Contents
Introduction
A Few Definitions
PKI Not to Be Confused with PKC
Global View of Market/Technology Lifecycle
Miscellanea
Conclusion
References
In this document, we suggest that the Public Key Infrastructure (PKI) will remain a marginal trend in the rapidly evolving field of electronic commerce and information security. We present a collection of observations, opinions, and references pointing towards our main conclusion. We do not name specific companies or product offerings in part because we didn't formally review the latter. Companies that are strongly committed to the PKI may have related product offerings which . We
We assume that the reader is familiar with the underlying concepts of digital signatures and other forms of electronic authentication mechanisms, and we do not attempt to introduce the concepts that we discuss in here.
The term Public Key Infrastructure (PKI) refers to a global system of authentication, trust management, and privacy protection schemes where Certification Authorities (CAs) act as issuers of electronic credentials. The PKI model envisions ubiquitous and seamless recognition of electronic credentials in the form of security certificates.
The term Public Key Cryptography (PKC) refers to a class of cryptographic algorithms and related protocols and automated data processing mechanisms which, by some magic of computations, avoid the use of a shared secret key between the parties while maintaining protection against "adversaries" equivalent to that of the Secret Key Cryptography (SKC) algorithms.
The term client authentication refers to the property of some security schemes to provide reliable client identification in an electronic transaction, that is, some assurance to the service provider as to who actually initiated an electronic exchange. As a preliminary observation, client authentication systematically requires the use of secret or private cryptographic keys in systems, devices, or apparatuses under the direct control of clients,
The deployment of PKC techniques should not be confused with early adoption signals for the PKI model.
As an electronic payment technology matures, the wear and tear of its security scheme means the emergence of endemic fraud patterns. The economic cost of this fraud is offset by the cost avoidance associated with the decision to postpone the upgrade of the network. The replacement of magnetic cards by smartcards in North America is an example of an upgrade decision that might be envisioned but is quickly turned down on business grounds.
With the PKI security model, we can only speculate about the patterns of PKI usage which might represent attractive targets for would-be fraudsters (fraud is opportunistic), and about the true PKI vulnerabilities (e.g. weaker parts of business processes at the perimeter of the core PKI technology, because the typical fraud patterns are low technology).
At one point, we wrote a critique of the PKC techniques; the resulting document is entitled "Thirteen Reasons to Say 'No' to Public Key Cryptography." This document lists various impediments specific to the PKC technology.
A meticulous comparative analysis of the PKI model and the SAKEM procedure reveals that SAKEM specifies more rigorously how the initial client authentication is achieved. When looking for equivalent provisions in publications about the PKI model, the Internet RFC (request for comment) 2510 [7] appears as a comprehensive and up-to-date text. Surprisingly, the basis for initial client authentication upon application for a security certificate is a secret key shared between the client and the CA ([7] at page 58, field name senderKID). Then, the establishment of this very shared secret key becomes the cornerstone operation for initial client authentication. But since its inception, the PKC technology is meant to avoid the out-of-band establishment of shared secrets! In essence, the PKI model appears to collapse under its own weight when one cares to investigate its inner workings.
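The shared-secret dependency described above is visible in the password-based MAC that RFC 2510 defines for protecting messages. The following Python example is added here and is not code from the original paper or from the RFC; SHA-1 and HMAC-SHA1 are assumed as the one-way function and MAC, the senderKID value, secret, message bytes and CA_SECRETS table are constructed, and the protected part is treated as opaque bytes rather than a DER-encoded structure.

```python
import hashlib
import hmac
import os

def pbm_base_key(shared_secret: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 2510 PasswordBasedMac key: the salt is appended to the shared
    secret and the one-way function is applied `iterations` times."""
    if iterations < 1:
        raise ValueError("iterationCount must be at least 1")
    digest = hashlib.sha1(shared_secret + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest

def protect(protected_part: bytes, shared_secret: bytes,
            salt: bytes, iterations: int) -> bytes:
    """Client side: MAC over the message header and body."""
    key = pbm_base_key(shared_secret, salt, iterations)
    return hmac.new(key, protected_part, hashlib.sha1).digest()

# Constructed CA-side table: senderKID -> secret delivered out of band.
CA_SECRETS = {b"ref-0001": b"constructed-initial-auth-key"}

def ca_verify(sender_kid: bytes, protected_part: bytes, salt: bytes,
              iterations: int, protection: bytes) -> bool:
    """CA side: senderKID only selects which shared secret to check against."""
    secret = CA_SECRETS.get(sender_kid)
    if secret is None:
        return False  # no out-of-band secret, no initial authentication
    expected = protect(protected_part, secret, salt, iterations)
    return hmac.compare_digest(expected, protection)

def demo():
    """Return (enrolled client, wrong secret, unknown senderKID) results."""
    msg = b"constructed header+body of a certificate initialization request"
    salt, iters = os.urandom(16), 1000
    good = protect(msg, b"constructed-initial-auth-key", salt, iters)
    bad = protect(msg, b"guessed-secret", salt, iters)
    return (ca_verify(b"ref-0001", msg, salt, iters, good),
            ca_verify(b"ref-0001", msg, salt, iters, bad),
            ca_verify(b"ref-9999", msg, salt, iters, good))

if __name__ == "__main__":
    print(demo())
```

The request is accepted only when both sides already hold the same secret, so the strength of the initial authentication is that of the out-of-band channel used to deliver it.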
From the legal perspective, Bradford Biddle is a privileged non-technical observer of this field who concluded that the open PKI "will not be the winning business model" ([6], page 1245). This view is supported partly by a careful study of the spread of liabilities in the various digital signature statutes (starting from the Utah Digital Signature Act). The latest e-commerce law-making initiatives are much more "technology neutral" than digital signature statutes: they tend to provide an enhanced legal framework for electronic signatures (defined with a much broader scope than PKC digital signature) and let commercial reasonableness determine which technology is acceptable ([8], [9]).
There are good reasons for the PKC techniques to make slow but steady inroads into the various information security solutions needed with the growing use of Internet and transaction automation. "Slow" because the requirements for strong IT solutions are recognized late as e-commerce initiatives are undertaken. "Steady" because the PKC techniques can provide genuine benefits in selected application areas. But the global view of an open PKI is not expected to ever materialize.
We believe that the SAKEM procedure offers a genuine alternative to the PKI security model for client authentication in many application areas. Whenever a closed PKI is an option, chances are that the SAKEM procedure is a better alternative when the fundamentals of the technology are considered.
Perhaps a parallel can be made between the relatively new PKC technology and relatively older data compression technology. At one point, the data compression technology was seen as a universal technique and was made part of a Microsoft Windows operating system release. With the PKI security model, the PKC technology is seen as a universal technology for all client authentication needs. Users quickly found out that the data compression technology had its side effects. Nowadays, data compression techniques are found in utilities (e.g. backup software) or in selected computer applications where its benefits are most critical, and not as a one-fits-all solution. We foresee a similar future for the PKC technology in support of client authentication for e-commerce security.
[1] Garfinkel, Simson L., PGP: Pretty Good Privacy, O'Reilly & Associates, Inc., Sebastopol, California, 1995
[2] Moreau, Thierry, Initial Secret Key Establishment Including Facilities for Verification of Identity, Patent Cooperation Treaty (PCT) International application number 9852316A1 (PCT/CA 98/ 00431), filed on May 7th, 1998, priority date based on provisional U.S. patent application number 60/046.047, filed on May 9th, 1997, published by the PCT International Bureau on November 19th, 1998, CONNOTECH Experts-conseils Inc., Montréal, Canada
[3] US patent document 5,784,463, Chen, James F., Wang, Jieh-Shan, Token Distribution, Registration, and Dynamic Configuration of User Entitlement for an Application Level Security System and Method, July 21, 1998 (application number 760,414, December 4, 1996), assigned to V-ONE Corporation
[4] US patent document 4,771,461, Matyas, Stephen M., Initialization of Cryptographic Variables in an EFT/POS Network with a Large Number of Terminals, September 13, 1988, (application number 879,784, June 27, 1986)
[5] US patent document 5,142,578, Matyas, Stephen M., Johnson, Donald B., Le, An V., Prymak, Rostislaw, Wilkins, John D., Martin, William C., Rohland, William S., Hybrid public key algorithm/data encryption algorithm key distribution method based on control vectors, Aug. 25, 1992, (application number 748407, Aug. 22, 1991), assigned to International Business Machines Corporation
[6] Biddle, C. Bradford, Legislating Market Winners: Digital Signature Laws and the Electronic Commerce Marketplace, San Diego Law Review, Vol 34 (1997), issue 3, pp 1225-1246
[7] Adams, Carlisle, and Farrell, Stephen, Internet X.509 Public Key Infrastructure Certificate Management Protocols, Internet RFC 2510, March 1999
[8] The State of Illinois, Electronic Commerce Security Act, Illinois 90th General Assembly - 1997-98 Regular Session, 1997 Illinois House Bill 3180 (version as enacted on August 14, 1998), posted on the web at http://www.mbc.com/legis/ill-esca.htm
[9] NCCUSL, Uniform Electronic Transactions Act, (UETA) with prefatory notes and reporter's notes, September 18, 1998, "draft for discussion only", National Conference of Commissioners on Uniform State Laws, Chicago, Illinois 60611, U.S.A., posted on the web at http://www.law.upenn.edu/library/ulc/uecicta/eta1098.htm
CONNOTECH Experts-conseils Inc.
9130 Place de Montgolfier
Montréal, Québec, Canada, H2M 2A1
Tél.: +1-514-385-5691
Fax: +1-514-385-5900