![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
e-business is based on a flow of information among businesses over the Internet. The value of e-business is a reduction in costs or an increase in revenue that come as a product of exchanging business information over the Internet. The danger of e-business is the risk of information being lost, stolen, fabricated, or corrupted as it passes over the Internet. Therefore, what can be done to mitigate the risks of e-business?
Four security risks must be addressed to assure the safety of e-business transactions and associated data. These four risks can be remembered with the abbreviation PAIN:
- Privacy: e-business transactions are protected against access by attackers who seek to make copies of them or to insert fraudulent data into the process.
- Authentication: Access to e-business applications and data is restricted to those who can provide the appropriate proofs of identity.
- Integrity: e-business data and applications are protected in such a way that any effort to change them is detected and prevented.
- Non-repudiation: The flow of data through an e-business application and the flow of transactions that drive the data are logged and reported in such a way that should a dispute arise about any transaction, proof of what actually happened can be produced.
Public Key Infrastructure (PKI) provides a solution to the risks of e-business. Elements of PKI technology can be used to solve each of the risks individually, or PKI technology as a whole can be used as a complete security solution for e-business applications. The remainder of this article provides examples of how PKI can be used to address each of the PAIN risks.
Privacy means that a transaction between businesses cannot be viewed or interfered with by an outside party. PKI uses encryption to ensure that transactions are kept private. PKI technology can use encryption to protect the privacy of data in transit and in storage. Many businesses today think that Virtual Private Networks (VPNs), Extranets, or Secure Sockets Layer (SSL) are sufficient to ensure the privacy of e-business. In fact, many of these solutions use PKI encryption technology to provide privacy. However these solutions can provide privacy for the actual exchange of data across the Internet, and that is all. They do not provide privacy for data stored on e-business servers that are connected to the Internet.
There have been many news reports on the theft of e-business data stored on e-business servers. In these cases, the e-business data is stored with limited protection on the e-business server. A hacker who successfully breaks into the server will almost certainly be able to find and steal that data. If the data is stored in an encrypted format, then the threat of theft is significantly reduced. Even if the data is stolen, the thief must break the encryption before it can be of any use to him.
While the value of this privacy is obvious, the cost of privacy is less obvious. Encryption is a wonderful tool for protecting valuable information, but there is a performance cost associated with the use of encryption. e-business applications that rely on encryption for privacy must be placed on larger servers that are able to provide the additional computing resources that will be needed by the encryption programs.
Authentication means that access to an e-business system is limited to those who can provide the proper identity credentials. Authentication is commonly handled through the use of a logon ID and password. This technology is considered a very low level of authentication and is often easy to break. PKI uses a digital certificate as the identity credential. The idea of a digital certificate is similar to the idea of a passport. Nations require that people traveling across international borders must be able to produce an identity credential called a passport. People get passports by proving who they are to their national government. All governments accept a passport as evidence that the issuing national government believes that this person is who they claim to be.
A digital certificate is very similar. A person must prove his identity to a Certificate Authority or CA. If the CA can verify the claim of identity, it will issue a digital certificate that states that the issuing CA trusts the identity of this individual. Programs that require a digital certificate as an identity credential also specify what CA or CAs they accept certificates from. This is an additional level of security. It prevents a person from starting his own CA and issuing fraudulent certificates. It is also a way for a company to specify who it trusts by defining which CAs it trusts.
In the physical world, we keep our ID in a wallet. In the electronic world, there are two common places to store a digital certificate. The most common is in a Web browser. You may not be aware of it, but you likely already have several digital certificates stored in the browser and used to access various sites on the Internet.
The next most common place to store a digital certificate is on a Smart Card. In this case, the Smart Card is inserted into a special reader in order to access a secured system. The secured system reads the digital certificate stored on the card and decides whether to permit you access.
Some technologies make extensive use of certificates "under the covers," hidden from the view of a user. For example, Virtual Private Networks (VPNs) often rely on certificates to prove identity of network devices. Secure Sockets Layer (SSL), a widely used tool for securing e-business transactions on the Web, also uses certificates built into Web browsers and servers.
Integrity means two things. One meaning of integrity is that the data received is the same as the data sent. That means that the data was not changed in transit either by mistake or on purpose. The other meaning is that at any time in the future, it is possible to undeniably prove whether different copies of the same document are in fact identical or not.
PKI uses a technology called "message digest" or "hashing" to ensure data integrity. It is possible to view any data object as a string of numbers, even if people view it as a text document. Message digest programs do exactly that -- they view all data objects as strings of numbers. A message digest program adds up the numbers in a data object using a special technique. The result is a single number called the message digest or hash value of the data object. Because of the mathematical technique used in the calculation, the hash value of a data object is unique; no other data object can produce the same hash value. If so much as one character is changed, added, or deleted in a data object (even a blank at the right end of a line), the calculated hash value will be different and a loss of integrity will be detected.
The message digest is a common way of verifying data integrity in transmission. The sender calculates the message digest and sends that value with the file he is transmitting. The recipient calculates the message digest of the received file and compares it to the value that the sender calculated. If they are the same, then the file sent is the same as the file received.
Non-repudiation means that if a discrepancy or dispute arises over an e-business transaction, there is incontrovertible evidence present within the e-business system that can be used to prove beyond reasonable doubt just what exactly occurred and why.
The most common way to provide non-repudiation is through the use of digital signatures. A digital signature is the electronic equivalent of a handwritten signature. Many nations and most of the states in the United States now have laws that define how and where digital signatures can be used in the conduct of business. Most nations will have digital signature laws on the books within two years.
PKI technology is based on a cryptological technique that can create a unique pair of numbers. These numbers are used as keys by special encryption programs. If a file is encrypted with one key in a given pair, only the other key can decrypt it, and vice versa. PKI specifies that when a person receives a key pair, one member of the pair will be kept private and the other will be published as the public key. An example will illustrate how the key pairs are used.
Alice and Bob each have PKI key pairs. They each have access to the other's public key. If Alice wants to send Bob a private message, she can encrypt the message with Bob's public key and send it. Only Bob's private key can decrypt the message, so Alice has confidence that only Bob can read the message, even if a million people were to receive the message.
Now consider another example. Bob and Alice want to digitally sign an electronic contract and they want to be sure that the contract can't be changed later and that neither can dispute that they signed it. Bob will do the following:
- Bob and Alice agree to the terms of the contract.
- Bob calculates a message digest or hash value of the electronic contract.
- Bob encrypts the hash value with his private key.
- Bob provides the contract and the encrypted hash value of that contract to Alice.
Alice can prove that the hash value is from Bob because Bob's public key can decrypt it. Because no other key in existence can decrypt this hash value, it must have been encrypted using Bob's private key. Alice can tie the decrypted hash value to the contract by calculating a hash value of the contract herself. Since each document produces a unique hash value, if the value she calculates is the same as the value Bob provided, then the contract she has is the same as the one he sent. Now Alice will encrypt the hash value she calculated with her private key. Both parties have digitally signed the contract. The proof of this consists of the following:
- The contract
- The hash value of the contract, encrypted with Bob's private key
- The hash value of the contract, encrypted with Alice's private key
If there is doubt about the contents of the contract, the parties can calculate a hash value of the contract and compare it to the original values calculated by Bob and Alice.
If there is doubt about the keys, can Bob's public key decrypt his version of the hash value? Can Alice's decrypt hers? If the answers are "yes," then the only possible argument that can be made is that a private key has been stolen. If this argument is made, then all documents that have been signed or encrypted by the compromised person can be said to be legally void, since the date of theft is probably not known.
Business data has value and so must be protected. Some business data has more value, some less value. This means that an important consideration in the design of any e-business application is "how valuable is this data?" The greater the value, the more must be done to protect it. This measure of value is used to justify a budget for security software and security specialists that will be used to protect the e-business application once it is deployed.
There are four main risks associated with e-business. They are: privacy of transactions, authentication of individuals who have rights to access e-business systems, integrity of data in transit and in storage, and non-repudiability of transacted business. These four risks can be remembered with the acronym PAIN. PKI technology offers solutions to each of the elements of PAIN in e-business.
Stacy Cannady has 20 years experience in systems and network support and in data security. Stacy currently works for IBM in PKI security products. He can be reached at scannady@us.ibm.com.
Thomas H. Stockton has over 12 years experience in the areas of EDI, e-commerce and Internet security, specifically with PKI. Tom currently works in IBM's PKI marketing group, holds an M.B.A, and has contributed several articles to Electronic Commerce World. He can be reached at tstock@us.ibm.com.
Table of contents
Next steps from IBM
WebSphere Portal can help your small and midsize business achieve better website security, along with faster time to value with easily deployable and customizable example Web sites.
- Try: Download a free trial version of IBM WebSphere Portal Express V6.1, which offers collaboration, document management, and secure Web content management.
- Article: This article provides an overview of the WebSphere Portal security architecture, including internet security, and secure connections between clients.
- Tutorial: This tutorial take you through the steps to develop and test your first portlet WebSphere Portal Test Environment.
- Demo: These demos show Web 2.0 features available today within WebSphere Portal, as well as several features planned for the future.
- Buy: IBM WebSphere Portal Express
Tags
Use the slider bar to see more or fewer tags.
For articles in technology zones (such as Java technology, Linux, Open source, XML), Popular tags shows the top tags for all technology zones. For articles in product zones (such as Info Mgmt, Rational, WebSphere), Popular tags shows the top tags for just that product zone.
For articles in technology zones (such as Java technology, Linux, Open source, XML), My tags shows your tags for all technology zones. For articles in product zones (such as Info Mgmt, Rational, WebSphere), My tags shows your tags for just that product zone.
Popular article tags |
My article tagsSkip to tags list
Popular article tags |
My article tags
