Information Technology Reference
In-Depth Information
DISCUSSION OF CHAPTER 2:
THE QUEST FOR SIMPLICITY IN SECURITY: DIGITAL
SIGNATURES MADE SIMPLE
Dr. Gadi Aharoni
with contributions from Maj.General L. Vellone, Dr. M. Uneri, Dr. D. Stanley, Col. D. Handy, Prof. P. Amaral, Dr. A.
Erez
Vellone : I am interested in understanding the distinction in digital signals from B-to-
B, B-to-C, etc. Could you explain this distinction in detail?
Aharoni : Let me explain how it works. It works if you have a controlled environment
where you control your users. It works in an enterprise because you control your
employees. People do not just walk into an organisation and then get paid their salary.
The employee list is very well controlled. In a banking system the bank accounts are
very well controlled. In this type of organisation I can give you the Co-sign solution
which is easy to manage, easy to install, etc. Where does this solution not work? I think
of Amazon.com. I connect to it and order a CD; so who are you, where are you from,
how do I know who you are? Unfortunately, if you want a solution for Amazon.com's
website, you have to establish a full link PKI solution, with all the pain that is involved.
That is why you will not see a PKI solution with the Amazon.com website. Usually a
good solution is B-to-B, because as long as you control the number of partners you do
business with, this is a controlled environment. Then you can use the technology B-to-C,
meaning, for example, the link of a bank customer to a bank, as the cutomer list is very
well controlled by the bank. C-to-C is just for the government so it is not really very
different. But in some environments this solution does not work and this is where I
started from; I said let us not try to give you a solution for all environments.
Azarov : In this connection I am thinking about perhaps a relationship with NUM, the
old numerical equation, and digital signatures in general.
Uneri : I have three questions. Firstly, is the product securely tested somewhere
according to some criteria, for example, a common critera, such as the cost? Secondly,
can we talk about authentication mechanisms. How do you make sure of the
authentication? If the user is logging onto the Internet with a password, is it simple to
create a password? And thirdly, with which laws does digital signature comply?
Aharoni : Firstly, the question on various common criteria. What we do is to go
through a certification mechanism issued by NIST. NIST is the American National
Institute of Standards; it issues a security certificate of validation, or FIPS. Our products
go through FIPS140-1 at level one if it involves software and level three if it involves
hardware. A lot of our products have been through this FIPS certification. The
requirement for a common criteria or ITCEC certification is always there. I would like to
Search WWH ::




Custom Search