When I last looked at PKI (public key infrastructure), it wasn't looking too healthy. PKI complexities, cost hold...
promising technology back read the headline, and PKI still isn't taking the world by storm. One PKI vendor, Baltimore Technologies, recently reported a 50% drop in revenue for 2002 and has chopped about two-thirds of its workforce since December 2001.
PKI uses public and private cryptographic keys to authenticate the identity of network users and to encrypt their data so that only the intended recipients can read it. It includes mechanisms for sharing those keys (and the digital certificates that vouch for a user's identity and hold their public keys) across applications. The problem, says William Hugh Murray, an executive consultant with TruSecure Corp., is that "we don't have very many applications to go across" because of the slow adoption of PKI.
But driven by regulations protecting consumer privacy, as well as terrorism-driven needs to protect critical corporate and governmental information, PKI is showing signs of life. Datamonitor, a British-based market research firm, predicts the worldwide PKI market will reach $2.5 billion this year, up from $1.8 billion last year.
From where I sit, it looks like the growth in PKI may come in some surprising areas, such as storage networks, and with more PKI functions implemented "under the covers" as part of the network or application infrastructure, rather than as standalone applications. But PKI is also still so complicated that it will drive new practitioners crazy with some problems you would have thought had been solved years ago. Here are some observations from the PKI front.
PKI in storage
Electronic commerce, commercial and government data mining (such as attempts to detect terror threats from everyday credit card and other transactions) are driving huge growth in networked storage. That storage infrastructure needs to be protected (see Time to prepare for SAN security), and one way to do that is to use PKI not just to encrypt data on the storage network or to authenticate users, but to authenticate the components of the storage network itself.
Kasten Chase Applied Research Ltd., a long-time player in the government security market, hopes to do exactly that with its Assurency Secure Network Storage product. Available this month, the suite includes the rack-mounted Assurency Appliance that serves as a PKI certificate authority for a storage area network as well as a management console through which administrators can control which servers can access the storage network, says Kasten Chase's Senior Vice President of Strategic Business Development Hari Venkatacharya.
"We have shrunken traditional network PKI to about 15% of what it was," he says, in terms of complexity, ease of implementation and software footprint. The initial release supports only storage area networks, but Kasten Chase is working on a follow-on that will support network-attached storage. Kasten Chase is also talking to makers of networked storage components such as switches, host-bus adapters and storage arrays, to create software agents that would provide authentication and key exchange between those devices and the Assurency Appliance.
The Kasten Chase suite also includes a cryptographic co-processor which offloads encryption from the storage fabric or the server and is, says Venkatacharya, more scalable than standalone encryption appliances because each additional server can host its own encryption co-processor. Which leads me the second trend: PKI as part of the network and application infrastructure, rather than as a standalone application.
PKI as infrastructure
Just as Kasten Chase is promoting a cryptographic add-in card for servers, IBM now ships powerful cryptographic engines as a standard feature in their mainframes, says Murray. "Their assumption is the most critical applications in the world" will be running on those systems, meaning they'll need the extra cryptographic horsepower, he says.
Some of the biggest adopters of PKI, in fact, are large financial institutions. One of Baltimore's recent customer wins was MasterCard International's selection of Baltimore's UniCERT PKI software for its MasterCard SecureCode program, which will require online customers to punch in a personal code when using their credit cards. Indeed, says Murray, "the most widely-deployed PKI today is that which is embedded in Lotus Notes – and hardly anybody knows it's there."
Baltimore is trying to make it easier to embed PKI within the corporate infrastructure with its Trusted Business Suite. Launched last fall, it packaged Baltimore's core authentication and authorization technologies with networking, data and messaging applications. The aim, said a Baltimore executive: To make security "transparent."
The market will decide whether these lighter, more transparent, more "embedded" forms of PKI will fare better than previous generations of PKI tools. The functions PKI provides are critical, but for now it's still too complicated, expensive and cumbersome for the average security or network manager.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. Do you have a PKI question or comment? E-mail Bob at firstname.lastname@example.org.
For more information, visit these resources:
- SearchSecurity.com Glossary: PKI
- Executive Security Briefing: PKI investment measurable?
- Executive Security Briefing: Public Key Cryptography: Q&As from your peers
- Quiz: Cryptography