Cryptographic hardware provider nCipher plc. is developing an application that promises to remove a major stumbling block for organizations looking to implement a PKI by automating the onerous process of moving encryption keys among devices.
One drawback of public-key infrastructure cryptosystems, such as those used in e-commerce applications and other online transactions, has been that the keys used to encrypt messages or sign other keys are typically tied to specific devices. In many cases, the keys are generated and stored in hardware security modules designed to prevent people from removing them.
Currently, some of nCipher's products include technology dubbed Security World, a key-management framework that provides secure key storage, backup and recovery, and other features.
But the process, which lets users move keys among devices, is involved and awkward. For example, a user can move a key from one machine to another only by bundling the key along with the associated user rights and an access control list, encrypting the entire package and sending it on to another machine. The technology also allows for the creation of policies that define which devices can use the keys.
To simplify the process, nCipher is developing a console-type application that will be able to automate the entire process and take the burden off the IT staff. Such technology will be especially useful in the coming months as encryption becomes increasingly pervasive in the enterprise and in the online world, they said.
“Whatever you do in security will end up being about encryption—signing data, protecting data,” said Alex van Someren, founder and CEO of nCipher, based in Woburn, Mass. “We need to look at how you bring together desktops and servers and laptops.”
This kind of automation is one of the things that has been missing from public-key cryptosystems for years, according to experts, who say the manual work involved in key management is part of the overall problem of complexity that has hampered PKI deployments from the beginning.
“All the PKI systems I've had experience with have either been ad hoc or characterized by some very application-specific, custom in-house tools. The custom stuff is typically poorly documented, hard to maintain and impossible for a separate support organization to deal with satisfactorily. This kind of tool would be welcome [in] most places,” said a networking coordinator and security analyst at a large New England university.
Cryptography and security experts agree that the kind of technology nCipher is working on could go a long way toward solving many of those issues. And although there are some security considerations inherent in the system—such as access control for the console and, by extension, the keys—they are not difficult to address.
“There are all sorts of security issues, but Alex is clever enough to probably have thought about them,” said Bruce Schneier, a cryptographer and chief technology officer of Counterpane Internet Security Inc., based in Cupertino, Calif. “It's a good idea—not for security but for performance and reliability.”