FRAMINGHAM (01/31/2000) - No longer the exclusive province of mathematicians, cryptography is moving into the mainstream. According to one survey, there are now almost 1,600 cryptographic products on the market worldwide, and export controls are being removed. But before cryptography actually can become a commodity, there are still a few challenges to overcome.
For instance, some say we'll reach the pinnacle of cryptography when public-key infrastructure (PKI) finally enables mass distribution of cryptographic keys and digital signatures. Others argue that PKI is risky, hard to use and still has a long way to go. As usual, the truth lies somewhere in the middle.
Standards are falling into place, and customers have a choice of "last mile" mechanisms to wrap, enable or upgrade many applications for PKI. Customers also have a choice of vendors, and the market is showing some healthy consolidation with Baltimore Technologies Inc.'s acquisition of GTE Corp.'s CyberTrust unit and Verisign's acquisition of Thawte Consulting.
But we still don't know what it takes to make a digital signature as safe as a handwritten signature. We're still not sure whether it's good enough to hold private keys in software, whether today's smart cards are sufficiently secure and convenient, or whether we need new devices, such as mobile phones, to act as smart cards.
With so much uncertainty, portal access management vendor enCommerce says its major dot-com consumer sites are sticking with passwords. Lockstar, which sells software to authenticate PKI users to IBM's Resource Access Control Facility, says its customers want password support as a "transition strategy."
Perhaps we'll be closer to the pinnacle of cryptography by 2002 or 2003. By then Windows 2000, which embeds most major cryptographic algorithms and protocols, may hit critical mass. For many small to midsize businesses, Microsoft's McCrypto could be good enough. But some large enterprises will need greater scalability, flexibility and capability than Win 2000 can deliver.
Uncertainty aside, today's e-business imperative waits on no protocol, and your efforts to enable e-business will soon stall without a good security and directory infrastructure. Enterprises must prepare for PKI soon to forestall a proliferation of inconsistent suppliers, naming conventions and policies. A good general strategy is to begin by building an enterprise and e-business directory as your foundation for identity management, policy management and flexible access control.
In parallel, define a security architecture and migration strategy that provides security through browsers, Secure Sockets Layer and passwords in the short run, and gets you started on PKI by deploying technologies such as IP Security virtual private networks and the Secure Multi-purpose Internet Mail Extensions e-mail standard.
Once PKI is as easy to use as passwords - and we can understand how to manage related directory and security services - we can aspire to reach the pinnacle of cryptography.
Blum is senior vice president and principal consultant with The Burton Group, an IT advisory service. He can be reached at dblum@tbg.com.