David Litwack
For businesses to embrace open systems such as the Internet as a means of conducting commercial transactions, methods of ensuring security must be more fully developed. This chapter proposes ways of confirming sender and recipient identities, protecting confidentiality, and date and time stamping in an effort to develop a trusted network infrastructure for electronic commerce.
The use of internetworking applications for electronic commerce has been limited by issues of security and trust and by the lack of universality of products and services supporting robust and trustworthy electronic commerce services. Specific service attributes must be addressed to overcome the hesitation of users and business owners to exploit open systems such as the Internet for commercial exchanges. These service attributes include:
To support these service attributes, an organization or entity would need to provide:
These service attributes could be offered singly or in various combinations. The service attribute provider would have to be recognized as a certificate and postmark authority. The following sections describe how a service attribute provider should work.
Although public key encryption technology provides confidentiality and confirmation of identity, a true trusted infrastructure requires that a trusted authority certify a person or organization as the owner of the key pair. Certificates are special data structures used to register and protectively encapsulate users' public keys and prevent their forgery. A certificate contains the name of a user and that user's public key. An electronic certificate binds the identity of the person or organization to the key pair.
Certificates also contain the name of the issuer, a certificate authority (CA) that vouches that the public key in a certificate belongs to the named user. This data, along with a time interval specifying the certificate's validity, is cryptographically signed by the issuer using the issuer's private key. The subject and issuer names in certificates are distinguished names (DNs), as defined in the International Telecommunications Union-Telecommunications Standards Sector (ITU-TSS) recommendation X.500 directory services. Such certificates are also called X.509 certificates after the ITU-TSS recommendation in which they were defined.
The key certificate acts like a kind of electronic identity card. When a recipient uses a sender's public key to authenticate the sender's signature (or when the originator uses the recipient's PKS to encrypt a message or document), the recipient wants to be sure that the sender is who he or she claims to be. The certificate provides that assurance.
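The following Python sketch is an added example, not part of the original chapter: it models the certificate fields described above (subject name, public key, issuer name, validity interval, issuer signature) and the checks a recipient would run before trusting the key. The JSON layout, the names, and the toy RSA keys built from small Mersenne primes are assumptions for illustration; real X.509 certificates use ASN.1 encoding, padded signatures, and much larger keys.

```python
import hashlib
import json

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    # Textbook RSA from two known Mersenne primes: far too small for real use.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def tbs_digest(cert, n):
    # Hash every certified field, i.e. everything except the signature itself.
    body = {k: v for k, v in cert.items() if k != "signature"}
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def issue(ca_name, ca_key, subject, subject_n, not_before, not_after):
    # The CA binds subject name and public key, then signs with its private key.
    cert = {"subject": subject, "issuer": ca_name, "public_key_n": subject_n,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = pow(tbs_digest(cert, ca_key["n"]), ca_key["d"], ca_key["n"])
    return cert

def verify(cert, ca_name, ca_n, today):
    # Relying-party checks: trusted issuer, validity interval, issuer signature.
    if cert["issuer"] != ca_name:
        return "unknown issuer"
    if not cert["not_before"] <= today <= cert["not_after"]:  # ISO dates sort as text
        return "outside validity interval"
    if pow(cert["signature"], E, ca_n) != tbs_digest(cert, ca_n):
        return "bad signature"
    return "ok"

# Constructed sample data (hypothetical names and keys).
CA_NAME = "CN=Example CA,O=Example Authority,C=US"
CA_KEY = make_key(2**89 - 1, 2**127 - 1)
ALICE_N = (2**61 - 1) * (2**107 - 1)
CERT = issue(CA_NAME, CA_KEY, "CN=Alice,O=Example Corp,C=US", ALICE_N,
             "2024-01-01", "2024-12-31")

if __name__ == "__main__":
    print(verify(CERT, CA_NAME, CA_KEY["n"], "2024-06-01"))
    swapped = dict(CERT, public_key_n=ALICE_N + 2)  # substituted key
    print(verify(swapped, CA_NAME, CA_KEY["n"], "2024-06-01"))
    print(verify(CERT, CA_NAME, CA_KEY["n"], "2025-06-01"))
```

Because the signature covers the name and the key together, changing either one after issuance invalidates the certificate, which is the binding the text describes.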
Exhibit 1. The Registration Process.
A certificate could be tied to one individual or represent an organizational authority that in turn represents the entire organization. Also, certificates could represent various levels of assurance, from those dispensed by a machine to those registered with a personally signed application. Additional assurance could be provided by the personal presentation of a signed application along with proof of identity or by the verification of a biometric test (e.g., fingerprint or retina scan) for each use of the private key.
Exhibit 1 shows a possible scenario for obtaining a certificate. The registration process might work as follows:
Exhibit 2 illustrates how a digital signature ensures the identity of the message originator. It shows how a message recipient would use an originator's digital signature to authenticate that originator.
On the Web, authentication could work as follows:
With this service, the authentication authority could either attach an authentication message verifying the digital signature's authenticity to the originator's message or provide that authentication to the recipient via a publicly accessible database. Upon receipt, the recipient would either acknowledge the originator's authenticity via the attached authentication message or access the public key and certificate from the publicly accessible database to read the signature.
To provide such levels of assurance, the certification authority must establish proofing stations where individuals and organizations can present themselves with appropriate identification and apply for certificates. The authority must also maintain or be part of a legal framework of protection and be in a position to mount an enforcement process to protect customers against fraud.