The Advent of the Internet and wireless networks has challenged many fundamental assumptions regarding communications and commerce, particularly in the area of security.
The Internet's and wireless networks' weakness is also its fundamental strength. Its openness makes it the ideal platform for global commerce. But because it is open, transactions across these networks are inherently difficult to secure.
What is missing is the mechanism to guarantee the integrity of information and provide the relationships of trust which are the foundations of any commercial infrastructure. If you want to do business over the Internet and wireless networks there are four major security services that must be in place:
- Authentication (Identification)
- Confidentiality (Privacy)
- Integrity
- Non-repudiation (Signatures)
The Internet's economic potential will not be fully realised until service providers can deliver guaranteed security for e-commerce and m-commerce transactions.
Enter public key technology, which is emerging as the cornerstone of the future business infrastructure.
Public key encryption (i.e., public and private encryption keys, digital certificates, digital signatures, key-management protocols, and certificate authorities) is a basic technology which can deliver security throughout the Internet.
Initial applications for public key technology have already emerged. These include virtual private networks (VPNs), secure e-mail, and Web-based secure transactions using the SSL (Secure Sockets Layer) protocol.
By using a pair of keys - one private and one public - public key security provides an ideal architecture for authentication and authorisation on the public Internet. A user can publish his or her public key, which anyone can use to confirm that user's digital signatures or encrypt a message to them.
Certificates augment public-key cryptography by providing the means to validate the public key. A certificate is a digital document which binds a public key to the identity or another attribute of its principal. It can also contain policy information, such as the authorised uses of the key (signing or encryption, for example).
A certificate authority (CA) creates and signs the certificate with its own private signature key, vouching for the authenticity of the key and the identity of its owner. Thus, people can use the key with confidence according to the certifying authority.
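The key pair, certificate and CA relationship just described, as an added example (not code from the original article) in Go using only the standard library: a CA issues a certificate that binds a subject's public key to a name and to a signing-only key usage, the subject signs a message with the private key only it holds, and a relying party accepts the signature only if the certificate chains to a CA it trusts. Names such as "Example Root CA" and "alice@example.test" are constructed placeholders, and Ed25519 is chosen for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newKey generates an Ed25519 key pair; the private half never leaves its owner.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
// issue binds pub to name in a DER certificate: a self-signed root when parent is nil,
// otherwise the CA (parent cert, signer key) vouching for a key limited to signing.
func issue(name string, pub ed25519.PublicKey, parent []byte, signer ed25519.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, // policy: what the key is authorised for
	}
	issuer := tmpl // self-signed unless a parent CA certificate is supplied
	if parent != nil {
		var err error
		if issuer, err = x509.ParseCertificate(parent); err != nil { return nil, err }
	} else { // a root may sign other certificates, and nothing else
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
}

// signMessage is the subject's detached signature, made with the private key only it holds.
func signMessage(key ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(key, msg) }

// verifySignedMessage is the relying party's check: the certificate must chain to the trusted root, and sig must verify under the public key that certificate certifies.
func verifySignedMessage(leafDER, rootDER, msg, sig []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil { return err }
	root, err := x509.ParseCertificate(rootDER)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil { return err } // unknown issuer, expiry or non-CA issuer
	if pub, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}
```

The functions are exercised from a Go test or a main the reader supplies; a certificate issued by a CA the relying party does not trust, or a message altered after signing, is rejected.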
But public key encryption and certificate generation alone are insufficient to provide the level of global trust required to ensure secure e-commerce transactions. What's required is PKI (Public Key Infrastructure) - a set of applications, policies, practices, standards, and laws which will serve as the arbiter of security and trust on the Internet.
PKI provides mechanisms for establishing trust and binding commitments which are actually superior to accepted business practices. Over time, electronic commerce tools based on public key technology are likely to replace established "commerce archetypes" such as paper contracts, personal signatures, and currency.
But there are problems: the manageability of PKI - and thus the cost of deploying it - is a significant variable. Deployment and maintenance of a PKI system requires a high level of expertise. Indeed, the primary PKI challenges lie in management and policy, not cryptography and systems.
Other challenges include a fragmented security market structure, poorly developed metrics for measuring security, government moves to control access to encryption and decisions about who should, or should not, be a CA.
In addition, there's the issue of standards.
RSA's Public Key Cryptography Standards (PKCS) define many essential PKI components. Under the auspices of the Internet Engineering Task Force (IETF), the Public Key Infrastructure working group (PKIX) has created a set of proposals that provide a well-rounded definition of an interoperable public-key infrastructure.
But the process of sorting out global PKI standards has not yet been completed, and support for the various standards which do exist is inconsistent.
And then there's people - the ultimate users of PKI. Forget about the mathematical complexity of public key encryption. The public key infrastructure is about much more than technology. Writing code and building systems is easy; the hard part is establishing new business practices and consumer behaviours.
The rate of change in human behaviour will ultimately define the rate at which the PKI is accepted. However, acceptance is inevitable because of PKI's superiority in securing communications, validating identity, and confirming transactions when compared to legacy business practices.
All of these issues are important to the long-term success of e-commerce. Therefore, it's not a question of if, but when everyone involved in e-commerce will face the issue of PKI implementation.
It's equally clear, however, that PKI is far from being a no-brainer. In fact, PKI poses potentially huge problems for would-be users because the infrastructure for using public-key systems and certificates is only just emerging. In short, significant questions concerning the manageability of PKI remain.