Security

How it works

The demand for public key infrastructure security is creating a new marketplace for vendors who sell these products. Here's what every CIO needs to know when shopping for PKI.


If you’ve bought something online, chances are that you have plugged into a public key infrastructure (PKI).

And it was probably so simple and transparent that you never knew it. That’s because someone else handled all of the hassles of creating the public-private key pairs, issuing certificates, and guarding the systems that manage the process. (See the sidebar to the right on “How it works.”)

If you are a CIO whose board has just decided to implement a corporate PKI system, however, you are going to have to wrestle with some of these issues yourself.
This is the first of a two part series on PKI. In this article, we’ll look at the technology and the market for PKI vendors. In part two, we’ll discuss the history of the technology and why the critics said it wouldn’t work.
The suppliers
It’s easy when you buy books and CDs online because your Web browser comes stocked with a number of certificates from PKI vendors such as VeriSign and CyberTrust. This makes it simple to do business with a Web site such as Amazon.com or the newly launched Web boutique, Violet.com, because both of these have hired VeriSign to take care of their PKI worries.

VeriSign is, in fact, the primary supplier of Secure Socket Layer (SSL) encryption.

“Most commerce sites use SSL encryption,” says Abner Germanow, analyst with International Data Corp. in Framingham, MA. “VeriSign is actually running a very-large-scale PKI. It means that commerce sites such as Amazon.com and Violet.com don’t need to buy a PKI; they just need to buy the certificate.”

But Germanow says that, while this works well for commerce sites, many companies want more control over their security systems.

“The biggest growth area in PKI will come from customers who need to do some subset of the following three things:
  1. Use certificates to authenticate users
  2. Create secure communication channels
  3. Sign content in a way that guarantees non-repudiation.”

The CIO charged with building such a system will almost certainly go to a PKI vendor. “The leading vendors in this space,” says Germanow, “are VeriSign, Entrust, Baltimore Technologies, and Xcert.”

An expanding market
In order to meet this demand (Germanow predicts the PKI market will reach $1.3 billion by 2003), these vendors are busy retooling their businesses.

VeriSign, for example, has recently launched OnSite, a product aimed at customers who want to build their own PKI systems.

“Originally VeriSign only offered a branded service as a certificate authority,” said Bob Pratt, OnSite product manager for VeriSign, “but OnSite is for customers who want more control over their PKI operations.”

London-based Baltimore Technologies came at the PKI market from the other direction. “Initially we sold PKI software and tools,” said Steve Kruse, chief evangelist for Baltimore. “We have recently announced our intention to buy CyberTrust, a subsidiary of GTE. This will allow us to compete more directly with VeriSign.”

CyberTrust, like VeriSign, got into the PKI space as a certificate authority. In other words, CyberTrust certificates are embedded in most Web browsers. So with VeriSign’s launch of OnSite, and Baltimore’s acquisition of CyberTrust, the two firms will be going head-to-head.

More choices
Dennis Szerszen, analyst with the Hurwitz Group in Framingham, MA, said all the PKI vendors are getting more competitive. “Baltimore and Entrust initially offered toolkits that allow you to do it [PKI] yourself,” says Szerszen. “But now those firms are getting into the certificate authority space to compete with VeriSign, and VeriSign, in turn, is starting to offer more in the way of PKI tools and services.”

It all means more choices for the CIO at the helm—a good thing, provided he or she keeps some basic issues in mind.

“The number one issue,” said Germanow, “is that PKI for the sake of PKI is worthless. Make sure you know which applications you want to secure. Supply chain transactions, for example, are very valuable, and it makes sense to want a PKI to support them.”

Germanow also said it is important to build your PKI platform with scalability and flexibility in mind. “Don’t get locked into a certain scale or set of standards. Try to make sure that your PKI products are modular.”

Baltimore’s Kruse also has some advice for those who would dare to tackle PKI: “Don’t get too bogged down in the encryption technology itself. Yes, there is some fairly sophisticated mathematics behind it, but those algorithms are becoming commodities. The real issue is how you build and manage the infrastructure.”
“It is easy to use public key encryption as a consumer with a Web browser,” said Dennis Szerszen, analyst with the Hurwitz Group in Framingham, MA. “Anyone who has bought a book or CD from Amazon has done this.”Here is how it works:You already have a number of public keys embedded in your Web browser. These come from certificate authorities (CAs) such as VeriSign and Amazon’s CA.You log into Amazon’s Web site. Amazon then sends your browser a certificate. Your browser decrypts this with the VeriSign public key. This authenticates Amazon for you, since the certificate was encrypted with the private key counterpart to your public key. VeriSign, as the CA here, is the authority that verifies Amazon is indeed Amazon. So now you have used a public-private key pair from VeriSign for authentication.One of the things the certificate from Amazon contains is Amazon’s public key. So now you also have Amazon’s public key along with your VeriSign key. If you buy from Amazon, your credit card number is encrypted with Amazon’s public key. This means only Amazon can decrypt your card number, since only Amazon has the corresponding private key. You have now used this second public-private key pair for confidentiality, to ensure that no one else gets your credit card number.It is all done under the covers, but without such a system you would not know for sure that, just because a Web site looks like Amazon, it actually is Amazon. And, furthermore, if your credit card number fell into the wrong hands, you would have even bigger problems than site identification.

Mark Leon, originally from Austin, TX, now lives in San Rafael, CA, where he writes about business, technology, and science. He has also published three science fiction novels with Avon books.

Do you have plans to implement PKI in your company? Would you like to read more about this technology? Click here and let us know.

Editor's Picks

Free Newsletters, In your Inbox