Enterprises bet on PKI
by Gohsuke Takama
In the past couple of years, Public Key Infrastructure (PKI) has become a mainstream buzzword in
the computer security industry. Is PKI a silver bullet for all network security
problems? Not quite. Is PKI an e-commerce enabler? Might be. But there's a good
possibility that PKI will be able to provide sophisticated solutions for integration
and streamlining of enterprise network security.
For a paper document, it is relatively easy to establish authenticity, confidentiality, integrity (have
the message's contents been modified?), and non-repudiation (making sure that
a transaction, once made, cannot be denied later - key for e-commerce). But communication
via computer networks is quite different, and one of the challenges barring the
way to widespread e-commerce deployment is figuring out how senders and recipients
of messages (say, a request to transfer ¥75,000 from the sender's bank account
to the recipient's) can be sure that their communications are in fact authentic.
Hopping over the Web
Internet e-mail messages, for example, hop over a multitude of servers, many or
most of which will be unknown to the sender or the receiver. Who knows if your
message has been intercepted by someone who is eager to interfere with your business
by surreptitiously altering its contents? How do you ensure that the person logging
onto your company network is really the same person specified in the authentication
list? PKI is a means to obtain certain answers to these and other security-related
questions. PKI relies on public key cryptography, which uses a pair of keys: a
public key and a private key. But don't think automobile or front door for these
"keys." They actually consist of special numbers based on prime numbers - numbers
divisible only by themselves and 1 (like 1, 2, 3, 5, and 7).
If Bob wants to send Alice a private message, he encrypts the message using Alice's public key
(previously made available to anyone). No one, except Alice who has the private
key of her key pair, is able to read the message, regardless of the communication
path. When Alice sends Bob a reply, she signs the message using her private key,
and Bob verifies the message and signature by using Alice's public key, confirming
that the message really has been sent by Alice and has not been altered by anyone.
John Hancock with bits
Public key cryptography provides two main features: digital signatures and asymmetric
encryption. Digital signatures, in particular, perform an important role in the
public key distribution process. While it is simple to exchange public keys between
two individuals, when the number of people involved in the communication increases,
chances are someone might be able to impersonate someone else and proffer fake
keys to unwary recipients. This can be prevented if the key itself has been digitally
signed by a third person who assures the recipient of the authenticity of the
key. At its heart, then, the idea of the PKI starts with digital certificates.
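
The Bob-and-Alice exchange and the third-party signature on a key, described above, as an added example that is not part of the original article. It uses textbook RSA without padding, built from constructed keys, purely for illustration; the function names and the certificate layout are assumptions, not a real certificate format.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def encrypt(msg, pub):
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(c, priv):
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def issue_cert(name, pub, signer_priv):
    """Bind a name to a public key by signing both together."""
    body = f"{name}|{pub[0]}|{pub[1]}".encode()
    return {"name": name, "pub": pub, "sig": sign(body, signer_priv)}

def cert_ok(cert, ca_pub):
    """Accept a key only if the trusted third party signed the binding."""
    body = f"{cert['name']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
    return verify(body, cert["sig"], ca_pub)

# Constructed keys (Mersenne primes); far too weak for real use.
ca_pub, ca_priv = make_key(2**521 - 1, 2**607 - 1)
alice_pub, alice_priv = make_key(2**89 - 1, 2**127 - 1)
mallory_pub, mallory_priv = make_key(2**61 - 1, 2**107 - 1)

alice_cert = issue_cert("Alice", alice_pub, ca_priv)
# An impersonator can label her own key "Alice" but cannot get the CA's signature.
fake_cert = issue_cert("Alice", mallory_pub, mallory_priv)
```

Bob checks `cert_ok(cert, ca_pub)` before encrypting to the key inside a certificate; the impersonator's certificate fails that check even though it carries the name "Alice".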
PKI authorities
A PKI system usually has three entities: a Registration Authority, a Certificate
Authority, and a Certificate Directory. The Registration Authority receives requests
from users, confirms users' identity, and registers them into the directory database.
The Certificate Authority issues, revokes, and verifies certificates based on
the registration, generates users' key pairs, and controls network access
and authentication. The Certificate Directory stores and manages users' registration
data and certificates.
One of the benefits of PKI is that the same type of certificate can be used for authentication of
both users and devices, such as PCs, smartcards, PDAs, firewalls, and Web servers.
There is growing demand for two-factor authentication, which is typically achieved
through a combination of a password and a smartcard-like device. This is especially
useful for the authentication process for Virtual Private Networks which connect
companies' branch offices or business partners with central networks.
But for implementation of a PKI system, there are several factors to keep in mind, the first of which is
cost. According to industry research, implementing a PKI system in a 5000-person
enterprise would involve costs of $90-160k for initial PKI investment, and $300-400k
for support and maintenance for a three-year period. Despite this initial barrier,
many large firms are actively pursuing PKI systems. Canada's Scotiabank spent
some $2 million to deploy an Entrust-based PKI system (including two Certificate
Authority servers) in 1997, and about half the cost went to servers and network
hardware (the rest went to software, testing, a new secure equipment vault, and
consulting fees). Federal Express recently implemented PKI to manage network access
and communications for its 150,000 employees worldwide.
PKI at an early stage
Although PKI has attracted a lot of attention, it is still difficult to predict
if a boom in PKI usage will happen any time soon. Selling security infrastructure
isn't an easy business unless companies have achieved a "security" frame of mind,
and - other than those who have had their communications hacked or networks breached
- few have.
Gohsuke Takama is an independent consultant specializing in computer security issues. Contact
him at gt@twics.com.