Public Key Infrastructure could revolutionise the way companies do business online - if only anyone would use it, says Danny Bradbury
Public Key Infrastructure (PKI) is a security mechanism for guaranteeing that on-line communications are authentic and private. It is gaining recognition as a means of implementing secure e-commerce, thereby combating one of the major concerns about doing business online.
Where does it come from?
Although PKI has retained a high profile in recent times, its history extends back over 30 years. It was originally invented at GCHQ, the government's top-secret communications centre in the late 1960s. The US took it further and demonstrated PKI in the mid-1970s. Since then, various commercial organisations have adopted the technology and implemented it for profit.
How does it work?
PKI has two main goals: first to guarantee that the information someone is sending you is private and can't be read by anyone else; and second to ensure that the person sending you data across the Internet is who they say they are. The way it works is based on the exchange of software keys between individuals. Someone taking part in a PKI system has two keys, one of which is private and the other of which is public. If you have someone's public key, you can use it to encrypt a message that can only be deciphered by applying their private key.
That takes care of the first goal. The second goal - authentication - is solved by using digital certificates, which are issued by a trusted third party known as a certificate authority. A certificate is encrypted using a person's private key and usually contains the person's public key. You read the certificate to find the public key and then use it to decrypt the message. If you trust the authority that issued the certificate, then you can be sure that the person sending you the message is who they say they are.
Why is it important?
PKI is particularly significant in an e-commerce context because people are worried about the security of online trades and the privacy of information such as credit card details. It is particularly significant in a business-to-business (B2B) context because transactions in this space are often of a higher value than consumer purchases. Companies are starting to examine PKI as a means of non-repudiation - that is, proof that a transaction was made by a specific party.
Who is doing it?
Various banks and financial institutions are starting to climb on to the PKI bandwagon, propelled by organisations such as Identrus. There are a few certificate authorities attempting to promote PKI across the board. These companies include VeriSign (www.verisign.com) and IBM.
What are the challenges?
The key issue here is to promote PKI among the end-user community. Even now, with online trading having been around for a good few years, the banks and financial institutions are only just starting to get to grips with PKI. Your average consumer probably won't even have heard of it, in spite of links to certificate authorities built into desktop Windows applications such as Microsoft Outlook.
Certainly, vendors and governments alike are trying to promote PKI as a secure way to do business. The Electronic Communications Act, passed by the UK government in May last year, finally made electronic signatures legally admissible and defined key generation and management as a contributory service to the generation of a digital signature. Microsoft has also gone to great ends to integrate PKI capabilities into Windows 2000 at the server level.
But the end-user community is notoriously slow on the uptake with regards to new technologies and it has proven difficult to integrate support for PKI into applications, especially when they are bespoke developments.
Will we see enhancements?
One thing that could help promote PKI to consumers is its integration with smart cards - many of which could be manufactured in key chain form. Rainbow Technologies produces a hardware key - the iKey - with the ability to include PKI directly into the hardware. Nevertheless, this doesn't seem to have captured the attention of the consumer market yet.
Come together: Identrus
Identrus is a consortium of financial institutions that have come together to create a system for universally-accepted digital certificates. End-user customers using digital certificates issued by Identrus-compliant financial institutions are able to trade with each other securely. Some banks have already started rolling out Identrus-compliant applications for B2B trading, although most members are still in the development stage.