PKI… Why Go Through the Hassle?

As e-mail increasingly substitutes the use of letters and faxes (also to governmental bodies) and as commercial transactions on the web get more and more important to organisations, the need for secure communications equally grows, especially with spoof attacks, interception of transmissions and other hacking methods becoming more widespread and getting more “intelligent” every day. So, if the web is to achieve its true (commercial) potential, it is important that the right technological infrastructure is in place. Public Key Infrastructure (PKI) enabled by cryptography provides a secure basis. Digital signatures use public key infrastructure.

The European Commission has welcomed the adoption of a new legal framework guaranteeing EU-wide recognition of electronic signatures (European Directive 99/93/EC). The Electronic Signature Directive is a first example of the Commission’s flexible and integrated approach towards developing a European framework for the development of electronic commerce. In the past only hand-written signatures have been legally valid but this legislation extends that recognition to electronic signatures and applies the Internal Market principles of free movement of services and home country control to e-commerce. It constitutes an important element in the Commission’s on-going efforts to drive forward the rapid development of electronic commerce so as to capitalise on its potential to generate business and create jobs. This framework provides the security that the market for online transactions demands and strengthens the EU’s position in the face of international competition in this new global market.

Electronic signatures allow someone receiving data over electronic networks, via the Internet for example, to determine the origin of the data and to check that that data has not been altered. The Directive is not designed to regulate everything in detail but defines the requirements for electronic signature certificates and certification services so as to ensure minimum levels of security.

Its main elements are:

  • Legal recognition: the Directive stipulates that an electronic signature cannot be legally discriminated against solely on the grounds that it is in electronic form. If a certificate and the service provider as well as the signature product used meet a set of specific requirements, there will be an automatic assumption that any resulting electronic signatures are as legally valid as a hand-written signature. Moreover, they can be used as evidence in legal proceedings.
  • Free circulation: all products and services related to electronic signatures can circulate freely and are only subject to the legislation and control by the country of origin. Member States cannot make the provision of services related to electronic signatures subject to mandatory licensing.
  • Liability: the legislation establishes minimum liability rules for service providers who would, in particular, be liable for the validity of a certificate’s content. This approach ensures the free movement of certificates and certification services within the Internal Market, builds consumer trust and stimulates operators to develop secure systems and signatures without restrictive and inflexible regulation.
  • A technology-neutral framework: given the pace of technological innovation the legislation provides for legal recognition of electronic signatures irrespective of the technology used (e.g. digital signatures using asymmetric cryptography or biometrics.)
  • Scope: the legislation covers the supply of certificates to the public aimed at identifying the sender of an electronic message. In accordance with the principles of party autonomy and contractual freedom it does, however, permit the operation of schemes governed by private law agreements such as corporate Intranets or banking systems, where a relation of trust already exists and there is no obvious need for regulation.
  • International dimension: so as to promote a global market in electronic commerce the legislation includes mechanisms for co-operation with third countries on the basis of mutual recognition of certificates and on bilateral and multilateral agreements.

A key concept relating to digital certificates is “non-repudiation”, i.e. the person who places his or her digital signature cannot later deny that the matter being signed originated from under his own hand. Without this concept, digital signatures would carry little weight in the commercial world and their usefulness would be severely restricted.

Another important requirement for public key cryptography to be practically useful is the secure distribution of public keys. If you are dealing with a small group of people, you could exchange public keys directly, say using a disk. This is rarely possible in real life where you may need to deal with a large number of complete strangers and need to be sure of their true identities. This is where digital certificates come in. A digital certificate is an assurance provided by a third party (called a Certification Authority), e.g. GlobalSign, Verisign, etc., that a public key indeed belongs to the purported owner. A digital certificate contains a public key, the name of the person (or organisation) that the key belongs to, and the whole thing is authenticated with a digital signature.

Implementing the use of public keys on a large scale requires a lot of manpower as, technically, PKI is the combination of the technologies, infrastructure and practices needed to enable use of public key encryption and digital signatures in distributed applications on a significant scale. The main purpose of PKI is to distribute public keys accurately and reliably to those needing to encrypt messages or verify digital signatures. This employs digital certificates issues by certification authorities. PKI also covers certificate renewal, revocation, status checking and private key backup and recovery.

Organisations typically have two options:

  • go for an in-house PKI, whether or not assisted by a third party with experience in PKI implementations;
  • go for an outsourced PKI solution.

The latter option seems to be a new trend.

Even large governmental bodies such as the Belgian government have recently chosen for an outsourced solution. As part of an overall strategy to deliver e-government services to its citizens, the Belgian government defined the Belpic project, providing an electronic identity card to each Belgian citizen over a period of five years. The electronic identity card contains a photo, some basic identity information and a signature of the cardholder in visual and electronic format. Digital certificates stored on the card will allow secure identification and electronic signing.

The PKI market has not delivered on its promise because the implementation and maintenance of an in-house Public Key Infrastructure requires highly specialized internal staff. What customers such as the Belgian government want are digital certificates to secure their applications. They don’t want the hassle of implementing and maintaining a complex PKI environment. Some Managed Security Service Providers, e.g. Ubizen, offer such outsourced PKI solutions.

Infosecurity Europe is Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003. www.infosec.co.uk