Internet Security, The Next Generation
When Software Encryption is not Enough
By Jonny Goldman
Most Webmasters secure their site's transactions by configuring and running a secure server using Verisign's digital certificates and the Secure Sockets Layer (SSL). This scheme authenticates the server to the user and encrypts the data sent following the initial negotiation; however, it does not provide an end-to-end framework that automatically authenticates both client and server. Thus, usernames and passwords are still the norm. Users must maintain long lists of passwords for various sites, lest one be compromised and used elsewhere, and Webmasters must maintain and protect huge, unwieldy password files and devise schemes for supporting lost or forgotten passwords. This may be the reason that electronic commerce has taken off so slowly. Happily, the tide may be turning -- smart-card technology is rapidly becoming a viable option for securing systems.
Is It Safe?
Secure systems have four basic requirements: authentication, confidentiality, integrity, and nonrepudiation. Protocols like SSL and S/MIME support the first three, but electronic-commerce systems require all four. Traditionally, the Internet has used usernames and passwords to identify, and hence authenticate, users, but what if someone steals or guesses your password? A relatively simple solution is digital identities, or "certificates," used mostly for Web servers: a certifying authority provides you with the X.509 certificate you need to run SSL on your server.