Bridging The Business-to-Business Authentication Gap
IPsec About to Pop
One of the chief ways encryption will be implemented for authentication lies with an IETF standard known as IPsec. Many vendors say they are committed to this standard; product rollouts should begin this summer. IPsec will be used extensively to create interoperable virtual private networks. Of course, one drawback of VPNs is that traffic is secure on the Internet, but not necessarily on the other side of the firewall, where unhappy employees can ply their mischief.
Perry Metzger, a financial industry consultant with Piermont Information Systems
, says the SSL kludge emerged because it took so long to get IPsec going. Now the hope is that TCP stack vendors will include IPsec in their products--but even if they do, they won't be able to readily export those products. Metzger believes the Secure Shell effort, developed overseas and marketed by F-Secure, is a good inte
rmediate solution. SSH, originally developed for Unix, has been extended to Windows and the Macintosh. It supports stronger encryption than the 56-bit Data Encryption Standard (DES) specified in IPsec, as well as data compression (www.datafellows.com/f-secure). F-Secure is also incorporating IPsec in its own approach and envisions scenarios where each approach may present an advantage over the other.
Among the companies participating in an auto industry IPsec interoperability demo this spring were Check Point, Cisco, Entrust, FTP Software, IRE, Microsoft, Netrex, Precision Guesswork, Raptor, TimeStep and Trusted Information Systems. Automakers plan to use IPsec in a pilot that gets of
f the ground this summer--and Moskowitz says that standard was selected because it scales much better than alternatives like SSH or SSL. IPsec is criticized, however, for providing machine authentication, not client authentication, which mobile users need. Nor is it likely to be used for end-to-end authentication until it is incorporated at the OS level. Moreover, for e-mail, yet another standard is needed; most agree it will be Secure/Multipurpose Internet Mail Extensions (S/MIME).
How will businesses handle government key recovery requirements? Moskowitz, who opposes government-dictated key recovery, believes many businesses will want to enhance security by using short-lived encryption keys. Vendors already have products that offer a different key for each packet, although most users will prefer longer time intervals. If businesses take this approach, even using the eminently breakable 40-bit DES limitation for exported products without key recovery, attackers will get very little information for all o
f their effort. On the other hand, says Moskowitz, "we're talking billions of keys. Is there anyplace in the world capable of holding all of these keys?"
So, along with the technical roadblocks come policy and government woes. Yes, there are probably enough hurdles on the road to authentication and encryption to give anyone
a headache. What may be most important, though, is asking whether emerging imperfect solutions increase security or incur productivity advantages. If they do, security nirvana isn't absolutely necessary.
What is necessary is some awareness of the obstacles on the path and a willingness on the part of both vendors and users to make well-informed mistakes, because no one is yet able to accurately predict what lies ahead.
Christy Hudgins-Bonafield can be reached at cbonafield@nwc.com.
|
REPORTS
ANALYTICS
Follow 
