www.elsevier.com/locate/csi
Department of DSC and MIS, Miami University, 309 Upham, Oxford, OH 45056, USA
Department of Information Management, National Chung Cheng University, Ming Hsiung, Chia-Yi, Taiwan, ROC
Received 25 March 2003; received in revised form 25 March 2003; accepted 30 March 2003
Abstract
The Internet has increasingly been used for communication between people. Most users have no problem relaying messages which do not contain confidential information over a network. Yet, for it to be accepted as a medium for conducting monetary transactions, there will need to be a higher degree of confidence in the technology's reliability and security. No one will agree to send his or her financial information over the Internet if there is any doubt about the security of that medium. Likewise, companies involved in E-commerce must have a means to verify the customers using the Internet to order goods and services. Public Key Infrastructure, PKI, attempts to provide the answer to the reliability question as a method of digital security. PKI provides the ability to verify the sender and the recipient of electronic messages, protecting against E-commerce fraud, corporate espionage, and the theft of intellectual property.
© 2003 Elsevier Science B.V. All rights reserved.
Keywords: Cryptography; Digital security; Digital signatures; E-commerce; Electronic security; Encryption; Internet privacy; Public Key Infrastructure, PKI
1. Introduction
As technology increasingly plays a key role in how people communicate and do business, the authentication and verification of that information become an important issue to consider. The Internet is used to store, inform, communicate, and transact data on an everyday basis. The security of that data is essential to most companies and individuals.
0920-5489/03/$ - see front matter © 2003 Elsevier Science B.V. All rights reserved.
doi:10.1016/S0920-5489(03)00043-6
The following paper will examine public key infrastructure, starting with an overview of PKI. The overview will define what PKI is and also discuss the components, characteristics, and functions of public key infrastructure. The paper will then examine the internal factors affecting PKI. A third section will look at the current developments of public key infrastructure, examining its organizational, commercial, and global effects, and a case study of a Public Key solution provider. The paper will then discuss the future implications of PKI, detailing the obstacles to its adoption as well as the legal implications that it offers.
2. PKI: an overview
For a means of communication to be accepted, it must offer the reliability of traditional methods, such as sending a letter or making a phone call. Likewise, in order for that new technology to be accepted as a method of conducting business transactions, it must also be as reliable as traditional means of purchasing: cash, check, or credit card. There is no question that new technology and the Internet can speed the delivery of information and online transactions. Yet, without the proper confidence in the medium, those advantages are lost. Digital signatures, cryptography, and other forms of electronic security strive to prove the reliability of technology. Public key infrastructure is perceived by many to do just that: provide reliability and privacy to commerce and communication over the Internet.
2.1. PKI: definitions
There are numerous characteristics that make PKI unique. Listed in Table 1 are a number of characteristics, as defined by both the public and private sector.
Public Key Infrastructure is more than just a new technology; it is a method of electronic security. PKI makes it possible to verify the identity of the sending and receiving parties involved in electronic communication [8]. The security method involves providing a number of keys to Internet users. One set of keys is made public while the respective individuals hold the other set of keys privately. The public and private keys are mathematically related and therefore offer digital security. The keys are matched together: a message made with one key can be read using the other. PKI surpasses previous methods of electronic security by
Table 1
Characteristics of PKI
Year | Author | Characteristics
2000 | National Institute of Standards and Technology | (1) The information sender and recipient both will be identified uniquely so the parties know where the information is coming from and where it is going (identification and authentication); (2) the transmitted information was not altered deliberately or inadvertently (data integrity); (3) there is a way to establish that the sender's identity is inextricably bound to the information (technical non-repudiation); and (4) the information will be protected from unauthorized access (confidentiality or privacy). This functionality is included for completeness since public key technology and a Public Key Infrastructure provide it; however, confidentiality and privacy concerns are not covered in detail in this guidance.
| American Bar Association | Signer authentication: the signature attributes the message to the signer. Message authentication: the signature identifies the signed message with far greater certainty than paper signatures; verification reveals any tampering. Affirmative act: using the signature performs the ceremonial function of alerting the signer to the fact that the signer is consummating a transaction with legal consequences. Efficiency: the processes of creating and verifying a signature provide a high level of assurance without adding greatly to the resources required for processing.
2001 | VeriSign | Provide an electronic means of verifying someone's identity: used in conjunction with encryption, digital IDs provide a more complete security solution, assuring the identity of all parties involved in the transaction (from www.verisign.com/repository/brwidint.html).
protected, and no longer viewed as easily compromised, they have little chance to be adopted by mainstream society.
The amount of Internet usage has dramatically increased, as has the number of Internet transactions. As a result, online regulations and standards are needed. Subjects for these regulations include personal privacy, information security, business interoperability, and contract legality [4].
PKI has valuable potential in the e-commerce, finance, legal, governmental, and nearly any other field where secure information is sent electronically. In addition, PKI's characteristics make it a possible answer for many of the security and privacy concerns of wireless communications.
2.4. PKI: history and evolution
As the computer and the Internet have increasingly become ingrained into everyday life, network security has played a larger role. The first security measures primarily focused on the network itself, as companies installed firewalls and gateways on their networks in order to keep track of the traffic entering and leaving the system.
Other security measures looked to assure that an electronic message sent would get to the desired location. Many Internet transactions, especially those involving sums of money or confidential information, have relied upon the Secure Sockets Layer (SSL). SSL secures the connection between the Internet user's browser and the server. The Secure Sockets Layer protects the information as it is being sent across the Internet and provides assurance that the information is going to the correct server [18]. However, SSL does not authenticate the sender or the recipient of the information.
Dual key cryptography [8] was introduced in an attempt to provide further protection. The two keys, one to encrypt and the other to decrypt information, allowed individuals to guard their information. Much like PKI, one key was held privately, while the other was made public. However, unlike public key infrastructure, there was no way to authenticate the holders of the keys; there was no means to assign a digital identity. Table 2 reviews the evolution of network security and the rise of PKI. It must be noted that these security applications look to protect different areas of
Table 2
Evolution of network security
Era | Type | Function
Early | Firewalls, gateways |
Mid | SSL |
Mid | Encryption |
Late | Dual key cryptography |
Current | PKI |
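The key pair described in Section 2.1 and the gap Section 2.4 draws between dual key cryptography and PKI, carried through in working Go as an added example that is not part of this paper. It uses only Go's standard library; the "Example CA", the subject name alice@example.com, the order text and the serial numbers are constructed for the illustration. Signing with the private key and checking with the public key is all a bare key pair offers: the altered-order check shows Table 1's data integrity property, but nothing yet says whose key it is. The certificate issued by the CA is what binds the name to the key, so the impostor's self-signed certificate, mathematically just as valid, is rejected for lack of a trusted party vouching for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustKey: a P-256 key pair; the private half stays with its owner, the public half is shared.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// sign signs the SHA-256 digest of msg with the private key.
func sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	check(err)
	return sig
}

// certTemplate holds the fields shared by every certificate in this example (constructed values).
func certTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue is the step PKI adds to dual key cryptography: the issuer signs a
// statement binding tmpl's name to pub. Passing tmpl as issuer self-signs it.
func issue(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newCA creates the self-signed root of the hypothetical "Example CA".
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := certTemplate(1, "Example CA")
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage |= x509.KeyUsageCertSign
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// verifySigned is the relying party's check: the certificate chains to a trusted CA
// (identification), names the expected party, and its key verifies the signature
// over exactly this message (integrity, non-repudiation).
func verifySigned(roots *x509.CertPool, cert *x509.Certificate, name string, msg, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("key not vouched for by a trusted CA: %w", err)
	}
	if cert.Subject.CommonName != name {
		return fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, name)
	}
	h := sha256.Sum256(msg)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify under the certified key")
	}
	return nil
}

// demo: Alice's genuine signed order, the same signature on an altered order, and
// an impostor whose self-signed certificate claims Alice's name. The impostor's
// signature is valid under its own key; it fails only for lack of a CA behind it.
func demo() (genuine, tampered, impostor error) {
	caCert, caKey := newCA()
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	alice := mustKey()
	aliceCert := issue(certTemplate(2, "alice@example.com"), caCert, &alice.PublicKey, caKey)
	order := []byte("order 1001: 3 units, ship to warehouse B") // constructed sample
	sig := sign(alice, order)
	genuine = verifySigned(roots, aliceCert, "alice@example.com", order, sig)
	altered := []byte("order 1001: 9 units, ship to warehouse B") // one digit changed
	tampered = verifySigned(roots, aliceCert, "alice@example.com", altered, sig)
	imp := mustKey() // same claimed name, but only the key holder vouches for it
	impTmpl := certTemplate(3, "alice@example.com")
	impCert := issue(impTmpl, impTmpl, &imp.PublicKey, imp)
	impostor = verifySigned(roots, impCert, "alice@example.com", order, sign(imp, order))
	return genuine, tampered, impostor
}
```

A `main` that prints the three values returned by `demo()` is all that is needed to run it; the first is nil and the other two carry the reason for rejection. Note that the relying party checks the name in the certificate against the name it expected: a certificate that is perfectly valid but issued to someone else must be rejected too, which is why the check is not simply "does it chain to a root".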
4. PKI: a micro-analysis
In order to understand Public Key Infrastructure, it is important to look at the internal factors that come into play. These factors include the hardware and software, the system needed to properly implement a digital security system, the involved parties to PKI adoption, and related technologies.
4.1. Hardware/software
In order to successfully implement a PKI system, very little hardware is needed other than that which
5. PKI: a macro-analysis
Also important in understanding a Public Key Infrastructure is looking at the external factors that have been affected by the system and which have also played a role in the system's adoption. The macro-analysis will conclude with a case study of VeriSign, a leader in PKI. While the security system is certainly not in a mature stage, some industries seem to have a greater curiosity than others do at this present time.
5.1. Organizational
E-commerce is not the only industry with a need for online privacy. Governmental agencies, the law enforcement community, and high-level researchers all have a significant need for the protection of their data. Indeed, any individual with a need for online privacy and the protection of confidential information will have a need for Public Key Infrastructure. One example of how PKI has been used by organizations
8. Conclusions
At present, there is a need for a digital security system such as PKI. As more data is being stored and communicated electronically, it has become essential to protect that data. The greatest impact can be seen in E-commerce. For online transactions to grow in adoption, companies and consumers must be comfortable with the technology and at the same time have confidence that the transaction information is secure. While it is easy to see the growing comfort that the global population has with the Internet and its usage, it is also easy to see the mistrust that much of that same population has with conducting financial transactions online.
PKI has been highly anticipated over the years and is still largely awaiting mass acceptance as a means of digital security. Yet, it has received much interest in the financial sector, with many banks and brokerages already implementing Public Key Infrastructures or looking to unveil their own systems. There has been a global interest in the security system, seeing countries from around the world passing legislation providing
References
[1] Anonymous, 1 in 3 Internet Users Banks Online, The Straits Times, Singapore Press Holdings, Singapore, 2001 September 24, p. 8, Money.
[2] Anonymous, Digital Signature Guidelines, American Bar Association, Section of Science and Technology, Information Security Committee, http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html.
[3] Anonymous, Electronic signatures, The Computer and Internet Lawyer, vol. 18, Prentice Hall Law and Business, 2001 September, p. 35, Number 9, Current Developments, Aspen Publishers, ISSN: SS07421192.
[4] P. Alterman, The U.S. federal PKI and the federal bridge certification authority, Federal Public Key Infrastructure Steering Committee, 2001 May 7.
[5] M. Benantar, The internet public key infrastructure, IBM Systems Journal 40 (3) (2001) 648.
[6] D. Birch, E-commerce: Sign on the Dot: from today, digital signatures in the EC are as legally valid as handwritten ones, The Guardian, Guardian Online, p. 7.
[7] B. Bobbitt, PKI policy pitfalls, Information Security Magazine, 2001 July, http://www.infosecuritymag.com/articles/july01/features_pki.shtml.
[8] K.P. Bosworth, N. Tedeschi, Public key infrastructures: the next generation, BTexact Technology 19 (2001 July) 44–59.
[9] L. Cohen, Click on the dotted line: E-signatures come of age and make the future of E-commerce a little brighter, New Jersey Law Journal (2001 August 20) (E-commerce Law, American Lawyer Media) access via LexisNexis.
[10] P. Dowd, J. McHenry, Network security: it's time to take it seriously, Computer (1998 September) 24–28.
[11] D. Fisher, Standards slow embedded PKI growth, eWeek