E-commerce security: An identity crisis

To meet the burgeoning security demands associated with agency electronic-commerce efforts, industry has begun to offer comprehensive software and hardware solutions that provide a vital function: the ability to establish or "authenticate" the identity of users involved in electronic transactions.

The problem that always has plagued e-commerce efforts in both the commercial and federal arenas is devising a way to provide the equivalent of a handwritten signature in paper-based transactions. Without such authentication, electronic transactions may not be legally binding.

There are three methods of providing e-commerce authentication: passwords and personal identification numbers, hardware tokens and the digital certificates within a public-key infrastructure (PKI).

Although government agencies still use passwords and PINs widely, most people realize that such methods are not very secure because passwords and PINs can easily be forgotten, stolen or guessed. Hardware tokens are devices that plug into a computer and generate a new user password every few minutes. Those devices are considered highly secure, but only a handful of companies manufacture them. And because they are based on proprietary technology, tokens from different vendors cannot be used interchangeably.

Digital certificates—used either in software or on a smart card—are receiving the most attention from federal agencies as a secure method of ensuring users' identities. A digital certificate is an electronic document that, issued as part of a digital transaction, serves as a signature and a binding confirmation that users are who they say they are and therefore can sign off on a transaction.

The PKI Revolution

Digital certificates are the core of PKI, a framework of technology and policies increasingly being used to secure electronic transactions. Though many companies in the past have tackled the market by offering only single pieces of the technology and services needed for secure e-commerce, many now are offering fully integrated, managed PKI products.

The Commerce Department's National Technical Information Service has partnered with Electronic Data Systems Corp. to provide end-to-end PKI services and products to other government agencies. NTIS is finalizing negotiations with four Cabinet-level agencies to provide those offerings, according to Sharon Grandle, NTIS program manager.

One of the agencies NTIS is talking to about PKI is the Federal Emergency Management Agency, which is searching for a way to authenticate the identity of employees communicating electronically from the field.

"In the event of a terrorist activity or a natural disaster, they would need to know that the guy sitting in the middle of the hurricane is who he says he is," Grandle said. "In the secure world, one guy is sitting out in the middle of the ocean...exchanging classified information. You want to ensure the security of that communication."

NTIS will provide PKI-enabled application development, World Wide Web hosting and program management, while EDS will provide a variety of PKI services, including issuing the certificates.

"If anyone is going out to purchase PKI, they can't just go out and purchase certificates," Grandle said. "There's got to be a way that it's integrated correctly...to guarantee the security. [Because of the technical complexity], a fully managed PKI...is the best route to go for government agencies."

GTE CyberTrust, Needham Heights, Mass., also has developed a comprehensive line of products and services designed to secure business-to-business transactions for government users. The company's offerings support both software-based certificates and smart cards that contain the certificates.

"There's a large market for software authentication using browsers," said Patricia Edfors, CyberTrust's director of government operations. "In a higher-assurance market...we do see the use of smart cards starting to increase. That token is a wonderful mechanism to provide that extra level of security."

Intelink, an intelligence system administered by the National Security Agency, is using GTE's CyberTrust Global Offering, which allows an agency to distribute certificates itself instead of using a third party. The product allows intelligence analysts from around the world to securely access data on the system over a network, using a certificate to authenticate themselves.

In addition, the Defense Intelligence Agency distributes certificates to agency users to be authenticated before they can access an intelligence-threat system, Edfors said.

The Energy Department's Lawrence Livermore National Laboratory is maneuvering to use PKI by examining how it can be best integrated into existing services, said Frank Ploof, PKI project leader at the laboratory.

Since 1995, the laboratory has been using certificates to authenticate internal employees signing and sending electronic forms. Now the laboratory is beginning to use the technology for securing e-mail.

Complex Solutions

"PKI is fairly complex technology," Ploof said. "You need to have people that understand the technology and what it can be used for. You need to understand how PKI can be a service and how it integrates into services you already have. [For example], we have log-on IDs for software applications.... How can we use PKI for users to authenticate themselves [with these types of applications]?"

Entrust Technologies Inc., which has garnered several federal government customers including NASA, the Agriculture Department and the Energy Department, also is offering a fully managed PKI product that provides encryption, authentication and certificate management.

"We look at it from an application point of view," said Gary Moore, Entrust's federal technical adviser. "What [government agencies] are asking vendors...is, 'How do we implement a business infrastructure such that our customers...have an easy way of communicating electronically with the government?' "

For example, NASA is piloting an application so scientists can file grant applications via the Internet using a digital certificate to provide the space agency authentication of their identity. "In its paper-based form, they were taking upwards of 16 months to go through that cycle," Moore said. "They were taking longer to spend the money than their fiscal year allowed."

The electronic method cut the time to process the grant applications to seven months. In addition to this pilot, NASA is using Entrust's solution to launch an agencywide PKI, which it will begin to roll out in December.

The agency will use the technology for secure e-mail, secure Web access and as part of an overhaul of its entire financial management system, said Scott Santiago, chief information officer of NASA's Ames Research Center.

"What we're really going for is a common infrastructure that could be used for more than just a single application," Santiago said. "It's a way of getting a fairly wide-ranging solution for numerous problems...rather than a single focused solution that deals with only one aspect of the security. PKI is not something you can do on a project-by-project basis."

Although many companies have sprouted to offer integrated PKI product solutions, other companies, such as Digital Signature Trust Co., do not sell digital certificate products but provide outsourced management services, such as setting and maintaining policies that address who may receive digital certificates and what credentials must be provided before receiving them.

Keren Cummins, vice president of government services at the Salt Lake City-based company, said its focus is ensuring that citizens who are issued certificates to communicate with the government can use those certificates for numerous transactions. To provide those multipurpose certificates, the company is working with banks to verify users' identities and issue certificates.

"If banks will issue certificates to their customers...then you can issue a certificate at a sufficiently high level of authentication," Cummins said. "Banks already have a relationship with customers; it's not a transient relationship. It's fairly easy to spoof [assume the identity of] someone else in a transient relationship."

Lance Travis, services director at AMR Research Inc., Boston, noted that software digital certificates provide much stronger security than using passwords and PINs for authentication, but they are stored on users' hard drives and therefore are inherently vulnerable.

"It means I can only be me when I'm using my computer," Travis said. "If I go out to lunch and forget to log off, then you can be me."

Pick a Card

Security lapses, however, can be avoided by using a smart card with a digital certificate embedded in it for authentication. Though many agencies have shied away from this solution because of the additional cost of having to purchase a smart card reader, a Defense Department requirement is jump-starting the smart card-based PKI market.

DOD has required that all mission-critical systems operating via unencrypted networks must use certificates with a token by June 2000, said Bob Sturm, vice president of business development for EPI, a Reston, Va.-based company that offers procurement software solutions.

EPI, Entrust and NDS Americas Inc. in June announced eFed, which is a smart-card-based PKI solution designed to authenticate buyers and sellers in government procurements. Government buyers can insert a smart card that contains a certificate into a card reader and use the certificate to be authenticated to purchase from various governmentwide acquisition contract catalogues that eFed has loaded into its system.

The cards can be programmed so that after a certain amount of inactivity at a workstation has occurred, such as if a buyer takes a coffee break, the user must revalidate his identity.

"The certificate is portable," Sturm said. "It's just like having a passport to do things in procurement wherever you are."

Although government agencies are looking at the use of digital certificates in both hardware and software to secure e-commerce transactions, future use of the technology may include authenticating users by scanning their eyes or fingers.

In a public-key scenario, passwords and PINs are used to unlock the digital certificate stored on a user's computer. However, a smart card containing a biometric identifier, such as a fingerprint, could provide much stronger user authentication, said Richard Guida, champion for security issues at the Government Information Technology Services Board.

In addition, AMR's Travis noted that more advanced authentication solutions will not only validate a person's identity but map that identity into specific security policies detailing a person's access privileges within a network.

-- Harreld is a free-lance writer based in Cary, N.C.

***

At a Glance

Status

Industry vendors are developing tools to fill a critical gap in electronic commerce: authenticating the identities of parties involved in a digital transaction.

Issues

Digital certificates have emerged as one of the best options. But the certificates usually are generated as part of a public-key infrastructure, which is a complex undertaking.

Outlook

Very good. The number of federal agency pilots, like the number of available digital certificate solutions, is on the rise. Once mastered, digital certificates are expected to provide the most viable option for securing e-commerce transactions.
