SECURITY CLINIC: Channelling the PKI revolution
- 01 August, 2001 10:55
The effective deployment and use of Public Key Infrastructure (PKI) can help unlock the benefits of a truly secure electronic world, by transferring the fundamentals of doing business in the physical world - security, trust and identity - to the electronic world.
PKI is moving from an elitist technology to an integral component of any e-business.
PKI primarily addresses the "who" element of security. It is all about authentication - "Who am I dealing with?" - and non-repudiation - "Where's the signature?" But it also provides two other elements for free: integrity - "How do I know nothing has been changed?" - and confidentiality - "How do I know other people can't read things?"
Modern cryptographic systems use a pair of keys. One is a securing key and the other is a de-securing key. One key is kept private while the other can be made public. There are several ways these keys can be used. One way is through a digital signature - the sender secures a package with their private key and the receiver unlocks it with the sender's public key. The other is encryption - the sender secures a package with the recipient's public key so only the receiver can unlock it, using their private key. Both techniques have an element of trust involved - both the sender and receiver must trust that the public keys they are using really belong to their correspondents.
A public key infrastructure provides safe public keys. A PKI issues digital certificates. These contain the public keys used to protect transactions. As long as the sender and recipient of a transaction trust the PKI has validated the identity of the certificate holder and has followed the correct procedures to issue the certificate, the system can work.
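The two uses of a key pair and the trust gap a certificate closes can be seen in a short sketch; this is an added example, not code from the article or from any PKI product. It uses textbook RSA over small fixed primes, and the names (Alice, the CA, the sample order) are constructed for illustration, so it is unsuitable for protecting real data.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):              # secure with the sender's private key
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):  # unlock with the sender's public key
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def encrypt(value, public):              # secure with the recipient's public key
    n, e = public
    return pow(value, e, n)

def decrypt(cipher, private):            # only the recipient's private key unlocks
    n, d = private
    return pow(cipher, d, n)

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_certificate(name, public, ca_private):
    # The CA signs the binding between a name and a public key.
    return {"name": name, "public": public, "sig": sign(cert_body(name, public), ca_private)}

def check_certificate(cert, ca_public):
    return verify(cert_body(cert["name"], cert["public"]), cert["sig"], ca_public)

# Constructed toy keys from small Mersenne primes: illustrative only, not secure.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**19 - 1, 2**31 - 1)
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

ORDER = b"PO-1001: pay 500 to supplier"  # constructed sample message
good_cert = issue_certificate("alice", ALICE_PUB, CA_PRIV)
# A key presented under Alice's name but never validated by the CA (self-signed).
unvouched_cert = issue_certificate("alice", OTHER_PUB, OTHER_PRIV)

if __name__ == "__main__":
    print("signature checks against Alice's key:", verify(ORDER, sign(ORDER, ALICE_PRIV), ALICE_PUB))
    print("same math passes for the unvouched key:", verify(ORDER, sign(ORDER, OTHER_PRIV), OTHER_PUB))
    print("CA vouches for good_cert:", check_certificate(good_cert, CA_PUB))
    print("CA vouches for unvouched_cert:", check_certificate(unvouched_cert, CA_PUB))
```

A signature only proves which key produced it; the certificate check is what ties that key to a name, which is why the unvouched key passes `verify` on its own but fails `check_certificate`.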
Why should the channel get involved in PKI?
According to a recent report on PKI by analyst group Datamonitor, the PKI market will grow from $US1.8 billion in 2000 to $US6.7 billion by 2006. Giga Group says a PKI is probably the most critical information security investment a company will make in the next three years.
The support for PKI is also abundant. Microsoft's Windows 2000 fully supports PKI. International and Australian legislation, such as the Commonwealth's Electronic Transaction Act passed in 1999, encourages digital transactions facilitated by digital certificates. Early-adopter industries such as banking and finance are already implementing PKI with the initiatives Identrus and Angus. Identrus is a global framework of trust for B2B e-commerce and 46 banks have joined so far, including ANZ, CBA, NAB and Westpac. The Australian Payments Clearing Association has set up a root CA for the entire Australian clearing industry and the ATO has embraced PKI for the online lodgment of individual tax returns, GST statements and payments, as part of the government's ongoing program of tax reform.
The PKI momentum is building. The channel needs to get in now to get a piece of the pie.
By Mike Jeffries, PKI Product Marketing Manager, APAC Baltimore Technologies