Digital Certificates Take Hold in Ontario

Digital certificates are finding their niche in the e-business industry. Despite the U.S. government's disputes with other nations, and with companies inside its own borders, over encryption export policy, stronger encryption is inevitable.

The move toward stronger encryption took another step forward in December. The government of Ontario, Canada's largest province, announced it will issue digital certificates to all 11 million residents for accessing online government services.

Digital certificates provide what many industry experts believe is a necessary advance in electronic communications: authentication. A certificate is not itself a form of encryption; it is a signed statement from a certificate authority (CA) that binds a name to a public key, so that anyone who receives it can check whom a key belongs to. The encryption comes from the Public Key Infrastructure (PKI) behind the certificate, which works with a pair of keys. One key is public and is distributed freely: certificate holders publish it, inside their certificate, to the people or agencies that may want to reach them. The other key is private and never leaves the holder. In a typical high-level PKI the sender scrambles the message with a 128-bit symmetric key and then wraps that key with the recipient's 1,024-bit public key; without the matching private key the wrapped key, and therefore the message, is virtually impossible to recover. Once the data arrives, the recipient's privately held key unwraps the session key and decodes the message. The same pair works in reverse for authentication: a signature made with the private key can be checked by anyone holding the certificate.
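The following program, added here as an illustration and not part of the original article or of Entrust's product, walks through that exchange end to end using only the Go standard library. It stands in the article's 128-bit symmetric key with AES-128-GCM and its 1,024-bit public key with 2,048-bit RSA-OAEP (the specific algorithms, the CA name "Demo Provincial CA", the party "bob@example.invalid", the sample message and the function names newParty, sealEnvelope, openEnvelope and runDemo are all assumptions of this example). The sender refuses to encrypt to any certificate that does not chain to the CA it trusts, which is the authentication step the article describes, and only the holder of the matching private key can unwrap the session key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// must aborts the demo on any setup failure (key generation, certificate creation, randomness).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party is one participant: the private key only they hold, plus the certificate publishing the matching public key.
type Party struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// Envelope is what travels over the wire; neither part reveals the message without the recipient's private key.
type Envelope struct {
	WrappedKey []byte // 16-byte AES session key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-128-GCM output, authentication tag included
}

// newParty generates a key pair and has ca sign a certificate for it. With a
// nil ca the party is a self-signed root CA that vouches for itself.
func newParty(name string, ca *Party) *Party {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // the article's 1,024 bits has been deprecated since 2013
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // random and never zero
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
		IsCA:                  ca == nil,
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &Party{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// sealEnvelope is the sender side. It first authenticates the recipient (the
// certificate must chain to trustedCA, or nothing is encrypted), then encrypts
// plaintext under a fresh 128-bit AES-GCM key wrapped with RSA-OAEP to the certificate's public key.
func sealEnvelope(plaintext []byte, recipient, trustedCA *x509.Certificate) (*Envelope, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := recipient.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 16)
	must(io.ReadFull(rand.Reader, sessionKey))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(sessionKey))))
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient.PublicKey.(*rsa.PublicKey), sessionKey, nil))
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// openEnvelope is the recipient side: unwrap the session key with the private key, then decrypt. Any other key fails at OAEP.
func openEnvelope(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey) // rejects a wrapped key of the wrong length
	if err != nil {
		return nil, err
	}
	return must(cipher.NewGCM(block)).Open(nil, env.Nonce, env.Ciphertext, nil) // NewGCM cannot fail for AES
}

// runDemo: a constructed CA issues Bob a certificate, the sender seals a constructed message to it, Bob recovers it.
func runDemo() (string, error) {
	ca := newParty("Demo Provincial CA", nil)
	bob := newParty("bob@example.invalid", ca)
	env, err := sealEnvelope([]byte("constructed sample: 1998 property-tax filing"), bob.Cert, ca.Cert)
	if err != nil {
		return "", err
	}
	plaintext, err := openEnvelope(env, bob.Key)
	return string(plaintext), err
}
```

Two failure modes are worth trying against this code: a self-signed certificate that merely claims Bob's name is rejected by sealEnvelope because it does not chain to the trusted CA, and an envelope handed to any private key other than Bob's fails at the OAEP unwrap before a single byte of plaintext is produced.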

This technology could be useful with business-to-business e-commerce, says John Ryan, CEO of Entrust Technologies Ltd. (www.entrust.com), the company licensed to implement the Ontario system, as well as a 30-million-user system for all of Canada to be implemented in the future. He explains that businesses could issue each other digital certificates for use with their electronic transactions, eliminating some of the fears of corporate espionage or cracking.

Vic Wheatman, vice president of information security strategies at the GartnerGroup (www.gartner.com), says, "You want to make sure the companies you do business with are who they say they are."

One problem with digital certificates is that the private key that proves ownership of the certificate is stored on the desktop, so a user cannot simply sit down at another machine and use the PKI there. Adding smart card technology permits users to move between machines, because the credentials, private key included, travel on the card instead of residing on one desktop. At the higher end, security can be raised further by combining the card with fingerprint verification or voice-print identification.

Another problem with PKI is the administration it adds. "How public and private keys work is not an intuitive thing to understand," Wheatman explains. Aside from the technological complications, administering the system, which means issuing, renewing and revoking credentials for every user, would be similar to administering employee ID badges, a job typical systems administrators want no part of.

Other large vendors of digital certificates include VeriSign (www.verisign.com) and GTE Internetworking (www.bbn.com). Within the United States the technology can be used with unlimited key lengths, but encryption stronger than 64 bits (the length of the symmetric key that scrambles the data, not of the public key that wraps it) cannot be exported. Certain industries, however, such as banking and health care, have been granted exceptions. Wheatman says that's just as well: longer keys mean bigger performance hits, and there is minimal concern about intruders decoding data at 64 bits.

Entrust's Ryan says the real value of digital certificates is that businesses will feel safer putting all of their systems online. PKIs can secure e-mail, desktops, virtual private networks, Web servers and e-commerce applications. "People have very expensive operations that can move to the Web and save a lot of money," Ryan explains. "All of a sudden all you need is a computer with a browser."