Privacy Advisor

Password or PKI?

August 1, 2003

Steve Mathews

Public Key Infrastructure — PKI — hasn't had good press in recent months. After a lot of early hype, PKI's reputation has been tarnished as a technology that is too complicated and too expensive, requiring high levels of control and management. Because of this, huge numbers of organizations still place their trust in passwords to protect sensitive and confidential information before shipping it over the Internet. This attitude is shortsighted. Public key encryption offers far stronger security than any password scheme, because its strength does not rest on a secret a human has to invent, remember and pass around, and it need not be expensive or difficult to use. So why are so many businesses turning their backs on a strong and effective technology?

What's Wrong with Passwords Anyway?

The reality is that most people feel that a password is good enough to protect their information. After all, it is what most computer users are used to, and many started off with the ID and password system when terminals were first used to give access to a mainframe system. It was all very simple then because you knew where the terminal was and it was physically controlled. There would, of course, be "chosen ones" that had higher-level privileges, but passwords could be changed regularly to limit unauthorized access.

Things are very different now. For starters, the whole business of passwords is full of difficulties and confusion for administrators and users alike. How long should someone have access? When should passwords be changed? How do you prevent reuse? How does anyone remember a random character sequence? When a file has to be protected for a one-off transfer, the sender usually invents a password on the fly and tends to choose a simple word or phrase, for two main reasons. The first is that the password has to reach the recipient by some other route, perhaps by e-mail or over the phone, so both parties have to remember it (and if it travels by e-mail, anyone who can read that mailbox can open the file). The second is that the receiver has to be able to type it in correctly, or the whole process grinds to a halt. In addition, the sender may later need to open the file to check what was sent, so a trivial password is far easier to remember.

However, even when passwords are more complex, they remain readily open to attack. There are programs and Web sites offering commercial password-recovery services for most of the file formats you are likely to use. These are perfectly legitimate services for helping people recover lost information, and they illustrate how easy cracking a password can be: whoever holds the file can try guesses offline, at machine speed, with no lockout to stop them. See the box on page 6.

Another problem is that passwords offer nothing to prove who sent the information. A password-protected file is secured with a shared secret, so anyone who knows the password could have produced it. If someone sends you such a file with someone else's name on it, you have nothing to show where it really came from. It is dangerous to assume that because a file is password-protected it must have come from the right person.

What Are the Advantages of PKI Then?

It is important to be clear that in this article we are not talking about the kind of "global public registered identity" schemes that PKI suppliers have been talking about for the last five years. These have not had good results for many reasons, some of which are to do with the fact that they do not map to the way most people actually work. But the central idea of the technology is sound and can be implemented at very little cost and effort. So ignore suggestions that unless you buy full-scale PKI, you are incapable of doing secure e-business with people you don't know. It just isn't the case.

If you think about it, for most of us there are not many people who we want to send private information to, and we probably know who they are in advance. In fact, if you don't know who the recipient is you are unlikely to send them anything confidential in any case. So the real issue is about automating secure communications with a small number of people outside of your organization and not in the control of your IT department or subject to your rules.

Public key technologies make it easy to set up secure one-to-one relationships. You know who the person is before they send you their public key, and the number of people involved will be far smaller than the number of entries in your e-mail address book. Once their key is in your system, that's all there is to do: there are no passwords to invent or remember, and secure communication between you is seamless because the keys do the work. Better still, because you know who sent you the key, a digital signature that checks out really does tell you who sent the message. The one thing you must do is confirm, by some route other than the e-mail that carried the key, that the key really is theirs; most tools display a key fingerprint for exactly this purpose. An advanced system will even let you keep notes on other people's keys, or tie a key to a specific e-mail address if the sender didn't already do that.
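The two points above, that a name on a password-protected file proves nothing about its origin and that a signature checked against a key you pinned after confirming its fingerprint does, are shown below in an added example. This is illustrative code written for this article, not a product of ArticSoft or of any PKI or OpenPGP vendor; it uses Go's standard-library Ed25519 rather than X.509 or OpenPGP keys, and the Keyring, Message, Trust, Sign and Verify names, the example addresses and the message bodies are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Message is a signed file or e-mail. From is the sender name in the header,
// which anyone can write; only Sig, checked against a pinned key, proves origin.
type Message struct {
	From string
	Body []byte
	Sig  []byte
}

// Keyring pins one public key per correspondent address (a hypothetical
// structure for this example, not any product's format).
type Keyring struct {
	keys  map[string]ed25519.PublicKey
	notes map[string]string // free-text notes on a key, as the article suggests
}

func NewKeyring() *Keyring {
	return &Keyring{keys: map[string]ed25519.PublicKey{}, notes: map[string]string{}}
}

// NewIdentity generates an Ed25519 key pair for one party.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return pub, priv
}

// Fingerprint is the short hash of a public key that you read back to the
// owner over the phone (or compare in person) before trusting the key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Trust pins a key for an address only if the fingerprint confirmed out of
// band matches the key actually received. A key is never replaced silently:
// a changed key for a known correspondent is exactly the case to investigate.
func (k *Keyring) Trust(addr string, pub ed25519.PublicKey, confirmedFP, note string) error {
	if Fingerprint(pub) != confirmedFP {
		return errors.New("fingerprint mismatch: key not trusted")
	}
	if _, exists := k.keys[addr]; exists {
		return fmt.Errorf("a key is already pinned for %s; replace it deliberately, not silently", addr)
	}
	k.keys[addr] = pub
	k.notes[addr] = note
	return nil
}

// Sign produces the message the sender ships. The From field is whatever the
// sender chooses to write, honest or not.
func Sign(from string, body []byte, priv ed25519.PrivateKey) Message {
	return Message{From: from, Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify checks the signature against the key pinned for the claimed sender.
// An unknown address, a forged From line, or an altered body all fail here.
func (k *Keyring) Verify(m Message) error {
	pub, ok := k.keys[m.From]
	if !ok {
		return fmt.Errorf("no trusted key pinned for %s", m.From)
	}
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return fmt.Errorf("signature does not verify under the key pinned for %s", m.From)
	}
	return nil
}

func main() {
	alicePub, alicePriv := NewIdentity()
	_, imposterPriv := NewIdentity() // someone else who knows Alice's address

	kr := NewKeyring()
	// Alice e-mails her key; we phone her and she reads out the fingerprint.
	fmt.Println("trust alice:", kr.Trust("alice@example.com", alicePub, Fingerprint(alicePub), "met at audit kickoff"))

	genuine := Sign("alice@example.com", []byte("Q3 forecast attached"), alicePriv)
	fmt.Println("genuine message:", kr.Verify(genuine))

	// Same claimed sender, signed with someone else's key: the analogue of a
	// password-protected file that carries someone else's name.
	forged := Sign("alice@example.com", []byte("please wire the deposit today"), imposterPriv)
	fmt.Println("forged message:", kr.Verify(forged))
}
```

The fingerprint check in Trust is where the security actually lives: the e-mail that delivers a key can be forged just as easily as the name on a password-protected file, so the key is only as trustworthy as the channel you confirmed it over.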

Setting up this level of public key technology is quick and need not be costly. However, look for a product that can work with PKI vendor technologies (X.509 certificates) as well as de facto standards like OpenPGP. The people you exchange keys with may be using keys from other systems, and you aren't going to be able to force everyone else to fit in with your methods. Also look for systems that let the people you want to receive information do so without having to buy the software and without having to integrate it into their own desktops and applications.

And finally, be careful about buying into systems that require you to be connected to someone's Web server before they will work. Apart from the fact that the Web server owner may be able to read all the information passing through the server (if the information was protected before it got to the Web server, what would you need them for?), you can only make transfers if you can actually reach their Web site. Not everyone stays online permanently, and some users are not allowed direct Internet connections by their organizations. Make sure anything you buy can work anytime, anywhere.

So when you come to weighing up the pros and cons of passwords against PKI, dispel the myths that PKI is complex, costly, and last year's big thing. In reality, a PKI solution to protect files, folders, e-mails, and attachments from a single PC can cost less than $75 — and you won't need to remember the cat's name for a password anymore.

Steve Mathews is managing director of ArticSoft and was one of the authors of ISO/IEC 17799 (formerly BS7799). A member of national and international formal standards bodies, he has 15 years' experience in IT security and 30 years' IT industry knowledge. He can be contacted via e-mail at smathews@articsoft.com or by phone at 011 44 7939 005119. For more information about PKI-based solutions for protecting files, folders, documents, and e-mail attachments, visit www.articsoft.com.