Lock, stock and barrel

The next frontier for many government agencies is electronic commerce, the (theoretically) unfettered exchange of information and services via the Internet.

By Pete Loshin, Special to GCN

Perhaps the biggest fetter holding electronic commerce back is concern over security. That's where public-key encryption comes in, and with it administrators' hopes for unshackling agencies' efforts to expand online interactions.

How does it work?

Let's say you're using public-key encryption in your agency or department. Everyone, and maybe even every device, gets a public key. Everyone posts their public keys on a Web server somewhere and incorporates them on business cards and in e-mail.

If you want to encrypt a message to your director, you use her public key; she decrypts it by using her private key. Public-key encryption is sometimes called asymmetric encryption because a message encrypted with a public key can only be decrypted with the corresponding private key. With symmetric algorithms, the same key is used to encrypt and decrypt.

But how do you know that the public key you use to encrypt mail to your director is actually the public key associated with the director?

You don't, unless you've got some mechanism in place to keep track of who's who, and which public key belongs to whom. That means building a public-key infrastructure for distributing public keys and using a certificate authority, or CA, to sign all your users' public keys to create public-key certificates.

Certificates are little more than simple statements digitally signed by some trusted third-party entity. These statements usually, though they are not required to, contain the data outlined in the International Telecommunication Union's X.509 standard: the name and other identifying information of the subject of the certificate, the subject's public key, and the digital signature of the certificate authority issuing the certificate. The CA's signature says, in effect, that the CA is vouching for the certificate holder: This person or entity is associated with this public key.

Why use certificates instead of just public keys? You wouldn't really need a certificate if you distributed public keys by hand, with each entity holding a public key giving it to you in person. To avoid problems, however, you could never distribute keys any way but in person, hardly a practical method.

Once you start e-mailing naked public keys, you risk a man-in-the-middle attack. If Bob sends a public key to Alice by e-mail, that key could be intercepted by Carol, who substitutes her own key for Bob's. Then, when Alice encrypts a message with what she thinks is Bob's key but is actually Carol's key, Carol can read it but Bob cannot.

This is where certificates come in. With a certificate system, Bob gets his public key signed by a CA and sends the certificate to Alice. Alice can verify the CA's signature on the certificate, and, to the extent that she trusts the CA to have been conscientious about verifying Bob's information, she can trust that the public key in the certificate belongs to Bob.

Much of the attention certificates and CAs are getting arises from the importance of public-key cryptography in Internet commerce. Commerce servers need certificates so customers' browsers can encrypt sensitive consumer data. But government agencies can put certificates, and CAs, to good use for many other purposes. Most important, certificates are vital for any public-key encryption application, whether you are encrypting Internet e-mail or encrypting IP datagrams through a virtual private network.

Sounds pretty good, you might say to yourself; we should use a CA for our public keys. But there are still some questions to worry over. Whom can you trust as the trusted third party? Should you try to do it in-house, to maintain control over the entire process, or should you contract it out to a vendor that specializes in such things? And what exact functions must a CA perform?

The CA must issue certificates, respond to requests for users' certificates, and maintain a current list of revoked or invalid certificates (a certificate revocation list, or CRL). The products and services included in this Buyer's Guide all provide these certificate authority services.

The bottom line is that you must also be able to trust that the CA cannot be subverted, whether the CA is controlled by a third-party service provider or internally within your agency. If someone gains control of the CA's private key, she can generate her own bogus certificates that would be indistinguishable from authentic certificates.

Revocation provides a mechanism by which a compromised key can be taken out of circulation. When a certificate is revoked, the CA lists the invalid certificate as well as the date from which it was revoked, so signatures made after that date can be flagged as illegitimate.

If you opt for a CA service provider, you should carefully evaluate its security arrangements. You'll also want to review its policies for issuing and managing certificates, as well as what kind of documentation or identification it requires to issue a certificate. Will the CA build policies specifically for your agency? What documentation is required to revoke a certificate? What liabilities and obligations will the CA take on?

If you opt to buy CA software and do it all yourself, you should have a qualified expert help. Expect to spend a lot of time working out the details of building your own CA. The Quebec-based PKI consulting firm Labcal Technologies Inc. offers "25 Steps to the Successful Implementation of a Corporate Public-Key Infrastructure" as a free download from its site, at www.labcal.com.

Beyond certificate policymaking, certificate management and revocation are crucial day-to-day CA functions. X.509 certificates include validity dates, specifying the period during which a certificate is valid. But certificate revocation provides a mechanism by which a certificate can be invalidated early, for example, if the certificate holder's private key is compromised or the holder leaves the organization.

Vendors who offer CA services, such as Verisign Inc., Thawte Consulting and Alphatrust.com, would have you believe that a trusted third party means exactly that: an entity external to any of the entities using encryption to communicate.

Others, such as Baltimore Technologies Plc., sell the software necessary to establish your own CA in-house. Still others, such as Entrust Technologies Inc., will tailor their service, whether it is for an in-house CA or a third-party CA service provider. Yet another option is just to use the Microsoft Certificate Server included in the Windows NT 4.0 Option Pack to generate your organizational certificates.

Whether you go in-house or not, managing certificates and keys is far more complicated than simply signing public keys for the people, devices and systems under your control. Be sure to do your homework.
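The man-in-the-middle swap, the CA-signature check, the consequences of a stolen CA key and the revocation-date check described above, worked through as an added example that is not code from the article or from any vendor it lists. It models only the trust mechanics: textbook RSA over well-known Mersenne primes with a truncated SHA-256 digest and no padding, so it runs on the Python standard library but is in no way usable cryptography. The party names, the CA name "GCN Root CA", the certificate fields, serial numbers and dates are all assumptions made for the illustration.

```python
"""Toy PKI: naked public keys versus CA-signed certificates.

Added illustration, not code from the article or any vendor it lists.
Textbook RSA over Mersenne primes, truncated SHA-256, no padding, tiny
keys: it models trust mechanics, not real cryptography. Names are assumed.
"""
import hashlib
import json

E = 65537  # public exponent; coprime with every phi(n) used below

def keypair(p, q):
    """Textbook RSA from two primes: returns (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(data):
    # First 64 bits of SHA-256, so the value is always below every modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def sign(priv, data):
    n, d = priv
    return pow(_digest(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def tbs_bytes(cert):
    """Canonical 'to-be-signed' encoding: the CA signature covers exactly
    these fields (X.509 uses DER for the same purpose)."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()

def issue(ca_priv, issuer, subject, subject_pub, serial, not_before, not_after):
    """The CA vouches that `subject` holds `subject_pub` for a date range."""
    cert = {"issuer": issuer, "subject": subject, "public_key": list(subject_pub),
            "serial": serial, "not_before": not_before, "not_after": not_after}
    cert["signature"] = sign(ca_priv, tbs_bytes(cert))
    return cert

def validate(cert, trusted, crl, today):
    """trusted: {issuer name: CA public key}. crl: {serial: revocation date}.
    Dates are ISO strings so they compare correctly. Returns (ok, reason)."""
    ca_pub = trusted.get(cert["issuer"])
    if ca_pub is None:
        return False, "issuer not trusted"
    if not verify(ca_pub, tbs_bytes(cert), cert["signature"]):
        return False, "bad CA signature"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False, "outside validity period"
    revoked_on = crl.get(cert["serial"])
    if revoked_on is not None and revoked_on <= today:
        return False, "revoked on " + revoked_on
    return True, "ok"

# Each party gets its own primes (Mersenne primes 2^p - 1, p in {19..127}).
CA_PUB, CA_PRIV = keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = keypair(2**31 - 1, 2**107 - 1)
CAROL_PUB, CAROL_PRIV = keypair(2**19 - 1, 2**127 - 1)
TRUSTED = {"GCN Root CA": CA_PUB}          # Alice's trust store (assumed name)
BOB_CERT = issue(CA_PRIV, "GCN Root CA", "bob@agency.example", BOB_PUB,
                 1001, "2000-01-01", "2001-01-01")
TODAY = "2000-06-01"

def naked_key_mitm():
    """Bob e-mails his bare key; Carol swaps in hers before Alice sees it.
    Returns (carol_can_read, bob_can_read) for Alice's encrypted message."""
    key_alice_received = CAROL_PUB
    m = int.from_bytes(b"FY budget", "big")   # constructed sample message
    c = encrypt(key_alice_received, m)
    return decrypt(CAROL_PRIV, c) == m, decrypt(BOB_PRIV, c) == m

def certificate_mitm():
    """Same swap against Bob's certificate: the CA signature no longer matches."""
    tampered = dict(BOB_CERT, public_key=list(CAROL_PUB))
    return validate(tampered, TRUSTED, {}, TODAY)

def rogue_ca():
    """Carol signs a 'Bob' certificate with her own key under a made-up CA name."""
    forged = issue(CAROL_PRIV, "Carol CA", "bob@agency.example", CAROL_PUB,
                   7, "2000-01-01", "2001-01-01")
    return validate(forged, TRUSTED, {}, TODAY)

def stolen_ca_key():
    """With the real CA private key, a bogus certificate is indistinguishable."""
    forged = issue(CA_PRIV, "GCN Root CA", "bob@agency.example", CAROL_PUB,
                   7, "2000-01-01", "2001-01-01")
    return validate(forged, TRUSTED, {}, TODAY)

def revocation_check():
    """Bob's certificate is revoked on 2000-09-15: it still validates before
    that date and is rejected from that date on."""
    crl = {1001: "2000-09-15"}
    return (validate(BOB_CERT, TRUSTED, crl, TODAY)[1],
            validate(BOB_CERT, TRUSTED, crl, "2000-10-01")[1])

if __name__ == "__main__":
    for demo in (naked_key_mitm, certificate_mitm, rogue_ca,
                 stolen_ca_key, revocation_check):
        print(f"{demo.__name__:18} {demo()}")
```

Run it directly to print each scenario's outcome. The one forgery that passes validation is stolen_ca_key(), which is exactly why the CA's private key has to be the best-protected secret in the system; once it is gone, nothing a relying party checks can tell good certificates from bad. validate() consults the CRL together with the revocation date so that signatures made before the revocation still verify, which is the behaviour the article describes for flagging only the illegitimate ones.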

Public-key encryption may be the answer to your e-commerce security concerns

System service

What to ask about PKI

- What is expected of the certificate authority, certificate holders and certificate users? What are their liabilities and obligations?
- How are entities identified and authenticated prior to receiving certificates? What kind of documentation must they submit?
- What are the operational procedures for the CA? What are the processes for applying for a certificate and revoking a certificate? How is the process audited? What records are archived, and how?
- What physical and procedural controls are to be used? Where is the system hosting the CA located? How is it backed up? Who has access to and control of the system?
- What kind of clearance is required of CA system administrators and managers? What kind of training, experience and qualifications are necessary?
- How are keys generated, delivered and used? What cryptographic algorithms for encryption and digital signatures are to be used? What about network and system security?
- What information is to be stored in the certificates and the certificate revocation list? How is it to be formatted?

Pete Loshin, of Arlington, Mass., is the author of several books about networking, Internet protocols and encryption.

| Vendor | Product | Type | Platforms | System requirements | Price |
|---|---|---|---|---|---|
| AlphaTrust Corp., Dallas, 214-290-1900, www.alphatrust.com | AlphaTrust Network Digital ID | Service | Win 9x, NT, 2000; Mac OS; Unix | Netscape Navigator 4.04 or higher, Microsoft Internet Explorer 4.01 or higher, or any software supporting X.509 digital certificates | $39 registration, $20 per year |
| Baltimore Technologies PLC, Plano, Texas, 972-516-3744, www.baltimore.com | UniCERT 3.0 | Software | NT 4.0 | Oracle, TCP/IP, Windows NT | $5,000 base price; typical configurations $25,000 to $30,000 |
| BCE Emergis Inc., Montreal, 888-709-8759, www.emergis.com | BCE Emergis PKI Hosting & Management Services | Combination | HP-UX, NT | Entrust PKI software | About $6,700 to $67,000 per month |
| CyberTrust, Needham Heights, Mass., 800-362-7304, www.cybertrust.com | Enterprise CA Version 3.3 | Software | SunSoft Solaris, HP-UX | Sun Ultra or HP 9000, 256M RAM, 2G hard drive | $150,000, unlimited certificates |
| CyberTrust | Enterprise Hosting Services | Service | N/A | Any Web browser | $35,000 to $65,000, includes 5,000 certificates |
| Digital Signature Trust Co., Salt Lake City, 888-294-7831, www.digsigtrust.com | TrustExchange | Service | Any client that supports X.509v3 certificates | Standard desktop PC with browser (or other client) | $25 per base client S/MIME certificate, $299 per server SSL certificate |
| Diversinet Corp., Toronto, 800-357-7050, www.dvnet.com | PASSport Certificate Server Version 2.0 | Software | NT | 200-MHz processor, 128M RAM (256M recommended), 4G hard drive and CD-ROM drive | $20,000, priced by volume |
| Entrust Technologies, Plano, Texas, 888-690-2424, www.entrust.com | Entrust/PKI 4.0 | Software | NT Server 4.0, SunSoft Solaris, HP-UX, AIX | Windows NT Server 4.0 with Service Pack 3 or higher, 64M RAM (96M recommended), 166-MHz or higher Pentium, TCP/IP; requires Entrust/Directory or other LDAP-compliant directory | $20,000 |
| Entrust Technologies | Entrust.site Web Server Certificate | Service | Any server | Web server that supports X.509v3 certificates | $299 for a one-year certificate, $499 for a two-year certificate |
| E-Lock Technologies Inc., Fairfax, Va., 877-893-9506, www.elock.com | e-Lock PKI 2.1 | Software | NT | MS Certificate Server | Free software; charge for consulting and services |
| Microsoft Corp., Redmond, Wash., 425-882-8080, www.microsoft.com | MS Certificate Server | Software | NT | NT 4.0, NT 4.0 Option Pack | Free download |
| Network Associates Inc., Santa Clara, Calif., 408-988-3832, www.nai.com | PGP Desktop Security 6.5.1 RSA PGP Certificate Server 2.5 | Software | NT 4.0, SunSoft Solaris | NT 4.0 with Service Pack 3 or higher, 128M of RAM, client browsers that support full domestic 128-bit keys | $25,000 for 1,000 seats; volume discounts available |
| RSA Data Security Inc., San Mateo, Calif., 650-295-7600, www.rsa.com/index.html | Keon Certificate Server 5.0 | Software | NT | Dedicated NT system (Windows or Server) with Service Pack 3 or higher, 233-MHz or higher PC, 128M of RAM, 250M of hard-drive space, NTFS hard drive | $25,000 for a 500-user license; volume discounts available |
| Valicert Inc., Mountain View, Calif., 650-567-5400, www.valicert.com | Enterprise Validation Authority Version 3.0 | Software | NT 4.0, SunSoft Solaris | Any client or server using digital certificates | $19,995 and up |
| Verisign Inc., Mountain View, Calif., 650-961-7500, www.verisign.com | OnSite 4.0 | Combination | NT 4.0 | 166-MHz Pentium, 64M of RAM, 1G hard drive | $5,000 for a pilot implementation |
| Verisign Inc. | Class 1 Digital ID | Service | Any client | Any client that supports X.509v3 certificates | $14.95 per year per client; volume discounts available |