Simplified deployment and more realistic expectations have led to a comeback for digital certificates. Ericka Chickowski reports.

In theory, using public key infrastructure (PKI) to securely exchange data and money over an unsecure public network seemed like a great idea. Unfortunately, putting this into practice turned out to be not quite so simple, and the crash and burn following many multi-million dollar PKI projects in the late 1990s, left many security professionals with a bitter taste that lingers on to this day.

But these infrastructures never went away, and in recent years it seems they are quietly making good on at least some of the promises made during the early stages of the hype. "It did go through a period where it was almost like a four letter word," says Sharon Boeyen, principal of advanced security for Entrust Technologies. "I don't think we're hearing anywhere near as much of the negativity there was a couple of years ago."

PKI works through digital certificates and cryptigraphic keys, and the core technology for these hasn't changed much. So what has? Experts believe that the renaissance in PKI stems from a better understanding of how to deploy and manage certificates and limit the scope of projects.

"I would say PKI is on sort of a second honeymoon with the industry," says R. "Doc" Vaidhyanathan, vice-president of product management at Arcot Systems. "It's a lot more muted, but it's certainly another honeymoon. During the first one, about ten years ago, everyone spent millions of punds building up a huge PKI infrastructure - and most of them never got deployed because of the complexity involved. I think the second time around people are coming at it a lot more cautiously, and are also trying to bring less grandiose approaches to PKI."

Others are slightly more guarded in their response. "I'm not sure I would call it a honeymoon," says Roger Sullivan, vice-president of business development for Oracle's identity management solutions. "Perhaps a second date after the first one went horribly wrong."

The reason the industry is even able to give digital certificates a second chance is that there was never anything wrong with the technology in the first place, he argues. The problem was that people expected too much in the beginning.

"There was so little experience in what it actually meant to issue these certificates, and what business practices were required to have one. Expectations were set artificially high by many vendors," Sullivan says. "Customers who purchased these things and tried to deploy them found they were not getting any value and were left wondering why they had spent so much money on them. So that put the breaks on the industry very quickly in the late 1990s."

He explains that these failed implementations did not undermine the inherent value of PKI, they just never fully addressed the challenges of the infrastructure. As he sees it, there are three major stumbling blocks to deployment: the cost of the certificates themselves, the complexity of administration and finding a business rationale for deployment.

While the cost of the certificates remains about the same, much has improved with regards to the other two challenges, according to Sullivan.

Simplicity is key

One of the problems PKI had the first time round was that too much interaction was required from the end-user throughout the certificate lifecycle. Over the past few years, certificate and key management solutions have created situations that require no user interaction or even awareness that certificates are being used, and experts believe this has helped boost acceptance of PKI.

"People are deploying PKI and users don't really even know it is happening," Boeyen says. "That's basically the difference."

Businesses have also been able to simplify deployment as those involved realised that they did not have to spend a lot of time building sophisticated infrastructures right away. "In terms of the way companies roll them out, the process has been evolving," says Paul Kocher, president of San Francisco-based Cryptography Research. "Five years ago people would decide there was an application that justified building a PKI and they would spend a lot of time building a really sophisticated bleeding edge one right at the beginning. We're seeing a lot more companies now that start with something small and dirty and after that other applications come along and they sort of evolve into it."

This has been made possible as specialised PKI vendors and even larger software vendors, such as Microsoft, have created software and services to make it easier to deploy infrastructures. In fact, Microsoft is just getting ready to release Certificate Lifecycle Management later this year. Some believe that digital certificates will become even easier to handle as certificate management becomes more embedded into hardware.

"PKI is getting embedded under the hood in just about every place you can imagine," Kocher says. "The trend is to embed it as a feature into something that people don't necessarily pay for."

An example of this are the Trusted Platform Module chips that are routinely built into almost all of today's motherboards, says Steven Sprague, president and CEO of Wave Systems, a US-based IT services company.

"Inside that Trusted Platform Module, I can contain hundreds of certificates," he explains. "So I have a common component I can leverage in my PC. The goal here is standards-based security in the machine that provides a common framework for everybody to use."

While simplification of certificate management has been a critical factor in the PKI renaissance, Oracle's Sullivan believes that limiting the scope of projects has been another. "We have become much more clear as business people as to which kinds of transactions require certificates and which do not," he says. "And simply by making that delineation we're able to deploy certificates more effectively."

Boeyen agrees that today's enterprises are letting the needs of the business drive adoption. "People are not deploying PKI for the sake of it," she says. "They're deploying it now to meet an existing business need. So they start with a particular application and then it can grow beyond that."

CASE STUDY - INFORMATION SECURITY FORUM

An independent security organisations dedicated to improving best practices among global enterprises, the Information Security Forum (ISF) gathers valuable information about the way businesses are securing their infrastructures.

The challenge is how to safely disseminate all of this sensitive information, according to Miles Clement, senior research consultant at ISF. The forum set up an extranet to make its publications available to members four years ago.

Access was initially controlled by a token-based system for two-factor authentication. But even though that system was quite secure, it meant users had to carry tokens around and remember a pin number. "We found that we had a very high rate of support calls just to reset the pins, or to resynchronize the devices because people weren't familiar with the devices or didn't use them enough," Clement recalls.

On top of this, the cost of the tokens was high and the time it took to deliver the devices to the users acted as a detriment to the whole premise of providing immediate access to information on the extranet. "So this was restricting the number of users who could use our website because of the cost," he says. "And it was making our website not very attractive because it was so painful to get through the authentication process."

The ISF began looking for a simpler two-factor solution last year and decided on Swivel Secure's PINsafe. "We wanted an authentication method that gave us a similar level of protection without the disadvantages of the token-based approach," he explains. "With this we can create a new user instantaneously. It has reduced our set-up time and took away a lot of our other barriers."

The solution works by creating a user pin that acts as a mask for the actual code that is entered into the system, says Andy Cole, vice-president of sales and business development at Swivel.

"We require no device," Cole adds, "Very simplistically, we issue the user a four-digit pin, which is never entered into a public browser. We generate a number string and take the four digit pin to manually extract a one-time code from the string to authenticate."

Clement claims the number of users on the site since deploying the Swivel method in April has nearly doubled. The amount of logins per user has also increased dramatically.

Despite this rise in traffic, the amount of time ISF staff spend supporting the authentication process has plummeted. Not only do they not have to mail out tokens, but they have also been armed with a more manageable password reset procedure through Swivel's technology, which automates the process, Clement says. "Typically, we were experiencing 10 to 15 resets a day in the past," he says. "Now with twice as many users, we only get around two manual resets a day." This allows both the organisation and the site's users to focus on its main line of business.

THREE GOLDEN RULES

There are three major considerations to think about when choosing vendors and deploying digital certificate infrastructure and management solutions

1. Managing the certificate lifecycle There should be an easy way to maintain certificates and ensure a smooth rollover to new certificates before the old ones expire. This is absolutely critical to maintain transparency to the end-user.

2. Maintaining certificate history You should have a mechanism to keep a history of old certificates and keys for any user who is encrypting data. They need to keep old keys that have rolled over to be able to decrypt information that was encrypted with the old keys.

3. Backing up certificates The enterprise needs to have access to backed-up certificates and keys in the event that a user loses or deletes the original. This is the only way to ensure the enterprise will always be able to access the data, no matter what the user does.