Application of Public Key Infrastructure in E-Business

A. Kazerooni, M. Adlband, O. Mahdiyar
Department of Electrical Engineering, Kazerun Branch, Islamic Azad University
IRAN
A.kazerooni@kau.ac.ir

Abstract: Public Key Infrastructures (PKIs) are the basis of secure internal communications for an organization. Using PKIs for inter-organization communications provides many advantages. However, it is very difficult to achieve the required level of cooperation between PKIs. E-Business needs PKIs implemented between domains which have different Certificate Authorities (CAs). Thus, some problems arise from the differing security policies and coding methods in the PKI of each business. This paper introduces the public key infrastructure and its implementation requirements for firms. Then we investigate issues of PKI cooperation.

Key-Words: E-Business, PKI, Public Key Infrastructure

1 Introduction

Security is an important center of attention in the world of electronic commerce or electronic business, which is done on the Internet. In 1999, an audit found that, from the CEO's point of view, reliance and privacy are the main barriers to e-commerce. E-commerce is broader than simple shopping on the Internet. Thus, e-commerce security is necessary not only for online retail but for every electronic task, whether B2C or B2B.

PKI technology, which uses digital certificates, has been available for more than 20 years. PKI appears to cover the requirements of privacy, data integrity, identification, and access/denial control. VeriSign is the best known company in the field of PKI management services. It is usually seen through pop-up messages when one navigates webpages.

A simple definition of PKI is as follows: a developed software infrastructure using public key technology, which applies digital certificates and coding algorithms in order to secure data transfer over a public network such as the Internet [3].
A digital certificate is an official document which ensures the binding between a key and an ID. It contains the following data: key, ID, key application type, and document validity period [7].

1.1 Main Components of PKI

A PKI usually has one or more Trusted Third Parties (TTPs), which are called Certificate Authorities (CAs). A CA produces public key certificates (see Figure 1). Generally, a PKI includes a set of CAs, the certificates they produce, the policies for certificate propagation, and other parties (Interface Protocols) which support the management, production and distribution of public key certificates (see Figure 1). There are four main components in PKI:

- Certificate Authority (CA)
- Registration Authority (RA), for controlling certificate content and making sure that the certificate belongs to its owner.
- Repository, for distribution of certificates and certificate cancellation lists with maximum efficiency and accessibility.
- Archive, for the safe and long-term storage of information [1,7].

2 Smart Cards

In PKI, unlike other methods of electronic signature, codes are unique to their owner and to each operation. Digital signatures operate as if there were a printing and stamping machine in each smart card. They put a special signal on each message or file produced by the card's carrier. Such digital signatures are valid indefinitely. That is, the signal can always be easily evaluated to verify its source. To process a digital signature operation, the receiving software needs a copy of the sender's certificate and a specially identified master code. The master code is used as the root certificate for evaluation of all certificates of a PKI project. Different master codes define different PKIs. Application software can include all required master codes. Alternatively, one can install the required codes later.

ISBN: 978-1-61804-039-8

Figure 1: Application and certification process [7].

Digital certificates can be cancelled electronically at any time. Cancellation may be applied when the carrier has lost his/her smart card. Alternatively, the certificate of a business can be revoked automatically when its membership is cancelled or it is disqualified [2].

3 Fundamentals of PKI Implementation

The steps required to implement an organization's PKI are:

- Step One: Gathering Information
- Step Two: Decision
- Step Three: Selection of PKI vendors
- Step Four: Preparing for Infrastructure
- Step Five: Implementation of PKI

3. PKI Interoperability Issues in E-Commerce

The most basic PKI architecture is one that includes a CA which produces and provides certificate information to all end users of the PKI. Use and management of a PKI in a "controlled environment" seems to be relatively simple. It is similar to a single organization affiliated with several departments. However, B2B e-commerce requires a more complex PKI architecture containing several CAs, since it involves trades using digital tools between partners that usually each have their own CA.

Apart from the security services, other related factors should also be considered, such as real-time services, delivery time of products and. To meet consumer needs, effective supply chain management is crucial for an e-commerce organization. General requirements for an organization with e-commerce are as follows:

- The company should be able to be in touch with its suppliers and customers, safely and quickly.
- To operate at maximum efficiency and to provide timely services for consumers.
- E-commerce companies should be able to cooperate with other companies to share and exchange information.
To meet these needs, e-commerce organizations should be able to establish secure communication links. For instance, to manage the value chain in real time, a staff member from company A may need to communicate with the financial unit of company B and also the supply unit of company C. It is quite natural to try to use the PKIs already provided for the internal security of each organization. Furthermore, there would be enormous potential benefits if such facilities were available. However, it is very difficult to reach the standards required for interoperability of different PKIs.

Basically, a PKI is normally based on a set of rules and on an understanding of the meanings and applications of public key certificates. The rule set may be explicit, such as a certificate policy, and/or it may be implicit, such as certificate practice statements. Rule sets and their interpretations are inevitably different. Therefore, some difficulties may arise in PKI cooperation. That is, certificate interpretation as a component of a PKI is quite confusing. As a result, interoperability has become a serious issue affecting the growth of PKI in e-commerce. There have been some efforts to simplify PKI cooperation (2001, PKI Forum), but some problems remain, as follows:

- Different developments of X.509.
- Different policies for issued certificates.
- Different requirements on certification issues.
- Different Library Protection.
- Different properties of PKI applications.
- Different standards for storing and retrieving certificates.
- Different PKI knowledge among organization staff.

4 PKI Interoperability Models

There are some models available for the definition of CA communication. Model selection affects interoperability. There are three models which are
usually discussed: the Hierarchical Model, the Peer-to-Peer Model (or Mesh Model) and the Bridge Model. In these models, pairs of CAs have direct relationships. The relationship between CAs includes a confidential exchange of public keys and the construction of a pair of specific public key certificates called a Cross-Certificate. This means that if A and B communicate, then A signs a public key certificate for B, and vice versa. If a client of A (an entity in the PKI domain which contains A) wants to evaluate a public key certificate signed by B, it can first evaluate the cross-certificate. The public key of B is thereby evaluated, and as a result the client is able to evaluate B's signature on the public key certificate. The cross-certificate concept can be extended to a certificate chain, which evaluates a series of cross-certificates connecting pairs of CAs.

4.1 Hierarchical Model

Many current PKI implementations use a hierarchical schema which contains public key rules. A hierarchical schema may also be signed by an authority. The authority may have a certificate issued by a higher reference. The chain of authority references may go hierarchically up to the top authority. This is the approach which usually defines the infrastructure of certificate management, or public key infrastructure [3].

In hierarchical models, all CAs are arranged in a clear and strict hierarchy. At the top, there is a Root CA. Each pair of CAs has an upper CA. Therefore, an end user can simply determine a unique chain of certificates. As a result, the end user is able to evaluate any public key. Although this is simple and attractive, it is not a model for all real-world situations. A CA hierarchy needs to correspond to a hierarchy of trust relationships. Otherwise, the implementation is not possible (see Figure 4). Trade entities, which are the CA operators of B2B e-business, usually don't belong to a natural hierarchical authority. Thus, the hierarchical model is not simply applicable.
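
The cross-certificate chain evaluation described at the start of Section 4 can be modelled as path discovery over a graph of CAs. The following Python example is added here and is not from the paper; it extends the idea to the three models named above, treats certificates as plain records without cryptographic signatures, and all CA names, dates and function names are assumptions.

```python
from collections import deque
from dataclasses import dataclass, replace
from datetime import date

# Model only: certificates are plain records, no signatures are verified.
@dataclass(frozen=True)
class CrossCert:
    issuer: str            # CA that signed the certificate
    subject: str           # CA whose public key it certifies
    not_after: date        # end of validity period
    revoked: bool = False  # listed on the issuer's cancellation list

def pair(a, b, exp):
    """A signs a certificate for B and vice versa (a cross-certificate pair)."""
    return [CrossCert(a, b, exp), CrossCert(b, a, exp)]

def hierarchy(root, cas, exp):
    """Root CA certifies every subordinate CA; trust flows downward only."""
    return [CrossCert(root, ca, exp) for ca in cas]

def mesh(cas, exp):
    """Every pair of CAs cross-certifies directly."""
    return [c for i, a in enumerate(cas) for b in cas[i + 1:] for c in pair(a, b, exp)]

def bridge(hub, cas, exp):
    """Every CA cross-certifies only with the bridge CA."""
    return [c for ca in cas for c in pair(hub, ca, exp)]

def revoke(certs, issuer, subject):
    """Return a copy of the list with one certificate marked revoked."""
    return [replace(c, revoked=True) if (c.issuer, c.subject) == (issuer, subject) else c
            for c in certs]

def build_chain(certs, trust_anchor, target_ca, today):
    """Shortest chain of usable certificates from the relying party's own CA
    (trust anchor) to the CA that signed the certificate being evaluated."""
    usable = [c for c in certs if not c.revoked and c.not_after >= today]
    queue, seen = deque([(trust_anchor, [])]), {trust_anchor}
    while queue:
        ca, chain = queue.popleft()
        if ca == target_ca:
            return chain
        for c in usable:
            if c.issuer == ca and c.subject not in seen:
                seen.add(c.subject)
                queue.append((c.subject, chain + [c]))
    return None  # no trust path: the certificate cannot be evaluated

if __name__ == "__main__":
    TODAY, EXP = date(2024, 1, 1), date(2025, 1, 1)  # constructed dates
    CAS = ["A", "B", "C", "D", "E"]                   # constructed CA names
    for name, certs, anchor in [("hierarchy", hierarchy("Root", CAS, EXP), "Root"),
                                ("mesh", mesh(CAS, EXP), "A"),
                                ("bridge", bridge("Bridge", CAS, EXP), "A")]:
        chain = build_chain(certs, anchor, "B", TODAY)
        print(name, len(certs), "certs;", " -> ".join([anchor] + [c.subject for c in chain]))
```

With five CAs the mesh needs 20 certificates and the bridge 10; revoking the single Bridge-to-B certificate leaves A's clients with no path to B, while revoking A-to-B in the mesh only lengthens the chain.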
In addition, even if a hierarchy of CAs can be implemented effectively, it places a large load of trust on one point, the Root CA. It is notable that this concentration of trust may be inevitable, and it may also happen in the Bridge model [1].

In practice, PKI hierarchy is instantly implemented in well-defined administrative domains. Complicated operation methods between the Registration Authority (RA) and the Certificate Authority (CA) on one side, and CA-to-CA relations on the other, raise several challenges in CA communications. One of the considerable problems is Certificate Practice Statements (CPS) and the process of effective and timely management of cancelled certificate lists [3].

Figure 4: Hierarchical Model for CA communication in PKI [4]

4.2 Peer to Peer Model (Mesh Model)

The Peer-to-Peer model provides a cross-certificate for each pair of CAs. This is very much related to business reality. It probably works well for a small community of organizations (a few CAs) in which each pair of CAs can have a relationship. In this case, an end user needs to evaluate only one cross-certificate (see Figure 5).

Figure 5: Mesh Model for CA Communication in PKI [1].

Unfortunately, this model can't be used for many CAs in the complicated multi-national world of e-business. However, it is arguable that we don't need to have a relationship for each pair of CAs. There are two problems related to this model: i) it places an unacceptably large potential load on the end user; ii) using a non-public chain, effective transportation of trust (such as what is needed for interoperability of PKI) is probably low.

4.3 Bridge Model

The Bridge model is roughly a compromise between the two models mentioned above. In this model, there is one or more CAs which communicates with other
CAs. In this case, a chain of certificates including pairs of cross-certificates is enough to enable an end user to evaluate the public key certificate of another user. This model needs far fewer cross-certificates than the basic peer-to-peer model. In addition, the end user can still build a short and well-defined certificate chain (see Figure 6).

Figure 6: Bridge Model for CA Communication in PKI [1]

The only problem is to determine the proper authorities to provide and implement the CA Bridge. Such an organization should have trustworthy, well-defined communication with other CAs. A possible candidate for implementation of a Bridge CA can be a federal government, such as the US federal bridge. In addition, there are several positive results for the federal bridge CA. However, such a solution cannot be used for international interoperability.

5 The goal of PKI interoperability issues

There are the following issues for PKI interoperability:

- PKI profile standards
- Development and application of Bridge Model
- Personnel education of PKI technology
- Rules of industrial forums and merchants
- New models for establishing liability transfer
- Certificate translation services
- Government support
- The relationships between Bridge CAs

PKI current situations

After a period of hopelessness, public key infrastructure began to recover slowly and trustfully around the year 2000. New interest in PKI comes from a better understanding of its unique properties and of the immediate security requirements of many new types of e-business. In Asia, PKI applications are progressing rapidly. The progression is affected by many models of new and important vertical construction of PKI. Certain jurisdictions in the region, including Australia, Hong Kong SAR and Singapore, have been PKI pioneers since the 1990s. Public key infrastructure has had some success across the world in the past 10 years.
Although some jurisdictions, such as Australia and America, were quite disappointed, others, such as China and Korea, considered PKI infrastructure necessary for e-Business. In Asia, PKI is in an optimal position, but its implementation is difficult and expensive. Specifically, regulators are bewildered about their proper duty. PKI licensing programs in places like Singapore, Hong Kong and Australia are not in large demand. All countries should carefully examine the new PKI test. In particular, they should also be sure about having flexible governmental sites which refer to the quality standards of authentication and identification.

6 Current Important PKI Designs

New ways of thinking about PKI are based on previous transactions and communications between all parties of structured e-business. Contemporary PKI almost always includes the communities of fans. All users have a prior business relationship. These are the PKIs which remain and are now in progress. They are vertical in nature, with well-defined areas and strict controls on cooperation. Partners often have predefined communications, such as governmental certificates, and there are regular legal responsibilities. Therefore, PKI implementation is easy.

Asia PKI Forum (APKIF) is a PKI coalition of national associations from China, Hong Kong, Japan, Korea, Singapore, Chinese Taipei and Vietnam. Observers from Thailand and Kazakhstan and from international organizations, the Organization for the Advancement of Structured Information Standards and the European Telecommunications Standards Institute (ETSI), also attend these activities. Malaysia and India are targeted for membership. APKIF also links regional forums in Mexico, South America, Africa and the Middle East. APKIF works in four working groups: Applications and business, Interoperability and exchange, Legal infrastructure and global cooperation.
Their duty is to analyze legal responsibilities in cross-border e-commerce and online disputes. The Asian Business Coalition (PAN Alliance Asia e-Commerce) supervises nine CAs with 260000 commercial CA digital certificates in online documentation of trades between Hong Kong, China, Chinese Taipei, Korea and others [1]. In Korea, six of the largest banks exchange 10 million certificates [2]. In Australia, there is great interest in the publication of digital "communications certificates" for "known customers", that is, people who are already known to the certificate issuer. This is the new model at the core of current reforms of the PKI accreditation program in commonwealth countries [2].

7 Conclusions

E-commerce security is a prerequisite. Good standards of security are a prerequisite of trust for economic actors operating in the electronic environment. In fact, security is considered one of the major challenges in developing and developed countries. In the world of distributed services, timeless and network provide massive amounts of opportunities for vulnerabilities.

E-commerce is entering a new generation of digital certificates. With electronic signatures, a big evolution occurs in relationships and interactions. Using digital certificates, documents are identifiable and can be traced. Development of electronic commerce in areas such as transactions between the firms is of growing security of digital certificate. More than 80 percent of global e-commerce is based on the B2B model (interaction between firms). By reducing bureaucracy in these interactions, digital certificates help the development of this model and, as a result, the prosperity of the macroeconomy. Using digital certificates, the PKI technology platform regulates Internet transactions and virtual identity authentication. Using PKI in the secure B2B e-commerce arena has a lot of advantages. Many organizations have implemented a PKI to support their internal security functions.
PKI is a business which, like most new information technologies, has its own difficulties. However, the exclusive value of PKI in specific types of on-line transactions has been widely acknowledged. Today, we have a more advanced understanding of PKI. According to Australian IT Security: "overwhelming experience in the PKI is used for the automation of routine transactions, what removes existing relationships and creates most value." Thus, the use of PKI in vertical marketplaces and specific applications is spreading quickly [2].

Therefore, an effective public key infrastructure whose data transfer is safe at any time and anywhere, and which needs no setup or pre-planned communication, is still a goal for the future. Serious problems in interoperability limit PKI application across the boundaries of organizations. Removing such barriers to cooperation and promoting PKI is critical for the future of B2B e-commerce. In this study, we examined some issues of PKI implementation and cooperation in interactions between firms and provided solutions to deal with them.

8 References

[1] Pita Jarupunphol and Chris J. Mitchell, Information Security Group, Royal Holloway, University of London, "PKI Implementation Issues in B2B E-Commerce", EICAR Conference Best Paper Proceedings 2003.
[2] Stephen Wilson, Managing Director, Lockstep Consulting Pty Limited, Australia, "The Importance of PKI Today", China Communications, December 2005.
[3] Eric C. Turner, School of Business and Public Management, The George Washington University, "Public Key Infrastructure: Is this Digital ID system Having an Identity Crisis of Its Own?", Decision Line, September/October 2000.
[4] Nura Information Technology Center, Public Key Infrastructure, 87/12/15. In Persian. http://www.utm.ir/articles/faarticles/pki.html
[5] http://www.valsanam.blogfa.com/post-38.aspx
[6] Rahbar Anformatik Services, Application of Electronic Certificate in Applied Systems (Digital Signature). In Persian.
[7] Esfahaan University of Technology, Introduction of Public Key Infrastructure (PKI) and X.509 Standard. In Persian.
[8] Trade Ministry, E-Commerce Development Office, ICT Performance Report and E-commerce. 1384. In Persian. http://prd.moc.gov.ir/to/reports/ministry%20of%20Commerce%20ICT%20Performance%20Report.doc
[9] Fannavaran e Ettela at, Interview of e-commerce development prime manager. 6th of Aban, 1386. In Persian.