The PKI payoff

Public-key infrastructure is a complex technology that is a burden for agencies to implement.PKI is a powerful technology that can enable a wide array of agency applications and services.Both of those statements are true, but focus on the second one. By anticipating PKI at your agency, and implementing the technology properly, you can create the foundation for many useful applications.With PKI, a third-party entity vouches for the bona fides of two interacting parties. Those parties might be a bank and its card-carrying customer, or an agency and its smart card-carrying employee. The vouching is in the form of digital certificates ' actually large numbers ' issued by a certificate authority to the trusted parties.Think of PKI as learning the secret handshake of the Loyal Order of Antelope. Once you know that secret handshake, you can:Although PKI certificates from different vendors are generally equivalent, agencies have many options to consider before choosing a provider. Agencies might be looking for a supplier of smart cards. They may need hardware, such as card readers, or software, such as personnel tracking systems, to work with PKI.Consulting services can help integrate PKI with existing systems. Indeed, combinations of consultants with different expertise could be necessary to implement different agency applications and services. Technical support and maintenance services are always important considerations.Because PKI is associated with secure and possibly vital agency applications, it's important to determine the disaster-recovery features that different vendors offer. Bulletproof PKI applications are not going to help you if the certificate authority goes down. You might also prefer vendors that are geographically close to you or, alternatively, far away from you. The former might be a benefit if you need assistance. The latter might help ensure survivability if there's a regionaldisaster.'Management has to organize itself and lead,' said Dr. Peter Alterman, assistant chief information officer for electronic authentication at the National Institutes of Health. Alterman is chairman of the Organization for the Advancement of Structured Information Standards' Federal PKI Policy Authority and a member of the OASIS IDtrust Steering Committee. As with any new implementation, there will be resistance to change.In addition, although a PKI digital certificate might just be numbers, the infrastructure itself ' hardware, software, services ' is not cheap. 'The actual PKI technology is trivial compared to the budget and management issues,' Alterman said.An agency also needs to decide who will be administering the PKI system ' the agency itself or an outside entity. 'IT needs to ask whether they really want to take on the physical security responsibility,' Alterman said. This could involve coordinating information technology, human resources and building security to a greater extent than usual. The trade-off is better security for greater responsibility. Shifting responsibility for physical security to another entity could simplify management ' or not ' but might also affect overall security.From what we've covered so far, implementing PKI probably seems like manageable drudgery. However, PKI is a powerful and exciting technology that can enable some attractive and useful agency applications.'PKI is like an electrical outlet,' said Vijay Takanti, vice president of security services at Exostar. 'Once you have it, you can plug all kinds of apps into it.' Put another way: Because you're going to implement PKI anyway, why not take advantage of your investment to get everything you can out of it?For example, there are many state and local agencies that federal agencies have to work with on an ongoing basis or in an emergency situation. The Homeland Security Department might partner with state and local law enforcement; federal health agencies could exchange information with hospitals or public health authorities; money might flow between federal, state and local agencies. It would be convenient to be able to identify trusted people, exchange confidential information and allow secure transactions. Unfortunately, state and local agencies can't use shared-service providers. So even though these groups have to work together, they can't use the same PKI system.However, they can still use PKI to solve their problems. Providers such as CertiPath offer bridge services for just this purpose. If you want the Antelopes to recognize members of the Benevolent Lodge of Beavers, you come up with a new secret handshake both groups know. Then Antelopes and Beavers can work on their joint projects without interfering with Antelope-only or Beaver-only business.CertiPath, jointly owned by ARINC, Exostar and SITA, cross-certifies entities to a common standard, while CertiPath is directly cross-certified with the Federal Bridge Certificate Authority.Interagency cooperation is just one bonus of PKI technology. 'Agencies need to consider making changes to their ways of doing business,' Alterman said. In particular, agencies need to think about ways to re-engineer their business processes to take advantage of PKI. Prime candidates for PKI include:PKI's potential in securing e-mail is one use agencies find attractive. The Defense Department and the United Kingdom's Ministry of Defence already have such systems. PKI certificates encrypt e-mail on the sending end and decrypt it on the receiving end. The process is transparent to users and makes for a new level of secure communications.Encryption is an obvious application of PKI, but not enough agencies appreciate what PKI-encrypted files can accomplish. An encrypted file is not only unreadable by outsiders but also essentially stamped as belonging to your agency. Establishing such ownership credentials is valuable.Digitally signing a file is similar but doesn't involve encryption. A digitally signed file ensures that its ownership is incontestable. The file is also tamper-resistant: People can read it but not alter it. This is very important for agencies that need to circulate agreements or other documents they don't want marred by deliberate or inadvertent changes.As these examples show, agencies need to approach PKI applications as a two-step process. First, they must identify the PKI-based applications that interest them. Then they need to figure out the integration implications for each of these applications.It's possible, for example, that the agency applications of interest only run on a particular operating system. The agency must ensure that the corresponding PKI software will run on the same operating system. Most PKI providers support Windows and other operating systems, including Novell NetWare, Linux and Mac OS. Some operating systems support PKI themselves.Finally, because each agency probably has its own PKI solution provider, interoperability between providers is important. This is simplest if the providers use nonproprietary technology. Some engineering of the infrastructure may be required for applications and PKI to interoperate well.PKI-based agency applications will attract users and grow larger and more popular. That's why you want to ensure that PKI solutions scale well. If you anticipate deploying solutions at multiple locations, make sure the product can handle that.Although most agencies will begin by using SSP or managed services, at some point many will want to spread their wings and fly under their own power. In the PKI world, that means becoming a certificate authority themselves, with the ability to create, distribute and manage certificates. Ideally, providers should have programs to transition agencies from managed services to in-house responsibility.The next iteration of PKI is called a public-key environment. For example, if an operating system and several software applications all offer PKI-compatible capabilities already, you have a PKE. It's far simpler adding new PKI-based agency applications within such an environment because so much support is available.Many software vendors are quietly adding PKI support to their products. They know that PKI is only going to get bigger.