PKI REQUIREMENTS FOR PAKISTAN
By Dr. Syed Irfan Hyder
July 30 - Aug 05, 2001
This article briefly describes the role of public
key infrastructure, certification authorities and public and private
key encryption in dealing with security issues of electronic
transactions, especially in the business environment of Pakistan.
Traditionally, systems have used symmetric key
encryption, i.e. the use of a single key for both encryption and
decryption, to ensure privacy, authentication and integrity of
electronic messages. For example, when ATM machines are used with a
PIN and an ATM card for banking transactions or when a teller logs in
to the computer in a bank branch using password authentication,
symmetric encryption is employed.
There are certain attributes of these transactions
which are not present when a similar transaction is happening through
the Internet. (i) The employee or the customer was present in person
and was physically authenticated when the password or PIN was
issued by the bank. (ii) The employee or the customer is physically
reachable and could be asked for any authorisation or authentication
using other forms of identity. (iii) The machine and the place from
which the transaction is accessed are physically known to or
managed by the bank, or can be identified using caller line
identification. (iv) There is a well-controlled and manageable number
of clients or customers for specific transactions.
The presence of these four attributes provides security
and comfort to the bank and enables it to provide electronic services
even though there is no e-commerce legislation in the country.
Similarly, Central Depository Company (CDC) allows its members to make
share transactions electronically. Some banks have already given
computer terminals to their trusted corporate and preferred customers,
from which they routinely make bank transactions over leased
lines. Even Customs has started receiving shipping manifests on
diskettes and is conducting limited types of transactions with
preferred customers.
The aforementioned four attributes are typically
not present in Internet-based transactions. The Internet digitally
separates the clients from the bank. In many cases, it may not be
physically possible for the bank to authenticate the client, as for
instance when one opens a merchant account in some Internet bank in
the USA. The place and machine of transaction are neither managed by
nor known in advance to the bank. Anyone could potentially initiate
the transaction from anywhere or any machine.
It is in these conditions that the symmetric
key system, employing an identical key for encryption and decryption,
is no longer helpful. It also poses some problems. First, if the
secrecy of the key is compromised by any of the parties then the
system becomes open. The keys have to be changed periodically to avoid
this problem, and it is vital to keep the key secret. Second, if some
distance separates the parties who wish to exchange messages, there is
a need to transport the key from one party to another prior to any
message exchange. For key transportation some secure channel would
have to be used, other than the one that is used to communicate
encrypted messages; otherwise, the key itself will need to be
encrypted by another key, and this would regress infinitely. This
problem was overcome in the past by exchanging beforehand pads of
one-time-use-only keys, or by installing software manually at the two
ends, or by employing other similar methods. These methods work well
if the number of parties involved is not very large and the distance
separating the parties is manageable. However, in the case of a large
number of parties that may be widely separated, some trusted third
party provider of keys must be involved.
Asymmetric Keys
These problems are solved using asymmetric key
encryption, in which a pair of keys is generated for every individual.
One of these keys is made public and the other one is kept private. A
message encrypted by one of these two keys can only be decrypted by
the other key of the pair. If A wishes to send a message to B, he will
encrypt the message with B's public key. This will assure A that only
B will be able to read the message because only she has the other key
(private key) of the pair. This means that the key for locking the
message is different from the key used for unlocking. The public-key
algorithm has made the digital signature application possible. But the
authenticity of digital signatures (dignatures) depends upon the
confidence that the public key used in the dignature is indeed owned
by the "signatory". So to make dignatures worthwhile we need
a trusted third party to certify that the owners of the public keys
are who they claim to be. This certification can be carried out
electronically by issuing digital certificates.
Prerequisites for the use of Digital Signatures
Paper signatures usually have an intrinsic
association with a particular person because they are that person's
own handwriting. However, public-private key pairs used to create
digital signatures have no intrinsic association with anyone in
particular — they are nothing more than large numbers. When a
recipient obtains the public key for a digitally signed
communication, how can he or she verify that the public key actually
belongs to the purported sender? An impostor could have generated the
public-private key pair and entered that public key in a public
database under the purported sender's name.
The solution to this problem is to enlist a third
party, trusted by both the sender and recipient, to perform the tasks
necessary to associate a person or entity on one end of the
transaction with the key pair used to create the digital signature on
the other. Such a trusted third party is called a certification
authority.
Role of Certification Authorities
The trusted third party that issues these digital
certificates is known as a Certification Authority. A CA can be a
government agency or a commercial body. It is only a matter of trust.
An "electronic identity", issued by a CA, is proof that the
user is known by the CA. Before issuing a digital certificate, the CA
performs identity verification on the user or business entity. The CA
acts like a trusted electronic notary, telling everyone who the valid
users are and what their digital signatures should look like.
Therefore, through third-party trust, anyone trusting the CA can have
confidence in the user's identity.
Need for Cross-certification
Cross-certification is simply an extended form of
third-party trust. It is a process in which two CAs securely exchange
cryptographic keying information, so that each can effectively certify
the trustworthiness of the other's keys. From a technical perspective,
the process involves the creation of "cross certificates"
between two CAs. Therefore, users in one CA domain can implicitly
trust users in the other CA domain.
Since cross-certification extends third-party
trust, it is important that each CA domain, in addition to exchanging
cryptographic keying information, be completely comfortable with the
other domain's security policies and practices which it employs in
issuing certificates and in carrying out its operations.
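The impostor problem, CA certification and cross-certification described above, shown as an added example that is not part of the original article. It uses toy textbook RSA built from fixed Mersenne primes (insecure, for demonstration only); the names Bob, Eve, CA1 and CA2, the sample message and all helper functions are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1, 2**b-1 (insecure, demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, n, d):
    return pow(digest(data, n), d, n)
def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def issue(subject, subject_n, issuer):
    """A certificate: the issuer's signature over a name-to-key binding."""
    binding = f"{subject}|{subject_n}".encode()
    return {"subject": subject, "n": subject_n, "sig": sign(binding, *issuer)}

def check_message(msg, sig, sender, chain, anchor_n):
    """Walk the chain down from the verifier's own CA key, then check msg.
    Real X.509 validation also checks CA flags, validity dates and revocation."""
    n = anchor_n
    for cert in chain:
        binding = f"{cert['subject']}|{cert['n']}".encode()
        if not verify(binding, cert["sig"], n):
            return False
        n = cert["n"]
    return chain[-1]["subject"] == sender and verify(msg, sig, n)

def demo():
    ca1, ca2 = keypair(521, 607), keypair(1279, 2203)  # two CA domains
    bob, eve = keypair(107, 127), keypair(61, 89)      # eve is the impostor
    msg = b"Transfer PKR 50,000 to account 1234"       # constructed sample
    good, forged = sign(msg, *bob), sign(msg, *eve)
    cross = issue("CA2", ca2[0], ca1)       # CA1 cross-certifies CA2
    bob_cert = issue("Bob", bob[0], ca2)    # CA2 verified Bob's identity
    fake_cert = issue("Bob", eve[0], eve)   # impostor vouches for herself
    return {
        # An uncertified directory lists eve's key under the name "Bob".
        "bare_directory_accepts_forgery": verify(msg, forged, eve[0]),
        "own_domain": check_message(msg, good, "Bob", [bob_cert], ca2[0]),
        "cross_domain": check_message(msg, good, "Bob", [cross, bob_cert], ca1[0]),
        "no_cross_cert": check_message(msg, good, "Bob", [bob_cert], ca1[0]),
        "forged_cert": check_message(msg, forged, "Bob", [cross, fake_cert], ca1[0]),
        "forged_sig": check_message(msg, forged, "Bob", [cross, bob_cert], ca1[0]),
    }
```

Calling `demo()` shows that the forged signature passes only against the uncertified directory, and that a verifier anchored at CA1 accepts Bob's message only when the cross certificate for CA2 is in the chain.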
Need for Public Key Infrastructure
It is reasonable to expect that with growth in
e-commerce, the number of CAs will also grow, just like the number of
ISPs has grown. With multiple CAs operating there will be a need to
establish chains or hierarchies of CAs to achieve the goal of cross
certification and certification of CAs themselves.
This infrastructure which binds all CAs together is
known as a PKI or Public-Key Infrastructure. It is the whole system of
digital certificates, certificate servers and CAs. PKI manages the
generation and distribution of public/private key pairs, as well as
the certificates used to provide confidence in the validity of the
keys. Although in principle public keys are available to anyone, it is
important that their authenticity and ownership be verified by a PKI.
A PKI provides confidentiality, access control,
integrity, authentication and non-repudiation services for electronic
commerce transactions and for their supporting information technology
applications, and publishes the public key (along with the user's
identification) as "certificates" on open bulletin boards
(such as X.500 directories).
A Public Key Infrastructure (PKI) comprises a
number of services, which may or may not be provided by a single
organization. A PKI consists of the following: Certification
Authority, Registration Authority, Certificate Directories,
Certificate Revocation System, Management of Key Histories,
Timestamping and Root CAs. Other services may include: Key Backup and
Recovery System, Support for Non-Repudiation, Automatic Key Update,
and Cross-certification.
PKI is extremely beneficial where there is a large
number of partners who are unknown to each other or where the number
is so great that it is difficult to manage their relationships, as for
instance in e-Government correspondence among Federal Government,
Provincial Government and Local Government employees.
Need for Certification Authorities and PKI in
Pakistan
As seen from the above discussion, transactions on
the Internet require an elaborate public key infrastructure consisting
of legislation, certification authorities, repositories and
regulation. However, as argued in an earlier article, "B2B and/or
B2C Infrastructure", in Pakistan & Gulf Economist, March
12-15, 2001, the potential for primarily Internet-based transactions
with consumers that are complete strangers to business firms is very
slim. There are just not enough Internet-enabled "C" in
Pakistan and Internet-enabled "B" retailers to make B2C
transactions feasible in Pakistan.
What is feasible in Pakistan is electronic linkage
of established communities of trading partners and conversion of their
existing paper-based transactions into electronic form. This
automation effort is technically, economically and cost-wise
justifiable in our current state of economy. These well-known,
well-established communities exist in various industries and sectors.
For example, linkages of consumer goods manufacturers with their
established community of distributors can be justified on business
grounds. Similarly, linkages of oil companies with their dealers and
linkages of pharmaceuticals with their retailers are also justifiable.
Linking students' fee transactions done by parents with schools
is another case with business feasibility. Pakistan Customs has a list
of established authenticated traders known as Gold Customers. In total
there may be about 800 volume exporters and importers whose
authenticity and other credentials have been verified by Customs over
the years, who also contribute to more than 80% of the transactions,
and with whom Customs may be very interested in establishing
electronic linkages.
Transacting with these parties does not require a
national PKI but may require some trusted third party like a
value-added service provider. Similarly, when an oil company has to
link up with its dealer network, or where parents have to pay fees to
a school, or consumer goods manufacturers have to transact with their
distributors, then in each of these cases the parties are known to
each other and are physically accessible for purposes of verification,
registration and authentication. These transactions can easily happen
through trusted third-party value-added service providers, which are
popularly known as B2B (Business to Business) exchanges. In such cases
the trusted service provider performs many of the functions of the PKI
and in fact may also use some kind of restricted PKI service or
PKI-like security mechanisms.
For many of these communities of trading partners
an involved national public key infrastructure may be overkill
given our current level of development. It may be more feasible
initially to use the traditional systems for physical authentication
and password protection to enable e-commerce using proprietary,
leased-line or virtual private networks, further enhanced by hardware
authentication. Later, as confidence grows, as electronic
transactions become more widespread, and as banks shed their
apprehension, the time would be ripe to introduce public-key
infrastructure at a national scale. There would then be commercial
reasons for asking prominent service providers like VeriSign or
Baltimore to develop national PKIs.