Dave Oshman knows a thing or two about public key infrastructure. He developed PKI-based security solutions for the National Security Agency and the U.S. Postal Service, then cofounded "beTRUSTed," PriceWaterhouseCoopers' certification authority. Oshman is now senior vice president of technology at Identrus, a New York company formed by some of the world's largest banks that promotes a digital certificate and digital signature standard for financial services.
With the Identrus standard, member banks can provide their customers with assurances of the identity and ability to pay of counterparties. Identrus-enabled applications include electronic bill payment and presentment, e-marketplaces, payments processing, online letters of credit and foreign exchange settlement from founding members ABN AMRO Bank, Bank of America, HypoVereinsbank and Deutsche Bank (see BS&T February 2001, page 14).
In an interview with BS&T associate editor Ivan Schneider, Oshman discusses Identrus' security components and the operational requirements for companies that want to get involved.
BS&T: For banks, what does it take to offer Identrus-based services?
OSHMAN: There's an infrastructure cost for hardware and software, depending on how much performance and scalability you need. Those costs are pretty easy to figure out. You also need to determine how much manpower you're going to need to keep the thing running.
Then, it's pulling together the policies and procedures to make sure the thing runs well. This is the biggest challenge that banks have in implementing an Identrus system.
If a bank is going to operate an Identrus certification authority (CA), we want to know beforehand that they have disaster recovery in place and have developed their certification practice statement. That tends to be the biggest stumbling point for banks - just getting through the documentation and making sure that it's all up to snuff.
BS&T: What are you doing to help banks prepare for an Identrus program?
OSHMAN: Identrus is putting together an implementation guide that will help banks get through that process. After putting six banks up into production we've figured out the biggest challenges. We want to work with some professional services organizations, or maybe our "Express Partners," to help put a service in place so that banks can adopt Identrus as a package deal.
BS&T: Is there room for another security standard in banking?
OSHMAN: Two years ago I would have said there was a potential for a lot of different organizations to make something like that happen. But we close the year 2000 with 42 Identrus member banks. We now have six member banks that are online and probably another 15 that we expect to go online towards the middle of the year. These are 42 of the 50 largest banks in the world and the other eight banks are not far behind.
Editor's Note: Identrus has announced the addition of seven new Certificate Authorities: AIB Group (Ireland), Bank of Ireland, Bank of Tokyo-Mitsubishi (Japan), Banco Sabadell (Spain), Banesto (Spain), Credit Lyonnais (France) and PNC Financial Services Group. These financial institutions will be able to issue secure, crypto-enabled Identrus Global IDs as soon as their internal security infrastructures are ready.
We have too much momentum for there to be any real concern about competitors in this space. We certainly keep our eyes out for those businesses that we think can be competitors.
BS&T: Could the card associations make inroads into the market?
OSHMAN: Certainly - they have a stronger knowledge in the consumer side of things, and Identrus is focusing on the business customers.
But they haven't done anything yet, and I think we're past the time where we could get a new entrant into the market.
BS&T: What are you doing to help applications developers?
OSHMAN: We're now putting together a solutions provider program. If a company has, say, an e-mail application, we will provide them with the specifications to make it Identrus-compliant. We will also have a process through which we can test each of those applications to determine whether they meet our requirements. Companies that pass will be given an Identrus seal so that they can go out and sell their products as Identrus-ready.
For secure e-mail, we already have a working group in the U.K. that came up with the secure e-mail specification. Now that the specification is done, people who want to do secure e-mail with Identrus will know exactly how to go about implementing it.
This year we really want to focus on getting applications enabled so that our banks have a lot of choices, so that there really is a reason to join Identrus and then for people to start using the system.
It would be really nice if there were 100 or 200 applications that were Identrus-ready so that the banks could just go and pick them off the shelf and start using them.
BS&T: How does PKI work?
OSHMAN: The mathematics of it are based on the factoring problem. The whole theory is that really big numbers are very difficult to factor, especially if you choose certain things about them. For increased security, you can make the keys - the inputs to it - bigger.
BS&T: How big are the keys for Identrus?
OSHMAN: For the identity certificates and for the Level 1 certificates used by qualifying Identrus banks, we use 1024-bit keys. For the root certificate we actually use double that: 2048-bit keys. And we allow our Level 1 banks to use 2048 if they want to.
Editor's Note: The typical browser uses 128-bit encryption.
BS&T: What would it take to break those keys?
OSHMAN: Every year at the RSA, a security industry trade show, they have a contest to see who can break this encrypted message the quickest. Last year they had ten thousand computers using parallel processing that were able to break it in 23 hours. But that was based on a 56-bit key.
If you had the strongest computer there was, it would take half-a-billion years to break a 2048-bit key.
BS&T: Do people have to know anything about PKI in order to use it?
OSHMAN: I would hope not. All the end user should know is that they have to protect that PIN and that smart card.
BS&T: What happens if someone's PIN or smart card is compromised?
OSHMAN: Each party in the system has to take some responsibility. An end user starting a transaction will probably have to sign some type of agreement that says, "I understand that I need to take care of my PIN and if I suspect that anyone has used it, it's important for me to contact whomever gave me this card and report it." But if that doesn't happen, there are actually some very detailed dispute resolution procedures that Identrus has written.
Everything that could happen in the system is covered by our operating rules - all of the legal documents that define "what happens if."
And specifically for compromised PINs/cards, there's a dispute resolution procedure where you go and talk to your bank and figure out what went wrong and who's responsible.
BS&T: What must a company do to bring employees onto Identrus?
OSHMAN: Either an Identrus member bank performs the registration, or the bank can designate an individual within the company to register those people into the system.
BS&T: Who's liable for rogue employees?
OSHMAN: At the end of the day, whether the company or the bank registered that person, the company's going to be responsible for the people that they authorize to get certificates.
So if some guy all of a sudden goes bad within a company, the company's going to be responsible for that.
BS&T: Are there any vulnerabilities to the system at the PC level?
OSHMAN: If you log in through your computer keyboard, which most people do, a rogue application can capture keystrokes...which can start sending commands through to the smart card to do things.
But because all cryptographic processing is done on the smart card, people can't break through and figure out what the keys are from the computer.
As far as telling the smart card to do stuff, a rogue application could do that. However, you can have a smart card reader that has a keyboard built in for PIN entry.