Since President Clinton's signing of the Electronic Signatures in Global
and National Commerce Act into U.S. law on June 30, many have speculated
about how organizations will use digital signature technology in the
near future, and when there will be widespread adoption of the technology
in the business-to-business e-commerce market. Frost & Sullivan
Research reported in August that this legislation positions the U.S.
digital certificate markets for tremendous growth over the next five
to 10 years.
Because of the sheer size of the market (GartnerGroup says business-to-business
(B2B) Internet commerce will grow from $145 billion in 1999 to $7 trillion
by the year 2004), and the nature and value of B2B communications and
transactions, the demand for strong digital identification - or identity
certainty - is becoming a primary focus for organizations.
Without a doubt, the electronic signatures law will continue to prompt
new online business and commerce opportunities. However, the bottom
line remains: Confidential business cannot be conducted electronically
without attention to security. There is a confirmed need for strong
digital identification and network security, and as a result, many large
organizations are adopting public key infrastructure (PKI) technology
and interoperable cryptographic smart cards to store and protect the
digital identities of their employees. To put the demand for PKI into
perspective, Aberdeen Group says that 98% of the Global 2000 enterprises
will be using PKI before 2003, and that 48% of Global 2000 enterprises
are using or piloting PKI at this time.
Understanding PKI
Often referred to by industry experts as a "killer app" -
or the ultimate means for securing e-commerce - PKI is the set of policies,
technology, and functions required to provide public key encryption
and digital certificates, including key and certificate management,
issuance, and revocation; certificate authority policies and functions;
key backup; time stamping services; and directory services for certificate
storage and retrieval. Ultimately, a PKI enables users of public and
private networks to exchange confidential business information and complete
transactions privately and securely.
Addressing the need for user identification
The foundation of a PKI is the public and private key pair, used for encryption
and for digital signatures. The owner holds the private key; the public key
is certified and published through a certificate authority, operated by a
trusted party, which issues a digital certificate binding the public key to
the owner's identity. Certificate authority products are available from
companies such as AlphaTrust, Baltimore Technologies, Digital Signature Trust
Co., Entrust Technologies, RSA Technologies, VeriSign, and Xcert International.
The key pair can be used to encrypt and decrypt communications and transactions
between two parties: anyone can encrypt to the public key, and only the holder
of the private key can decrypt. The public key is made available as part of
the digital certificate, typically in a public directory, while the private
key is used only by the owner and is never disclosed to others.
When you digitally sign a transaction, document, or communication with your
private key, recipients can authenticate you as the signer by verifying the
signature with the public key in your certificate. Once each party has
authenticated the other, those involved in a transaction can proceed with
confidence, because they know the certified identity of the party they are
dealing with.
Because disclosure of a private signing key carries so many risks, most
experts recommend that users protect the key as they would a passport: never
back it up and never store it on a computer hard drive. An unauthorized third
party who obtains a private signing key can use it to forge digitally signed
documents, or to access private corporate networks and restricted Web sites
with the owner's access privileges. The need to use the private key readily,
while never exposing it by storing or using it on a desktop or server
computer, creates a dilemma for users and administrators.
Enter cryptographic smart cards
Cryptographic smart cards contain a microprocessor with dedicated circuitry
that performs the arithmetic behind public key operations quickly, and enough
memory to store multiple digital credentials for use in a PKI environment.
Beyond holding the credentials that identify and authenticate users, a
cryptographic smart card can generate key pairs and perform all digital
signature and decryption operations on the card itself. Because the private
key is generated and kept on the card, it is never present on desktop or
server systems, where it could be read or stolen: the host passes the card
the data to be signed and receives only the signature. The card does not
protect the host, however; a compromised host can still ask an unlocked card
to sign on its behalf, so the PIN that unlocks the card, and removing the
card when it is not in use, remain part of the protection.
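The signing and verification flow described in the previous section, together with the smart-card point that the private key stays inside the token, as an added example written for this page in Go using only the standard library. It is not Datakey's code and not any vendor's API. The softToken type is a software stand-in for a card (a real deployment would substitute a PKCS#11-backed crypto.Signer whose key lives on the card); the names "Example Corp Root CA" and "alice@example.com" and the purchase-order message are constructed for the example. The CA certifies Alice's public key, Alice's token signs a digest, and the recipient, holding only the root certificate and Alice's certificate, accepts the genuine signature but rejects the same signature over an altered message and a signature from a self-signed impostor claiming Alice's name.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// softToken is a software stand-in (an assumption of this example) for a smart
// card: the key pair is generated inside it and only Public() and Sign() are
// exposed (the crypto.Signer contract that PKCS#11 token wrappers also satisfy).
type softToken struct{ priv *ecdsa.PrivateKey }

func newSoftToken() *softToken {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return &softToken{priv: priv}
}

func (t *softToken) Public() crypto.PublicKey { return &t.priv.PublicKey }

// Sign is handed only the digest; the private key never leaves the token.
func (t *softToken) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, t.priv, digest)
}

// issueCert has the CA bind a subject name to a public key; with parent == nil
// it produces the CA's own self-signed root certificate.
func issueCert(parent *x509.Certificate, caKey crypto.Signer, subject string, pub crypto.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifySigned is the recipient's side and needs only public material: confirm
// the signer's certificate chains to the trusted root, then check the signature
// with the certified public key (CheckSignature hashes msg with SHA-256).
func verifySigned(root, signerCert *x509.Certificate, msg, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := signerCert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	return signerCert.CheckSignature(x509.ECDSAWithSHA256, msg, sig)
}

// demo reports whether each check passed: a genuine signature, that signature
// replayed over an altered message, and a self-signed impostor claiming to be alice.
func demo() (genuine, tampered, impostor bool) {
	caTok := newSoftToken()
	root := issueCert(nil, caTok, "Example Corp Root CA", caTok.Public(), 1)
	aliceTok := newSoftToken()
	aliceCert := issueCert(root, caTok, "alice@example.com", aliceTok.Public(), 2)
	msg := []byte("Purchase order 4711: 200 units at $10.00") // constructed sample
	digest := sha256.Sum256(msg)
	sig, err := aliceTok.Sign(rand.Reader, digest[:], crypto.SHA256)
	check(err)
	genuine = verifySigned(root, aliceCert, msg, sig) == nil
	tampered = verifySigned(root, aliceCert, []byte("Purchase order 4711: 2000 units at $10.00"), sig) == nil
	evilTok := newSoftToken()
	evilCert := issueCert(nil, evilTok, "alice@example.com", evilTok.Public(), 3)
	evilSig, err := evilTok.Sign(rand.Reader, digest[:], crypto.SHA256)
	check(err)
	impostor = verifySigned(root, evilCert, msg, evilSig) == nil
	return
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	genuine, tampered, impostor := demo()
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", genuine, tampered, impostor)
}
```

Note what each side holds: the token exposes Public() and Sign() and nothing else, which is exactly the interface a card presents to the host, and verifySigned touches no private key at all. The impostor case fails on the certificate check before the signature is even examined, which is the CA's contribution; the tampered case passes the certificate check and fails on the signature, which is the key pair's contribution.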
Working with the National Institute of Standards and Technology (NIST),
Datakey pioneered cryptographic PKI smart cards almost a decade ago,
delivering the first cryptographic smart card used for digital signatures
in 1991. Fundamentally, cryptographic PKI smart cards protect the digital
identity of an individual and allow him or her to use the digital certificate
and keys to encrypt and sign electronic communications, such as electronic
mail and legal documents, or to authenticate to a virtual private network
(VPN) or private Internet site.
Using cryptographic smart cards to protect PKI investments
According to Frost & Sullivan's latest research on the smart card
market, participants in the research shipped 14.1 million units in 1999.
By the end of the forecast period, 2006, the number of units shipped
is projected to rise to 114.7 million. The report goes on to say that
the network security segment of the market is projected to make up nearly
half of all units shipped by 2006.
Increasingly, U.S.-based companies are evaluating cryptographic smart
cards because of the high level of security, portability, and simple
deployment they provide when used in a PKI environment. The growth of
the PKI market, coupled with the maturation of PKI vendors' software,
is making it easier and less expensive for companies to use public key
cryptography to secure their applications, including electronic mail
and remote access.
During the past few years, the cost of deploying cryptographic smart
cards has declined, while the technological advances have been substantial.
Datakey's cryptographic PKI smart cards, for example, feature 32K of EEPROM
for storing multiple digital certificates, user data, and application programs.
With this much memory, users can store larger certificates and more of them
on the card, and add applications to the card for enhanced functionality.
Support for multiple algorithms directly on the card, such as RSA, DSA, DES,
and elliptic curve, gives organizations the flexibility to choose the signature
and encryption algorithms that best meet their individual needs.
The long and short of PKI
U.K.-based market research company Datamonitor PLC believes the PKI
market is poised for explosive growth. In March of this year, it reported
that total PKI revenues will reach $3.5 billion by 2003, up from revenues
of $641 million in 1999. Datamonitor's reasoning: The Internet has spawned
e-commerce, and as e-commerce grows, so, too will the need for security.
With the tremendous growth in B2B e-commerce, companies are making
network security - and strong digital identification, in particular
- their primary focus. They are investing in PKI to secure their e-commerce
transactions and B2B and intra-company communications. Along with the
use of PKI and digital signatures as the security foundation comes the
need to protect every employee's digital ID or certificate.
Cryptographic smart card-based solutions protect a user's digital identity
by locking it in a smart card and performing all security-critical operations
on the card, and in doing so they protect an organization's PKI investment.
Used together with PKI, cryptographic smart cards are the most dependable way
to ensure that transactions are secure and verified, and that an individual's
digital identity cannot be used without his or her knowledge.