
6. Digital Cryptography

E-commerce won't reach its true potential until a single security standard for digital transactions is in place. That may take some doing.
Marie Leone
October 4, 2002

Brief: Eavesdropping, tampering, impersonation. Aside from reading like the Watergate plumbers' to-do list, these surreptitious violations are also common Internet security breaches. Among the assorted crime-busting technologies being discussed to thwart cyber-intrusions is public key cryptography (PKC), an initialism that, in time, could become almost as familiar to CFOs as ROI.

What It Is: The concept of public key cryptography has been kicking around since 1976, although the commercialization of PKC closely tracks the proliferation of electronic commerce. Essentially, PKC is a way of encrypting and signing data with a pair of mathematically linked keys, one public and one private. Its partner, public key infrastructure (PKI), is the system of digital certificates and certificate authorities that binds a public key to the identity of each partner in a virtual transaction, so that each side can check who it is really dealing with. Currently, there is no single standard for PKC-based digital transactions, but an aggressive standardization schedule is now in place. Whether the backers of the schedule actually keep to it remains to be seen, however.

Skinny: Kevin Coleman, a risk and advisory services partner at KPMG LLP, warns that absolute security is not possible. The idea, therefore, is to move toward an infrastructure that mitigates as much risk as possible. For instance, suppliers can never be absolutely positive that any signature, whether ink or digital, on a purchase order is authentic. But a supplier usually knows a customer's order history, so it can make a reasonably confident judgment.

But PKC offers an advantage over conventional cryptography. Traditionally, messages are encrypted by a sender and decrypted by a receiver that both know and use the same secret key, the equivalent of a shared secret decoder ring. That doesn't always work, though, say officials at RSA Security in Bedford, Massachusetts. The sender and receiver, who may be in different physical locations, must first agree on and communicate that secret key, and a key sent over the Net could be intercepted.

With PKC, however, each person gets a pair of keys. One is public and can be published openly, for example in a directory, because knowing it does not help anyone read the messages it protects. The other is a private key, which is kept secret by its owner. Anyone can encrypt a message to that owner using the public key, but the message can only be decrypted using the matching private key. The catch is trusting that a published public key really belongs to the person it is listed under; that binding of key to identity is what certificates and PKI are for.

Aside from encryption of E-mail messages and other documents like contracts, patents, and designs, PKC can also be used for digital signatures: the sender signs with the private key, and anyone holding the public key can verify both who signed and that the document has not been altered since. Coleman says this has broad business applications. In fact, Adobe Acrobat and Microsoft Outlook already support digital signatures, but executives are still skittish about the technology.

Coleman cites a few other glitches that have to be addressed before PKC and PKI really take off. PKI can be complex and costly. Indeed, experts say CFOs will need to take an enterprisewide approach to PKI to cut implementation costs. The hang-up: Generally speaking, most senior executives (other than CIOs) don't view security as an enterprise issue.

Moreover, corporate champions of the technology haven't yet articulated what business problems PKC and PKI solve. Mostly, that's because many E-business initiatives are in limbo right now.

But if there's any doubt that cyber-security issues should be a corporate priority, consider that Microsoft's job postings include openings for white-hat hackers (the good guys) to test network security. RSA runs "Cryptographic Challenges" — contests with modest cash prizes that entice hackers to break the secret key codes.

When will PKC and other digital security technologies make it to the mainstream? "If you asked me five years ago if digital signatures would be common in 2002, I would have said yes," says Coleman. "But we're still waiting."

ETA: Three years.