in the capacity they claimed?

Even more important in e-commerce, businesses increasingly need to indemnify transactions - fix responsibility for certain actions or failure to act.

Assigning Responsibility

For example, assume that you agree with your supplier over the Internet that an order of critical parts worth hundreds of thousands of dollars will be delivered on a just-in-time basis. Who is accountable if the shipment arrives so late that it shuts down the production line, or doesn't arrive at all? What if the order was never captured, booked, or shipped? What dollar amount of liability is assumed? By whom? How can you prove the agreed-upon delivery terms with certainty? Can you prove the seller ever received the order?

When the validity of the identity of the parties is not certain, can you prove anything regarding that transaction in a court of law? Businesses are insisting upon an affirmative answer, based on positive identification.

Handling these serious concerns goes beyond simply managing PINs and passwords and hoping for the best. It inevitably leads to the more complex world of public key cryptography (see sidebar, "Code Sheet,").

One element of public key cryptography is public key infrastructure (PKI). A PKI includes the policies and procedures used for setting up a secure method for exchanging information within an organization, an industry, or any worldwide community of users. It includes not only the use of certificate and registration authorities, directory services, and digital signatures, but also the hardware and software used to manage the process, such as servers, protocols, and applications.

The certificate authority (in-house or outsourced, depending on your application or trust model) establishes the chain of trust by positively binding your identity to your electronic credential (for example, your public key). With a trusted identity, you can send "notarized" documents over the Internet using digital signatures or send private encrypted messages you can be sure will only be readable by the intended recipient.

Because information exchanged with PKI is secure, you can legally enforce the transaction, if necessary. The United States enacted digital signature legislation in 2000, and the American Bar Association has invested significant resources in its PKI Evaluation Guide, which supports many legislative efforts. Digital signature laws have been on the books of some states even prior to 2000. Enforceability generally should follow the pattern established by electronic data interchange (EDI), where numerous legal rulings favored the technology.

Digital Certificates

Digital certificates bind a user's identity with a public key and are vouched for, or "signed," by the authority that originally issued them. They are essentially a method for encrypting messages. Digital signing is the only resource currently available that is capable of delivering the level of protection and legal standing that many organizations demand now - and all will expect in the future.

Using digital certificates, organizations can attribute authentication, which means you can match sign-off levels to the owner of the digital certificate. Users successfully validate their identities based on the certificate, the business rules established, and knowledge of the password needed to validate the certificate. Sign-off levels can be carried in the attribute extensions of the certificate itself or referenced in a separate secure database.

Another key element made possible by PKI is nonrepudiation. This standard industry term essentially means that a mechanism is present that prevents parties in a transaction from denying their role in it. Nonrepudiation proves the identity of the sender and the validity of the content of the message.

Some of the risks that a PKI environment can help mitigate include:

  • System or reputation risk. The need to protect the reputation and credibility of the system against an event such as the failure or insolvency of one of the participants or the compromise of a root key
  • Authentication risk. The effects of inaccurate or obsolete information upon the system
  • Transactional risk. The effects of erroneous certificate verification and any potential claims in contract or tort law by the relying party usually a vendor seeking payment
  • Risk of no privacy of contract. The need to address the fine points of wording a contract to point out what recourse the injured party has if privacy of a transaction is violated.

First Things First

Electronic processes are moving toward the universal use of a robust authentication system (proving who you are), coupled with entitlements (establishing what you may do). PKI provides a secure mechanism that lets individuals request or grant access based on entitlements. Leveraging these frameworks effectively requires that it be done over the short term and medium term. The long-term payoff is preparing your organization for a fully integrated position in e-commerce in the future.

The initial step is taking an in-depth look at your available resources, the community of people involved, and any special needs in your value chain.

We find that having a strong business case to implement a PKI is more important than the technical justification. Actually, when we look at the totality of the task, we estimate that the technology consumes only 10 percent to 20 percent of the resources used, while agreeing on the business rules takes up another 40 percent. The remaining 40 to 50 percent of the effort involves the organizational aspect - where you determine how you will deploy those involved and make sure they understand their roles and responsibilities. In the final analysis, internal deployment is typically much more difficult than external aspects like understandings and relationships with trading partners.

Often, the business managers (typically nontechnical) become enamored with the technology because it's the fun part. Under these circumstances, they may start deploying the technology immediately, while more demanding and time-consuming tasks, such as putting the business rules and policies in place, remain undone.

Early in the progression of events, you must establish and commit to writing several necessary business rules, which include:

  • The certificate policy and practice statements, including a
  • detailed description of the process of identifying and authenticating
  • certificate holders
  • Procedures for revoking and renewing a certificate and handling
  • certificate expiry
  • Procedures for managing public and private keys
  • Methods for distributing certificate status information, such as
  • certificate revocation lists, to relying parties
  • Procedures for backup and disaster recovery
  • Formulating a relying party agreement
  • Rules for dealing with subscribers and customers
  • Establishing liability constraints.
  • The finished process should fulfill four basic specifications:
  • Identifying and minimizing risk
  • Addressing business, legal, and technical considerations
  • Enhancing trust with all constituents
  • Establishing seamless connectivity to your core business
  • applications that enhance value.

Benefits of PKI

For many organizations, PKI provides the basis of entering into digital commitments and contracts. Without authentication, digital signatures, and nonrepudiation, the risks of Internet transactions would simply be too high. For these organizations, the value of PKI in letting them take their traditional business model to the Internet is priceless.

Companies in a variety of industries have already experienced the benefits of implementing a PKI:

A large national financial institution replaced hardware encryption devices with a PKI solution and saved approximately $1 million. A major leasing organization adopted the electronic approval and signing of applications and reduced averageapproval time from 42 days to five days. A telephone utility incorporated the digital signing of expense forms and achieved ROI in three months. The ability to validate a customer's identity beyond a shadow of doubt and authorize access to confidential pricing and inventory information enables a large multinational manufacturer to reduce the cost of a sale from 10 dollars in a call center to five cents over the Internet. The window of service is also now 2437.

Adopting PKI can be expensive, but when complete, it is well worth your investment. In terms of system availability, reliability, confidence, better customer relationships, and secure access to the Internet, it is hard to imagine a business that will not benefit immeasurably.

Cam Johnston (cam.f.johnston@ca.eyi. com) is a partner in Ernst & Young's E-Risk Solutions practice. He has an extensive background in business commerce solutions using intranets and extranets that incorporate PKI, single sign-on, virtual private networks, and meta-directories.

Matthew Mancuso (matthew.mancuso@ ey.com) is an Ernst & Young partner and national director of Security Implementation Services. He is also the lead technologist for the firm's alliances in e-commerce and Internet security, with more than 20 years experience in PKIs, directory services, enterprise security architectures, and security technologies.

 

Return to Article