
Best practices in Internet security: The Access Certificates for Electronic Services Program

The Access Certificates for Electronic Services Program (ACES) brings multiple PKI service providers together into an interoperable public key infrastructure (PKI) for use by government entities and the private sector.

By George H. Datesman

Organizations and individuals need to be able to protect themselves from intercepted or altered Internet communications and to reject transmissions from senders who cannot prove who they are. To accomplish this on behalf of federal government agencies, the U.S. General Services Administration (GSA) initiated the development of the Access Certificates for Electronic Services (ACES) program. The program brings multiple PKI service providers together into a regulated, interoperable Public Key Infrastructure (PKI) that will soon be available for use by other government entities and the private sector. Opening ACES for general use should significantly enhance e-commerce and e-government in the United States.

GSA will soon release detailed information to prospective participants, which include the ACES PKI service providers (commonly called certificate authorities), the ACES Relying Parties (those who rely on the ACES Program to secure their information and provide identity assurance), and the individual PKI certificate holders (who are known as "users" or "subscribers"). The procedures for becoming an ACES relying party will be part of this formal announcement expected to be released around October 1.

A brief overview of cryptography

ACES protects Internet communications through cryptography. Cryptography, the practice of writing in secret codes, has been used for thousands of years. Traditionally, the sender transformed the text of a message by substituting other letters, numbers and symbols for it according to a fixed set of rules, or algorithm. The result is unintelligible gibberish to anyone who cannot reverse the process to recover the readable text. As long as only the senders and recipients know the substitution rules, the information is secure.

Parameterizing the algorithm with a secret "key" that determines how the substitution proceeds provides additional security assurance. That way, many people can use the same algorithm (it can be public); only the keys need to be kept secret among the several people who need to communicate. These are called "symmetric key" cryptographic systems, because the same key both encrypts and decrypts. Their practical weakness is key distribution: before two parties can exchange anything in secret, they must first share the key over some other channel they already trust.
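To make the shared-key requirement concrete, here is an added example, not from the original article or the ACES program, written in Go against the standard library's AES-256-GCM. The message text and the key names are constructed for illustration. It shows that the key which sealed a message is the only one that opens it, and that any alteration in transit is detected rather than silently decrypted to garbage:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewSharedKey produces a fresh 256-bit AES key. In a symmetric system this
// single value must reach every communicating party over an already-trusted
// channel; that is the key-distribution problem public key systems address.
func NewSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates msg under key with AES-256-GCM. The random
// nonce is prepended to the output so the recipient can recover it.
func Seal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal. It fails if key differs from the sender's key or if any
// byte of the sealed data was altered in transit (the GCM tag no longer matches).
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	shared, _ := NewSharedKey() // constructed: the key both parties agreed on
	other, _ := NewSharedKey()  // constructed: a key nobody shared with the sender
	sealed, _ := Seal(shared, []byte("constructed sample message"))

	pt, err := Open(shared, sealed)
	fmt.Printf("same key: %q err=%v\n", pt, err)
	_, err = Open(other, sealed)
	fmt.Println("different key:", err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(shared, sealed)
	fmt.Println("altered in transit:", err)
}
```

Note that nothing in this block tells the recipient who the sender is beyond "someone who has the key"; that is exactly the gap the key pairs described next close.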

In the mid-1970s, work on one-way mathematical functions led Whitfield Diffie and Martin Hellman to conclude that it should be possible to construct two different cryptographic keys related in such a way that if one key is used to encrypt a plaintext message with a given algorithm, only its mathematically matched key can decrypt the result with that same algorithm. These "key pairs" established a new approach to key management, since it was no longer necessary for all communicators to share the same secret key. Instead, each participant receives a key pair. One key is known only to its owner and is kept secret (the private key); the other is made public (the public key). The public key is placed in a directory and made available to anyone who wants to establish secure communications with its owner. The relationship also works in the other direction: what the owner produces with the private key, anyone holding the public key can check, which is how a digital signature proves who sent a message and that it was not altered.

Cryptographic systems that use this type of key management are known as "asymmetric key" or "public key" cryptographic systems. Publishing a key in a directory removes the need for secrecy but raises a new question: a relying party must be sure that the public key it fetched really belongs to the person it is labelled with. An infrastructure is required to establish and maintain that binding, and the generic term "Public Key Infrastructure (PKI)" now denotes a standards-based approach to doing so: certification authorities that verify a subscriber's identity and issue a digitally signed certificate binding that identity to the public key, the certificate policies under which they operate, and the directory and revocation services relying parties use to check a certificate before trusting it. National and international organizations are converging on a set of standards that have been formulated into a PKI Certification Authority certification program (WebTrust CA™) by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.
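The certificate issuance and relying-party check that a PKI performs, as an added example in Go using the standard library's crypto/x509. This is illustrative code, not ACES software or the article's own: the CA names, the subscriber name, the serial numbers and the validity periods are assumptions, and a production CA also publishes revocation information, which this example omits. A relying party accepts a certificate only if it chains to a CA in its trust store; the same name issued by a CA it does not trust is rejected:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authority is a toy certification authority: a key pair plus the self-signed
// certificate that relying parties install as a trust anchor.
type Authority struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewAuthority creates a CA with a self-signed certificate valid for one year
// (assumed period). Only the certificate is published; the key stays with the CA.
func NewAuthority(name string) (*Authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Authority{Key: key, Cert: cert}, nil
}

// Issue binds a subscriber's name to their public key under the CA's signature.
// The subscriber's private key never leaves the subscriber; only the public key
// enters the certificate. Validity of 90 days is an assumption.
func (a *Authority) Issue(subscriber string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subscriber},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.Cert, pub, a.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RelyingPartyAccepts is the relying party's check on a presented certificate:
// build a chain to a CA it trusts and confirm validity period and intended use.
// It needs no secret of its own and never sees the subscriber's private key.
func RelyingPartyAccepts(trusted []*x509.Certificate, presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	aces, _ := NewAuthority("Example ACES CA") // assumed name; the CA the relying party trusts
	rogue, _ := NewAuthority("Unknown CA")     // assumed name; not in the trust store
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	good, _ := aces.Issue("Jane Subscriber", &subKey.PublicKey, 2)
	bad, _ := rogue.Issue("Jane Subscriber", &subKey.PublicKey, 2)

	trust := []*x509.Certificate{aces.Cert}
	fmt.Println("certificate from the trusted CA accepted:", RelyingPartyAccepts(trust, good))
	fmt.Println("same name from an unknown CA accepted:", RelyingPartyAccepts(trust, bad))
}
```

The relying party's decision rests entirely on which CA certificates it installed as trust anchors, which is why a program such as ACES centres on vetting and auditing its CAs rather than on the subscribers' software.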

GSA oversight

GSA retains responsibility for monitoring the ACES Certification Authorities to ensure continuing compliance with the ACES Certificate Policy and requires each CA to undergo and submit an annual compliance review by an independent third-party auditor; WebTrust CA™ certification is the preferred method for satisfaction of this requirement. This provides further assurance to all ACES participants that the ACES Certification Authorities are abiding by the requirements set forth in WebTrust CA™ and the ACES Program Certificate Policy.

Certificate usage

Availability of the ACES Program provides a reasonably priced and well-regulated basis for improved protection from Internet-based spam, scams and smut. Technologically, it is feasible to build filters that reject communications from individuals or organizations who are unwilling to reveal their identity. The ACES Program provides the identity authentication capability that the Federal Trade Commission, the Federal Deposit Insurance Corporation and the U.S. Secret Service have recently reported as essential to protecting the public from these unwanted communications. Two limits apply: a valid certificate proves only that the sender holds the private key an ACES CA bound to a verified identity, not that the sender's intentions are honest, and a relying party must also confirm that the certificate has not expired or been revoked before acting on it. ACES may not be a perfect answer, and it will not stop every unwanted communication from reaching its intended victim, but it is capable of providing a much higher level of protection than is available today.

About the author
George Datesman is the Mitretek Senior Manager responsible for the technical and policy support Mitretek provides to the GSA ACES Program. He has more than thirty years of law enforcement and security management experience. He holds BS and MS degrees in Criminology and a Ph.D. in Educational Administration. For more information, e-mail George at datesman@mitretek.org.

This was last published in September 2005
