Ever since EFTPOS was introduced in the 1980s businesses have been conducting financial transactions electronically. Customers nowadays expect to be able to use credit and debit cards at the point of sale and have funds electronically transferred in real time to the merchant's account. Basically, a credit card carries a small amount of information that when matched with a signature verifies a person's identity and their right to a set amount of credit to pay for their transactions.
Building a credit card-like system that was secure enough was the quandary that faced the people behind Project Gatekeeper - the Federal Government's plan to provide a secure system of business-to-government and government-to-government e-commerce - when it was created in late 1997. No-one seriously suggested that the government was going to embark on e-procurement strategies armed with credit cards; however, they did need some way of securely verifying the legitimacy of online transactions.
So Gatekeeper was established to create a strict standard, using public key technologies, for business-to-government and government-to-government transactions. It had to cover more than simple funds transfers. It had to provide a standard for ensuring the validity of a range of electronic documents using digital signatures.
Governments - federal, state, territory and local - wanted to adopt e-procurement systems that would not only deliver considerable cost savings but open government purchasing to a wider range of businesses. It was, and is, a potentially win/win situation for a lot of government agencies and channel operators.
But before anything could be done there had to be a secure way of doing business and even more importantly a reliable method of verifying the identity of the parties doing business online.
Now, after four years of work Gatekeeper is up and running.
But Gatekeeper is not a product - it is a strategy and a standard developed in conjunction with various pieces of legislation to create a climate in which government can do business online. The last piece of legislation, which came into effect earlier this year, legitimises the use of digital signatures in electronic transactions.
Now that the legislation is in place and Gatekeeper is operational, almost any business can apply for a digital certificate issued by a Gatekeeper-compliant certification authority. The certificate will provide them with all the necessary digital identification and encryption required to do business with government.
While Project Gatekeeper has had considerable publicity over recent years because of the e-commerce opportunities it is seen to be opening up, a second project has been underway that is equally important. Project Angus was established by the four major banks to create a similar certification standard that would be acceptable to banks and businesses around the world and which uses similar criteria to Project Gatekeeper.
The Project Angus certification scheme has been designed specifically for business-to-business transactions and has been linked to Australian Business Numbers. The ABN-DSC (Australian Business Number Digital Signature Certificate) has just come into effect. Apart from the security, and confidence, it provides for B2B transactions, its major benefit is that the Government says it will accept ABN-DSC holders as Gatekeeper-Federal compliant. State and territory governments have also agreed.
The digital certificate scheme being implemented by the banks is part of the global Identrus electronic trust and payments scheme, meaning that certified businesses will be recognised by any financial institution around the world that is part of Identrus. Conversely, any financial institution operating in Australia that complies with the Identrus terms of eligibility is able to become an Angus member.
To date there are only four authorities approved to issue Gatekeeper digital certificates - the Australian Taxation Office, Baltimore Certificates, Australia Health eSignature Authority and eSign Australia - but only eSign is authorised to issue both Gatekeeper and ABN-DSCs. However, at least 17 other organisations have applied for accreditation to issue Gatekeeper digital certificates.
Gregg Rowley, managing director of eSign, says Gatekeeper is a standard for organisations that provide digital signature certification services and is a bit like an ISO 9000.
"If you are a company or a government agency and you want to use digital certificates to provide to your clients or employees to allow them to sign online contracts, you will go to a Gatekeeper-accredited agent. It is a bit like the banks when they issue you a credit card. They not only like to use a very credible supplier who produces the card which stores all your information, they also need to follow standards for how they validate who you are. Gatekeeper does the same sort of thing."
Rowley says the use of digital certificates is going to save a lot of time and paperwork.
"One good example of this is the Transport Accident Commission in Victoria, which is an insurer of last resort in that state. It has a tremendous paper load - something like 10,000 pages per year per staff member - and they want to eliminate it by doing things online. It has to be able to communicate directly with the likes of hospitals and electronically sign the rehabilitation plans and approvals, and so they use Gatekeeper digital certificates, which saves having to generate huge volumes of paper documents."
He says the certificates authenticate the parties and their online documents to make the electronic transactions legal.
But how do Gatekeeper and Angus digital certificates work?
To get a digital certificate in the first place, people have to validate themselves, which means providing various forms of identification similar to the 100-point check used by banks when you open a bank account. In the case of Angus, that also includes an ABN.
The digital certificate is a small file - a string of ones and zeros, which is encrypted, includes your details and has been signed by the issuing authority. It can be used with applications such as Lotus Notes or Microsoft Exchange that have the ability to take the certificate and use it as a digital signature.
The certificates use a higher form of authentication than just a name and password.
The Gatekeeper and Angus systems are based on two forms of cryptography: symmetric and asymmetric.
Symmetric encryption includes a publicly-known algorithm and a key that consists of a string of ones and zeroes. The key goes into the algorithm along with the text to be encrypted and the result appears as gibberish.
To decrypt it, the same key is used in reverse. The problem is getting the key from one person to the other because if someone intercepts it they can decrypt the text.
The solution is asymmetric encryption, invented by the British Secret Service in the 1950s. It uses a two-key system, one of which the user keeps secret and the other of which is known as their public key. One key is used to encrypt the data and the other to decrypt it.
It means that the user can give their public key to anyone on the Internet who can then use it to encrypt a message or document to be returned to the user. But the user is the only one who can decrypt it with their private key.
The problem with asymmetric encryption is that it is extremely slow compared to symmetric encryption, so the system uses a combination of the two. Asymmetric encryption is used to encrypt and send the shared symmetric key from one person to another. Once each party has the shared key they can use symmetric encryption for the rest of the transaction.
For example, if you want to do some online banking, your browser will grab the public key from your bank. It is contained in a digital certificate which is there to prove that the public key being taken is the bank's and no-one else's. The browser then creates a shared key, encrypts it using the bank's public key and sends it to the bank which decrypts it using its private key.
Having established a secure link, the transaction can proceed using symmetric encryption.
Once the transaction begins, there are further authentication procedures to ensure that any encrypted document has not been interfered with during transmission.
While it sounds complex, it takes just seconds, and anyone who intercepts the traffic is left with almost no chance of reading it.
Gatekeeper and Angus can be used for transactions with overseas organisations and have been recognised as world-leading technologies. Not only do they provide security, they provide confidence in e-commerce, which until now has often been missing.