INTERNET SECURITY – PKI: your guarantee of secure commerce on-line

On-line trading has had a bad press recently and, despite the upbeat assessments published by a number of sources, the world of commerce remains distinctly nervous about committing to cyberspace. This is hardly surprising when the most recent attempts to allay the fears of the business community are hedged around with notes of caution. This is most obvious in public key infrastructure (PKI) technology. It remains, at best, half a step ahead of the opposition as the battle between the certification authorities and the hackers shows no sign of letting up.

But commerce has always been about taking risks. The trick is to recognise the degree of risk and to play the game accordingly. Even within those companies that have yet to develop an on-line capability, there is likely to be a nodding recognition of the need for some kind of e-commerce strategy in the coming years. It is not only a question of the speed with which dealings can be conducted over the internet and the consequent reduction in the cost of transactions – the internet is more and more the convenient choice.

“We used to have to fly down to Accra with a draft contract,” said Michael Walker, a director of Taysec, part of London-based Taylor Woodrow International, “and then drive up-country, through the bush, to discuss it. Now we just send the document back and forth over a secure internet link.”

Extreme though this example may be, it does illustrate the sort of problems that e-commerce has resolved. Over the next three-to-five years the limited reach of the internet to about a third of the globe will expand rapidly as broadband radio communications – including the new breed of global satellite telephones – mature. Such advances will provide the means to transmit huge amounts of data to those parts of the world that are currently beyond the economic reach of telecommunications, with a resultant increase in the size of the marketplace. Many face-to-face meetings and even more post will no longer be required.

Yet the nagging voice of caution still whispers to the off-line community. Developing an e-commerce capability is an expensive business and must meet the test of affordability in its widest sense. There have already been enough horror stories about the vulnerability of the world wide web – so it’s only natural if some FDs would rather their company didn’t have the opportunity to add to them. Indeed, there is every reason to suspect that the survival instinct has caused many victims to remain silent about their losses for fear of the resultant publicity. So it’s hardly surprising that a recent survey by the Giga Information Group in the US showed 27% of companies cite a perceived lack of hardware and software security as the main reason for not engaging in trade on the internet. Firewalls, passwords and the strict injunctions about the need for vigilance imposed on staff may cut the incidence of e-commerce crime, but these measures have not yet calmed company fears about internet trade.

If e-commerce is to expand and thrive in the way that is anticipated, it is clear that it must allow the accepted rules of trade to continue, albeit electronically, without any diminishing of the essential levels of trust that underpin any commercial transaction. The pivotal issues concern privacy; the degree of confidence that both parties have in the integrity of documentation; the authority of the other party to strike the deal; the issue of non-repudiation; and the authenticity of the source of the documents.

The recent relaxation of the rules on the export of encryption software by the US government and the about-face by the French authorities on their own rules about the use of encryption have considerably widened the scope and level of security provided by technology. There are now some extremely sophisticated algorithms available for use by the commercial world. The problem, of course, is that the moment the key to any encryption is made available to a customer, client or supplier, its use as a secure medium of transmission is compromised. Furthermore, the use of encryption will not, on its own, provide all the elements that make up a satisfactory deal. But establishing confidentiality, integrity and so on is what PKI technology seeks to do.

“Only about 20% of the PKI model is based on technology,” says John Hermans, chairman of the European Certification Authority Forum, an EC-funded body looking closely at all aspects of PKI. “The rest is the development of the business practices necessary to ensure that confidence exists in e-commerce transactions.”

At its core, the concept of PKI relies on the notion of a matching set of encryption keys, the use of electronic signatures and the employment of certification authorities. All of these elements are crucial.

– Encryption keys. Of the matching pair, one will be made publicly available while the other is retained by its owner. Embedded within the public key will be the details of its owner and an electronic signature binding the owner to the key. The public key will normally be deposited with a certification authority that will certify the identity of the owner to whoever should ask. The degree of protection afforded by the encryption software is entirely dependent upon the system chosen. A person using the public key is able only to encode (but not decode) a message which can then only be decoded by the holder of the private key.

– Electronic signature. This is a mathematical formulae which is encrypted so that it can be read only by the two parties involved. Any deviation is immediately apparent – so it proves the identity of the user. When coupled with a digital certificate, it operates as a personal identity card for e-business and therefore as a means of securely authenticating identities of people across the internet. It contains information describing the holder, a public encryption key, the validity period and operations for which the public key is valid. The current preference in Europe for storing digital certificates is to embed them within cryptographic smart cards to provide a hacker-resistant storage medium.

– Certification authorities (CA). Also known as trusted third parties, CAs play a central part in the PKI model. While the existence of a public key allows anyone to communicate with its holder, the holder has no means of checking the identity of the person/organisation sending the message. Nor can the holder reply to the message since the public key will not allow for decoding. The CA’s function is therefore to hold the public keys of both negotiating parties and be in a position to prove their identities and the authenticity of correspondence. It should be a viable commercial concern able to assume the fiscal and legal liabilities to which it may be subject as a result of its role as a trusted third party.

If the above process appears painfully complicated, it is hardly surprising. Any number of organisations have now set themselves up as certification authorities with their own proprietary software products. There is no global, regional or even national standard by which the compatibility problems can be addressed and such efforts as are in the pipeline are at risk of corruption by those with a different agenda. In the words of one source, “the whole thing is a mess with little or no interoperability between different systems”. There is, however, some hope that a standard may eventually be found.

In January, the European Forum for Electronic Business launched a two-year, EC-funded project called the PKI Challenge. Working with thirteen global organisations, the objective is to define and agree interoperability criteria for PKI products and certification service providers the world over.

Among the difficulties it faces are the differing requirements of contract law and evidential procedure around the world. While an increasing number of jurisdictions are prepared to accept digital technology in place of paper, many have not enacted the legislation.

“While it is no part of the remit of the PKI Challenge to produce a formal standard, it is to be hoped that we’ll create a best practice business model that may provide the outline for a future global standard,” says Hermans.

The business community is unlikely to be much troubled by esoteric arguments about PKI. The technology works well enough once it has been implemented and certification authorities can already, for instance, be set up within large corporations to provide secure communications between one part of the organisation and another. At a meeting in Amsterdam, last year, several companies, including Shell, Novartis, Siemens, Philips and Unilever, announced that they are in the process of setting up private CAs. Other models include “public” and “club” CAs. For example, a club CA can cater for an entire group of customers or suppliers.

“For the end user,” says Hermans, “the technology is invisible. The details of the public key will be included in the list of contacts on your PC. Your digital signature will be stored elsewhere. Sending a secure message or a draft contract will simply require two extra mouse clicks. One will add the electronic signature and the other will encrypt the data using the public key.”

What is more to the point for corporates considering PKI is whether there is any benefit to be gained from implementing an e-commerce policy that is expensive and time consuming. And, as Jim Dickson, a director of EEMA, the European Forum for Electronic Business points out, PKI is also little use if your business partners don’t adopt it.

However, as e-commerce becomes too important to ignore, PKI will become more popular. Research in the US, published last month, indicates that the number of companies that have some involvement in e-commerce will rise from 35% now to 75% by the end of next year. In Europe the value of on-line retail trade is, at EUR3.5bn, still a tiny fraction of the whole. In percentage terms, this represents about 0.2% of the total European market and lags some way behind the 1.2% of retail trade in the US. But some forecasts predict a huge increase in the volume of internet business over the next few years.

PKI is the principal available means of ensuring that the threats posed by on-line dealing are minimised. “Few businessmen will care whether or not the details of a contract or invoice can be read by unauthorised people,” says Hermans. “They do care if the message or the amount on the invoice can be altered or the other party is able to deny ever having received a contract. They also care about the authority of the other party to enter into a deal and his identity. PKI technology and particularly the model that we are developing through the PKI Challenge is intended to deal with these issues.”

Contacts: Jim Dickson, EEMA, the European Forum for Electronic Business, e-mail:; John Hermans, Chairman of the European Certification Authority Forum, e-mail: HOW PKI WORKS COMPANY A – approaches a PKI provider and obtains a PKI product – is given a matching pair of encryption keys – one private, one public – as part of the PKI product – deposits details of the public key, together with its digital signature, with a certification authority (also known as a trusted third party) – has its public key and digital signature attached to a certificate by the certification authority, declaring it to belong to Company A – invites potential clients/customers/suppliers to bid for contract or otherwise enter negotiations – informs all interested parties where details of the public key can be obtained, i.e. at the address of the certification authority – receives messages/letters etc from potential clients/customers/suppliers, all of which have encrypted the text using Company A’s public key, collected from the certification authority – unlocks (decodes) these messages/letters using its private key

COMPANY B which wishes to trade with Company A, deposits its public key with the same certification authority, This enables Company A to send Company B encrypted messages which Company B then unlocks (decodes) using its own private key

ENCRYPTION KEYS – the public key can only lock (encrypt) text – Company A’s private key is held only by Company A and it alone can unlock messages that were encrypted using its matching public key – use of encrypted data ensures confidentiality – even if it is intercepted on the internet – potential clients/customers etc are satisfied about identity, authenticity, integrity, authority and non-repudiation aspects of the deal with Company A since the public key is certified as belonging to it by the certification authority

CERTIFICATION AUTHORITY – must be a viable commercial concern – must be able to meet (or insure against) legal liabilities of its position as guarantor.

Related reading