Public Key Infrastructure

Have you ever bought anything online or otherwise engaged in some sort of electronic commerce on the Internet? Most likely, you saw the little lock in the corner of your browser window that told you that this was a secure transaction. With what you have learned so far in this book, do you honestly believe that?

The little key or lock in your browser means that you are on a website (server) that uses a Secure Socket Layer (SSL) certificate, so you can rest assured that they are who they say they are. Go ahead—buy and enter your credit card number!


Note

The little lock means that an SSL connection has been engaged. Anyone can cause a secure connection to take place, so be careful even when you see a little lock.


Have you ever noticed that, while you are conducting e-commerce, the http://.... changes to https://...? The presence of the “s” means that you are using HTTP over SSL to communicate back and forth.

Ultimately, what is actually occurring is that your web browser is taking in the SSL certificate, contacting whoever certified it to ensure its validity, and then proceeding to communicate in a secure mode with the server so that you can complete your transaction in complete security. Do you still believe that this is a good system?
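The check described above, where the browser verifies that the server's certificate was issued by a trusted certifier, can be reproduced on the command line. This is an added example using the openssl CLI, not code from the book: it builds a throwaway root CA, issues a certificate for the constructed hostname shop.example, and then verifies both that certificate and a self-signed look-alike that anyone could make. The look-alike still produces a "lock" if a browser were to accept it, but it fails chain validation.

```shell
#!/bin/sh
# Added example (not from the book): a miniature PKI built with the openssl CLI.
# All names (Example Root CA, shop.example) are constructed for this demo.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a root CA, a CA-issued server certificate, and a self-signed
# certificate with the same hostname (the kind anyone can generate).
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=shop.example" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=shop.example" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# verify_cert <cert file>: returns 0 only if the certificate chains to our
# root CA and carries the expected hostname, the two checks a browser makes
# before it shows the lock for a site it actually trusts.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" \
        -verify_hostname shop.example "$1" >/dev/null 2>&1
}

build_pki
verify_cert "$WORK/srv.crt" \
    && echo "srv.crt:   trusted (issued by our CA, hostname matches)"
verify_cert "$WORK/rogue.crt" \
    || echo "rogue.crt: rejected (self-signed, does not chain to the CA)"
```

The rogue certificate is rejected only because the verifier has a fixed list of trusted CAs; a client that skips this step, or that trusts whatever CA the server presents, gets a lock with no assurance behind it.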

Did I mention that this SSL certificate session is 40 bits in length? Certain aspects of the certificate that reside on the server are 1024 bits. Compare this 40-bit length to an IP address, which is 32 bits in length, or to 3DES encryption at 128 bits. You should never feel 100 percent secure when conducting e-commerce at this stage in the Internet’s evolution because the security is not there yet. As the use of e-commerce continues to rise, the level of fraud is increasing even more. This includes forged certificates that still look valid from the “lock” perspective, which encourages man-in-the-middle attacks. This trend is taking a toll on the growth and confidence in e-commerce and online transactions of all kinds. Of course, none of this is ever talked about in polite sales and marketing circles. Not to fret—an advance in securing e-commerce is coming in the form of PKI.

Public Key Infrastructure (PKI) is an evolving technology that will eventually become standard. The goal of PKI is to provide a foundation for a system that supports a variety of security services, such as data integrity, data confidentiality, and nonrepudiation, thus preventing destruction, alteration, and disclosure. PKI can provide this through a combination of hardware, software, procedures, and policies so that users can communicate and exchange information securely, regardless of location.

This system involves the verification and authentication of each side of a transaction over a network. Consider for a moment the impact that online credit-card fraud has on people and businesses. At this time, everyone is losing when fraud occurs—the people because they had their credit card or identity stolen, and the businesses because they are trying to provide a service while remaining profitable.

PKI provides for authentication through the use of advanced digital certificates and certification authorities and subordinate certification authorities to verify and authenticate the validity of each side of a transaction. This transaction could be something as sensitive as an online Internet purchase or as straightforward as exchanging sensitive information via email. PKI is going to be the next step in the evolution and enablement of secure communication and e-commerce.

You can find additional PKI resources online at the following locations:

www.pki-page.org/

www.pkiforum.org/

PKI’s Limitations

In researching PKI, I began to think this was a great next step in security—even more so when my identity was stolen—see, no one is safe or perfect! Of course, I did the right thing and called the police; I was amazed at the lack of concern shown by our law-enforcement agencies. The ease with which people dismissed the crime was amazing, not to mention that businesses felt it was just a risk whose loss they had to absorb. Trust me, preventing loss is where you should spend your time! Certainly then, PKI would be a good step; however, there are some serious challenges in its future:

• E-commerce is working and flourishing on the Internet, regardless of the occasional risks involved.

• Serious laws in states like Utah and Washington are on the books, saying that if someone were to crack your key or illegally use it, you are still responsible for the debt they created. Having seen the bills created by the theft of my wife’s identity, this is extremely worrisome to me if I am ever forced to use PKI!

• Security is today, and is likely to remain under PKI, the responsibility of the certificate holder. Thus, you must trust that they have taken all the necessary precautions without exposing new vulnerabilities. PKI is coming; however, there are still some questions in my mind about it.

• PKI does not support a single login infrastructure (single sign on), so users will need to log in and authenticate multiple times to access different resources; this is a recipe for disaster. Users will find ways to “simplify” (that is, defeat) the security PKI provides, and mistakes will happen.

So, is a technology such as PKI good or bad? That is difficult to say because PKI is not mature enough to be fully vetted. However, PKI does provide for increased security that could help in many areas. The verdict on PKI is still up in the air and is subject to the whims of the PKI vendors and how they listen and evolve their products. Of course, organizations then have to choose to spend money on PKI to correctly implement it; PKI’s adoption will take some time. The following section looks at some methods currently available for authenticating access to the network.
