Public Key Infrastructure could revolutionise the way companies do
business online - if only anyone would use it, says Danny
Bradbury
Public Key Infrastructure (PKI) is a security mechanism for
guaranteeing that on-line communications are authentic and private.
It is gaining recognition as a means of implementing secure
e-commerce, thereby combating one of the major concerns about doing
business online.
Where does it come from?
Although PKI has retained a high profile in recent times, its
history extends back over 30 years. It was originally invented at
GCHQ, the government's top-secret communications centre in the late
1960s. The US took it further and demonstrated PKI in the
mid-1970s. Since then, various commercial organisations have
adopted the technology and implemented it for profit.
How does it work?
PKI has two main goals: first to guarantee that the information
someone is sending you is private and can't be read by anyone else;
and second to ensure that the person sending you data across the
Internet is who they say they are. The way it works is based on the
exchange of software keys between individuals. Someone taking part
in a PKI system has two keys, one of which is private and the other
of which is public. If you have someone's public key, you can use
it to encrypt a message that can only be deciphered by applying
their private key.
That takes care of the first goal. The second goal -
authentication - is solved by using digital certificates, which are
issued by a trusted third party known as a certificate authority. A
certificate is encrypted using a person's private key and usually
contains the person's public key. You read the certificate to find
the public key and then use it to decrypt the message. If you trust
the authority that issued the certificate, then you can be sure
that the person sending you the message is who they say they
are.
Why is it important?
PKI is particularly significant in an e-commerce context because
people are worried about the security of online trades and the
privacy of information such as credit card details. It is
particularly significant in a business-to-business (B2B) context
because transactions in this space are often of a higher value than
consumer purchases. Companies are starting to examine PKI as a
means of non-repudiation - that is, proof that a transaction was
made by a specific party.
Who is doing it?
Various banks and financial institutions are starting to climb
on to the PKI bandwagon, propelled by organisations such as
Identrus. There are a few certificate authorities attempting to
promote PKI across the board. These companies include VeriSign
(www.verisign.com) and IBM.
What are the challenges?
The key issue here is to promote PKI among the end-user
community. Even now, with online trading having been around for a
good few years, the banks and financial institutions are only just
starting to get to grips with PKI. Your average consumer probably
won't even have heard of it, in spite of links to certificate
authorities built into desktop Windows applications such as
Microsoft Outlook.
Certainly, vendors and governments alike are trying to promote
PKI as a secure way to do business. The Electronic Communications
Act, passed by the UK government in May last year, finally made
electronic signatures legally admissible and defined key generation
and management as a contributory service to the generation of a
digital signature. Microsoft has also gone to great ends to
integrate PKI capabilities into Windows 2000 at the server
level.
But the end-user community is notoriously slow on the uptake
with regards to new technologies and it has proven difficult to
integrate support for PKI into applications, especially when they
are bespoke developments.
Will we see enhancements?
One thing that could help promote PKI to consumers is its
integration with smart cards - many of which could be manufactured
in key chain form. Rainbow Technologies produces a hardware key -
the iKey - with the ability to include PKI directly into the
hardware. Nevertheless, this doesn't seem to have captured the
attention of the consumer market yet.
Come together: Identrus
Identrus is a consortium of financial institutions that have
come together to create a system for universally-accepted digital
certificates. End-user customers using digital certificates issued
by Identrus-compliant financial institutions are able to trade with
each other securely. Some banks have already started rolling out
Identrus-compliant applications for B2B trading, although most
members are still in the development stage.