So, here we are in the year 2000. Some companies have implemented PKI and others are deploying pilot programs. Several countries in Europe already have digital signature acts, while the U.S. federal government recently approved the Electronic Signatures in Global and National Commerce (E-Sign) Act. This piece of legislation makes a document or contract signed with a digital signature as legally binding as a paper document signed with a pen. Experts say it and other laws like it around the globe are certainly big endorsements of PKI.

A great many of these same industry players also maintain that PKI is the only way to protect and authenticate data exchanged via the Internet, especially as it pertains to the legalities of e-business dealings. The question still remains, however. When will the year of PKI finally arrive?

What’s Up With PKI?
“For a while, PKI vendors were sitting around each year with clinched fists saying, ‘This is the year,’” says Jason Wright, network security research analyst with Frost & Sullivan. “The greatest driver is acceptance. PKI is taking off in a big way.” He predicts that the PKI market will grow by 100 percent this year and next.

All over the world, the network security market is skyrocketing, with PKI often noted as one of the fastest growing security infrastructures. According to Datamonitor Technology’s Global PKI Markets study, PKI will continue to grow over the next four years, and by 2003 revenues will reach $1.4 billion worldwide.

“PKI technology has been predicted to boom since 1997,” the study states. “However, so far this prediction has consistently failed to become a reality. Now, Datamonitor predicts remarkable growth for PKI over the next four years.”

And, while pilot implementations of the technology will play the dominant role up until “at least 2000,” the study predicts, by this year “solutions will be moving from pilots to full-fledged implementations.”
Michael Jannery, vice-president of product marketing for worldwide vendor Entegrity Solutions, says that there is definitely an obvious uptake of PKI technology, but it is not being deployed everywhere just yet. Ubiquity, he declares, does not apply here.

“We still see many companies who are looking for ‘good enough’ security, meaning less strong authentication than what you get with PKI. For these people, they are willing to go with ‘weaker’ authentication, such as user-names and passwords, if they get other things, like auditing and logging of events so they can do forensic analysis and possibly pursue breaches after the fact,” he explains. “Usually this is for the low financial risk-type activity.”

Despite the many companies that have not been sold on PKI solutions, the technology has been used with other applications for some years, says Patrick McBride, executive vice-president of METASeS.

“Lotus Notes, for example, has authenticated users with PKI since 1989, and PGP has used its own flavor of PKI for user authentication since 1991,” he says. “By today’s market-driven definition of PKI there are also some widespread, non-pilot PKI deployments where users [authenticate] themselves using digital certificates. Examples include Baltimore Technologies’ successes with the American Express Blue credit card and Hong Kong Post; Cylink’s adoption by the U.S. Postal Service for use with its Information Based Indicia Program (IBIP, i.e. print-your-own-postage); Entrust’s implementation with the Canadian Federal Government; and Xcert’s win with TeleCash Gmbh.”

He maintains that ease-of-use and transparency to the end-user will ultimately lead to widespread consumer adoption of PKI. “That’s been the key to success for quite a few of the above examples. To that end, web browser support of client-side certificates really needs to mature,” he adds. “At best, support today is bad to poor from a flexibility and usability perspective, depending upon the web browser being used.”
Still, Frost & Sullivan’s Wright says he is not looking forward to composing the next report on PKI because there are simply few or no restraints left to hold the technology up any longer. The restraints to which he is referring, he says, that vendors have addressed and almost completely overcome include:

• interoperability, as evidenced by the Identrus Forum, spearheaded by global financial institutions to spur e-business by enlisting certificate authority services;

• certificate revocation issues, tackled through CRL (certificate revocation lists) that are fragmented and OCSP (online certificate status protocol);

• scalability; and

• encryption speed through use of encryption co-processors and elliptical curve cryptography.

With these advances in the technology, however, there are still some experts who believe PKI is still a stunted reality.

“Some are actually saying that PKI is too complicated today and that the concept and definition of PKI needs to be revised,” explains Steve Samson, vice-president of wireless business development for NTRU Cryptosystems. “For example, the Gartner Group now claims that 80 percent of PKI deployments are only pilot projects and of the 20 percent of production deployments, a full 40 percent will fail within two years of implementation because PKI fails to provide measurable value. At a keynote speech at RSA 2000, Stratton Sclavos, CEO of VeriSign, told participants to think of PKI as a ‘utility.’ What he is signaling is that PKI is too difficult a technological concept to implement for the mass market and that for future success, vendors need to simplify the definition.”

The Antidote to E-business Ailments?
Charles Davidson, director of global marketing with PricewaterhouseCoopers, says PKI is a difficult technology to grasp. Calling it “pretty heady stuff,” Davidson explains that companies need staff members who completely understand information technology, along with theoretical math, to truly fathom all the workings behind PKI. “I think that’s inherently frightening to people,” he adds.

The acts of enterprises actually adopting and deploying PKI have less to do with the technology itself, and more to do with the steps behind implementing it, he goes on. When building a PKI, a business must find the brain power to do it. Unfortunately, there is a great shortage of IT experts, generally speaking, much less those well-versed in the intricacies of PKI.

“There’s sort of an artistry to it,” he adds. “Any idiot can write code. It takes an expert to write good code.”

Bill Bialick, technical director for Maryland-based SPYRUS, explains that there is much confusion about the technology, especially in regard to ensuring that it has a legal effect “and truly offsets liability.” How certificate authorities stand behind the company’s certificates, for example, is a key issue to take into account. Certificate policies, practices and statements are integral to deploying a strong PKI.
“So deployment is not a hard thing, but deploying [PKI] in a meaningful way, such that it actually means something, is another matter,” Bialick says. “You’re going to find the devil in the details.”

As a result of these and other complications, Davidson says many companies are beginning to contemplate the idea of outsourcing PKI. A large international client came to his company asking that PricewaterhouseCoopers build its PKI. With the advent of various technologies being offered by service-providers and this request being made, PricewaterhouseCoopers jumped into the service-provider fray with its beTRUSTed offering. Service packages through this outsourcing program include software, hardware, training and documentation needed for a company to begin using digital certificates for a smattering of applications. Web and secure email, virtual private networks and customized applications can all be enabled to use certificates.

For the past two years, says Bialick, there have either been pilot implementations of PKI or companies have simply outsourced their needs, rather than fully expediting their own. Through whatever means, either outsourcing or construction of PKI with one of the many vendor solutions, Davidson adds, the market will take off eventually – perhaps in two months or two years.

PKI offers security, confidentiality and authentication for too many of today’s business practices not to, says Joe Krull, vice-president of Aladdin Knowledge Systems, Ltd. PKI allows for authentication to a company’s network, encryption of data or transactions, defined access to an extranet and much more.

“You don’t want to develop a PKI to use only internally,” he says. “You want to use it with the rest of the world.”

And governments, as confirmed by the various legislative acts they are passing, understand this need. President Bill Clinton just signed the E-Sign Bill and the European Union Commission is basing the Digital Signature Act, to be used as a standard for all of Europe, on Italian and German digital signature laws already in place, he says. Additionally, he adds, 16 countries have PKI in legislation.

“It’s an evolving process. It’s not going to happen overnight,” Krull says. Right now, many companies are testing and piloting PKI, but the “dam will burst loose in 2001. In 2001, you’re going to see billions of dollars in business with PKI.”

Especially, in the business-to-business market. Brian O’Higgins, chief technology officer for Entrust Technologies, says PKI is definitely the “killer technology” for protecting and authenticating business deals over the Internet.

“No other technology has so much bang for the buck, and no other technology can duplicate the power of digital signature… organizations are using PKI in various capacities, ranging from online banking and brokerage, to internal government departmental use, to business-to-business e-commerce between internal business units and third parties,” he says. “PKI technology is also being used to secure business relationships in the emerging B2B e-markets arena – a space which Gartner Group has predicted to grow to $7.3 trillion in electronic business by 2004.”

Who’s Using PKI?
While some experts believe PKI will fully come into its own next year, there are those who maintain it is happening now.

“It is no longer limited to early adopter organizations within the financial services and government markets,” says Entrust’s O’Higgins. “PKI is now establishing itself in healthcare, as the need to protect patient information grows; telecommunications, with VPN and remote access driving the wave; and the pharmaceutical arena, protecting patents and drug submissions to the FDA; as well as providing auditable e-business trails.”

He continues that PKI will only spread beyond this year. Legislation throughout the world, such as the U.S. HIPAA regulations for the healthcare industry, is helping to drive the need for PKI.

Then there are “pure business problems, such as securing email communications, providing digital signatures on e-forms or any transactions, and communications (business relationships) over the web – whether it’s between businesses or inside organizations in this increasingly digital and environmentally-friendly world,” O’Higgins explains. “In the next few years, PKI will be deployed in wireless devices, as these (cell phones, PDAs, etc) will be used in increasing number for Internet transactions.”

With the promises that PKI makes to these industries, however, some say the technology still hasn’t caught up with the reputation proceeding it.

PKI Problems
Though Frost & Sullivan’s Wright maintains that the PKI industry has addressed or is quite close to overcoming some of the faux pas that hindered the technology’s acceptance in the past, there are those who say some issues remain.

Mike Rothman, co-founder and executive vice-president of SHYM Technologies, says that the formation of standards, from the outset, was not a problematic exercise. “Very early on, all the vendors agreed on terminology,” he explains. “Unfortunately, the technology backing the terminology is still lacking. The standards offer some variability in how the PKI vendors implement, which creates the interoperability problems. The PKI Forum is working to ensure interoperability, and that’s a good thing because it will be one less obstacle to widespread PKI deployment.”

Yet, maintains Entrust’s O’Higgins, the ambiguity surrounding interoperability is too often misunderstood. “Many would like to believe that there are interoperability issues holding the deployment of PKI back,” he says. “However, the right standards are in place to make truly interoperable, multi-vendor PKI a reality.”

Although, he explains further, his company has always been quite supportive of open industry standards, there are companies that don’t follow suit, “hence there are still some companies whose standards, implementations or interpretations can cause interoperability headaches.”

To add to the problems of incompatible solutions curtailing the full endorsement of the technology are a host of other unresolved uncertainties. Bill Crowell, chief executive officer of Cylink, says that companies find problems when trying to deploy PKI to use applications that were once password protected. There are often issues when attempting to utilize digital signatures with existing and new applications that drive business operations. Additionally, scaling the PKI to make it part of the infrastructure can prove challenging, while transparency to the end-user is another tricky obstacle to overcome, he explains.
“The payback is very large if deployment is carefully planned and managed, and if the products chosen minimize training and obscurity that [can be] introduced to the user,” he says. “This is difficult stuff. It is detailed and in need of careful consideration.”

There are still a number of other problems that can arise with the implementation of PKI, says NTRU’s Samson. “The biggest unresolved issues hampering mass market adoption of PKI include revocation and directory use, cross-certification and interoperability, certificate portability and scalability issues,” he explains. “Private keys are managed according to varying CMP [certificate management practices] and directory implementations. Smartcards will resolve some of the issues of protecting private keys, but will create new issues such as embedding smartcard readers in PCs and devices.”

Even more of a main sticking point regarding certificates is certificate revocation checking to discover if a certificate has become invalid before its published expiration date, says Martin Hummel, product manager for a newly-formed information security unit of Internosis. There is a major problem in this category due to the lack of seamless integration between different vendor’s implementations, he explains.
AppGate’s Todd Radermacher, director of sales and marketing, says that even further questions abound regarding key escrow. “Should keys be stored so that encrypted files can be restored by someone other than the owner of the key? This raises all sorts of Orwellian visions…” he says.

Cost, too, is often cited as an impediment to adoption of PKI as an enabling technology, but that is not an accurate assessment, says O’Higgins. “We have documented business cases that prove there is a phenomenal return on investment in PKI,” he says. “For example, Mackenzie Financial [was] recently studied by the Hurwitz Group [see Cost Questions Answered on page 26] who determined that there is significant return on investment to be gained from a PKI investment.”
Then there is the puzzle of wireless PKI, says NTRU’s Samson. If there are so many conundrums needing resolution in the wired world, there will most definitely be problems in the wireless one.

“We already expect and know that migrating existing PKI concepts into the wireless environment will be like shoving an elephant through the eye of a needle,” he says. Why? In the wireless world the same unresolved issues of PKI will be compounded by bandwidth limitations in transport (i.e. latency issues), processing limitations (i.e. scalability issues), memory limitations (i.e. device issues). Again some analysts are coming to the conclusion that the very technological foundation of wired PKI (i.e. cryptography based on RSA technology) could be the Achilles’ heel in the wireless environment. More to the point, RSA does not migrate easily or well to wireless environments.” Vendors like his own, Samson continues, can come into play here by creating solutions specifically for wireless PKI.

Prospects for PKI
A main driver of PKI technology is the world’s ever-growing dependence on the Internet and all it has to offer, says Internosis’ Hummel. At least for the near future, he expects PKI will play a large role in securing all types of e-business activities.

“A large part of this is due to the evolution of the Internet – it was never designed with security in mind. Improvements, such as IPsec, are now being introduced to help in some regard, but it [affects] the network layer only and its universal adoption will probably take some time. If the average home-user is already using the Internet to make online purchases with his/her credit card, they are more than likely already using PKI (via security sockets layer) behind the scenes,” he explains. “Making the process of digital signatures and other elements of PKI transparent and simple for the end-user will ultimately be the key for success in the consumer market.”

As far as the corporate world is concerned, a business problem has arisen today and many believe that PKI is the means to solving it. It is not the silver bullet to rectifying all the woes of e-commerce, experts warn, but is an enabling technology, an infrastructure, that will authorize people and protect data.

“The technical piece of PKI is very simple,” concedes Luther Martin, senior PKI engineer of Cylink’s PKI division. “PKI is a glorified messaging system. The hard part is making it work with your business effectively. The business process questions are very difficult. It’s not a technical issue. It’s a business issue.”

Andrew Morbitzer, vice-president of marketing for Baltimore Technologies, explains that PKI is the accepted technology to construct the infrastructure that will provide companies with the capabilities to engage in e-business, internal company security and other business activities just now being thought of.

“PKI is becoming to corporate infrastructure like routers and switches are – without it, you won’t have an infrastructure,” he explains. “Many of the PKI pilots of the last few years are not turning into very large deployments… However, these major deployments are just now starting to happen. The next months and years will see tremendous growth in PKI deployments as mainstream enterprises employ applications dependent on PKI.”

The bottom line, he adds, is that any user with a browser who goes to a secure web site is already using PKI in some fashion without even knowing it. “If they use a mobile device for wireless Internet connectivity, they are already using PKI,” he says. “If they have a bank account, their bank is most likely using PKI behind the scenes. Anything that we do that needs even a small amount of security in the future will be PKI-based and, thus PKI has a very bright future.”

There’s been much talk in the past few months about encryption key vulnerability in web servers. A security vendor recently touted a discovery about the ability to attack encryption keys in web server environments – as if it was new news. There was some backlash about publicizing this type of vulnerability. Some viewed it as blackmailing users into purchasing a security product from the vendor who propagated the security problem to begin with.

Regardless of the merits, or guerrilla marketing tactics involved, the use of hardware to protect critical keying data in any secure environment, warrants discussion. And the issue of key vulnerability extends well beyond web servers.

The risk of storing keys in software and leaving them vulnerable to all kinds of attack should be understood by anyone considering setting up an e-commerce site or a public key infrastructure (PKI). To truly bolster confidence in e-commerce, e-business and digital certificates, the underlying method in which digital keys are managed must include hardware protection.

All encryption keys generated and stored in software are at risk of being compromised. Software alone is vulnerable to viruses, inadvertent erasing, system failures and hackers. Hardware key management is a secure, dedicated method of generating, issuing, signing, storing and backing up keys on a secure physical device. The best way to mitigate the risk of keys being attacked is to store them in hardware at the outset.

Hundreds of financial institutions worldwide are already using hardware key protection products as part of their e-business strate

gies. Our company has devised a formula for best business practices for key protection, which has in turn been supported and outlined in a white paper, Certificate Authority Root Key Protection: Recommended Practices, by Deloitte and Touche Security Services.
Included in the Deloitte and Touche research are these general guidelines for key protection best practices:

• all keys must be generated in hardware;

• all keys must be stored in hardware at all times, never in software;

• all keys are backed up from hardware to hardware, never touching the host hard drive;

• all certificates are brought to the hardware to be signed, keys never leave the hardware and are never passed into the host’s memory;

• all access to the hardware is done through a trusted path, never through the host keyboard;

• all hardware has Federal Information Processing Standards 140-1 Level 3 validation.

If the hardware security product chosen does not meet these criteria, then the encryption keys are still vulnerable to internal and external attacks, system crashes, and viruses. Moreover, by using hardware key protection from the beginning of deployment, an organization can achieve the highest security at the outset. The inherent risks associated with software are mitigated because the key will always have been stored, generated and protected in trusted hardware.
That being said, the sky may not fall tomorrow, and you may never even experience a security breach when using a software-only e-business solution. Taking that chance leaves you open to compromise, though. Enabling the ultimate trust for e-business means good enough security just isn’t good enough anymore.

Steve Baker is president and CEO of Chrysalis-ITS, based in Canada. The company develops system and semiconductor products to enable trusted e-business.