Powell, Goldstein, Frazer & Murphy
1001 Pennsylvania Avenue NW
Washington DC 20004
April 27, 2000
Advisory Committee on Online Access and Security
Comments of Entrust Technologies, Inc. on
Entrust Technologies, Inc. ("Entrust") hereby submits the following comments on the draft sections posted April 19 and 20, 2000, of the Report of the Federal Trade Commission's ("the Commission" or "the FTC") Advisory Committee on Access and Security ("the Advisory Committee"). Entrust is a leading provider of comprehensive network security solutions to private and public sector organizations, based on public key infrastructure ("PKI")-based technology. The public key concept, originally developed in the mid-19709s by Whitfield Diffie and Martin Hellman, is non-proprietary and has been thoroughly validated in theory and practice over the past two decades. A public key infrastructure uses encryption algorithms in combination with authentication and verification technology offered by digital certificates to provide users with a secure and reliable means of communicating and storing information over public and private networks. The key distinguishing feature of the PKI approach is its comprehensiveness - unlike products focusing on particular aspects of network security, such, for example, as transactional encryption or password tokens or "firewall" products, PKI systems address all the recognized critical network security needs of large organizations:
The Advisory Committee's - and the Commission's - goals of ensuring data access and security (as well as other widely endorsed privacy-related policy goals) are universally supported. But as a practical matter, these goals cannot be achieved, without broad deployment of technologies, prominently including PKI, that address the critical network security needs noted above. One of the most valuable contributions the Advisory Committee can make is to promote greater awareness and appreciation of the various techniques and approaches available for meeting consumers' needs for access and security, and of the technical, cost, and policy issues associated with these techniques and approaches. In the spirit of stimulating such an effort by the Advisory Committee and the Commission, Entrust submits these brief comments.
I. "Privacy" and "Security" are interrelated and interdependent - You can't have one without the other.
A particularly valuable contribution of the Advisory Committee's April 19-20 draft report is that it brings to the surface a critical fact heretofore not widely recognized - that for the most part privacy and security are not in conflict. On the contrary, the prerequisites for ensuring network privacy require parallel, mutually reinforcing, and often identical implementation. For example, as the draft section on "Authentication and Access" expressly recognizes, ensuring consumers access to personal data held by online public or private sector entities will actually increase privacy risks, unless the means are provided to "authenticate" that the requesting individual is in fact the person whom it purports to be. This goal must in turn be accomplished in a manner which works - i.e., it must be reliable, user-friendly, and cost-effective. Moreover, engineering a system to enable individual consumers to conveniently view (or correct) their own personal data will also increase vulnerability to penetration or manipulation of others' data or other parts of the network to which particular individuals do not have legitimate access. Hence, individuals must be simultaneously empowered to access their own data but blocked from improperly leveraging that access. Finally, techniques heretofore associated with "security technology" are essential, not just "access" and the conventional concept of "security," namely, safety from theft by hackers; security techniques are essential to the entire gamut of basic privacy requirements,. For example, if data-collecting entities are required to secure consumers' consent to their use of personal data, and such requirements are meaningfully enforced, then it will be essential to show non-repudiatable evidence of such consent. As another example, the overwhelming majority of unauthorized "break-ins," thefts, and manipulations of sensitive data are from sources within organizations; hence, the measures an organization takes to manage employee access on its internal networks are among the most important guarantors of privacy for consumers or other external individuals.
II. Establishing effective privacy regimes for consumers on a national or global basis will in many instances require deployment and adaptation of the more elaborate security technologies now being introduced within large private and public sector entities.
An important implication of the Advisory Committee's draft report is that, to address the requirements that the Commission, and other authorities, have identified as essential to ensuring privacy, it will be necessary to use the techniques of network security technology. Indeed, in many instances it will be necessary to adapt and utilize the comparatively sophisticated and comprehensive approaches directed to the needs of very large organizations. Viewed from the standpoint of online vendors or other organizations (such as universities or governments) that collect data from many thousands of individuals, the challenge of complying with privacy regimes will essentially mean providing the prerequisites for network security noted above - i.e., access control, authentication, confidentiality, integrity, authorization, and nonrepudiation. However, privacy requirements will involve far-flung and ever-changing populations of consumers, taxpayers, students, etc. Hence, these organizations will be obliged to expand the reach of their current and planned network security approaches - scaling their security systems up to handle the needs of groups even larger than and with more attenuated and episodic relations to the entity than, say, employees, workers, contractors, and the like.
III. The Elements of a Public Key Infrastructure.
Many large organizations are turning to PKI-based solutions to meet their network security needs for dealing with internal data, and with discrete customer and supplier groups. To meet privacy requirements, whether driven by market or regulatory considerations, such organizations will be obliged to consider extending and adapting the internal and "B2B" technologies and approaches they have installed or are planning to install. In the spirit of providing useful information for the Advisory Committee's record, we provide here a brief sketch of the nature and benefits of PKI technology.
As noted above, a public key infrastructure uses encryption algorithms in combination with authentication and verification technology offered by digital certificates to provide users with a secure and reliable means of communicating and effecting transactions over public and private networks. Public key technology provides a mechanism to strongly authenticate users over closed or open networks, ensure the integrity of data transmitted over those networks, achieve technical non-repudiation for transactions, and allow strong encryption of information for privacy/confidentiality or security purposes. Strongly authenticating users is a critical element in securing any infrastructure; if you cannot be certain with whom you are dealing, there is substantial potential for mischief. Ensuring the integrity of data from end-user to end-user makes it more difficult for data substitution attacks aimed at servers or hosts to succeed. Technical non-repudiation binds a user to a transaction in a fashion that provides important forensic evidence in the event of a later problem. Encryption protects private information from being divulged even over open networks.
Limitations of "shared secret" or symmetric cryptography. Public key technology differs from systems using "shared secrets" or symmetric cryptography. In the latter, users are authenticated based on a password, Personal Identification Number (PIN), or other information shared between the user and the remote host or server, or between two or more users. Communications privacy is provided by a single key, again shared between two parties, which is used in an algorithm (agreed to beforehand by the transacting parties) by the sender to encrypt and the recipient to decrypt transmissions.
Symmetric cryptography has several inherent limitations that become acute when the transacting parties have no prior relationship. First, each pair of transacting parties needs a unique shared secret key - or else impersonation or eavesdropping becomes a problem. This means that the approach does not scale well - each user must have as many keys as people with whom he or she deals. Second, once one party generates a secret key, that key must be transported securely to the trading partner, which can cause immense logistics problems and delays. Finally, because the individual must share the key with a trading partner, non-repudiation is lost. What this all means is that symmetric cryptography, by itself, is not conducive to e-commerce or e-government.
Public key encryption, digital signatures, and certification. The limitations of symmetric cryptography are overcome using public key technology, which is also called "asymmetric cryptography." In a typical Public Key Infrastructure (PKI), two key-pairs are generated by or for each user, one key-pair for digital signatures and authentication, and the other key-pair for encryption. Each key-pair comprises two keys (very large numbers, typically 150 to 300 digits in length) which are mathematically linked in a very subtle way. For each key-pair, one key is kept private, and the other is made public.
Each public key is made public in the form of a digital certificate where a trusted party (called a Certification Authority, which may be within or external to the entity) cryptographically binds the public key to the person's identity by digitally signing the certificate. The digital signature on the certificate ensures that any unauthorized alteration of either the identity or the public key will be detected.
The mathematical algorithm used for generating the keys, and the size (length) of the keys, can be selected to provide virtually complete assurance that the private key cannot be deduced from the public one. In the case of a commonly used algorithm called "RSA," this can be done because information available at the time of key pair generation (where the private key is deduced from the public one) is immediately discarded and cannot be recreated.
Because public key technology uses two keys, one of which is kept secret and the other made public, there is no "shared secret" between the transacting parties, and thus no opportunity for one party to compromise the interests of both by losing control over the "shared secret." There is also no need to manage large numbers of symmetric keys (since each set of transacting parties would need a unique symmetric key). The user makes the digital certificate available to whomever he or she wishes to conduct business.
As long as the user keeps his or her private key private, a malefactor will have great difficulty attempting to impersonate the user or obtain private communications simply by attacking the remote computer or server - because there are no "shared secrets" used for these purposes. This is a critical point, because many attacks focus on large data bases of shared secrets - passwords, PINs, and the like - held at hosts or servers which, by their nature, must be available for access by multiple users and applications in order to provide the functionality for which they were designed. If the data base can be successfully compromised using dictionary or other attacks which rely upon finding one or a few commonly used passwords from a long list (even where the passwords are encrypted), a user's account or interests can be compromised without the user's knowledge and even if the user did nothing wrong. With public key technology, the user normally must do something wrong to be at risk: he or she must compromise the private key in some fashion.
"Hash" functions and non-repudiation. In a common form of digital signature associated with e-mail, when the user wishes to sign a document digitally, he or she applies the private signing key to a hash of the document being signed which transforms the hash into a new, different number. The user then sends that signed hash along with the original document to the recipient. The hash is like a unique fingerprint of the document, expressed in the form of a large number. The recipient, in turn, takes the signed hash, applies the sender's public key which transforms the signed hash into the original unsigned hash, and then creates a fresh hash of the original document as sent. The two hashes must be identical for the digital signature to validate. The e-mail client software performs all of these functions - the user does not have to go through each step manually.
The action of digitally signing and then validating the signature to authenticate the sender, provides data integrity for the document because any change to the document after the original hash is generated and signed would cause the signature to fail to validate. This affords technical non-repudiation - the user cannot later deny that his or her private signing key was used to make the digital signature. Of course, it is still necessary to demonstrate that the user had control of the private signing key to establish legal non-repudiation.
A sender can encrypt a document so that it can only be decrypted by the intended recipient, achieving confidentiality. To do this, the sender generates a one-time symmetric encryption key (called a "session key") and uses that to encrypt the document. The sender then takes the public key of the recipient, encrypts the symmetric session key with that public key, and sends the encrypted session key plus the encrypted document to the recipient. The recipient, in turn, applies his or her private key to decrypt the symmetric session key, then uses that to decrypt the document. This combination of symmetric and asymmetric cryptography is done for reasons of computational efficiency, since the former can be done much faster on a computer than the latter. This is especially important for large files. Again, the e-mail software performs these functions automatically - the user does not have to go through each step manually.
Private keys. For most implementations, the private key is held on a hard disk and "unlocked" (i.e., made available to sign or decrypt information) with a PIN or password that is a "shared secret" between the user and his or her computer. For added security, the user may create and hold the private signing key on a hardware token such as a smartcard, and then use a PIN, password, or biometrics identifier (like a fingerprint) to unlock that key for use. To emphasize, the PIN or password in this case is a shared secret between the user and his or her smartcard - not between the user and a remote host or server, and not even between the user and his or her computer. Thus, as long as the user retains control of the smartcard, the system remains secure. If a biometric identifier is used to unlock the private key for use, then security is further enhanced because the malefactor must get the smartcard and a copy (somehow) of the biometric identifier.
Smartcards, which provide for key pair generation on the card, may also provide for signing events to occur on the card. In other words, the hash of the document to be signed is provided to the card, where a microprocessor executes the signing event and returns the signed hash to the application program on the computer. This approach provides the highest security - the private signing key is generated on the card and never leaves it even for signing events.
Some smartcards possess vulnerabilities that may allow a malefactor to deduce their operations by measuring power consumption or the timing of certain events. These types of attacks, however, require physical possession of the smartcard, sophisticated laboratory equipment, and exquisite knowledge of smartcard operation, so they are not usable by a remote hacker or by a common thief who may steal the smartcard. Further, newer smartcards employ power spectral filtering or other technologies that make them less susceptible to these attacks.
Comprehensive, end-to-end public key infrastructure. The mere issuance of digital certificates does not ensure that a user's access is properly monitored, that privileges associated with access are accurately and currently defined, or that the certificates in question have not been updated, withdrawn or replaced. Indeed, the proliferation of users and certificates greatly complicates management of these types of issues, which are critical to maintaining an effective security environment across and between organizations. To address the management and business issues associated with use of public key encryption and certificates, organizations, particularly those dealing with suppliers or customers in the B2B market, must have a robust public key infrastructure that supplements certificate issuance functions with full life cycle management of public and private keys, including issuance, authentication, storage, retrieval, backup, recovery, updating and revocation. In addition, these functions must operate in an easy-to-use, cost-effective manner.
Moreover, unless digital certificates and private keys can be easily utilized on a consistent and reliable basis across multiple applications, organizations will face the challenge and cost of maintaining a separate security infrastructure for each application. Maintaining these different security infrastructures could result in separate keys and certificates for each user for different applications, multiple passwords and inconsistent or incomplete security implementations. Such a disconnected, inconsistent set of products would be costly to operate and difficult to use. Furthermore, any PKI must be able to support an organization's security requirements as the enterprise grows, business functions are altered, and underlying information technologies evolve. To be effective, a public key infrastructure must be able to accommodate a large number of users and integrate diverse computing resources into a cohesive, reliable and secure computing environment that meets the six critical network security needs. The need for comprehensive, end-to-end public key infrastructure solutions is particularly apparent for external (B2B) transactions and communications, the majority of which have information security requirements that are met only by complete, end-to-end solutions that are cost-effective to operate and easy to use.
IV. Implementation of societal privacy regimes and PKI solutions.
The security benefits of digital certification have led to increasing market demand, particularly in markets where information security is critical, such as government, finance, health care and telecommunications. This increasing demand has given rise to numerous products and services that issue digital certificates or that are able to work with digital certificates. As discussed above, adoption of societal privacy requirements for consumers, taxpayers, students, patients, and other categories of individuals will magnify the need to adopt comprehensive enterprise-wide security solutions and to extend the reach, increase the sophistication, and simultaneously simplify individuals' interaction with these systems. To meet these needs, it is important to recognize that highly sophisticated and effective PKI technology is already available, although it is evident that substantial and ongoing investments will be required to handle the vast and varying demands of protecting individual privacy in a networked society. As the process of implementing privacy requirements moves forward, important technical, cost, and policy issues are likely to surface. From the standpoint of individual consumers and of society as a whole, the technology "scaling" issues associated with effective privacy protection will add an additional layer of complexity to the already complex challenge of designing network privacy/ security solutions for particular organizations, however large they may be.
Entrust respectfully submits these suggestions for the Advisory Committee and the Commission to consider: