This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://comment.silicon.com/0,39024711,10002785,00.htm


Through the fog... Public Key Infrastructure
Want secure email? Read on...

By Quocirca

Published: Thursday 06 February 2003

Demystifying another often heard and often misunderstood acronym this week is Quocirca analyst Jon Collins. Get to know PKI...

Security is a strange phenomenon in IT. Like a Will O' The Wisp, it's elusive. And so we are faced with the promise and the reality of Public Key Infrastructures (PKIs) – such a useful, powerful technology, coupled with near total apathy on the part of the user community to implement it.

That's a bit of a generalisation. Public key cryptography is in common use. In fact, every time you see the little golden key in the status bar of your browser, that's PKC at work. However, it's a point-to-point thing. What has never quite caught the imagination of the wider world is the implementation of digital certificates for more general use.

If this has been gobbledegook so far, it might be worth defining some terms before we move on. Encryption is a well-known way of protecting data from being seen by the wrong people. The tricky bit is letting people know how to decrypt information when it arrives. The encryptor needs to send a suitable key and if this falls into the wrong hands (or even the right ones) what's to stop another person using the key and passing themselves off as the encryptor?

To solve this, the eggheads came up with 'public key encryption', which uses two keys. A message encrypted with the first key can be decrypted with the second key, and vice versa: one of the keys is kept private, and the other is made public. This enables a number of uses, for example:

- if you want to send me a message that only I can read, you can encrypt it with my public key, knowing I will be able to decrypt it with my private key.

- if I want to send you a message and I want you to be sure it came from me, I can encrypt it with my private key, and you will be able to decrypt it with my public key.

This simple scheme has other advantages. Because it ensures the originator cannot be impersonated, it can be used as a mechanism to guarantee the origin of any information, encrypted or otherwise, as the information can be 'signed' (provided with an encrypted header) with the originator's key. In security circles this is known as 'non-repudiation'. Finally, there is the knock-on benefit of data integrity. It is impossible to tamper with the facts while they are encrypted.

Powerful stuff but simple can very quickly get complicated. Should everyone want to use public key encryption, then everyone would need to manage everybody else's public keys: this is neither a pleasant nor a likely scenario. In its wisdom, the industry has defined a framework known as the Public Key Infrastructure (PKI) as a management mechanism for public keys. Managed by a 'trusted third party' known as a Certification Authority (CA), PKIs can issue, store, release, revoke and otherwise control public keys, providing a useful service for both the originators and recipients of encrypted or signed information.
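The two uses listed above and the CA's role, worked through as an added example that is not part of the original article: a CA signs a name-to-key binding, and a recipient checks the certificate, a revocation list and the message signature. It uses toy textbook RSA (small fixed primes, no padding, unsuitable for real use); every name, the certificate layout and the sample values are constructed for illustration.

```python
# Toy illustration only: textbook RSA, small fixed primes, no padding.
import hashlib

def make_keypair(p, q, e=65537):  # returns (public, private) = ((n, e), (n, d))
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def apply_key(key, value):  # the one RSA operation: value ** exponent mod n
    return pow(value, key[1], key[0])

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(private, data):
    return apply_key(private, digest(data, private[0]))
def verify(public, data, signature):
    return apply_key(public, signature) == digest(data, public[0])

def cert_body(cert):  # the fields the CA's signature covers
    return repr((cert["serial"], cert["name"], cert["public"])).encode()

def issue_certificate(ca_private, serial, name, subject_public):
    """The CA binds a name to a public key by signing the pair."""
    cert = {"serial": serial, "name": name, "public": subject_public}
    cert["ca_signature"] = sign(ca_private, cert_body(cert))
    return cert

def check_message(ca_public, revoked, cert, message, signature):
    """Recipient's checks: CA signature, revocation list, then the message."""
    if not verify(ca_public, cert_body(cert), cert["ca_signature"]):
        return "certificate not signed by this CA"
    if cert["serial"] in revoked:
        return "certificate revoked"
    if not verify(cert["public"], message, signature):
        return "message altered or not signed by certificate holder"
    return "ok"

def demo():
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**127 - 1)  # constructed CA key
    pub, priv = make_keypair(2**61 - 1, 2**89 - 1)  # constructed user key
    cert = issue_certificate(ca_priv, 1001, "alice@example.com", pub)
    msg, sig = b"Pay 500 GBP", sign(priv, b"Pay 500 GBP")
    renamed = dict(cert, name="someone.else@example.com")
    return {"genuine": check_message(ca_pub, set(), cert, msg, sig),
            "tampered": check_message(ca_pub, set(), cert, b"Pay 900 GBP", sig),
            "revoked": check_message(ca_pub, {1001}, cert, msg, sig),
            "renamed": check_message(ca_pub, set(), renamed, msg, sig),
            "decrypted": apply_key(priv, apply_key(pub, 42))}

if __name__ == "__main__":
    print(demo())
```

The recipient needs only the CA's public key in advance; the sender's public key arrives inside the certificate, which is the key-management burden the PKI takes off each user.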

So for people who want to ensure the privacy of the information they send, public key encryption is highly appropriate. As mentioned, web browsers do it every time they access a secure page using the secure hypertext transfer protocol https. Software downloads, typically for browser plug-ins such as Macromedia Flash, are digitally signed and you can view the certificate and verify its CA for extra personal comfort. In other words, you are using PKIs already, albeit in a limited way.

Today's ecommerce, still alive and kicking despite the dot-com crash, could not function without public key encryption, as it gives businesses and their customers confidence in transmitting vital information over the wire.

Despite all this, there seems to be a singular lack of interest in taking such facilities any further. Have you, personally, set up an encryption facility on your own computer to transmit sensitive personal and business information (for example, via email)? Of course you haven't, or if you have, you are in the absolute minority.

Rather than whipping yourself about it, you could ask one of two questions. First, why have you never received a single email, from your colleagues, superiors, business and customers, which requires you to decrypt the message or verify the identity of the sender? Second, why is your organisation not doing anything about it? After all, if no one else is doing it, and nobody is enforcing (never mind requiring) it, why should you be any different?

Despite the obvious threats of fraud and privacy, companies and individuals still appear to have a pretty relaxed attitude to the security of the web. Viruses and worms exist that re-send random emails from your outbox to random recipients from your address book – the possibility of sensitive corporate information arriving in the lap of a customer or a competitor seems quite real.

At the same time, the lack of a comprehensive security framework for the web is cited as one of the main factors why companies are slow to adopt the internet as part of their infrastructures. Something has to give.

Security vendors such as RSA and Entrust have been baffled for years as to why the take-up in PKI products has been so small. There are many factors that have hindered adoption in the past:

- PKIs have remained expensive despite several initiatives (such as Identrus for the financial industry).

- Both sender and recipient need to agree to use public key encryption in their transmissions. As PKIs are not yet ubiquitous, this leads to a Catch-22 where everybody waits for everyone else to start using public key encryption first.

- CAs such as VeriSign developed a bit of a reputation for letting anybody create an entry in their directories (go to VeriSign's web site https://digitalid.verisign.com/ and search for Mickey Mouse, for example – there are at least 50). This has not helped the 'trusted third party' cause.

- The interoperability of PKI implementations has been flaky. Again, initiatives (such as the PKI Forum interoperability framework) and creation of standards such as XKMS for key management exist to counter the problems.

- Finally, the security of the Certificate Authorities themselves may be at risk. Organisations such as ECAF in Europe are building policy frameworks to which CAs will have to comply but at the moment many countries do not have trust policies for CAs.

All of these factors contribute to a 'not yet' policy on PKI. The technologies required for PKIs already exist but the world is not yet using them and maybe never will - knowingly. There are more pressing problems to be solved, particularly as - like disaster recovery - confidentiality and non-repudiation only become a priority following a problem.

Regardless of the current apathy, perhaps PKI really is a problem to be solved by the infrastructure providers – not only the ISPs but also the Ciscos and Microsofts – and not by end-user organisations. The management of the key handling part of the infrastructure can, and maybe should, be outsourced. Plenty of companies believe the latter, including EDS and IBM.

More recently, in December last year, fledgling web services standards were enhanced to incorporate PKI-based security mechanisms. Many applications in the future will require the internet as a backbone and hence most will need to leverage the enhanced security that a PKI can support.

Once PKI is delivered as an integral part of the application, and is managed as an outsourced service, it will be used – likely with a sigh of relief by many businesses, who can only benefit as a result.

Quocirca is a leading, user-facing analyst house known for its focus on the 'big picture'. For a full summary of its activities see www.quocirca.com, or reach the company's founding directors by emailing quocirca@silicon.com.
