This story was printed from ZDNet Australia.
RSA tackles PKI

By Scott Berinato, eWEEK
December 05, 2000
URL: http://www.zdnet.com.au/news/business/soa/RSA-tackles-PKI/0,139023166,120107381,00.htm


PKI Technology has enjoyed little acceptance in the enterprise, despite the fact that users are clamoring for more security everywhere. It's a fact not lost on cryptography vendors.

One of them, RSA Security, hopes to change the technology's fortunes when it unveils next week new software that attempts to remove two of the major barriers to public-key infrastructure deployment: application integration and end-user invisibility.

RSA's Keon Web Passport builds on a concept VeriSign introduced last year under the name Personal Trust Agent, according to company officials. PTA and, now, Web Passport employ a small, downloadable module to bridge applications to PKI certificates without having to build PKI support into the application itself. The Keon product, a 700KB plug-in, will support most major applications, including messaging programs that use Secure Multipurpose Internet Mail Extension, all Web browsers and secure forms as well.

But Web Passport goes further, RSA officials claim, as it automates the certificate enrollment process. When a user visits a Keon-enabled Web site but lacks a certificate, Keon issues the plug-in and then retrieves a certificate (which could be from any of the major certificate authorities). The user is then enrolled based on information stored in a Lightweight Directory Access Protocol directory. Bottom line: The end client doesn't have to do anything but accept the plug-in download to start using PKI.

Since Keon works with any application and any certificate and takes the end user out of the enrollment process, the hope is that the software will make PKI at once less visible and more widely accepted.

So far, the key applications for PKI have been single-sign-on and virtual private network authentication. But most vendors, over the long term, envision a world where PKI is used in everyday external, Web-based transactions.

In the short term, however, RSA officials understand users will start with smaller, probably internal deployments and gradually give certificates to customers and partners over the Web.

Electronic Data Systems is starting with single sign-on. Gavin Grounds, director of information assurance services at the Plano, Texas, company, believes PKI is on the cusp of legitimisation. "PKI has for a long time been stuck in that paradox: we want something immensely secure and immensely simple," Grounds says. "I think we are just now finally starting to get there."

Chris Smith, director of IT at Eastern Federal Credit Union, has used PKI since 1997 but believes it's on the verge of a breakthrough. "It hasn't been without challenges," says Smith, who uses PKI for authenticating his own users. "Even with a very narrow implementation and with mainstream applications, we had to plug holes we shouldn't have. Software like Keon could really open up what we do with PKI."

But it's no guarantee, as security analyst Steve Gibson points out.

"The problem to date has been it's just not transparent enough," says Gibson, who runs Gibson Research. "While this could help, I don't think anything will get truly better until the operating system gets much tighter integration with PKI."

RSA is beta testing Keon Web Passport, which won't ship until the first quarter of next year.


Keying in on PKI

How to decide when, where or if you need public key infrastructure

By Jim Rapoza, eWEEK

Your company needs a PKI, or at least that's what you've been told. After all, a public-key infrastructure provides important benefits such as data confidentiality, secure communications, and strong authentication. But where exactly will it be implemented? To which users? To how many users? Just within the company or to business partners as well? And just what the heck is a PKI, anyway?

Not surprisingly, many people don't know the answer to that last question, including some of the company executives who are telling your IT department to implement a PKI system. The pilot implementation of a PKI system often fails, mainly because the company implementing it is unclear on critical issues such as where to use the PKI, how to manage it and exactly what to use it for.

Vendors of PKI applications can't be trusted to make things easier. Often their systems are difficult to implement and manage, and deployments drain large quantities of buyers' time and money. And once a system is in place, it is not unusual for company officials to find themselves torn about bailing out, even though the implementation is clearly going wrong.

A technology that is as thorny and misunderstood as PKI is, of course, perfect fodder for an eWEEK Labs eValuation. And in this case, the technology is so complex that we're delivering the eVal in two parts. This first part will serve as a sort of PKI primer, providing explanations, advice and best practices that businesses should follow when considering a PKI implementation.

A recent survey of our readers showed clearly that PKI is a mystery to many IT administrators. Nearly 60 percent of the survey respondents said that their companies had no PKI. Another 40 percent didn't know whether a PKI was in place. Fewer than 3 percent were certain that their companies had implemented PKIs.

The readers raised questions and concerns having to do with complexity, implementation problems, lack of standards and the inability of a PKI to integrate with installed security and communications systems. Several readers indicated they need a basic understanding of the technology: One asked for a "PKI for Dummies" guide. That request sounds as difficult as writing "Nuclear Physics for Dummies," but in this installment we have tried to provide the information that managers need to get a handle on PKI technology.

The ABCs of PKI
As the name suggests, a PKI is an encryption system based on keys. Anyone who has used a personal encryption product such as Pretty Good Privacy probably has a basic understanding of how a PKI works. In a personal system, two keys that are linked but different are created when a user first generates his or her profile. The public key is made available, through either mail or accessible directories, to those who need to correspond securely with that person or business. Messages and data are encrypted using the public key and then sent to the original user, who uses the private key to decrypt the content.
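The two-key relationship the paragraph describes, as an added example that is not code from the article or from any vendor it mentions. It uses Go's standard library RSA: a message encrypted to Bob's published public key can be opened only with Bob's private key, and a signature made with Bob's private key can be checked by anyone holding the public key (the "strong authentication" benefit mentioned earlier). The names Bob and Mallory and the sample message are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Outcome records what each party could and could not do with the keys.
type Outcome struct {
	Recovered       bool // Bob's private key recovered the plaintext
	WrongKeyFails   bool // Mallory's private key could not decrypt
	SignatureOK     bool // Bob's signature verifies under Bob's public key
	ForgeryRejected bool // Mallory's signature is rejected as Bob's
}

// GenerateKeyPair creates the "linked but different" pair the article describes.
// The public half is what would be published in a directory; the private half
// never leaves its owner.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFor seals msg to a recipient's public key (RSA-OAEP with SHA-256).
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message sealed with EncryptFor using the matching private key.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign uses the private key the other way round: the owner signs (RSA-PSS over
// a SHA-256 digest) and anyone with the public key can verify.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig is a valid signature over msg by the holder of pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// RoundTrip runs the constructed scenario: a sender encrypts to Bob, Bob
// decrypts and signs a receipt, and Mallory (a different key pair) can neither
// read the message nor pass her signature off as Bob's.
func RoundTrip() (Outcome, error) {
	var out Outcome
	bob, err := GenerateKeyPair()
	if err != nil {
		return out, err
	}
	mallory, err := GenerateKeyPair()
	if err != nil {
		return out, err
	}

	msg := []byte("wire transfer approved") // constructed sample message
	ciphertext, err := EncryptFor(&bob.PublicKey, msg)
	if err != nil {
		return out, err
	}
	plaintext, err := Decrypt(bob, ciphertext)
	if err != nil {
		return out, err
	}
	out.Recovered = bytes.Equal(plaintext, msg)

	// OAEP decryption under the wrong private key fails rather than producing garbage.
	_, wrongErr := Decrypt(mallory, ciphertext)
	out.WrongKeyFails = wrongErr != nil

	receipt := []byte("received: wire transfer approved")
	sig, err := Sign(bob, receipt)
	if err != nil {
		return out, err
	}
	out.SignatureOK = Verify(&bob.PublicKey, receipt, sig)

	forged, err := Sign(mallory, receipt)
	if err != nil {
		return out, err
	}
	out.ForgeryRejected = !Verify(&bob.PublicKey, receipt, forged) &&
		!Verify(&bob.PublicKey, []byte("received: wire transfer denied"), sig)
	return out, nil
}

func main() {
	out, err := RoundTrip()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

Run it as a program and all four fields print true; the point is that the two keys are only useful together, which is why the directory only ever needs to hold the public half.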

A corporate PKI system uses the same principles but is vastly more complex. Rather than simply issue pairs of keys, a PKI system has to provide a variety of related capabilities: issuance of keys or certificates, security management, authentication controls, integration with external systems, and data recovery. Each of these issues is complex. For example, an ideal implementation will connect the PKI system completely to a user directory, and all changes in that directory will be reflected automatically in the PKI system. However, this is not the case with all PKI implementations, and companies often must maintain separate management interfaces. This means that an employee might be fired and removed from the main directory but still be listed in the PKI, leaving corporate data at risk.
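The directory-sync gap described above, as an added example that is not code from the article or from any PKI product it names. Using Go's standard-library x509, a constructed root CA enrolls a user and a relying party checks the certificate. The run shows that removing the user from the directory leaves the certificate chain fully valid; only an explicit revocation, or a relying-party check that consults the directory, closes the gap. The CA name, the user "alice", and the in-memory revocation set (a stand-in for a CRL or OCSP lookup) are all constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed stand-in for the issuing side of a corporate PKI: a
// self-signed root plus the serial numbers it has revoked.
type CA struct {
	cert       *x509.Certificate
	key        *rsa.PrivateKey
	revoked    map[string]bool // serial -> revoked; stands in for a CRL/OCSP lookup
	nextSerial int64
}

// Directory is a constructed stand-in for the corporate user directory (e.g. LDAP).
type Directory map[string]bool

// NewCA builds a self-signed root certificate (constructed name).
func NewCA() (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{cert: cert, key: key, revoked: map[string]bool{}, nextSerial: 2}, nil
}

// Issue enrolls a user: generate a key pair and sign a one-year client-auth certificate.
func (ca *CA) Issue(user string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke is the step that gets skipped when the directory and the PKI are
// administered through separate interfaces.
func (ca *CA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// ChainValid is the check most applications stop at: does the certificate chain
// to our root, and is it inside its validity period?
func (ca *CA) ChainValid(c *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := c.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Accept is the relying-party decision: chain, revocation status and current
// directory membership must all agree. The reason names the gate that failed.
func Accept(ca *CA, dir Directory, c *x509.Certificate) (bool, string) {
	if !ca.ChainValid(c) {
		return false, "chain or validity check failed"
	}
	if ca.revoked[c.SerialNumber.String()] {
		return false, "certificate revoked"
	}
	if !dir[c.Subject.CommonName] {
		return false, "subject not in directory"
	}
	return true, "accepted"
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	dir := Directory{"alice": true} // constructed directory with one enrolled user
	alice, err := ca.Issue("alice")
	if err != nil {
		panic(err)
	}
	fmt.Println(Accept(ca, dir, alice))
	delete(dir, "alice") // fired and removed from the directory, certificate untouched
	fmt.Println("chain still valid:", ca.ChainValid(alice))
	fmt.Println(Accept(ca, dir, alice))
	ca.Revoke(alice)
	fmt.Println(Accept(ca, dir, alice))
}
```

The middle line of the output is the one that matters: after the directory entry is deleted, ChainValid still reports true, so any application that relies on chain validation alone keeps accepting the departed employee until someone revokes the certificate or the relying party also consults the directory.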

Many of the obstacles to implementing a PKI system involve integration. A PKI system can integrate with all sorts of systems and applications: groupware and messaging applications; access control systems; user directories; VPNs (virtual private networks); diverse operating systems; security systems; Web applications; and a host of customised, high-end back-office systems. Integrating a PKI product with a particular array of applications is no easy task. PKI vendors often have third-party deals that enable them, for example, to provide simple integration with one vendor's VPN while offering no shortcuts for tying to rival VPN products.

Not surprisingly, the cost of implementing a PKI can be huge. The software itself is often priced at more than US$100,000, and rollout takes, at the very least, months. Costs escalate if a company seeks to integrate its PKI system with other companies' networks. Another layer of complexity is added, and there is no standard methodology for defining trusted authorities or handling cross-certification.

Setting realistic goals
Many PKI implementations fail because companies succumb to the temptation to integrate the system at too many points. Indeed, a PKI system can be comprehensive, and a list of its capabilities can resemble a tempting menu of goodies for secure corporate computing. It can safeguard all communication transmitted on networks, extranets and intranets. It can also provide single-sign-on authentication and even digital signatures. Companies often decide to overreach and, like the character viewing the menu in "Monty Python's The Meaning of Life," they want it all, with disastrous results.

Any business interested in a PKI system must answer some crucial questions. The first and most important is, "What exactly do we need the PKI for?" A company might eventually want the entire tasty smorgasbord that the PKI vendor can serve up, but administrators must begin by identifying the one or two PKI features that their business cannot live without.

Thorough evaluation might convince some companies that they don't need a PKI. If they are considering one for use with a VPN, they might find that they can get all the security they need from the strong authentication built into most VPNs. If the goal is to provide secure access to Web-based content, a simple certificate server might do the trick. For secure communications with business partners, many service providers offer business-to-business PKI capabilities.

If a PKI system looks like a possibility, the company should consider a pilot implementation with a narrow initial scale and focus. It's important to decide on the size of the initial pilot and identify which users will be included. As PKI expert Angelo Tosi states in his column, confining pilot usage to the IT department is a mistake. A PKI pilot should include employees who are likely to use the system most heavily after full implementation.

After setting the parameters, a business must address essential questions in a written policy. Who will use the system? Who will manage it? What will its scope and reach be? How will the company recover data? Where will the backdoors be that enable management to decrypt data?

The PKI vendor or integrator should be able to help formulate a policy, but the buyer must ensure that the final product reflects the company's needs and isn't simply a template copied from several other implementations.

A major investment such as a PKI implementation requires a strong commitment from a business. As a deployment proceeds, pressure from top executives can greatly affect the outcome, whether the executives are skeptical about the need for a PKI or supportive of the project. IT managers involved in an implementation can smooth the rollout process by providing realistic forecasts of the project schedule and the system's capabilities. Project managers also should remind other executives whenever necessary that the PKI will benefit important business units, such as legal departments, human resources and sales.

East Coast Technical Director Jim Rapoza can be contacted at jim_rapoza@ziffdavis.com.



Picking the right security tools
- Certificate server: Well-suited to businesses that want to provide secure access to Web-based content, especially intranets, extranets and portals

- Personal encryption software: Good choice for individuals or small groups of users who need to protect documents and data on local systems

- PKI system: For large enterprises that need to provide controlled document and server security across a variety of applications and back-end systems

- Service providers: Offer much of the functionality of PKI without the implementation overhead, but also with less control. Good choice for use with business partners

- VPN: Mostly for businesses seeking nothing more than secure Internet access to company networks

Labs'-eye view: RSA Security's Keon Web Passport

By Jim Rapoza, eWEEK

RSA Security's Keon Web Passport is a nice new product, but, contrary to the company's claims, it does not represent a revolutionary development that will change how PKIs are used.

I spoke with RSA representatives about Keon Web Passport last week while eWeek Labs was conducting an eVal of public-key infrastructure systems. Web Passport is essentially a browser-based version of RSA's powerful Keon client. It will give mobile users access to many, but not all, of the features that they expect from the full-featured client, with the most important being access to all their digital certificates.

This will be great for users who need, for example, to access secure information from a kiosk at a convention. However, the Windows-only browser plug-in doesn't exactly break new ground. For some time now, VeriSign has offered a similar tool called Personal Trust Agent that runs as an ActiveX control or a Netscape plug-in. It's not as powerful as Keon Web Passport, but it, too, allows for mobile access.

Realistically, most companies that are serious about PKI will use tokens or smart cards to provide users with roaming access to keys and certificates. RSA's Keon Web Passport is a welcome tool that will increase access to PKI resources. But as for changing the face of PKI, don't believe the hype.

East Coast Technical Director Jim Rapoza can be contacted at jim_rapoza@ziffdavis.com

From the trenches

By Angelo Tosi, eWEEK

More than a dozen people had crowded into the meeting room: employees from a business unit, from IT operations and from information security. The technical project leader was presenting the architecture he had designed for the business unit's e-business initiative.

The company was planning to share product information with its business partners through an Internet portal. The architecture included one of the best directory servers on the market that came equipped with a CA (certificate authority) module. "We will use the CA to issue digital certificates," the presenter said. "It is part of the package, so we thought we'd use it."

Not all PKI (public-key infrastructure) pilot projects get off to such a bad start (with the emphasis on the technology rather than the process and with the decision to use digital certificates made just because they are there), but this scene exemplifies many of the mistakes that an organisation can make when putting a PKI system in place.

The biggest challenge in implementing PKI is not technological; it is organisational and operational. The technology of public-key cryptography is, after all, more than 20 years old. The real challenges are to identify and measure the value added by a PKI and to design and manage the certificate life cycle.

Most mistakes are consequences of a decision to confine PKI pilot projects to the IT department. It is, instead, vital to choose a business case where PKI can make a difference as a business enabler or can fulfill legal and regulatory requirements. A clear business case is needed to define goals and agree on measurable success criteria for the PKI pilot.

The early involvement of the business units, as well as of all other stakeholders in the pilot, ensures its support during critical periods. I participated in one pilot in the financial industry where the executive management team supported PKI deployment as a cornerstone of the company's security infrastructure.

This support proved fundamental throughout the pilot, in particular when the vendor of an Internet banking application tried to push aside the PKI pilot. The vendor had never integrated its application with a PKI and was trying to minimise its own risk. Eventually, the pilot met all the predefined success criteria without affecting the planned Internet banking rollout. Today, that PKI deployment project is in its second year, and its scope is expanding.

The design of a certificate life cycle is an interdisciplinary endeavor involving the whole enterprise. It is essential to involve all stakeholders in the PKI pilot at an early stage, before choosing a PKI product.

The legal department defines the authorised uses of a digital certificate and the issuer's liability. It also has a say in whether distinct classes of certificates will be needed and, if so, what they should be.

The identification of certificate applicants and the verification of their eligibility should be done in conjunction with processes already in place in a company's human resources department or customer service department or with the processes in place at an external business partner.

A company's Certificate Policy and its CA Certification Practice Statement should be developed in parallel with the PKI system, not after it is in place. And, obviously, the business unit that is pilot-testing the PKI is a key player.

Finally, the choice of a PKI system should be made keeping in mind the future requirements of the enterprise. If those conducting a PKI pilot fail to analyse a company's medium- and long-term requirements, the company may find that the limitations of the chosen PKI system keep it from being of use as the company's PKI deployment expands.

Angelo Tosi, a manager with Global Risk Management Services at PricewaterhouseCoopers, in Boston, has worked in PKI consulting since 1997.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.