Forwarded From: phreak moi <hackereliteat_private> http://www.informationweek.com/698/98olkey.htm The Keys To Security Public Key Infrastructure is still evolving, but its security benefits for E-commerce and the enterprise are clear By Jason Levitt I'm counting the number of user-name and password combinations I need in order to use my desktop computer, and I'm not pleased with the results. In all, I have eight separate user-name/ password combinations that I need to install, and occasionally remember, for dial-up, E-mail, Web-site access, and groupware applications. In some cases, such as with POP3 E-mail, those user names and passwords are sent unencrypted over the Internet on a daily basis and are easy targets for villains with network sniffers and other types of nefarious tools. In the interconnected world of the Internet, as well as on the corporate intranet, it makes more sense to have a single secure, global "passport"-or "driver's license," if you will-for user authentication than multiple insecure user names and passwords. Digital certificates (sometimes called public-key certificates) are slowly becoming that driver's license for both corporate intranets and the public Internet. Used in conjunction with public-key cryptography techniques, digital certificates are used to securely identify people, servers, and other network-based entities. But though the digital-certificate standard, called X.509, has existed for some time, a management infrastructure for managing digital certificates, called Public Key Infrastructure, has been slow to evolve. A real driver's license can be obtained in nearly every city, has an expiration date, can be revoked, and is recognized across all state borders; a similar infrastructure must be in place in order to take full advantage of digital certificates over networks. Currently, the Internet Engineering Task Force is driving the standards for PKI through its PKIX (Public Key Infrastructure for X.509) working group. Though the group was chartered in late 1995, draft standards for PKI details are only now reaching fruition. Serious PKI deployments are not expected until sometime in 1999 at the earliest. There are plenty of benefits to be reaped from putting PKI in place and widely deploying digital-certificate technology in applications. For electronic commerce, the use of digital certificates allows a secure channel to be created between a client machine and an E-commerce server. Both parties can announce their identities by using certificates and can create an encrypted channel for communication. For financial applications, such as home banking and brokerage services, this kind of authenticated channel is a must. In the corporate intranet, the obvious application is the single sign-on. Digital certificates for employees can be stored and retrieved using a Lightweight Directory Access Protocol-compliant directory server. The user's digital certificate provides authentication for all PKI-aware applications on the desktop. For remote access to the corporate LAN, digital-certificate technology can be used in conjunction with firewalls and virtual private network technology to grant employees secure access to the corporate LAN by tunneling over the public Internet. Overall, with PKI implemented inside and outside the corporate intranet, total cost of ownership can be decreased by reducing theft due to security problems and by unifying the authentication mechanisms within the enterprise. Key Cryptography It's almost a given that any data going across the public Internet can be intercepted by villains, without the knowledge of either the sender or the intended recipient. Nevertheless, sensitive E-commerce transactions pass over the Internet every day. How is that possible? Modern encryption methods for public and private keys render sensitive data unintelligible to eavesdroppers before it is sent over the wire. Although a villain might be able to intercept the data sent over the network, only the recipient with the proper "key" can decrypt, read, and process the message. Digital certificates, digital signatures, and secure communications such as those provided by Secure Sockets Layer make extensive use of both secret-key cryptography and public-key cryptography methods. In secret-key cryptography, the same key is used to encrypt and decrypt a message. It's called secret-key cryptography because the key should be kept secret. Anyone who knows the key has complete access to the message. In public-key cryptography, two keys (known as a key pair)-a private key and a public key-are used. The public key is available to anyone and can be used only to encrypt messages. Similarly, the private key can be used only to decrypt messages created by encryption with the public key. If you want to send a secure message to me, you'd use my public key to encrypt the message. Since only I have the private key, only I can decrypt the message. A digital certificate, sometimes referred to as a public-key certificate, is a piece of digital data that contains a public key, the name of the key's owner, and other information such as the expiration date and the algorithm used for encryption. All of that information is digitally signed (encrypted) using the private key of a certificate authority. The certificate authority is the entity that issued the digital certificate and can verify that the user does, indeed, own the public key contained within the certificate. And that's the point of a digital certificate-to prove that the public key contained in the digital certificate actually belongs to the key owner whose name is contained in the digital certificate. Once the certificate is verified, a secure communication channel can be set up using the public key to encrypt messages sent to the certificate owner. In practice, public-key cryptography is slow, so it's often combined with secret-key cryptography. For example, an SSL connection, used extensively with Web browsers connecting to E-commerce systems, uses public-key cryptography to establish the connection-and then uses secret-key encryption to handle further data sent across the connection. Critical Step In the online world, digital certificates are like a driver's license-they contain all the relevant information to prove your identity. But just like a driver's license, they can be forged. A certificate authority is like a state's driver's license bureau. It issues certificates to individuals, businesses, and other online entities so that these entities can identify themselves in online transactions. Because of the ease of forgery in the digital medium, though, certificate authorities perform one further critical step: They can verify that a certain digital certificate really belongs to that entity (just as a license bureau can verify the authenticity of a driver's license it issued). In the physical world, we've learned to trust the driver's license bureaus. They form an infrastructure that stretches across the United States. In the online world, though, anyone with the right software can be a certificate authority. This can create problems because users need to trust the authority in order to trust the digital certificates it issues. In a business intranet, you simply trust your local certificate authority. On the Internet, the bulk of online certificate authentication is performed by VeriSign Inc., but over the next few years, many other organizations, such as the U.S. Postal Service, will also become certificate authorities. Netscape and Microsoft have included certificates from "trusted"authorities in their Internet Explorer 4.0 and Communicator 4.0 browsers. Although that's OK for Internet use in general, most companies would prefer to dictate which certificate authorities to trust. If one that's included in those browsers errs and issues a digital certificate to a rogue Web server, everyone running the shipping versions of those browsers will trust the certificate and create a secure connection with that server. Also, the browsers contain no logic to check for revoked certificates. In other words, if a server's certificate has been revoked, the browsers won't know that and will continue to trust it. Keys To Management Public Key Infrastructure is all about managing keys and certificates over their lifetime-and that can be a very long time. Although keys may expire and become outmoded because of new and better cryptographic techniques, in many cases, businesses and users will still have legacy data encrypted using old keys. Thus, one necessary function of PKI is that it must back up and maintain records of certain old keys. Of course, like any good driver's license bureau, PKI also issues digital certificates and maintains certificate revocation lists. Because certificates can be revoked at any time, applications will need to check those lists frequently to ensure that a user's digital certificate is still valid. In most companies, digital certificates are typically stored on an LDAP-capable directory server. Systems such as Entrust Technologies' PKI software can store digital certificates on many different LDAP-compliant directory servers, such as Netscape's Directory Server. In many enterprise settings, single sign-on will be the first major application of PKI. To gain access to their desktops, users will log in with a user name and password that unlocks their secret key, which is stored on their local machine. Using their secret key, users can send out a digital certificate that validates their identity to the various applications. In order for single sign-on to work, however, applications have to understand the PKI protocols, which are defined in the various requests for comment created by the IETF's PKIX group. Also, directory servers, such as Novell Directory Services and Microsoft's Windows NT 5.0's Active Directory, must be LDAP-compliant and have software that understands how to store and retrieve certificates in the directories. Unfortunately, because PKIX standards are just now maturing, PKI-aware applications are tough to find. Products such as Entrust's PKI software will be bundled with NetWare 5.0's NDS next year. Effective Solution In the physical business world, we learn to trust things we can see, smell, and hear. If we are a retailer, we can see the cash and trust that it has a certain look and feel, and that it's sufficiently hard to forge. Further, we can demand a driver's license and signature for personal-check or credit-card transactions to authenticate purchasers' identity and legally bind them to a transaction. In the virtual world of the Internet, it's not so simple. Digital certificates, combined with PKI, are currently the best bet to authenticate users and provide secure transactions over the Internet. The public cryptography methods are complex, but PKI will shield users from that complexity. "The secret is to make it transparent to end users. End users don't want to hear about it, see it, or touch it," says Brian O'Higgins, chief technology officer of Entrust Technologies. "It's too complicated a beast." -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:41 PDT