Discussion of Issues

Prior research has demonstrated how someone who is capable of capturing less than an hour’s network traffic could determine a user’s private key. However, this is not the only potential problem with public key infrastructure (PKI) systems. Since any party may purchase PKI systems, a single party may purchase several units and send many encrypted messages back and forth to himself/herself. In this manner, such a party would have both the clear and ciphered text versions of the message. The missing third piece would be the encrypting key. However, in mathematics it is well established that if two elements of an equation are known, one can solve for the third. Here, dense computational tools may be required to crunch the sheer number of test results in order to determine how the keys are calculated, but the process is well founded and most likely known by most sophisticated governments and possibly others. Such a potential counter to a PKI system would put in jeopardy one of the most widely used tools for protecting information today. For this reason, governments closely control and guard devices used in their applications of public key type encrypted communications. Nevertheless, because of the overhead involved in managing and operating a private key system (key management, key generation, secure key distribution, key destruction, key storage and so forth), most individuals and businesses deem themselves incapable of efficiently and cost effectively implementing a private key infrastructure.

Other key issues with PKI systems are as follows:

• Short Message Expansion: some public key systems expand short messages. This provides a great deal of information to knowledgeable cryptanalysts.

• Man in the Middle Attacks: where A thinks he is negotiating a key with B, C stands in the middle and communicates with both A and B instead of A to B.

• Non-Prime Number Keys: some PKI tools have been shown to not generate prime number keys, thereby leaving them open to factoring attacks.

What are the effective solutions to these issues since, due to the overhead involved in managing and operating a private key system (key management, key generation, secure key distribution, key destruction, key storage, etc.), most individuals and businesses deem themselves incapable of efficiently and cost effectively implementing a private key infrastructure?

Limits on the strength of exportable encryption is necessitated by the dual requirements of governments to not only provide a means for their citizens’ communications to be protected, but also to be able to read communications of those who would thwart the law and/or violate national tranquility. These juxtaposed requirements create the situation where governments must perform both offensive and defensive functions by balancing the requirements of each against the other. This conundrum has caused much concern for civil libertarians in the U.S. and elsewhere who claim their communications should be completely private. How do e- commerce security managers in governments abdicate their legitimate dual, bifurcated responsibilities?

How can industry and government work together to ensure that the highest security standards are developed and adopted? For instance, there will likely be lawsuits filed against U.S. public corporate entities by shareholders should such corporate entities suffer a loss due to a computer security breach under the premise that the Board of Directors and the officers of the corporation did not properly execute their fiduciary duties in using due and reasonable care in protecting corporate assets. Such potential litigation should be a catalyst for prudent management of U.S. public companies to become very proactive in overseeing the entity’s information security plans and implementations. In fact, the possibility of such potential litigation may make using U.S. Governmentapproved CCTLs or other certified information security tools an imperative in order to show that the entity used tools certified by the U.S. Government – under the theory the government is the highest information security certification body in the USA.

From a meta-perspective, the key issue for managers to consider is the following:

If we were not already using this e-commerce security technology/ technique, would we go into it today? OR Are we moving fast enough today to build our expertise in e-commerce security to exploit immediate opportunities for streamlining inter-company processes, outsourcing activities in which we do not have distinctive capabilities and/or designing e-commerce security systems that we can market to other companies?