Battling back with PKI

Nov 1, 2001 12:00 PM, By Jacqueline Emigh



As the threat of terrorist attacks continues, government agencies and the airlines are looking to public key infrastructure (PKI) security as a possible defense. The U.S. Department of Defense (DoD) is getting into the act through an initiative known as Common Access Card (CAC) that will issue PKI smart cards to military personnel. In Europe, pilots for Lufthansa Airlines are already required to use a PKI-based ID system each time their flight itinerary changes. New, more stringent airline regulations are looming in the U.S. Congress, too.

Although many people are hearing about PKI for the first time, the technology is not new. Major banks in the United States and abroad have been deploying PKI for several years to help secure online transactions. For government applications, the United States launched the Federal Bridge Certification Authority in 1999, to promote interoperability between multivendor PKI products. Outside of banking and government, other PKI pioneers have included the insurance, health care and telecom industries.

“Terrorist events of the past several weeks, however, have accelerated the convergence between physical access and computer security,” says Ted Kamionek, senior product manager at RSA Security, one of the three top vendors in the PKI business, along with Entrust and Baltimore Technologies. “Before, security was thought of as something nice to have. Now, PKI is becoming more of a necessity for many organizations. If a company is buying employee badges, for example, it also wants to be able to use those badges to help secure the company's computer system.”

Essentially, PKI is meant to provide an end-to-end infrastructure for computer security functions that include:

  • authentication, to prove that “you are who you say you are;”

  • confidentiality, to keep data safe from unauthorized eyes;

  • integrity, to protect information from being manipulated; and

  • non-repudiation, to make sure people can't disown or “take back” their previous actions online.

PKI can perform other computer security tasks, too, including single sign-on, digital signatures and digital time stamping. In single sign-on, employees can log on to all their authorized software applications with a single password.

Digital signatures and digital time stamping are newer technologies. Through federal legislation passed last year, electronic documents with digital signatures are now recognized as valid throughout the United States.

Meanwhile, the U.S. Patent Office has launched a Web site that digitally time-stamps patent applications submitted by inventors and patent attorneys.

Increasingly, PKI is also being integrated into smart cards. Through CAC, the DoD envisions issuing PKI-enabled smart cards containing military employees' names, ranks, serial numbers and blood types, along with their computer security permissions, Kamionek says.

A bank in New York City is already issuing smart cards that let employees “walk through the front door, go to the PC and digitally sign their e-mail messages, and then use the same smart card to buy food from the cafeteria,” he adds.

However, some experts say, PKI is not necessarily for everyone. “PKI isn't for the faint of heart,” notes Pete Lindstrom, director of security strategies at the Hurwitz Group. For one thing, the technology is extremely complex, encompassing elements that include the following:

  • software-based digital certificates, for identifying end-users;

  • public and private keys, a set of software components that are used together for encrypting and decrypting computer-based information;

  • a hierarchical “trust” system allowing companies, governments and PKI vendors to vouch for users' rights and IDs; and

  • PKI-enabled software applications.

According to its advocates, PKI is much more sweeping than most other security technologies. Still, organizations can opt to use other, less complicated technologies instead for some of the functions handled by PKI, including encryption, digital signing and single sign-on.

In terms of physical access, companies that decide on PKI need to set up rock-solid security policies for preventing digital certificates and keys from being tampered with or stolen. Certificates and keys are typically stored on either the end-user's PC or on a separate smart card. Some companies, such as Entrust, claim to automatically check digital certificates to make sure they are up-to-date and valid. Ideally, organizations use passwords and biometrics to add more security layers at the end-user level.

Public keys, on the other hand, are generally housed in electronic vaults, often under the protection of armed guards. “Physically, the big thing is the public key. If that becomes compromised, your whole PKI infrastructure gets messed up,” says Matt Smith, a security engineer at Sword & Shield Enterprise Security Inc.
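The hierarchical trust system and the certificate validity check described above, as an added example that is not from the article or any vendor it names. It uses Go's standard `crypto/x509` package with Ed25519 keys; the algorithm, the subject names and the validity periods are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a certificate for cn: self-signed root CA if parent is nil, else signed by parent.
func issue(cn string, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
	}
	if parent == nil { // top of the hierarchy: the root vouches for itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// trusted reports whether cert chains to root and is inside its validity period at time at.
func trusted(cert, root *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err == nil
}

func main() {
	root, rootKey := issue("Example Root CA", time.Now().AddDate(10, 0, 0), nil, nil)
	user, _ := issue("employee-0001", time.Now().AddDate(0, 0, 1), root, rootKey)
	fmt.Println(trusted(user, root, time.Now()), trusted(user, root, time.Now().AddDate(0, 0, 2)))
}
```

The check covers the signature chain and the validity dates only; revocation checking is not shown.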

According to Sword & Shield President John Goldstone, the company has been working with BWX2 (formerly Lockheed Martin Energy Systems) at the Oak Ridge national labs on a PKI system aimed at registering gun owners with the FBI.

Other federal agencies already using PKI include Entrust customers such as the U.S. Secret Service, Federal Reserve, State Department and Treasury Department.

Beyond the potential security advantages of PKI, experts point to cost savings. Single sign-on, for example, can cut down the hefty support costs associated with lost and forgotten passwords, says Ian Curry, Entrust's vice president of product management.

PKI technology, however, can carry large expenses of its own. “For some companies, PKI can actually be too much security, because it calls for such a big infrastructure,” Lindstrom contends.

The need for systems integration can also rear its head. Vendors have been working at product interoperability through industry groups such as the PKI Forum. “I wouldn't say that interoperability is perfect yet, but it's a lot better than it's generally perceived,” says Entrust's Curry.

However, experts agree, PKI-enabling older software applications can still be problematic. RSA Security, for instance, uses a software “wrappering” system to manage these legacy applications. The alternative is time-consuming manual software coding, according to Kamionek.

To get the most mileage from PKI, experts advise focusing first on using the technology to solve a single business problem, and then leveraging the new PKI infrastructure to support additional PKI solutions. “You should figure out what you need before you buy it,” Lindstrom advises.

“Where there's a success, there's a clear business reason. Where there's a failure, there isn't a clear business reason,” Curry agrees. “But PKI is also about scalability and leveragability. You should start with the application you can leverage most. When you move on to the next, you want to push ROI even further.”

For at least one RSA Security customer, a medical facility, single sign-on is indeed the “killer app,” according to Kamionek. “The nurses and doctors are using smart cards, together with authentication, to log in to a variety of different systems, all using a single PIN,” he says.

Other companies find digital signing most compelling. Customers in this group, though, might want to narrow down their focus. “It probably makes more sense to use digital signing for expense reports than for e-mail, for example,” Curry recommends.

One large mutual funds company, also an RSA customer, has decided to require digital signatures only on transactions of $200,000 or more.

On the other hand, New York Life Insurance, an Entrust customer, has outfitted all of its field salespeople with PKI-enabled laptops, for adding customers' signatures to electronic forms from directly inside the customers' homes.

Customers also need to decide whether to outsource functions such as systems integration and key management, or handle them in house. Some PKI outsourcers specialize in working with smaller companies in vertical markets. For example, Jury Cert, also an Entrust customer, employs an ASP-like model to deliver digital signing applications to law firms.

At the bottom line, PKI becomes a balancing act between costs and expected benefits, over the short and long haul. Obviously, some groups can expect to benefit more than others from an end-to-end security infrastructure, including those most likely dealing directly with terrorist attacks.

As one byproduct of new anti-terrorist regulations, debated this fall in Congress, it's quite possible that all passengers at U.S. airports will be required by law to use a PKI smart card before boarding a plane, Kamionek says.

For the record

About the author

Jacqueline Emigh is a 12-year veteran of technology journalism and a freelance writer for iSecurity.

© 2008 Penton Media Inc.
