In-Depth

The Security Behind Secure Extranets

• 12/01/1999

E-strategy is the method in which a company leverages Internet technology to increase shareholder value. No longer a separate element of business strategy, e-strategy infuses all strategy with new possibilities. Internet and extranet technologies allow firms to form closer links with business partners -- saving time, cutting costs, and generating new revenues.

Despite all its promise, Web technology presents serious security issues. In many cases, companies have chosen not to implement powerful online applications because of the perceived risk to sensitive information. The secure extranet changes all that by allowing companies to develop stronger relationships with their business partners and replicate best practices of the physical world, without jeopardizing the integrity or confidentiality of valuable proprietary information. Secure extranets redefine security from a defensive measure to a strategic, offensive move that companies can make to truly enable their businesses online.

At the heart of secure extranets is the digital certificate. A digital certificate is an electronic credential, like a passport, that welcomes business partners into territory defined by the certificate issuer and based on business privileges and existing relationships. Digital certificates give companies the power to define highly personalized user access, bind contracts through the use of digital signatures, mark extranet activities with a digital audit trail, and prevent "backing out" of transactions through support for non-repudiation.

Developed using public key technology, certificate-based authentication schemes are many times more secure than regular PIN/password systems. These highly secure systems are based on mathematical algorithms that would take even the most sophisticated computers and hackers years to break. The infrastructure established to support these systems is referred to as a public key infrastructure, or PKI.

This article covers the basic security principles that a secure extranet supports and, at a high level, explains how a PKI is set up and operated. It serves as a primer for companies and organizations exploring secure extranets and the technologies behind them.

To do real business online -- everything from linking vendors up and down the supply chain to sharing sensitive product specifications globally — there must be an infrastructure in place to mirror the time-honored ethic of trust.

This infrastructure must address the following issues:

Privacy -- In a network-based transaction, there must be reasonable assurances that information exchanged remains private between the sender and the receiver.

Authentication -- On the Internet, everyone can be anonymous. In order to engage in a business transaction, each party must be able to prove the other's identity.

Integrity -- Once a party signs a transaction, it must be protected from tampering or forgery. The integrity of a transaction is particularly important in sales where prices, terms and quantities are agreed upon as part of the deal.

Non-repudiation -- After a transaction has been made, it cannot be revoked. Neither party involved in the transaction can deny their role in the exchange. This provision makes it impossible for either party to make false claims about the offer.

In virtually all industries, the everyday exchange of goods, funds, or documents involves a corresponding exposure of private, confidential information. Any security breach could have serious consequences. These lapses in security must be averted at all costs, and the best way to ensure a transaction's privacy, authentication, integrity and non-repudiation is through a certificate-based secure extranet. In addition to supporting these basic security features, certificate-based secure extranets give companies the power to define highly personalized user access, bind transactions and create digital audit trails.

For example, a secure extranet would allow a supplier to download orders for the next day, while restricting that same supplier from seeing information relevant to any other supplier or business function. Likewise, a software company could use its secure extranet to speed the testing of a new release. Reviewers would submit ideas and respond to online questions about the new software, but competitors would not see and could not intercept any of this interaction.

Until today, PINs and passwords have been used to provide access to corporate networks, but these methods do not offer the strong proof of identity, data confidentiality or data integrity needed to conduct high-value commerce online. Nor do they provide an audit trail of user activities or other functionalities that mirror best-practice business processes of the physical world. Password/PIN provides a lower level of security, which may be adequate if the business being transacted is of low value, like buying a book, a CD, or even a plane ticket. But it is not adequate for high-value, business-to-business transactions. Also, it is a risky technology when securing highly personal information, such as medical or financial records.

What makes an extranet truly secure and unique is a set of technologies and strategic processes that address the shortcomings of today's extranet implementations. The digital certificate -- a passport to the extranet -- is installed in the browser or on a smart card and authenticates the certificate holder. It extends extranet access and authority to users based on their roles and business privileges, while ensuring confidentiality and integrity of the data users send, receive and access.

These secure systems are also more manageable than PIN/password extra-nets. Users no longer need to keep, recall and refresh sign-ons for each application or access. Enterprises no longer need to store and manage vulnerable PIN/password databases. Secure extranets provide a single sign-on containing all of the access and privilege information that defines the user's role, responsibilities and relationships to the business process. The certificate and the policies behind it, which managers can reconfigure as roles change, govern this sign-on. Digital certificates also make it possible for network managers to know who is doing business on the network and what they are doing, because certificates track user activity through a digital audit trail.

Digital certificates also enable companies to digitally sign documents, such as contracts. The value of such information is obvious when a company makes the purchase orders, payment systems and other highly sensitive information available to suppliers. Partners enjoy the benefits of doing business efficiently, while all parties enjoy the security that partners cannot refute or repudiate their role in making the contract. As Internet technology breaks down barriers among businesses, secure extranets foster the trust needed to enter into mission-critical partnerships and cement high-value deals online. The basis for this trust lies in a set of underlying technologies, relationships and policies referred to as a public key infrastructure, or PKI.

PKI, based on software and encryption technology, has been created to secure transactions over the Internet. PKI technology goes to great lengths to ensure that transactions are secured from the beginning to the end. This technology is the de facto standard to ensure safe business-to-business and business-to-consumer transactions using tools, such as certificate authorities, digital certificates and directories to create an enterprisewide security network.

The foundation of PKI is public key cryptography, an encryption method that uses a two-part key (code) that consists of a public and a private component. Messages are sent encrypted with a public key and then read by the recipients with their own private key. A public key is an encrypted code that is accessible to an established group, such as a company and its partners. A private key is also an encoded number set, but this key is only accessible to one person. When the right private key is used along with the corresponding public key, a message is unscrambled, thus enabling transactions.

Businesses can use public key encryption to protect the privacy of the information exchanged in an electronic transaction. For example, when placing an order for pharmaceuticals over the Web, the hospital buyer can use a copy of the pharmaceutical company's public key to encrypt the order. When the company receives the order, the information can be decrypted using the corresponding private key. As long as the pharmaceutical company keeps its private key secure, the encrypted information will remain safe.

A trusted party, known as a Certification Authority (CA), issues digital certificates and verifies the identity of the certificate holder. The CA can be compared to any organization that issues legal documents, such as the Department of Motor Vehicles, the Passport Bureau or a Public Administration agency. A digital certificate typically includes identifying information about its holder (such as name, address and affiliation), a public key, a validity period, a unique serial number and identifying information about the CA. The basis for trust in any security system is the Certification Authority, how well it performs its functions, and the degree that using parties accept certificates issued by the Certification Authority.

The trustworthiness of the CA and the viability of a CA solution are based on the following criteria:

The services provided by the Certification Authority could actually be performed by two entities, the CA and the Registration Authority (RA). Organizations have multiple options in how to deploy these services, depending on their organizational and geographic distribution, roles and responsibilities in the organization, and their particular security requirements.

Care must be taken in developing an RA solution because the RA performs the critical functions of authorization for certificate issuance and certificate revocation. An RA solution depends on many factors, including, but not limited to, who in the enterprise is authorized to permit access to resources, the level of automation required, where authorization information is stored, and what enterprise, industry and/or national security regulations are imposed on the overall system. The key is to implement a PKI that provides scalable and flexible alternatives for provisioning RA services. The following list provides an example of flexible RA services.

Web browser-based RAs. An authorized registration authority reviews and approves certificate requests, and revokes certificates from a Web browser. Ideal for organizations that require human interaction to approve certificates.

Database of pre-authorized users. In this model an organization supplies a database of users and a "shared secret" (i.e., information only the organization and individual users know). When they request a certificate from a browser, users provide this "shared secret," which is verified against the existing database. This allows real-time certification, generally without human intervention.

Automated authorization. Users request a certificate via a strongly authenticated secure electronic connection. Best suited for organizations with a significant database of end users. Similar to database of pre-authorized users, but the database of users is kept locally. A secure link is provided from the CA to your facility, then the database is able to manage certificate issuance and revocation.

Organizational RA (ORA). All certificate requests are routed to the RA, which forwards approved requests to the CA via a secure electronic connection. Allows complete internal control of approvals without sharing authorization information with the CA.

Custom RA solutions. The enterprise maintains complete control of the interfaces with the customer. A preferred solution in requesting certificates for specialized equipment or client applications.

Once the basic processes and components of a secure extranet solution are understood, a company must decide on a CA. Among the key factors in choosing a CA is the quality of its security architecture, including operational procedures.

A company must make sure that the CA they choose is committed to providing a secure environment for the key storage and generation facilities. In addition, the verification methods used to authenticate identities are important.

It is also important to choose a CA that has experience in managing security in a wide range of settings. The flexibility to support different user needs, including multiple certificate types and multiple authorization methods is also important. The scalability to respond to increased demands without major redesigns or service interruptions is essential in the smooth transition to a secure extranet.

These days, any organization not having an e-strategy based on sound security principles, including those found in a secure extranet, is falling behind and risking the health of the business.

About the Author:

Paul Paget is Vice President of Marketing at CyberTrust. He can be reached at paul.paget@cybertrust.gte.com.