Digital Credentials Kick Off New Commerce Procedures

August 1999
By Maryann Lawlor
E-mail About the Author

Public key infrastructure unlocks the door to secure transactions on Internet avenues.

The company that created the secure sockets layer to manage network message transmission security, and today opens the Internet to tens of millions of people around the world, is now collaborating with the U.S. Defense Department to secure cyberspace communications and transactions.

Industry and government information technology experts agree that the World Wide Web’s wellspring of opportunities has yet to be tapped. However, they also concur that the potential of the Internet as a medium for command, communications and commerce is limited by the capability to assure authentication, validation and nonrepudiation.

Despite the relative immaturity of some technology developments, the Defense Information Systems Agency (DISA) recognizes the benefits of expanding secure connections. The agency is establishing policies and procedures while concurrently working with Netscape Communications Corporation, Mountain View, California, as well as other companies to begin the rollout of digital protection measures. The result is faster implementation of information assurance methods that will enable service members to electronically conduct business with confidence that the data cannot be compromised.

The introduction of public key infrastructure (PKI) and the auxiliary components squelches these apprehensions by allowing clients to encrypt and decrypt messages, verify a message sender’s identity, and distinctively document transactions. These capabilities will enable the Defense Department to aggressively pursue its goal of increasing the number of paperless transactions.

Public key cryptography involves issuing a private key and a public key to an individual. It provides encrypting and decrypting codes and authentication certificates. Only the owner holds the private key, while the public key resides in a directory that all parties can access. To transmit a confidential message, the sender uses the intended recipient’s public key to encrypt the information. This data can only be decrypted with the recipient’s private key. Upon receipt of a message, the addressee uses the private key to read it.

Although this process ensures that an intercepting party cannot read a message, it does not assure the receiver of the sender’s identity. To provide this additional verification, a digital certificate is used to authenticate the identity of the message sender. This “electronic card” establishes the sender’s credentials, comparable to a driver’s license or passport. It is issued by a certification authority and generally contains the owner’s name, serial number, expiration dates, copy of the owner’s public key, and the digital signature of the certificate-issuing authority.

To assure a recipient of both the integrity of the message and the identity of the sender, the person conveying the message uses his or her private key to encrypt the digital certificate and the recipient’s public key to encrypt the message. The receiver then uses the sender’s public key, acquired through the directory, to decrypt the certificate, and his or her own private key to decrypt the message.

PKI is a system that enables users of unsecured public networks to securely and privately exchange data by employing these public and private key pairs. The infrastructure includes the certificate authority that issues digital certificates as well as directory services that store and revoke them. PKI also comprises a registration authority that verifies the identity of an individual to the certificate authority and a certificate management system.

Although this technology was developed several years ago for use in the scientific community, recently a number of companies have designed PKI products and applications that make them useful to a broader audience. Netscape Communications Corporation is among a growing number of companies that have pursued this information security technique. In 1997, the Defense Department signed a licensing agreement for Netscape client and server software. The company’s products, the Communicator and SuiteSpot servers, offer security capabilities that meet the U.S. government’s federal information processing standards publications (FIPS PUBS) 140-1 security requirements for cryptographic modules. In December 1998, DISA, using the integrated computer-aided software engineering (I-CASE) contract, completed a purchase from Netscape for Communicator and several other specific server software items.

Earlier this year, the Defense Department outlined its objectives in pursuing medium assurance security measures by employing current public key infrastructure technologies. Acknowledging that PKI is still an immature technology and is rapidly changing, the Defense Department chose to move ahead and adopt the security approach while actively working with industry. This government and industry collaboration was established to gather the detailed technical understanding needed to specify requirements, resolve standards issues and accelerate industrywide convergence to a purely standards-based, interoperable capability that does not rely on specific vendors or technologies, DISA officials claim. The December purchase included products that will be used as part of a medium assurance PKI pilot program in support of the defense travel system as well as to employ secure protocols in both the global command and control system and the global combat support system.

In general, an organization’s acceptance of new technologies follows a four-step process. The pilot, or proof-of-concept stage, demonstrates the abilities of the product. This is followed by the policy development phase during which the organization determines required control procedures, develops an implementation plan and addresses additional details of measures that will be followed. The implementation of the program is the third step. This is followed by the actual rollout of the technology into the user arena.

According to Richard Andrews, senior systems engineer, Netscape Government Group, Bethesda, Maryland, farsighted DISA officials accelerated this approach and chose to begin the rollout while policy development and implementation planning was in progress. “Industry and government as a whole can get bogged down in the initial stages of policy and planning when new products are introduced into the marketplace. Some individuals in DISA recognized that there was a good commercial product out there that meets their needs. They decided they had to get past the policy and planning and go ahead and get to the implementation while also developing the policy and planning,” Andrews offers.

While the Defense Department initiates the rollout of PKI on a departmentwide basis, the U.S. Navy recently began incorporating the security technique at the Naval Supply Systems Command (NAVSUP), Mechanicsburg, Pennsylvania. The command’s primary mission includes managing the logistics programs in supply operations; contracting; handling resale, fuel, transportation and security assistance; supporting mobile fleet hospitals; and dealing with quality of life issues for naval forces including food service, postal services, Navy Exchanges and movement of household goods.

In addition to Netscape Communicator, the Navy’s PKI program employs the company’s Certificate Server and Directory Server products.

The Certificate Server integrates with other Netscape products to allow information systems administrators to create and manage PKI that authenticates both clients and servers using open standards-based digital certificates. It can be employed to issue certificates for single sign-on, allowing users to enter a single password to gain access to the various web, messaging, collaboration, directory and catalog servers used each day.

Administrators can configure a server to accept only certificates signed by a specific authority. Management costs decrease through the Certificate Server integration with lightweight directory access protocol (LDAP) directory servers such as Netscape’s Directory Server.

The Directory Server’s features enable the design of extranet and electronic (e-) commerce applications for extremely large numbers of users. It can support more than 50 million entries per directory and a transaction rate of more than 5,000 queries per second.

These two complementary products facilitate easier management of security programs. The Certificate Server sends updates about digital certificates to the Directory Server via LDAP over a secure sockets layer. When new certificates are created, the Certificate Server automatically sends an “add certificate” update to the Directory Server. The reverse is true when certificates are revoked.

According to John Menkart, director of government sales, Netscape Government Group, these capabilities were market-driven. “The server side directs the issuance, distribution and management of these [digital] certificates. The Defense Department and commercial world both demand ease of use and large-scale operation,” he offers.

Five years ago, Charlene Tallman, command information systems security program manager, NAVSUP, recognized both the incredible potential and inherent dangers of using the web to conduct business. As discussions increased about changing from closed, controllable systems to larger, open networks for information dissemination and commerce, she promoted the expansion of security policies to cover the issues raised by using the information superhighway as a conduit for military communications.

During the last several years, she has been involved in developing the security measures that will, in the near future, lead to an increased use of paperless acquisition.

Tallman admits that these early stages of putting adequate information protection procedures in place is not an effortless task, but adds that the results will eventually save both time and money. The command conducted a small metric evaluation of PKI procedures earlier this year. Instructions for applying for digital certificates were sent to 22 people. Of the 16 people who applied, four had major problems with the process; however, these difficulties were related to the firewalls that had been set up and to creating the profile in Netscape rather than problems with establishing the certificates on their own computers, she says.

“Acquiring a digital certificate today is a painful process, and there is some inconvenience, but once we’re over that hurdle, it makes the processes easier. Compare it to securing a house with locks, keys and wiring. At first it seems difficult to get used to carrying keys or turning on and off the alarm. But once you get used to it, it seems natural,” Tallman explains. The grandchildren of today’s generation will be issued a digital certificate concurrently with a birth certificate, she predicts.

NAVSUP’s acquisition program, OneTouch Supply, employs digital certificate and PKI technology to activate, in a single step, a global network of sources for naval customers. To access the service, military personnel need a personal digital certificate, which can be acquired online, and a Netscape web browser version 4.5 or higher. The program is currently in its early stages; however, the command’s vision for the program includes online access to requisition status information, stock check information, input and submission of standard requisitions, and a technical screening of information contained in several databases.

Marketing is an important part of teaching naval personnel about the program and procedures. The command conducted an electronic (e-) mail campaign and offers information through its web site. Training, both online and in traditional sessions, also is provided. While Tallman believes it is not important for personnel to understand all the technical aspects of PKI, she adds that security is a serious issue and should be treated as such.

According to Joseph Broghamer, lead, information assurance, Chief Information Office, Department of the Navy, PKI offers strong authentication capabilities, and the Defense Department intends to issue digital certificates to all personnel by October 2001. The technique promises the opportunity for confidentiality on web sites, electronic security for e-mail and expanded e-commerce because buyers will be able to authorize purchases from their desktops.

Broghamer confirms that these new security techniques are still in a state of flux. “Somewhere in the future, a hardware certificate could replace the digital certificate. This could be smart card or similar technology,” he offers.

Currently, NAVSUP is collecting information and issuing digital certificates for its personnel; however, once the Defense Department’s PKI is in place, naval personnel will be able to migrate to it. “Right now, we have different systems, like having Sears and Penney’s credit cards, and you can only use them at those specific places. The goal is that it will be more like a Visa card and can be used with all systems,” Tallman explains.

Netscape officials believe that digital certificate use will become more pervasive, and the technology will be more embedded as additional people acquire them.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.