We hear so many negative questions about Internet security. Is it strong enough? What will happen to my credit card number? What about hackers? Will I lose my privacy? The list goes on. Yet, the more important question may be “How will security on the Internet become the great Enabler of global commerce and also the great Enabler of personal freedom and privacy?” Before I address this question I would like to discuss what I believe are the relevant issues with regard to the aforementioned negative questions.

The holiday shopping season of 1998 showed that many millions of people are beginning to learn that putting their credit card number into a secure web transaction is safe. In fact more and more people are realizing that their credit card number may be safer on the Internet than it is when they give it to a total stranger over an 800# or to a waiter in a restaurant. With regard to the “strength” of encryption, the core technology for Internet security, the fact is that there is no known case of anyone “breaking” full strength encryption or even a good theory for how to do so. At some point in the future there may be some combination of people, networked computers, and schemes that will enable information encrypted with today’s technology to be decoded but by then the strength of the encryption technology will have advanced even further. The more important issues with regard to Internet security have to do more with policy and procedures. I spoke with a group of CEO’s recently and one of them asked me what a firewall is? I said, well that’s a specialized computer that stands between your company and the Internet, and it allows your employees to be able to go out to the Internet and see what’s out there. And it also allows the other 100 million people out there to come into your business, if it isn’t set up right. By the way I asked, do you know the state of the morale of the person who administers your firewall? A security study once showed that the most common password for operating the firewall is the word ‘password’. Technology issue or management issue? How seriously do we take it when an employees puts a stick on memo on their PC screen or under their mouse pad with their password on it? Is it condoned for employees to share passwords? Or do they get a slap on the wrist just as if they made a mistake on purpose on an expense account? In a universally connected world these management and policy issues become very important.

Let us turn back to the credit card issue again. It is true that large numbers of people are learning that encryption technology scrambles (encrypts) their credit card number in such a way that only the web server at the destination is able to unscramble (decrypt) it. An important question however is who is that web server on the other end? How do you know it really is the merchant or university or government agency that the server’s home page said it was? Answer? You don’t. It could in fact be a hacker who has “spoofed” the web sit; i.e. the site could be an imposter. Likewise the web site at the other end doesn’t really know for sure that you are who you say you are. What we are talking about here is authentication. It is one of the five key capabilities that are made possible by Internet security technology or more specifically by a Public Key Infrastructure, often referred to as PKI. The balance of this paper is about PKI and it will attempt to explain what it is, what it does, and why it is important.

To get into the subject a bit lets start by reflecting on what we use as a substitute for authentication on the Internet today — the login ID and password. We all use them every day but the problems with them are nontrivial. First is the password sharing problem which enables someone else to be you. Assuming you keep your password to yourself there is another set of problems. Since web sites have different rules for passwords and since your preferred ID, jjones, may already be taken you end up with lots of different IDs and passwords. There are basically two ways to deal with managing this problem and both of them are problematic. First is to devise an ID so unique, like j&jon#@s, that nobody else will have it and to similarly devise a password of just the right length and style that most any web site would accept it. On the surface your multipurpose universal ID/password seems to be a good idea until you realize that if one of your web merchants turns out to be a scofflaw he or she now has access to your bank account, brokerage account, and every other web site you have registered at! The other potential solution, which many people use, is to create a small database of all your IDs and passwords. Where to put it? On a piece of paper? Where to put that? Create a PC database of your IDs and passwords? Hmmm. Now you need a login/password database. Hmmm. Maybe you need a login/password for your login/password database? Any a backup and recovery scheme? Now you have become a database manager! In case you aren’t discouraged about IDs and passwords yet there is one more peril. Whatever your ID and password are, when you send them they are almost always sent “in the clear”. This means that an unscrupulous person might be able to “sniff” your ID and password from the Internet. They wouldn’t need to even know who you are. They just know they have a key to the all of your web sites. There has to be a better way. Fortunately there is.

Enter Digital IDs

In the near future I believe most people will have a smartcard or similar token which contains your digital ID. Combined with your fingerprint, face print, voiceprint, iris or retina scan, or other biometric match you have a link between you as a very unique person to your digital ID. At last you have the potential to really establish that you are who you say you are. Step one is to get a digital ID from someone that knows for sure who you are and that is trusted by others as a reliable source of authentication. And who would this someone be? The Certificate Authority, or CA, is the place. Over time there will be many CAs. Governments will operate them as will banks, companies, and institutions of all kinds. One of the first commercially operated CAs was Verisign. Another early example is the joint venture of IBM and Equifax announced in the summer of 1998. The important thing is for a CA to be able to be quite certain that you are who you say you are before they issue you a digital ID. In the case of Equifax, they have consumer credit information about 200+ million people. They know your name, your last few addresses, your phone number, and in many cases your mortgage balance! So when they ask you for certain information they can compare it to what is in their database and if there is a match the odds are very very high that they can indeed be sure that you are who you say you are. With this assurance you will be issued a digital ID. Now that you have a digital ID where do you keep it and how does it work?

There are two parts to your digital ID; a public part and a private part. The public part is something you want to make easily available to anyone. This will be described in more detail a little bit further on. The private part of your ID is something you will keep very very private and never share it with anyone. It can be stored on your personal computer or in a smartcard. Other forms of storing it may become popular such as a Java ring, an electronic token of some kind you keep in your pocket or around your neck, or perhaps in a PCMCIA card. Wherever you keep it, the digital ID is a very empowering thing. It enables the five core security capabilities alluded to earlier. Let’s now examine each of these.

Authentication (you are who you say you are)

First and foremost is authentication. Now that you have a digital ID you will no longer have to send your login ID and password over the Internet. Your password goes no further than your smartcard, token, or your PC. Instead you will use your password to enable an encrypted exchange of digital data between your PC (or information appliance) and the other party. The result of the exchange is that both parties will be able to confirm that the other party is indeed who they say they are. If you have also provided biometric data the person will know not only that it was your ID but that it was actually you who initiated the transaction and not someone who may have “borrowed” your login/password. Digital IDs are stored in a digital certificate (hence the origin of the certificate authority) and during the initial exchange of information you will see some of the data that is stored in the other party’s certificate. For example, you will see who issued the ID to them and you can use this information as an additional input to determine whether you want to trust the other party. Authentication is the beginning. Now that you have it you gain four other important capabilities.

Authorization (who can do what)

Now that you can establish who you are to various service providers (banks, merchants, etc.) they can authorize you to do various things. This might include reading a subscription to a publication, banking, investing at an on-line brokerage firm, establishing an account with a merchant so you can buy things without having to register each time you purchase something, or voting in local or national elections. Authorization goes deeper however. Since you are authenticated, you can be authorized to authorize others! Let’s suppose your company has an intranet application that allows you to enroll annually for various medical and dental benefits. Suppose you wanted to allow your spouse to do this for you. How would that work? In today’s world, unfortunately, many people don’t think twice about giving their password to a friend, colleague, or relative. In tomorrow’s world that is not a good idea. A digital ID gives each of us great power and enables us to establish our privacy at the same time. Sharing our password with others dilutes that power. An alternative approach is simply to have an application (web page) that allows a person to authorize someone else to do something on their behalf without giving up their own identity. You authenticate yourself and then you authorize your spouse to be able to enroll/change your medical and dental plan benefits.

Confidentiality (only the intended recipient can read your messages)

The killer application on the Internet continues to be email. Unfortunately of the trillions of emails sent each year most are sent in the clear. Think about writing your most sensitive personal thoughts about someone on a plain postal card and dropping it in a postal box or the slot at the post office. You would have no idea who might be able to read it, right? That is how it is with all the emails you send! When we all have Digital IDs there will be a better way. If you want to send Josef a very private message that nobody but Josef can read you will go to a Certificate Authority and get a copy of Josef’s public key. You then use your email program or other encryption software to encrypt your message to Josef. When Josef receives the scrambled message he decrypts it using his private key. Nobody has Josef’s private key but Josef so you and Josef both know that nobody but Josef can read the message. (

see Note 1

)

Integrity (you both know nothing got changed)

How do you know the email you got wasn’t changed on its way to you? A by-product of using the encryption keys is a function called “hashing”. A calculation is made based on all the characters in the message you create. This calculation is encrypted along with the message. After the decryption takes place, the calculation is compared to the one that was made at the time of the encryption. If they agree you and the recipient both know that the message was not altered.

Non-repudiation (no one can deny a conversation or transaction)

Have you ever been told, “you didn’t request that stock sale” or had to say “I did receive that confirmation notice “? If you receive an encrypted message from someone that is “signed” with their Digital ID (with their private key) and you are able to decrypt it with their public key and see their signature then you know that the message must have been signed with their private key. Only they have their private key so it must have been signed by them. They can not deny it. This works in both directions, of course.

So, does a digital ID mean we lose our privacy? No, quite to the contrary. By having a Digital ID you can establish not only who you are but what privacy preferences you want to stand by. If you choose to be anonymous you will be able to. The Platform for Privacy Preferences (P3P) will enable you to establish the degree of privacy you prefer and this preference will be communicated to the server you are talking to. If the server does not meet your privacy requirements you will be aware and have the choice to proceed elsewhere. Digital IDs are empowering to people and in a universally connected world that will be very important.

Note 1: Lotus Notes has had the equivalent of a public key infrastructure built into it for over ten years. It handles all five functions described in this paper automatically. Release 5 of Notes supports an Internet standard called S-MIME which enables these functions to be performed over the Internet. Another widely used approach to achieving the five functions is to use PGP.
Note 2: This paper has attempted to describe a significant role for Public Key Infrastructures. It is not intended to suggest that PKI solves all the security issues of the Internet. There are other issues having to do with data protection at the source of the data, backup and recovery, policy and administration, etc.

John Patrick
Vice President – Internet Technology
IBM Corporation
[email][email protected][/email]
johnpatrick.com