distribute identifiers for public aid, we felt that it was a role of government to be the identifier of a digital certificate and digital signature," said Illinois Chief Technology Officer Mary Barber Reynolds.

Internal operation of the certificate authority also ensures reliable storage of digital identities and eliminates worries about the long-term financial health of third-party PKI providers, according to Brent Crossland, the state's deputy chief information officer.

"What do you do if your ASP goes bankrupt?" asked Crossland. "That was in the back of our minds all along, quite honestly."

Some differences between the Washington and Illinois PKI operations also are a matter of scope. Washington foresees its digital certificates being used to facilitate nearly any electronic transaction -- citizen to government, business to government, business to business or citizen to citizen.

At least initially, Illinois is taking a narrower approach, targeting dealings with state and local government. However, Crossland said use of state-issued digital signatures could migrate over time to commercial dealings, either through formal agreements or informally, much as driver's licenses evolved into a common method for verifying identity in the physical world.

"We're not ready to get there. There are a lot of liability issues, and there are a lot of questions to be answered," he said. "But if you look in the crystal ball, that's probably where things are headed."

Do the Math

Regardless of whether the certificate authority is outsourced or operated internally, the technology behind PKI systems is essentially the same. The certificate authority uses cryptography software to generate a pair of very large mathematically related prime numbers. One number is given to the user and designated the private key. The other -- the public key -- is stored in a directory by the certificate authority and is usually made widely available.

User IDs are issued in the form of an electronic certificate which, in addition to containing the private key, includes information about who the certificate belongs to, who issued the certificate and when the certificate expires. Certificates can be stored in a user's Web browser or in a piece of hardware, such as a smart card or tiny plug-in USB device.

To complete a secure transaction, the user encrypts data with the private key, and the recipient unscrambles the message with the public key. The process provides a positive identity because only the unique key pair can encode and decode the message. In other words, if the public key unscrambles the message, the data must have come from the holder of the private key. The process also works in reverse, allowing someone with the public key to send a message that can only be read by someone with the matching private key.

Although the public and private keys are mathematically related, their length prevents someone from using one to figure out the other, said DST's West. For instance, Washington's PKI system uses numbers that are 1,024 characters long. "It will be a very long time before that's cracked," West said. "We will have moved and upgraded everyone to longer key lengths well before anyone even approaches breaking the code on these."

To ensure that data remains unaltered during transmission, the information is passed through what's known as a hashing algorithm, which creates a mathematical representation of the message. That representation is encrypted with the user's private key and sent along with the message. At the other end, the recipient decrypts the message and runs it through the same hashing algorithm. If the hash file created by the recipient matches the hash file created by the sender, the data is unchanged.
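The hash-then-sign check described above, as an added Python example that is not part of the original article. It assumes textbook RSA without padding and builds its demo keys from publicly known Mersenne primes, so the keys are constructed for illustration only; all function and variable names are hypothetical.

```python
import hashlib

E = 65537  # public exponent, a common choice (assumption, not from the article)

def make_keypair(p, q):
    """Build ((n, e), (n, d)) from two primes: public key, private key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer: the 'mathematical representation'."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender: transform the hash with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: recover the sender's hash with the public key, then
    compare it with a hash computed locally over the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)

# Constructed demo keys from known Mersenne primes (trivially factorable).
SIGNER_PUB, SIGNER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)

MESSAGE = b"Benefit application #1 (constructed sample)"
TAMPERED = b"Benefit application #2 (constructed sample)"

if __name__ == "__main__":
    sig = sign(MESSAGE, SIGNER_PRIV)
    print("unaltered message:", verify(MESSAGE, sig, SIGNER_PUB))   # True
    print("altered message:  ", verify(TAMPERED, sig, SIGNER_PUB))  # False
    forged = sign(MESSAGE, OTHER_PRIV)
    print("wrong signer:     ", verify(MESSAGE, forged, SIGNER_PUB))  # False
```

Deployed systems use randomly generated primes and a padded signature scheme rather than the bare exponentiation shown here.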

Choose Your Security

Washington issues three levels of digital identification, offering standard, intermediate and high levels of security. By early March, the

Steve Towns, Editor

Steve Towns is the former editor of Government Technology, and former executive editor for e.Republic Inc., publisher of GOVERNING, Government Technology, Public CIO and Emergency Management magazines. He has more than 20 years of writing and editing experience at newspapers and magazines, including more than 15 years of covering technology in the state and local government market. Steve now serves as the Deputy Chief Content Officer for e.Republic.