
Computer security experts call Public Key Infrastructure (PKI) the "panacea" for

posted on August 5, 2001
by hitbsecnews

PKI is a catchall term for the infrastructure required to manage digital certificates and highly secure encryption. It encompasses a great deal: industry standards, software and hardware systems, business processes and security policies - even human resources within a company responsible for carrying out various "trust processes."

But the purpose of PKI is simple: to let companies and organizations conduct business on private networks and the Internet with the same level of trust we had in the old paper-based world. PKI has two main components:

1. Digital certificates: software "credentials" that verify who people are - much like passports or driver's licenses (but stronger in several ways).

2. Data encryption: a method of scrambling data as it moves across networks to hide its content and prevent unauthorized use.

Private and Public Keys

Data encryption has been around for a long time. But combined with digital certificates within a PKI framework, it is much more secure.

PKI employs a sophisticated mathematical process using two pairs of "public" and "private" keys (strings of numbers). The system uses those keys to encrypt and decrypt e-mail documents, and authenticate the people who send and receive them.
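The two key pairs in practice, as an added example that is not part of the original article: the sender signs with its own private key and encrypts to the recipient's public key, and the recipient reverses both steps. It uses textbook RSA over small constructed primes purely to show the key roles; the names Alice, Bob and Mallory and all functions are hypothetical, and the receiver is assumed to already know which public key belongs to Alice, which is the binding a digital certificate supplies.

```python
# Added illustration (not from the original article): textbook RSA with small
# fixed primes, to show which of the two key pairs does which job.
# Not secure: real PKI uses padded RSA or ECC from a vetted library.
import hashlib

def make_keypair(p, q, e=65537):
    """Return (public, private) for primes p, q. Constructed toy parameters."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def _digest(message, n):
    """SHA-256 of the message, reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def send(message, sender_private, recipient_public):
    """Sign with the sender's private key, encrypt to the recipient's public key."""
    d, n_s = sender_private
    e, n_r = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n_r:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n_r), pow(_digest(message, n_s), d, n_s)

def receive(ciphertext, signature, recipient_private, sender_public):
    """Decrypt with the recipient's private key, verify with the sender's public key."""
    d, n_r = recipient_private
    e, n_s = sender_public
    m = pow(ciphertext, d, n_r)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if pow(signature, e, n_s) != _digest(message, n_s):
        raise ValueError("signature check failed: wrong sender or altered message")
    return message

# Key pairs built from Mersenne primes (constructed sample values).
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    ct, sig = send(b"wire 100 to account 42", ALICE_PRIV, BOB_PUB)
    print(receive(ct, sig, BOB_PRIV, ALICE_PUB))
    # Mallory signs with her own key while claiming to be Alice.
    forged = send(b"wire 100 to account 42", MALLORY_PRIV, BOB_PUB)
    try:
        receive(*forged, BOB_PRIV, ALICE_PUB)
    except ValueError as err:
        print("rejected:", err)
```
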

Why Digital Certificates?

Most people know why encryption of data is so important. But digital certificates are fairly new to the United States. (Europe has been using them for quite a while.) The reason for certificates is that even if someone uses a password to log on to the network and sends an encrypted message, you still don't know for sure who that person is. Digital certificates make it possible to identify and authenticate the people with whom you are doing business. If someone were to steal someone's ID and password, the thief could alter records and the owner would never know who the guilty party was. For safety and trust in e-business, customers need PKI to authenticate exactly who is sending and receiving documents.

Stronger than a Passport

Digital certificates are issued by a company set up to be a certificate authority (CA). Examples of such companies are Equifax and Verisign. Before issuing a certificate, the CA may verify the background, employment history, credit, and other information about a certificate applicant. A good CA also guards authentication data with Mission-Impossible zeal -- so it can't be altered or stolen. For those reasons, a digital certificate often is a stronger form of ID than a license or passport - documents which people easily can forge today. When a person uses a digital certificate to send e-mail, it's like signing the document with a personal signature. With the proper PKI infrastructure, a digital signature is even more secure than a handwritten signature. Some large companies, such as banks, may decide to issue their own digital certificates. In that case, the banks become CAs themselves, establishing rigorous procedures to ensure the trustworthiness of the registration process.

Who Needs PKI?

For years, government intelligence agencies, military forces and the banking industry have used encryption technology. In today's e-commerce rush, all businesses are starting to realize the benefits. A comprehensive PKI infrastructure is expensive, so large companies are the first to make the investment. Banks, telecommunications companies, information technology enterprises -- any kind of business that works online -- can benefit from PKI. PKI allows consumers to make purchases on the Internet more securely. It also permits safe business-critical transactions online -- such as stock purchases, merger and acquisition negotiations, large manufacturing orders and all types of contracts. The top professional services firm Deloitte & Touche LLP, for instance, offers an Internet-based litigation support system that relies on one of IBM's PKI software products, IBM Vault Registry. The system gives a high level of security to people working together on legal documents. (For more information, see http://www.software.ibm.com/security/registry/news/1999/pr_0119_dt.html)

In another example, IBM is helping a large bank implement a PKI infrastructure to service thousands of customers. In addition to setting up the bank to issue its own digital certificates, IBM is helping the company make the best use of the certificates in its business applications. The PKI solution will greatly advance electronic banking -- allowing customers on the Web to conduct digitally signed transactions such as transferring money between accounts, authorizing payments on credit cards and paying bills. Even for medium-size businesses, PKI can be the ticket to e-business growth -- reducing risk, driving cost efficiencies, and opening new avenues of profitability. IBM currently is helping a mid-size legal services firm extend its business functions to the Internet. The company provides a variety of services to insurance companies, corporate law departments and law firms. With PKI, it will be able to allow customers to exchange, digitally sign and authenticate legal documents on the Web. Whether a company is large or small, it shouldn't put in a PKI infrastructure lightly. But a PKI saves money by reducing risk and opening up new avenues of profitability. Once there is trust, extraordinary business can be done.

What's IBM's role?

IBM is heavily involved in PKI standards committees, which are working on a variety of issues. One emerging standard, for example, will ensure that digital certificates issued by one authority can be recognized by another authority - like the same restaurant accepting Visa and MasterCard. One of the biggest challenges of PKI is integrating it with corporate applications. IBM's state-of-the-art PKI software solutions and services meet that challenge. They include:

- SecureWay Trust Authority: Using the latest standards of PKI, Trust Authority integrates the functions that help to apply, issue and manage digital certificates. This is a quick start-up solution for enterprises wanting to use digital certificates. It has an advanced registration facility to automate certificate management and ensure interoperability and investment protection. Trust Authority is available as a standalone offering, or as part of IBM's complete security solution, SecureWay FirstSecure. FirstSecure powerfully combines authorization and authentication in a complete solution that is cost effective and easy to manage.

- SecureWay Vault Registry: Like Trust Authority, Vault Registry integrates the main components needed to apply, issue and manage digital certificates and a PKI infrastructure. It is a heavier duty solution fulfilling the needs of commercial certificate authorities and complex enterprises.

- Trust Authority/Vault Registry Solutions: For Trust Authority and Vault Registry customers, IBM's robust services provide PKI planning, installation, configuration, integration, and training. Services focus on four business operations: secure e-mail, Web access, virtual private networks, and non-production projects to help companies get started with PKI.

- PKI Services: In addition to the product-specific solutions and services above, IBM provides a broad set of enterprise PKI consulting and integration services which will help customers plan, design and build PKI capabilities around their IBM and non-IBM applications.

IBM is committed to using PKI standards throughout its product and service offerings, including Lotus Notes, Domino, SecureWay Firewall, and Global Sign-On applications, and the AIX, OS/2, OS/400 and OS/390 operating systems.

Where's PKI headed?

As e-commerce grows, PKI systems will develop broader and more interoperable compliance with standards. Emerging security technologies such as biometrics (the use of fingerprints and other human measurements for identification) will complement and integrate with the PKI framework.

Electronic Originals

For example, IBM is working with a major client to extend the PKI framework and address an emerging issue: "electronic originals." Electronic originals fill an important gap in PKI - giving documents the same level of trust as personal identities. Many believe that electronic originals will someday replace paper originals of contracts, letters of credit, even birth and death certificates. Electronic originals will allow companies to securely create and verify such original documents online. Like paper originals, IBM's electronic originals carry a unique watermark that is difficult to forge. "We've created a very effective visual effect through the use of digital watermark technology, providing the recipient of a document with a visual cue of a document's source and authenticity," says Patrick Howard, managing principal of Integration Services for IBM Global Services in New York. "There is a visible watermark on the document that provides assurance about the source, and an invisible watermark embedded in the document that permits us to test originality. If the document is altered, we can detect it." Currently in pilot with a large IBM customer, the electronic originals technology will depend on PKI for secure signing and transmission of the documents.

Contract Law

New laws also will shape the future of PKI. U.S. states are in the process of adopting Uniform Commercial Code legislation that regulates the use of digital signatures and electronic documents. The laws will enforce business agreements made online such as bids and contracts. The courts may rely on PKI to verify who agreed to what.

Beyond e-Commerce

Meanwhile, the impact of PKI digital certificates transcends electronic commerce. Governments may eventually use certificates to distribute benefits and allow citizens to vote online. Courts will begin to allow electronic legal briefs and depositions as evidence in legal cases. Security firms will store digital certificates on smart tokens to control physical access to secure buildings and areas. The future is wide open for PKI. But right now, IBM is ready to help your company harness PKI's power to conduct safe and secure e-business.

IBM
