In-Depth

Digital Certificates Get Pentagon, Regulatory Boost

Once they seemed doomed, but public key infrastructure is taking off, driven by e-commerce servers, Pentagon requirements, and government regulations.

In the early days of public key infrastructure (PKI), many companies opted for PKI software, then floundered over its administration. Add the dot-com crash, high levels of hype, and scalability issues, and PKI seemed doomed.

Over the last few years, however, use of PKI has quietly grown. Even if it’s not often referred to as PKI, digital certificate use abounds—for e-commerce servers, as part of a new Department of Defense (DoD) requirement for secure, internal e-mail. Also driving PDI adoption: the need to comply with regulations.

To talk about what’s driving use of digital certificates, Security Strategies spoke with Phil Libin, president of Corestreet, which makes real-time credentialing hardware and software.

What are some common uses of digital certificates today?

[Take] the DoD Common Access card, which is meant to be used for all physical [and] IT access. Other commercial organizations are doing similar things—big companies like Fidelity, Boeing, Microsoft, and lots of others who have employee badges used for a variety of things.

Probably the most common uses today … [are] single sign-on, secure e-mail, and document signing. Those are widely used now among our customers and others. For example, all e-mail within the DoD has to be digitally signed now; it has been for several months now. So if I’m at the DoD and want to send an e-mail out, I have to sign it. Then when I receive it, I can use something like Corestreet to make sure that I can [verify the certificate].

Are there immediate benefits from securing all employees’ e-mail?

Well, for example, this phishing thing is really not an issue in the DoD, because you can’t fake an e-mail in the DoD. So even though I don’t think the Defense Department anticipated spam and phishing attacks when they started this five years ago, … I think we’ll see wider adoption and emulation of what the Department of Defense and other government agencies [are doing] … they were really the guinea pigs for secure e-mail.

How does the DoD handle a conduit with the outside e-mail world?

Well … I’m not going to get a fake e-mail from the DoD—it’s going to be signed. For internal use, obviously any e-mail, if you’re sitting in the DoD, is going to have this security. Any e-mail you get from the outside world, if it’s not digitally signed, it’s just like any other mail. The DoD is such a special case, that so many of the e-mails you receive are from internal people … the critical stuff is all from DoD people.

How does a distributed organization such as DoD handle global certificate verifications?

Whenever you put up any system that has to connect to a server, you have to ask, "Where is that server, and what happens when it goes down, and if I add users, how far do they have to go to get to it?"

We have many options now for what the responder can be. The responder is just the computer that all clients have to connect to, to get the validations back. Before Corestreet, that had to be a very heavy-duty computer, sitting in a vault with private keys and [physical] security. It could cost a couple [of] hundred thousand dollars per year to run. We came out with … software you deploy on any computer in your network.

Akamai has our responders baked into their network, so if customers (say, the DoD) are using Akamai, you don’t have to put any responders up, they’re automatically up and around the world … and Akamai handles requests … The idea with Akamai is, no matter where you are in the world, you can validate your connection … and the response is milliseconds.

What are the requirements for physically securing a responder?

You put it wherever you want, and you don’t have to worry about physical tampering or someone trying to hack it, because the whole point of the responder architecture is that they don’t have any secrets, they don’t have any sensitive data … So the only thing you could do is break it, or physically smash it into pieces.

Before Corestreet, responders had secrets in them, so if anyone hacked into a responder, or if there was a bug or buffer overflow or something like that, they could make the whole system lie, sign messages with the keys, change users’ privileges, add users or remove them.

Beyond DoD, how else are digital certificates being used?

Digital certificates [are getting issued] to federal employees; there are supposed to be 40 million digital certificates by 2007, going to every federal employee and federal contractor. It’s just an extension of the program that the DoD has, so when you get there, any e-mail you get from them is guaranteed to be secure … At the same time, it’s not just e-mail, but also document signing … [for example] Adobe [Acrobat 6] has the capability for document signing [PDFs] now.

Does this represent a shift in thinking about PKI?

It used to be that CIOs in IT organizations would decide, based on technology, that we’ll go with PKI or not go with PKI. I think today they don’t care if it’s PKI or not, they’re just choosing functionality—they just want a system for single sign-on, or digital document signing.

What about PKI and all of the negative publicity a few years ago?

Partially the digital certificate space getting the bad publicity was a part of the dot-com crash, just because so many companies invested in the space and made hype … before any applications being available and … it lost a lot of money, so there was a bad taste in people’s mouths, that was absolutely true.

Today there are a lot more digital certificates out there than people know about. In January, there was a hiccup at VeriSign and they had a hard time getting digital certificates out for a day, and a lot [of things] didn’t start—people couldn’t start Microsoft office, get antivirus updates, e-mail, or go to Web sites… all this stuff was powered by PKI.

Are regulations driving use of digital certificates?

There are compliance issues, so there’s the positive pull of people wanting to do positive things that will make their lives easier. Then there’s the push, with regulations … specifying minimum policies and procedures that you have to do which is basically impossible without credentials.

For example, I was in Japan recently and … the recent security fad that has just caught on was … they call it information leaking. There have been a few recent high-profile cases of personal, confidential information being stolen and … ending up [public]… So there’s all this legislation out there now in Japan to force companies to protect this sensitive data, and Europe has already gone through this with the Basel II Accords, and the United States with HIPAA …

Interestingly, the regulations don’t tend to distinguish between physical breaches and IT breaches … The mandate doesn’t care whether someone kicked down a door and walked out with an insecure filing cabinet, or hacked into the network. It’s the same thing.

So organizations in regulated industries, and proactive companies, are helping drive certificate use?

I think there’s both of them. E-mail is a great example. People say, "We want to do secure, validated e-mail." … Public e-mail is on the edge of being useless, spam and phishing attacks have gone up dramatically. Companies can’t communicate with their customers—they can’t send an e-mail. If they send a letter, it’s probably going to end up in the shredder. Really this method of communication people have taken for granted could [fail].

How much of a driver has HIPAA been?

HIPAA came out years ago. The health care field said this will drive a lot of new technology investment, but … it’s been a lot slower than people predicted … [So] instead of building these [security] services from the beginning, [some organizations] are using these legal forms and paperwork [such as patient waivers in the event information gets stolen] and doubling down on insurance.

Can health care organizations shirk their HIPAA responsibilities by making patients sign the equivalent of end-user licensing agreements?

That’s kind of the definition of an unenforceable contract. You didn’t have a choice—they wouldn’t treat you unless you signed it first … plus no one reads it anyway. It hasn’t happened yet, but I predict in the next year or two [a security-related lawsuit] will happen in that space.

Related Articles:

Digital Certificates Secure Web Services, Mobile Communications
http://www.esj.com/security/article.asp?EditorialsID=1079

ASN Security Issues Run Deep, Forrester Warns
http://www.esj.com/security/article.asp?EditorialsID=894

Q&A: Securing the Door as Important as Securing the Data
http://www.esj.com/news/article.asp?EditorialsID=718

Must Read Articles