Securing Wireless Transactions

Implementing PKI in the wired world is becoming an increasingly important way to authenticate and secure e-commerce transactions

Implementing PKI in the wired world is becoming an increasingly important way to authenticate and secure e-commerce transactions. But, experts say, security managers shouldnt stop there. The same security and identity verification capabilities that are making PKI important for wired transactions will also make it a fit for wireless transactions, experts say.

Various public-key infrastructure products—including Certicom Corp.s WAP (Wireless Application Protocol)-enabled Trustpoint PKI Portal and RSA Security Inc.s Secure ID—have been modified for mobile applications, providing encryption, authentication and nonrepudiation for wireless data. PKI allows wireless users to encrypt their over-the-air communications using public keys that are trusted by the server and the mobile device. Public keys can authenticate the application provider and the user to one another, ensuring the integrity of data flowing between user and application. And, PKIs nonrepudiation capability guarantees the merchant that the consumer is who he or she claims to be.

Some large e-businesses with big wireless plans are beginning to embrace PKI. Last summer, IT managers at Visa International began evaluating whether or not SET (Secure Electronic Transaction), Visas PKI solution for financial transactions, can be extended into the companys wireless channels. In the end, Visa officials decided that the technology did meet the companys needs, said Joe Chouinard, vice president of Visas New eCommerce Channels division, in San Francisco. Visa chose to use a Wireless Transport Layer Security PKI extension to ensure end-to-end security for its mobile commerce program launched last month in Australia.

This does not mean PKI is a panacea for wireless security, however. Many organizations continue to grapple with limited PKI pilots on wired networks, never mind wireless, which will present some unique challenges, experts say. For starters, IT managers such as Tom Hagan, senior vice president and chief privacy officer at medical insurance application service provider PersonalPath Systems Inc., in Upper Saddle River, N.J., worry about the scalability of wireless PKI. Given the high predicted growth rate of mobile subscribers, experts say its important to ensure that your chosen solution can make the millions of wireless connections the market will demand.

Others, including Chouinard, said theyre worried that the mobility and size of cellular phones make it too easy for users to misplace the keys. Without the use of smart cards to store keys, theres almost no way for an e-business to authenticate a wireless users identity, they said.

Already, smart cards that store private keys are in widespread use in Asia and Europe. Four years ago, Citibank Corp., in Singapore, implemented the wireless transfer of funds and bill payments using wireless PKI. Other examples include the New Zealand Stock Exchange, which utilizes a WAP trading system, and Svenska Handelsbanken AB, in Stockholm, Sweden, which conducts full-service Internet banking with the use of wireless PKI.

In the United States, experts say that, just as with PKI, vendors have been talking about smart cards for years, but prohibitive hardware costs have kept the technology from taking off. Once the cost of smart cards falls—within the next few years, experts say—wireless PKI will become the key to securing mobile commerce.