|How PKI works |
Public key infrastructure (PKI) serves two security purposes for many companies: to confirm that senders of messages are who they say they are (authentication), and to encode messages so that they cannot be read by anyone who illicitly intercepts them (encryption).
Suppose a company has implemented PKI. When users first visit the company's Web site to do business (#1 in diagram), they are referred to a certification authority (CA) (#2). The users apply to the CA for digital certificates that will identify them to the company (#3). Assuming the users meet the CA's criteria for positive identification, the CA issues certificates (#4), which are then installed on users' machines.
Once a user has obtained a certificate, software on the user's computer automatically sends a copy of the certificate whenever the user communicates with the company (#5).
The certificate identifies its owner to the company's PKI system and tells the company when the certificate expires. If the user's signature is authentic and the certificate is still valid, the PKI system gives the go-ahead for the user and the encrypted message to pass through the company's firewall (#6).
That's how PKI works, in broadest outline. The details of public key infrastructure are byzantine. Here's the minimum you need to know if you're thinking about implementing PKI.
A critical element in any PKI system is the digital certificate, an electronic document that follows International Telecommunications Union standard X.509. Each certificate includes the user's digital signature. The recipient's software uses the public encryption key, also contained in the certificate, to check the signature for authenticity. Anyone may use a public key to encrypt a private message for secure transmission. But to decode and read the message, both the public key and a private key are required. Only the intended recipient possesses the private key.
Web browsers and e-mail programs are the most common applications that support digital certificates. Browsers like Netscape Communication Corp.'s Navigator (now owned by America Online Inc.) and Microsoft Corp.'s Internet Explorer use Secure Sockets Layer (SSL) to manage digital certificates. E-mail packages like Microsoft's Outlook or Qualcomm Inc.'s Eudora with Secure MIME (S-MIME) also support certificates.
Companies using a PKI must create and manage digital certificates. These functions are performed by a certification authority, which may be a hired third party or an in-house department. The CA has various responsibilities; it creates the digital certificates and keys, and sets policy on what identification users must produce to obtain a certificate and how that identification may be presented. Some CAs accept a phone request from a user for a digital certificate; others require faxed identification such as a driver's license; still others might demand an in-person application. In some implementations, the CA passes identification information to the company for approval.
To maintain security, the CA must flag invalid certificates by building a revocation list and checking it each time a certificate is used. The CA invalidates certificates when unauthorized people get hold of private keys, or when a person leaves a job that required a certificate, for example. The CA also maintains a repository of keys in case one is lost. --E.S.
St. Joseph's uses Novell Directory Services (NDS) on its own Novell servers. In addition, the hospital uses OutReach from IDX Systems Corp. of Boston, the vendor of its hospital information system. (This is the hospital equivalent of an ERP system.) OutReach makes the patient data available on the Web and integrates it with the rest of the system.
"You can't have a PKI without a solid directory because you can't scale," says Greg Shanton, director of the Information Security Lab at the AMS Center for Advanced Technologies, a division of consulting firm American Management Systems Inc., Fairfax, Va. "If you have one or two geographic locations and five to 10,000 [users], LDAP [lightweight directory access protocol] is fine. But if you're going to have locations throughout the world, then an LDAP directory won't cut it." For worldwide coverage, an X.500 directory is the best option.
There's another vulnerability in most PKI implementations: The digital certificate resides on the end user's computer. This means that anyone using that machine will appear to be the person described by the certificate. Digital certificates can be encrypted, requiring a PIN number for their use, as St. Joseph's and Safety Insurance's certificates do, but this extra security is worthless if users give out their PINs. And according to experts, hackers can crack encryption PINs by trial and error, because they're made up of very short strings of characters. In fact, there are PIN-cracking utilities available for free download from the Internet.
And so much depends upon the end users. Wells Fargo Bank of San Francisco has a thriving credit card business. The bank was building Web-based services for businesses that use its credit card processing services and wanted strong authentication. Because Wells Fargo had previous experience with digital certificates, its biggest difficulty was with the people using the certificates.
"The level of sophistication of the merchants requesting these certifications varies. Things that we thought were clear weren't," says Tim Knowlton, Wells Fargo vice president of business development and technical products. For example, customers would ignore repeated warnings that their certificates were about to expire. The bank was also surprised at how often the encryption keys were inadvertently erased by glitches in the merchants' hardware or software. "You really need to make sure you have customer services in place, [that] you have multiple contacts [at customer sites], and [that you] constantly look at the types of issues customers have. It's an evolutionary process."
In short, PKI can offer enhanced security benefits to businesses. "We feel more confident [about security because of PKI]," says St. Joseph's Pelton. "Eighteen months ago, there was a great deal of fear in the health care world about using the Internet with patient information. [There has] been a fairly significant transformation of the industry in a relatively small period of time."
However, it is easy for management to lower its guard and expect the technology to do more than it can. "The thing that bothers me about PKIs is that they have two main purposes in life. One is authentication, and that's digital signatures. The second one is just the distribution of... keys for encryption," complains AMS Center's Shanton. "And we have to put this huge infrastructure in place to manage it all. I would think we could come up with a better way to do all this." //
Erik Sherman is a freelance writer and photographer living in Marshfield, Mass. His new book, "Home Networking: I Didn't Know You Could Do That!" will be available from Sybex in the fall. He can be reached at email@example.com.