Don't be put off by PKI
E-government security concerns are driving deployment
- By John McCormick
- Jun 07, 2005
Implementing a public-key infrastructure is a daunting task. It is a very expensive and complex project, in which many components have to be tightly integrated with an existing network.
Toss in encryption tools, and you have a large universe of hardware and software involved in a PKI. This guide includes the tools most likely to be of interest to agency adopters.
A 2003 Government Accountability Office report on the 89 PKI initiatives being undertaken by 20 agencies estimated a $1 billion price tag for the combined projects and uncovered a lot of problems.
Simply getting digital certificates to everyone and validating those certificates can be a major project in itself.
Many implementations also require portability. That means issuing smart cards to all qualified users and installing smart-card readers at all workstations, which makes everything much more complex than when you can simply rely on machine-to-machine PKI verification using servers and firewalls.
One reason agencies are concerned with PKI is the Government Paperwork Elimination Act, which requires federal agencies to use electronic forms, filing and signatures to conduct official business with the public where practical.
Another force driving the adoption of PKI or digital certificates is Presidential Directive HSPD-12, which requires agencies to establish a standard method of identifying federal employees and contractors.
PKI can also be used to secure enterprise networks and intranets, as well as Web communications.
Electronic signatures used to validate communications can involve PINs or even biometrics, but digital signatures are the most prominent technology used to date, and that means using PKI to ensure trustworthiness of electronic documents.
PKI isn't just a piece of technology; it includes every component necessary to verify the association between an asymmetric public-key encryption pair and a specific individual or entity. This includes technology, policies and people. The security of a PKI system is never stronger than its least secure component.
Minimally, a PKI includes:
- A security policy
- A certificate authority that issues and revokes certificates
- A registration authority to verify identities
- A repository that stores valid certificates and certificate revocation list.
For users, a PKI includes:
- Information about the certificate holder's identity
- The public key
- The associated algorithm
- The certificate's expiration date/validity period
- The identity of the issuing certificate authority.
PKI is generally considered to comprise all the services and protocols needed to manage public-key authentication, including certificate authorities and registration authorities; encryption and digital signatures provided to end-user applications; and cryptographic operations with the keys.
In some implementations, key recovery is also considered part of PKI; but according to RSA Laboratories, the research center of RSA Security Inc. of Bedford, Mass., PKI sometimes simply refers to a trust hierarchy based on public-key certificates.Challenges facing PKI adopters
The number of certificates needed for the government is likely to exceed 10 million, with another million or so for individuals and contractors.
Integrating PKI into an existing infrastructure can pose a massive challenge, so much so that several agencies have cancelled large PKI projects in recent years for funding or other reasons.
The 2003 GAO report listed some challenges faced by early adopters of PKI:
- Inadequate policies and guidance for privacy, key recovery and authentication
- Lack of common criteria
- Lack of implementation and cost models
- Long waits to get certificates validated online (sometimes hours, not seconds)
- Funding constraints
- Integration problems with existing security tools
- Interoperability problems
- Complex, difficult-to-use development tools and application programming interfaces.
- Lack of properly trained technical staff
- Inexperienced users
- Lack of qualified contractors
- Limited governmentwide planning
- Lack of PKI-enabled applications
- Inadequate performance or scalability'PKI causes increased traffic because every encrypted message and sign-on requires a certificate lookup
- The administrative burden of managing digital certificates, especially through third-party vendors.
Although progress is being made, especially in the areas of PKI-enabled applications and the ability to locate experienced staff or contractors, many of the problems GAO uncovered in its report were similar to those it found in a study four years earlier.
Thus, it is likely that any PKI project will encounter most or all of these same problems today.
The Defense Department is one department that's ahead of the PKI game.
A year ago, DOD's Directive 8500 mandated that vendors wishing to sell to the Pentagon obtain digital certificates, putting the Pentagon in the lead using PKI technology.
In addition, Defense employees and contractors who work inside department facilities are required to use Common Access Cards with embedded PKI credentials. About 90 percent of Defense users currently have a smart card.
DOD recently rolled out two PKI validation authority applications, one from Tumbleweed Communications Corp. and the other from CoreStreet Ltd., both of which address the substantial delays (up to an hour or more) that had plagued users.
According to a recent report, CoreStreet's Real Time Validation Authority has cut validation time to 65 milliseconds.John McCormick is a freelance writer and computer consultant. E-mail him at firstname.lastname@example.org.