From...

February 7, 2000
Web posted at: 10:02 a.m. EST (1502 GMT)

by Daniel Blum

(IDG) -- No longer the exclusive province of mathematicians, cryptography is moving into the mainstream. According to one survey, there are now almost 1,600 cryptographic products on the market worldwide, and export controls are being removed. But before cryptography actually can become a commodity, there are still a few challenges to overcome.

For instance, some say we'll reach the pinnacle of cryptography when public-key infrastructure (PKI) finally enables mass distribution of cryptographic keys and digital signatures. Others argue that PKI is risky, hard to use and still has a long way to go. As usual, the truth lies somewhere in the middle.

	MESSAGE BOARD
Encryption

Standards are falling into place, and customers have a choice of "last mile" mechanisms to wrap, enable or upgrade many applications for PKI. Customers also have a choice of vendors, and the market is showing some healthy consolidation with Baltimore Technologies' acquisition of GTE's CyberTrust unit and Verisign's acquisition of Thawte Consulting.

MORE COMPUTING INTELLIGENCE

IDG.net home page

Why the Feds fight encryption

Encrypt e-mail with ease

The ABCs of PKI

IDG.net's network operating systems page

Reviews & in-depth info at IDG.net

E-BusinessWorld

Year 2000 World

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for network experts

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

But we still don't know what it takes to make a digital signature as safe as a handwritten signature. We're still not sure whether it's good enough to hold private keys in software, whether today's smart cards are sufficiently secure and convenient, or whether we need new devices, such as mobile phones, to act as smart cards.

With so much uncertainty, portal access management vendor enCommerce says its major dot-com consumer sites are sticking with passwords. Lockstar, which sells software to authenticate PKI users to IBM's Resource Access Control Facility, says its customers want password support as a "transition strategy."

Perhaps we'll be closer to the pinnacle of cryptography by 2002 or 2003. By then Windows 2000, which embeds most major cryptographic algorithms and protocols, may hit critical mass. For many small to midsize businesses, Microsoft's McCrypto could be good enough. But some large enterprises will need greater scalability, flexibility and capability than Win 2000 can deliver.

Uncertainty aside, today's e-business imperative waits on no protocol, and your efforts to enable e-business will soon stall without a good security and directory infrastructure. Enterprises must prepare for PKI soon to forestall a proliferation of inconsistent suppliers, naming conventions and policies. A good general strategy is to begin by building an enterprise and e-business directory as your foundation for identity management, policy management and flexible access control.

In parallel, define a security architecture and migration strategy that provides security through browsers, Secure Sockets Layer and passwords in the short run, and gets you started on PKI by deploying technologies such as IP Security virtual private networks and the Secure Multi-purpose Internet Mail Extensions e-mail standard. Once PKI is as easy to use as passwords - and we can understand how to manage related directory and security services - we can aspire to reach the pinnacle of cryptography.

Blum is a senior vice president and principal consultant with The Burton Group, an IT advisory service providing in-depth analysis for network planners. He can be reached at dblum@tbg.com.