Perot Systems implemented PKI for enhancing authentication for remote access. Perot Systems soon found that PKI could be used to extend authentication to applications in order to enable email encryption for confidentiality, digital certificates for nonrepudiation, and eForms to eliminate paperwork and expedite processing.

Perot Systems used PKI to authenticate users and devices as part of the VPN network for server-to-server virtual private networking, Intranet, and Extranet, and client-to-server virtual private networking for remote access employees. Perot Systems’ PKI was also used with other directories and network resources to enable a greater level of identification for users and network devices.

Perot Systems learned many lessons from its PKI rollout. The company found that it was wise to:

• Choose recognized industry leaders as vendors.
• Set clear expectations for management and end users.
• Make sure PKI can be maintained.
• Ensure ease of rollout and use, supportability, and leveragability of resources.

The United States Patent and Trademark Office (USPTO) manages thousands of patent and trademark requests annually. The USPTO wanted to know with whom it is dealing online and wanted to provide secure communications. To provide this capability, USPTO chose to implement PKI. USPTO needed to:

• Implement confidentiality for information exchange.
• Ensure the integrity of the patent application.
• Authenticate with whom USPTO is dealing electronically.

USPTO implemented PKI to address all internal and external requirements for security, and nonrepudiation, authentication, and integrity for its eCommerce and electronic workplace initiatives. Implementing the PKI system helped build a trusted environment to successfully implement eCommerce. USPTO considered but rejected a password and PIN-based system due to the vulnerabilities of the system. The resources and cost-of-user support to reset forgotten passwords was not a cost that they could afford.

PKI provided the basis for implementing secure eCommerce patent applications and allowed USPTO to move from a paper-based system to an electronic one. The PKI system supported secure and authenticated communications and commerce with USPTO communities, attorneys, agents, international business partners, employees, contractors, and others with whom the USPTO does business. All of these entities require a guarantee of authenticity and confidentiality, and PKI provided that.

USPTO also implemented PKI for integration with its public key technology. This provided a single, scalable security infrastructure to support internal and external applications regardless of the risk level. The implementation provided security and authentication for a range of business applications as opposed to the separate security solutions that were previously used.

Achieving a single solution to meet the USPTO’s various needs was the benefit that USPTO saw in PKI. The agency realized that the capabilities achieved with PKI provided a solution that would reduce costs and provide the necessary security its customers and employees expected.

As much as it is important to understand how large organizations solve business challenges, it is also important to understand how protection can be put in place but not secured. The following is an example of a security breach associated with PKI and encryption.

In 2001, two digital certificates were issued to a virus writer who was posing as a Microsoft employee. VeriSign issued these certificates in Microsoft’s name. These certificates were necessary for consumers who downloaded software that they thought was created by Microsoft. Instead, the software was designed to deploy a virus onto systems on which it was installed. According to Microsoft, the certificates could have been used to sign programs, Microsoft Office macros, and other executable content.

VeriSign did not provide information as to how it validated the virus writer after receiving the request for the certificates. The company did state that human error was the cause of issuing the certificates incorrectly. Once VeriSign realized that the certificates should not have been issued, the company revoked the certificates. However, VeriSign did not have a way to determine who had downloaded the fraudulent software.

Microsoft released a bulletin to its users informing them that when the “security warning” screen appears regarding details of the signed software, they needed to click the Microsoft Corporation hyperlink to see if the certificate’s validity date is January 29, 2001, or January 30, 2001. If one of these dates matched, the software should be considered fraudulent and the software should not be downloaded.

This example shows how the PKI process failed because the CA issued a certificate without the appropriate verification. Although this is not a normal process and was caught immediately, it shows that any weakness in the system can provide disastrous consequences.