PKI in Australia: Enter the Gatekeeper

Although the Australian Government's Gatekeeper initiative to implement PKI (Public Key Infrastructure) technology was established just over three years ago, there hasn't been much headway in seeing its acceptance in the business community.

In fact, Robin Giang, a Hong Kong-based analyst for IDC Asia/Pacific, estimates that less than a quarter of businesses in Australia are using encryption of some sort for their company's data. "Encryption tools listed here include [but are not exclusive to] the usage of PKI technology," says Giang.

In Australia the proportion of companies using encryption technology for their data is at about 21 percent, which is similar to Asia-Pacific's rate of 19 percent.

"Overall, the large enterprises (about 34 percent) are using encryption tools more so than the 'SMEs' (small and medium enterprises)," explains Giang. "Also, the Banking/Finance sector (62 percent), in particular, is using encryption technology more so than their industry counterparts."

Other areas of major encryption usage in Australia include the distribution and manufacturing market segments, says Giang.

Nevertheless, while business acceptance of PKI technology has been slow to take off, the Australian Federal government has been one of the strongest adopters in this country.

Back in December of 1997, the Prime Minister issued an industry statement called "Investing for Growth", which, among other things, outlined his vision for bringing government services online. Effectively, the statement allowed the government to develop a national framework for the authentication of users of electronic online services.

As part of this strategy it was decided that Commonwealth agencies would use public key infrastructure for electronic transactions, including e-commerce for the exchange of government information as well as for the procurement of services for the government. This strategy was called Gatekeeper.

The foundations of the Gatekeeper strategy were laid out in a report published on 6 May 1998 entitled "Gatekeeper--a strategy for public key technology use in Government". Its recommendations led to the establishment of the Government Public Key Authority (GPKA), since renamed the Gatekeeper Policy Advisory Committee (GPAC).

GPAC, according to the National Office of the Information Economy (NOIE), "is a management committee made up of senior representatives from Commonwealth agencies and information technology industry associations". This committee oversees the introduction of public key technology (PKT) into Commonwealth government agencies and also supports these organisations to "take advantage of PKT tools and services".

Perhaps the most important aspect of what GPAC does is to aid in the development of standards for the Government Public Key Infrastructure (GPKI) and accreditation methodologies for companies that plan to offer PKT services to the government. If a service provider receives Gatekeeper accreditation it is then allowed to offer digital certificate and PKT services to any or all Australian Commonwealth government agencies.

The accreditation has been designed to ensure that the service provider's "physical and electronic security" are of an appropriate standard to guarantee "an adequate level of trust to both agencies and users". To reflect the different requirements of certain departments, there are two levels of accreditation--entry level and full.

Entry level accredited service providers will only be able to provide limited services while fully accredited businesses will be able to offer a full range of services. NOIE says that the major difference between the two levels is that full accreditation requires that security measures be upgraded to a "highly protected level".

Generally speaking, public key cryptography involves the use of two mathematically linked keys--one public, one private--generated together as a pair. The pair is normally generated by the subscriber (the company, individual or organisation) on its own system, although some CA services generate it on the subscriber's behalf. The CA's role is not to invent the keys but to vouch for the public one: it signs a digital certificate that binds the public key to the subscriber's verified identity. The private key stays with the subscriber, while the public key is made available, as part of that certificate, in a directory that all parties can access.

The private key is never transmitted across the Internet or shared with anyone else. Its primary task is to decrypt information that has been encrypted by somebody else using that particular organisation's public key. The private key is also used to create digital signatures: the sender computes a hash of the data and signs that hash with the private key, and the recipient checks the signature using the sender's public key. This is often loosely described as "encrypting with the private key and decrypting with the public key", but in practice it is a distinct signing operation over a hash, not bulk encryption of the data. The purpose is to assure the recipient that the data actually came from you (or your organisation) and has not been altered in transit.
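The two uses of the key pair described above, as an added example in Go using only the standard library. This is illustrative code written for this page; it is not software from Gatekeeper, the ATO or any of the vendors named in the article. It shows the subscriber generating the key pair locally (the private half never leaves the process), a correspondent encrypting to the published public key, and the subscriber signing a hash with the private key so that anyone holding the public key can check it, including what happens when the message is tampered with or the wrong key is used. The message text is constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair is run by the subscriber on its own system. The private
// half never leaves this process; only the public half gets published.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFor is what a correspondent does with the subscriber's published
// public key: the result can only be opened with the matching private key.
func EncryptFor(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// DecryptWith is the private key's primary job: recovering data that was
// encrypted to the matching public key.
func DecryptWith(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign produces a digital signature: the sender hashes the message and signs
// the digest with its private key (RSA-PSS). This is a signing operation,
// not "encryption with the private key".
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is what the recipient does with the sender's public key. It returns
// true only if the signature was made over exactly this message by the
// holder of the matching private key.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	// Constructed sample data, not a real lodgement.
	message := []byte("constructed sample: quarterly activity statement lodgement")

	agency, err := GenerateKeyPair() // the receiving agency's key pair
	if err != nil {
		panic(err)
	}
	business, err := GenerateKeyPair() // the lodging business's key pair
	if err != nil {
		panic(err)
	}

	// Confidentiality: the business encrypts to the agency's public key;
	// only the agency's private key can recover it.
	ciphertext, err := EncryptFor(&agency.PublicKey, message)
	if err != nil {
		panic(err)
	}
	recovered, err := DecryptWith(agency, ciphertext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("agency decrypted: %q\n", recovered)

	// Authenticity: the business signs with its private key; the agency
	// verifies with the business's public key.
	signature, err := Sign(business, message)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&business.PublicKey, message, signature))
	fmt.Println("tampered message verifies:", Verify(&business.PublicKey, []byte("altered"), signature))
	fmt.Println("wrong public key verifies:", Verify(&agency.PublicKey, message, signature))
}
```

Note that the signature is computed over a SHA-256 digest and checked with the public key alone; nothing about the message is hidden by signing, which is why confidentiality and authenticity are two separate operations using two different key pairs here.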

All of this sounds relatively simple in theory, but you have to remember that it all depends on the CA: how well it protects its own signing key, how rigorously it checks the identity of applicants, and how correctly it implements the algorithms. That is why Gatekeeper has strict standards for those organisations that wish to provide CA services to government departments.

A key part of that is the customer identification process, in which the person or organisation that wishes to obtain a digital certificate must provide evidence of identity. The level of identity validation carried out during the approval process determines the level of trust associated with the resulting certificate: the stronger the identification evidence provided, the higher the level of trust that can be attributed.

To complement this approach, the PKI model provides for Registration Authorities (RAs). An RA verifies the identity of the party requesting a digital certificate and, once satisfied, instructs the CA to issue the certificate to the requestor, so that identity checking and certificate signing can be carried out by different organisations.

In Australia, Gatekeeper has fully accredited only a few CAs including the Australian Taxation Office (ATO), Baltimore Certificates Australia and eSign Australia. In concert with that, Gatekeeper has also fully accredited eSign to act as an RA--enabling it to provide both CA and RA services to the government--and it has also fully accredited the Health eSignature Authority as an RA for extended services.

The Health eSignature Authority is primarily an RA within the Australian healthcare industry, which was established by the Health Insurance Commission as a wholly owned, separate proprietary company. According to the Health eSignature Authority, it "receives applications from organisations and professionals within the Australian healthcare sector, authenticates the identity of the prospective Healthcare Location or Healthcare Individual User and submits requests to its Certification Authority--Baltimore Certificates Australia."

A major feature of eSign's Gatekeeper accreditation is that it is the first commercial CA to have the authority to issue Australian Business Number Digital Signature Certificates (ABN-DSC). Australian Senator Ian Campbell, parliamentary secretary to the Minister for Communications, Information Technology and the Arts (Senator Richard Alston), explained when the accreditation was made official, "The ABN-DSC is designed to enable Australian business to have a single online identity when dealing with their business partners and governments."

This is expected to streamline the business of conducting transactions online because the digital signature of each company will be linked to its Australian Business Number.

A large number of organisations have applied for Gatekeeper accreditation as CAs, including: SecureNet, KPMG Information Solutions, KNX Asia Pacific (Key Trust), Adacel, Maddock Lonie and Chisholm, Etax CPA, Alchemist Healthcare, beTRUSTed (part of PricewaterhouseCoopers), SecureGate, KeyPost (a division of Australia Post), Telstra, Perpetua and Centrelink.

Although Gatekeeper was established just over three years ago, it is only in the last twelve months that CAs have actually begun to be accredited for government PKI. Nevertheless, the government is making moves to ensure that PKI will lead to increased efficiency and cost savings within government departments and agencies.

But where is business in all this? Surely this is something that no organisation wishing to conduct business online should be without?

IDC's Giang states that there has been a major adoption of PKI in Australia by the financial sector and, to some extent, the manufacturing sector. However, overall, take-up has been slow, with only about a third of large enterprises opting to implement these technologies. Considering that the overall rate of encryption use in Australia (of which PKI is one component) is 21 percent, this means that a rather large proportion of small-to-medium enterprises have not implemented a solution.

Mike Jeffries, PKI product marketing manager for Baltimore Technologies' Asia-Pacific operations, believes that, although other industries have been slow to adopt PKI, the Australian banking industry's keen interest could help to fuel cross-border authentication initiatives.

"The Australian banks have been among the fastest adopters in the world of the global PKI initiative called 'Identrus', which has been established to solve the cross-border authentication issue for international e-commerce," explains Jeffries. "Three of the largest banks have already stated publicly their Identrus membership--ANZ (who are using Baltimore), NAB and Westpac (who have yet to announce any technology decisions)."

Jeffries says that Identrus has established a single, global Root CA and is encouraging the world's biggest banks to set up "level 1" CAs underneath it. The result is that each bank will be able to issue certificates to its corporate customers according to a common set of policies "pushed down the hierarchy by Identrus".

"This means that an Australian 'Identrus-certified' company can confidently do business with any other 'Identrus-certified' company, wherever they are in the world, because they are all part of one, common PKI," states Jeffries. "There are other ways of addressing the cross-border authentication issue, such as cross-certification, cross-recognition, and bridging between PKIs, but these become very complex and are at best partial solutions."
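The hierarchy Jeffries describes, together with the RA/CA division of labour covered earlier in the article, as an added Go example using only the standard library. This is illustrative code written for this page, not Identrus's or any accredited CA's software, and every organisation name in it is an invented placeholder. It builds a self-signed root, a "level 1" CA beneath it that is constrained (pathLen 0) to issuing end-entity certificates only, a corporate subscriber that generates its own key pair and hands the CA nothing but a signed certificate request, and a relying party that trusts only the root and therefore accepts any subscriber anywhere in the hierarchy but rejects a certificate chained to a different root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA bundles a certificate with the private key that signs what it issues.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newCA creates a CA certificate. With parent == nil it is the self-signed root;
// otherwise it is a "level 1" CA certified by parent and limited by pathLen 0
// to issuing end-entity certificates, never further CAs.
func newCA(name string, serial int64, parent *CA) *CA {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{name}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	parentCert, parentKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, parentKey = parent.Cert, parent.Key
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &CA{Cert: cert, Key: key}
}

// NewCSR is the subscriber's side: it generates its own key pair and hands over
// only a self-signed request carrying the public key and the claimed name.
func NewCSR(org string) (*ecdsa.PrivateKey, []byte, error) {
	key := newKey()
	req := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{org}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, der, err
}

// IssueFromCSR is the CA's side. Identity checking belongs to the RA before this
// point; the CA checks only that the request is well formed and signed by the
// holder of the enclosed public key, then binds that key to the name.
func (ca *CA) IssueFromCSR(csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain is the relying party: it trusts only the root and must be able to
// build the path leaf -> intermediate -> root; any break yields an error.
func VerifyChain(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root := newCA("Example Global Root CA", 1, nil)
	bank := newCA("Example Bank Level 1 CA", 2, root)
	_, csr, err := NewCSR("Example Exporter Pty Ltd") // subscriber keeps its private key
	if err != nil {
		panic(err)
	}
	leaf, err := bank.IssueFromCSR(csr, 100)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain to the common root:", VerifyChain(leaf, bank.Cert, root.Cert))
	fmt.Println("chain to an unrelated root:", VerifyChain(leaf, bank.Cert, newCA("Unrelated Root CA", 1, nil).Cert))
}
```

The relying party configures exactly one trust anchor; the policy Jeffries describes as "pushed down the hierarchy" is what makes it safe to accept any leaf that chains to it. The pathLen 0 constraint on the bank's certificate is the least-privilege counterpart: a compromised or careless level 1 CA can mint subscriber certificates but cannot mint another CA.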

Nevertheless, despite the pioneering stance taken by some banks, adoption in other industries has been slow to take off.

In Australia during 2000, the spread of PKI as a security solution was particularly slow, according to IDC senior analyst Natasha David. "According to a recent... study done by IDC, certificate authorities such as server certificates and client certificates were among the least widely deployed security technologies by 2000," says David. "However... IT managers, primarily those from telecom, utilities and distribution sectors, say these are two key technologies they will be seriously evaluating for their enterprise in the next one to two years."

Unfortunately, David explains that the main reason enterprises are thinking of adopting these types of technologies is to secure their organisation after it's already been breached. "IT managers affirm that a security breach within their company comes as the greatest incentive to implement proper security measures," says David. "In addition... IT managers indicate that the increased use of the Internet and strategic e-commerce initiatives are two other fundamental drivers [for] their decision to deploy security measures such as PKI and certificate authorities."

According to David, part of the problem with implementing PKI in Australia is the lack of regard for other security measures to prevent breaches in the first place. "As security breaches are the main driver of implementing any security technology within an organisation, it seems Australian businesses are waiting until the horse has bolted before closing the gate."

Another confusing factor, particularly for consumers and others that don't fully understand the technology, is the issue of where private information resides and how much of that info is actually required. Baltimore's Jeffries explains, "The 'evidence of identity' required to be gathered by a registration authority (RA) before a certificate is issued is defined in the certificate policy, usually a public document that can be found on the CA's Web site."

"This information normally goes no further than the RA (where it is subject to the normal requirements for storage of confidential client information)," says Jeffries. "The information does not, for example, get sent to the CA or, worse, the Root CA, for central storage."

Jeffries says that it is often assumed that because PKI has a hierarchical structure it implies that this private information gets stored in a centralised location, thus raising privacy concerns. It is this lack of clarity about the issue and the technology that causes uncertainty about the PKI system. Jeffries believes that users, consumers, businesses and organisations need to be fully educated about the structure of PKI as well as its benefits.

Gregg Rowley, managing director of eSign Australia, feels that PKI has the ability to build trust, particularly for consumers. Unfortunately, he believes that Australian consumers are reluctant to buy online because there is a distinct lack of brand trust in the marketplace.

"From a consumer perspective, research suggests that as a nation we lag behind the US and other parts of Asia, in terms of buying online," said Rowley. "Why?"

"When you stop and ask people whether they have bought anything over the Internet, it's still just a few that have," explains Rowley. "So, what's preventing us from doing so? One issue is trust of the brand... But, more importantly, the problem is security and people do not know what to look for in terms of what is a safe site and what isn't."

Rowley believes that the Web is probably one of the safer options for buyers and he feels that Web sites that offer consumers services have a duty to keep their customers informed.

"At the end of the day, the Web is actually safer than you or I giving our credit card to a waiter--the issue is that we don't perceive that to be a risk," said Rowley. "Given the much-publicised hacking incidents, the Internet is deemed a no go area... Perhaps e-tailers need to take the issue and spend more time and effort educating customers that Web sites are one of the safest buying channels."

One possible answer for organisations that recognise the need for PKI but lack the skills to run it themselves is to have the PKI hosted by a secure facility, and one such facility was opened in Australia by Baltimore Technologies last week. The centre was built to "generate, manage and host public key infrastructures on behalf of Australian and international organisations and to provide other managed e-security services."

According to Baltimore officials, the facility was designed using ASIO (Australian Security Intelligence Organisation) guidelines that ensure a very high level of physical and operational security. Organisations using the hosting services and facility include: Austrade, the Australian Payments Clearing Association, ANZ, Health eSignature Authority, ATO, beTRUSTed and Telstra's Gatekeeper CA.

The centre has been accredited to provide Identrus and Project Angus (the combined Gatekeeper/Identrus initiative) services.

John Palfreyman, managing director of Baltimore Technologies in the Asia-Pacific region, expects this new centre to be of particular benefit to medium size businesses who understand the importance of adopting a PKI solution. Although these companies might comprehend PKI's significance, they may not have the resources in place to fully secure their businesses, explains Palfreyman.

Baltimore is able to provide these services because, as Palfreyman says, it already supports a number of CAs and the cost to add more clients is quite minimal. "We already have the expertise in place," states Palfreyman. "[Around] 70 percent of security is based on policy not technology."