InformationWeek Labs

June 14, 1999

In Keys We Trust

Public key infrastructure is emerging as the standard for user authentication and data security. Not all businesses need it, but those that do face significant challenges
By Jason Levitt

Related links:
  • PDF file: Accompanying illustrations and tables
  • Enterprise Management/Security Resource Center
  • From our sister publications: Computer Reseller News, "Start-up's offering aims to simplify PKI"; Network Computing, "Enterprise Security--Defending the Enterprise"; InternetWeek, "Secure Messaging Moves Forward"

    Trust is hardly the word that comes to mind when you talk about the Internet, but trust is exactly the issue that's keeping companies from transacting more of their critical business communications over public computer networks. While the brick-and-mortar business world can depend on signatures, credentials, certified mail, and phone networks to provide reasonable guarantees of message integrity and a sender's identity, there are few secure mechanisms in place on the Internet to verify the sender of E-mail or to prove that E-mail messages weren't altered or read before they arrived at their destination.

    The need for secure E-mail is, in fact, one of the major reasons that many large companies are looking toward public-key cryptography techniques and implementing a public key infrastructure in their enterprise. So much critical business communication is going digital that a recent Gartner Group report suggests that up to 80% of large enterprises will test one or more PKI solutions through 2003. If this seems like a long time to be in test mode, that's because public key infrastructure is complex, reaches deep into enterprise IT architecture, and must function reliably, or the results could be disastrous.

    Besides secure E-mail, PKI offers other critical security solutions. Companies want good authentication of senders and receivers from their external and internal Web services and verifiable identity credentials for users of their virtual private networks. Businesses wanting to lower costs by conducting enterprise resource planning over the public Internet have found PKI to be the most viable security solution.

    Digital Equivalency
    In the United States, PKI is getting a big boost by the possibility that the Digital Signature Act of 1999, part of the Millennium Digital Commerce Act, will pass Congress. If passed, the act will establish, among other things, an equivalency between pen-and-ink signatures and electronic signatures, including various forms of online signing, such as digital signature technology, that require PKI.

    The act will make properly signed digital documents (and digital procedures, such as clicking on an "I Agree" button) as legally binding as their paper equivalents and ensure that they are honored in all states.

    Though the Digital Signature Act doesn't specify particular technologies for strong authentication and data encryption, enforcing a signed document in a court of law, or prosecuting a related offense, will require the kind of verifiable evidence of who signed and what was signed that a PKI offers. This is yet another reason why security-conscious businesses want PKI. The federal government, which has one of the world's largest IT departments--and one of the most anxious about security--is leading the way with its own PKI pilot program, the Federal Public Key Infrastructure Project.

    In the meantime, some vendors aren't waiting for laws to evolve--they're making PKI technology meet current legal standards for evidence and custody. Document Authentication Systems Inc. has a set of products and services based on PKI and a trusted-document store to essentially create a chain of evidence and custody that meets current rules of legal evidence.

    The software and services, called DocuGuard, use PKI for digital signatures. A workstation application provides access to the service, verifying the identity of the individual making a transaction and controlling (through administrator settings) which parts of a document are visible to him or her. The document itself is stored on a secure magnetic/optical storage server; documents can only be amended by appending new material, never altered in place.

    PKI-Based Services
    The DocuGuard server is hosted by a trusted service provider. The server tracks who owns a document, limits actions based on the user's identity and access privileges, and essentially maintains a chain of custody for the document, creating a notice and receipt record for each document transaction.
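    The two mechanisms this article relies on, a digital signature that shows who sent a message and that it was not altered (the secure E-mail case above), and an append-only record that lets a document be amended but never modified in place (the DocuGuard chain of custody), can be shown concretely. The Go program below is an added example and is not code from the article or from Document Authentication Systems' DocuGuard product. It uses Ed25519 signatures and SHA-256 from Go's standard library; the sender names, the in-memory directory of public keys, the message bodies and the mortgage document text are all constructed for illustration. In a real PKI the public keys would come from CA-issued certificates rather than from a map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer binds an identity (a constructed e-mail address) to a key pair. In a real PKI the
// public key would arrive in a CA-issued certificate; the directory map used below stands in.
type Signer struct {
	ID   string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewSigner(id string) *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return &Signer{ID: id, priv: priv, pub: pub}
}

// toSign length-prefixes the sender so the signature covers who sent the message and what it says.
func toSign(from string, body []byte) []byte {
	return append([]byte(fmt.Sprintf("%d:%s:", len(from), from)), body...)
}

// Verify looks up the claimed sender's key and checks the signature; unknown senders, another key, or any edit yield false.
func Verify(dir map[string]ed25519.PublicKey, from string, body, sig []byte) bool {
	pub, ok := dir[from]
	return ok && ed25519.Verify(pub, toSign(from, body), sig)
}

// Receipt is one append-only custody record: who did what to which document version, chained and signed.
type Receipt struct {
	Actor, Action     string
	DocHash, PrevHash [32]byte
	Sig               []byte
}

func (r Receipt) payload() []byte {
	p := append(toSign(r.Actor, []byte(r.Action)), r.DocHash[:]...)
	return append(p, r.PrevHash[:]...)
}
func (r Receipt) Hash() [32]byte { return sha256.Sum256(append(r.payload(), r.Sig...)) }

// Append records action on doc as a new receipt; earlier receipts are never rewritten.
func Append(log []Receipt, s *Signer, action string, doc []byte) []Receipt {
	var prev [32]byte
	if n := len(log); n > 0 {
		prev = log[n-1].Hash()
	}
	r := Receipt{Actor: s.ID, Action: action, DocHash: sha256.Sum256(doc), PrevHash: prev}
	r.Sig = ed25519.Sign(s.priv, r.payload())
	return append(log, r)
}

// VerifyLog walks the chain: each receipt must be signed by a known actor and name the previous hash. Returns first bad index or -1.
func VerifyLog(dir map[string]ed25519.PublicKey, log []Receipt) int {
	var prev [32]byte
	for i, r := range log {
		pub, ok := dir[r.Actor]
		if !ok || r.PrevHash != prev || !ed25519.Verify(pub, r.payload(), r.Sig) {
			return i
		}
		prev = r.Hash()
	}
	return -1
}

type DemoResult struct {
	Genuine, Tampered, Forged               bool
	IntactChain, EditedChain, ResignedChain int
}

func Demo() DemoResult {
	alice, bob, mallory := NewSigner("alice@example.com"), NewSigner("bob@example.com"), NewSigner("mallory@example.com")
	dir := map[string]ed25519.PublicKey{alice.ID: alice.pub, bob.ID: bob.pub} // mallory is not enrolled
	var res DemoResult
	body := []byte("Wire $10,000 to account 123") // constructed sample message
	sig := ed25519.Sign(alice.priv, toSign(alice.ID, body))
	res.Genuine = Verify(dir, alice.ID, body, sig)
	res.Tampered = Verify(dir, alice.ID, []byte("Wire $90,000 to account 123"), sig)                // altered in transit
	res.Forged = Verify(dir, alice.ID, body, ed25519.Sign(mallory.priv, toSign(alice.ID, body))) // signed with the wrong key
	log := Append(nil, alice, "created", []byte("mortgage application v1"))
	log = Append(log, bob, "amended", []byte("mortgage application v1 + appraisal"))
	res.IntactChain = VerifyLog(dir, log)
	// Editing a past receipt in place invalidates its signature, so the chain breaks at entry 0...
	log[0].DocHash = sha256.Sum256([]byte("mortgage application v1 (altered)"))
	res.EditedChain = VerifyLog(dir, log)
	// ...and even if alice re-signs it, bob's receipt still names the old hash, so it breaks at entry 1.
	log[0].Sig = ed25519.Sign(alice.priv, log[0].payload())
	res.ResignedChain = VerifyLog(dir, log)
	return res
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

    Running it prints a result in which the genuine message verifies while the tampered and forged ones do not, the untouched custody log verifies as intact (-1), an in-place edit is caught at entry 0, and an edit re-signed by its own author is still caught at entry 1 because the next receipt's chained hash no longer matches. The length prefix in toSign is the kind of small detail that matters in practice: without it, moving bytes between the sender field and the body could leave the signed bytes unchanged.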

    This makes the system well-suited to document-intensive E-commerce applications such as mortgage processing, leasing, drug development and regulatory processes, electronic prescriptions, medical imaging, insurance claims, and other traditional processes that involve much bureaucracy. Mortgage-processing companies, for example, could save 30 days in processing time for each mortgage package, reduce closing costs by $700 per loan, and lower administrative costs.

    The technology also creates opportunities to take those applications outside of their normal institutional barriers, creating opportunities for financial institutions to share information and partner on transactions in a way that was time-prohibitive before.
