Technical, Business and Legal Issues in Establishing a Secure Environment for Electronic Communication and Commerce


INTRODUCTION

As the desktop computer and the facsimile emerged as vital business tools in the past decade and became an integral part of corporate culture, we are now witnessing a similar importance being placed on new technologies which support electronic communications and commerce over distributed and open networks such as the internet (e.g. electronic mail, paperless forms, electronic data interchange, on-line banking, etc.). The following discussion serves as a guide of sorts to businesses that are contemplating the use or expanded use of electronic communication as a business tool and that need to ensure the security of such electronic communications.

This article discusses some of the most prominent business, technical and legal issues which must be addressed and introduces the role that public key cryptography will likely play in creating a secure environment in which to conduct business. While it is not imperative for all businesses to immediately address the issues raised herein, it is likely that most successful businesses of the future will find a need to become familiar with the challenges created by these emerging technologies.

This article makes the following propositions:

  1. there is a spectrum of possible business applications which involves the use of electronic communications and a business's location on this spectrum of applications at any given time depends on the particular needs of the business;

  2. the needs of a business are determined by issues relating to security, competitiveness, efficiency, market penetration, cost savings, productivity, etc;

  3. public key cryptography is the most developed of the emerging security technologies which supports electronic communication and commerce;

  4. the further a business moves along the spectrum of applications, the more new and complex business, technical, and legal issues emerge which must be considered and addressed; and

  5. businesses should anticipate their future security needs and plan in advance.

THE SPECTRUM AND BUSINESS NEEDS

[Figure: the spectrum of electronic commerce applications, from left to right: e-mail; work flow re-engineering; electronic data interchange; communicating with business partners over the internet; contracting over the internet.]

In any given business organization there are a wide range of activities which can or do involve the use of electronic communications to facilitate business. These applications span the spectrum, from inter-office electronic mail to work flow re-engineering (such as the introduction of electronic forms), to electronic data interchange over a closed distributed network, to internet communication with other business entities to facilitate the execution of a project, to contracting electronically over the internet in real-time. Each application can be said to constitute or be an element of electronic commerce.

One emerging common element of all these activities is the need for the communication to be conducted in a secure environment. In the past, the need for security was less of a concern when electronic communications were viewed as ancillary to or supportive of paper-based transactions and when communication was among an identifiable and controlled group of individuals, such as the employees within an office. This is still largely true; however, electronic communications will be used increasingly as a primary means to transmit vital business information and to create legally binding contracts. Therefore, security is becoming vital. For example, how can a business wishing to engage in electronic commerce prevent electronic fraud, theft of valuable confidential information, loss of business opportunities resulting from disruption of service, unauthorized use of resources, loss of customer confidence, and costs associated with human error or system failures?

Security concerns exist in conventional paper-based transactions but become more pronounced when electronic-based documentation is introduced. This is because there is a fundamental difference between paper-based documents and documents presented in electronic form. The difference is that electronic transmissions lack uniqueness. In paper-based documents (such as agreements, purchase orders, invoices, checks, receipts, etc.) there are various inherent safeguards which provide comfort to the relevant parties that such documents exist and/or have been agreed to by the parties. These safeguards include the distinctiveness of the ink embedded in paper fibres, the uniqueness of the printing process, watermarks, the biometrics of signatures (e.g. pressure, shape, and pen direction are unique to each person), time and date stamps which evidence delivery, receipt or acceptance, and the detectability of modifications, insertions, and deletions to a document. Also, in some cases, further authentication can be established by introducing witnesses or notaries to the transaction.

In contrast, electronic-based documents by their very nature do not provide such safeguards. Without the overlaying of a security infrastructure, electronic documents are simply a series of bits and bytes of binary code which are not tied to any particular person or entity. The challenge is to create a security infrastructure and procedures which will support the use of electronic communications and to develop a body of legislation and accepted business standards related thereto.

Where a business entity is situated on the spectrum of applications depends on the needs of the business, but it is likely that the emerging needs of most successful businesses will create an impetus for an organization to move further along the spectrum toward more complex transactions where there is communication over the internet and security is a high priority. The factors which will motivate a business to use electronic communications to facilitate its business operations include: (a) the desire to increase productivity while reducing the cost of doing business; and (b) the desire to gain a competitive advantage over rival businesses by being first to market with a new product or service. The factors which will lead businesses to seek greater security in electronic transmissions include: (a) the need to be able to confirm the identity of a sender and receiver of information as well as the integrity of the transmitted data; and (b) the need to ensure confidentiality of the data contained in an electronic communication.

As businesses move along the spectrum, new and complex technical, business and legal issues emerge. This is especially so when business activity involves communicating over the internet and when the parties communicating wish to create binding contracts electronically.

BUSINESS, TECHNICAL AND LEGAL ISSUES

There are a number of business, technical, and legal issues which must be satisfied by any security infrastructure. These issues include: (i) the authenticity of a communication; (ii) the integrity of transmitted data; (iii) non-repudiation of a communication; (iv) the assurance of confidentiality; and (v) the formation of a legally binding contract.

For a business to be able to rely on electronic communications to conduct commerce, it must first have some assurance that obligations created by a communication are binding on the obligated party or parties. For example, how does one create a legal relationship between parties to a transaction and how can the parties be identified? This may not be difficult when the parties are familiar with each other and communicate over secured networks but this becomes more difficult when the transaction occurs in an open environment where the identity of the parties is difficult or impossible to confirm without a trusted third party vouching for the identity of one or more of the parties.

Therefore, the first level of assurance is the verification of the origins of a communication. In the case of an order for the shipment of goods, a vendor may incur financial losses or suffer other forms of damages if it fails to confirm the identity of the ordering party and later discovers that such party never placed the order and that the goods were shipped to a party not permitted to receive such goods. In the event of a contractual dispute resulting in a court proceeding, it is important to be able to establish the authenticity of a communication and demonstrate that an accurate record of both the communication and the means of authentication has been maintained.

A second level of assurance is that the parties to a communication must be able to confirm that the transmitted data has not been altered or otherwise modified while en route from the sending party to the receiving party or when stored after the transmission has been received. This is especially important when the communication is over an open network such as the internet, where transmissions can be intercepted and tampered with as the message passes through various forwarders and packet-switching nodes. For example, a financial institution that has received a communication to transfer a large sum of funds from a client account to a third party would need to be able to verify that the decimal point was not purposely or accidentally moved and that the destination address is accurate. Integrity of the communication can also play a very important evidentiary role when a party is required to demonstrate in court that a communication was not altered. The integrity of the data can be achieved by having the sender: (i) generate a transformation of the data using a mathematical formula and (ii) deliver the data, the transformed representation of the data and a securely protected copy of the mathematical formula to the recipient. The recipient uses the formula to generate a local transformation and, if it is identical to the one received, the recipient knows that the integrity of the data was preserved.

A third level of assurance which must be satisfied is that the sender of a communication cannot deny having sent such communication. This concept is often referred to as "non-repudiation". Non-repudiation does not mean that the sending party is prevented from challenging the enforceability of a contractual obligation, which is a matter to be determined by applicable law; rather, the focus is on the non-repudiation of the transmission itself provided all security procedures have been followed and can be confirmed. In order to support non-repudiation, a technical mechanism is required to allow for an electronic marking or "digital signature" to be attached to a communication in a manner which will allow the communication and signature to be recorded and preserved.

A fourth level of assurance is confidentiality of a communication. This is of particular concern when a transmission is sent over an open network where it becomes more difficult to prevent unauthorized access to the communication. The assurance of confidentiality is important when a transmission contains valuable intellectual property of one party such as a trade secret or when one party is contractually obligated to refrain from disclosing the terms of a business relationship or arrangement. One method of satisfying the requirement for confidentiality is to encrypt the data and securely deliver to the recipient a tool to decrypt the data.

A fifth level of assurance is contract formation. In order for electronic commerce to be viable, businesses must have some assurance that electronic-based documents have the same level of legal validity and enforceability as paper-based documents. The basic requirements of all contracts are that there is an offer of specific terms, acceptance of the offer, and adequate consideration. In some cases, there may also be applicable statutory requirements. For example, in many jurisdictions, specific legislation requires that transactions for the sale of goods over a certain value must be documented in writing and signed by the contracting parties in order to be enforceable in court. However, how is it possible to have certain electronic contracts be enforceable if there is no written signature in the conventional sense? Can digital signatures bind the parties? Whether electronic-based documents will be regarded as satisfying specific written requirements will be determined by the applicable courts or by statute. However, as the courts have in the past accepted new modes of communication such as telegraphs and telecopiers, electronic-based communications will likely be recognized provided they are associated with a proven and reliable security infrastructure.

This last point illustrates how the law is continually trying to keep pace with emerging technologies and the degree of uncertainty that is associated with engaging in activities which have not yet been adequately addressed by legislation or case law. As a result of this uncertainty, businesses will likely continue to create contractual relationships using paper-based documentation where convenient and where such uncertainties are unacceptable. For example, in business to business transactions based on on-going and long term relationships, the contracting parties will likely continue to enter into paper-based trading partner agreements to define the terms on which purchase orders will be accepted and the role that electronic communications will play in the business arrangements.

It should be noted that there are currently various legal initiatives underway which promote the use of electronic commerce, but until legal developments reach a stage where such laws have been judicially endorsed and industry business practices are formed, there will still be a need to ensure that such transactions comply with conventional legal requirements.

INTRODUCING PUBLIC KEY INFRASTRUCTURE (PKI): DIGITAL SIGNATURES, ENCRYPTION, AND OTHER PKI TERMINOLOGY

There are numerous emerging (and in many cases unproven) technologies which attempt to address the business, technical and legal issues discussed above and claim to provide a security infrastructure to support electronic communications. These new technologies include systems based on the use of passwords, biometric tokens such as retinal or hand scans, firewalls, and various public key infrastructure architectures. While many of the security technologies can be used in combination, the most developed of these technologies and the one which is most likely to form the backbone of future security systems is based on public key cryptography. The following discussion serves as a primer for businesses wishing to better understand the technology which is emerging to support secure electronic commerce and the often difficult-to-understand terminology associated therewith.

Public key cryptography is the use of public/private key pairs to perform mathematical transformations on data thereby rendering such data secure. In public key cryptography, keys are generated in pairs. Each pair consists of a private key and a public key. The binding of a public key to its subject (the user for whom the key pair was generated) is certified by a trusted entity referred to as a Certification Authority (CA) and the resulting object is called a certificate or public key certificate. To provide assurance as to the authenticity and integrity of a certificate, the CA attaches its own digital signature to the certificate. The international standard upon which certificates are currently based is commonly referred to as X.509 and certificates which conform to the current edition of that standard are commonly referred to as X.509 version 3 certificates.

The two main security mechanisms in public key cryptography are digital signatures and encryption.

A digital signature is produced by applying a cryptographic function to the data: the data is first reduced to a shortened or "hashed" version, and that hashed version is transformed using the signer's private signing key. The result can only be verified by applying the corresponding public key and additional cryptographic functions to the data. A public key mechanism is used to: (i) authenticate the identities of the participants in secure electronic communications; (ii) ensure the integrity of the data communicated between the parties; and (iii) support non-repudiation of the transaction by the relevant parties. In the digital signature key pair the private key is used by the subject to sign data objects and the public key certificates are used by others to validate or verify the digital signature. The application of a digital signature to data allows the recipient in an electronic communication, through the use of the signer's public verification certificate, to: (i) ensure that the sender is who he/she claims to be, (ii) ensure that the data received is identical to the data sent, and (iii) protect the receiver from the sender denying having sent the data.
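The hash-then-sign mechanism described above, and the moved-decimal-point example from the discussion of integrity, as an added Go illustration that is not part of the original article. It uses ECDSA over a SHA-256 digest from Go's standard library; the sample transfer instruction and its altered copy are constructed for the example, and the signing key pair is generated in main rather than issued by a CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what travels over the network: the data together with the
// digital signature. The signer's public verification key is distributed
// separately, normally inside a certificate issued by a CA.
type SignedMessage struct {
	Data      []byte
	Signature []byte
}

// Sign produces the digital signature. The data is first reduced to a short
// SHA-256 digest (the "hashed" version) and that digest is transformed with the
// signer's private signing key; knowledge of the public key alone cannot do this.
func Sign(signKey *ecdsa.PrivateKey, data []byte) (*SignedMessage, error) {
	digest := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, signKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Data: data, Signature: sig}, nil
}

// Verify is the relying party's side: recompute the digest over the received
// data and check it against the signature using only the sender's public key.
// A false result means the data was altered in transit (integrity) or the
// signature was not made by the holder of that key (authenticity).
func Verify(verifyKey *ecdsa.PublicKey, m *SignedMessage) bool {
	digest := sha256.Sum256(m.Data)
	return ecdsa.VerifyASN1(verifyKey, digest[:], m.Signature)
}

func main() {
	signKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample instruction, not a real transaction.
	m, _ := Sign(signKey, []byte("TRANSFER 1,000.00 USD to account 12345"))
	fmt.Println("genuine verifies:", Verify(&signKey.PublicKey, m))
	// The decimal point is moved in transit: the digest no longer matches.
	moved := &SignedMessage{Data: []byte("TRANSFER 10,000.00 USD to account 12345"), Signature: m.Signature}
	fmt.Println("altered verifies:", Verify(&signKey.PublicKey, moved))
}
```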

Encryption is the cryptographic transformation of data from clear text to cipher text which cannot be read or interpreted until decrypted and returned to clear text. Public key based encryption mechanisms solve the problem of securely sharing a single key, which is inherent in symmetric key based encryption systems, by encrypting that shared key using public key cryptography. Encryption is used to: (i) apply access control to data; and (ii) maintain the privacy between the communicating entities. In an encryption key pair, the private key is used by the subject in the process of decrypting information which was encrypted for them by other users, and the public key certificate is used by others in the process of encrypting data for that subject.

An important aspect of public key cryptography that makes it well suited to support electronic commerce is that a party with knowledge of one key in a key pair is not able to deduce the corresponding key in the pair. Therefore, users can safely publish their public keys and thereby allow others to encrypt data for them and verify their digital signatures without fear of others determining how to decrypt data encrypted for them or forge their digital signature.

Key management is the process of managing all aspects of the use or "lifecycle" of keys and corresponding certificates and involves issues such as: key pair generation, public key certificate issuance, key usage, key expiry and key update, public key certificate revocation, and repository access to users.

A Public Key Infrastructure (PKI) is the set of all the components and processes involved in the management of public keys within a particular security domain such as in a single corporation or business entity. A PKI may include the following components:

Subscriber - the user or entity who is issued certificates within the PKI (subject of certificates). The subscriber is represented in the PKI by their desktop software, or hardware token, which generates the subscriber's signing key pair, maintains the key and certificate data and may also include an archive of older keys and additional functionality.

Certificate Authority - the entity which issues certificates within the PKI and therefore vouches for the binding of the subscriber's name to the public key contained in the certificate.

Repository - the process which retains the PKI information issued by the CA (i.e. certificates and certificate revocation lists) and makes such information available to relying parties and users.

Registration Authority - the entity responsible for verifying the authenticity of a subscriber's claim of identity. In a corporate PKI, for example, the human resources department may satisfy this function. Another entity which may be well suited to be a registration authority is a national postal service.

Relying party - the entity which verifies the validity of certificates and relies on same. Any user validating the digital signature of another user, or encrypting information for others, is acting in the role of a relying party. Frequently, users who are relying parties may also be subscribers.

Sponsor - an entity responsible for qualifying or otherwise determining which individuals should be issued certificates. In a corporate PKI, for example, department or project managers may satisfy this function.

At a minimum a PKI includes the CA system, the client software on the user's desktop (addressing both the requirements of that user as a subscriber as well as a relying party), and a repository. Registration Authorities and Sponsors may also be used but are not relevant in all environments. Ancillary trusted third party services which may also be provided include timestamping and cyber-notary services as well as the issuance of attribute certificates. If these services are provided, additional components need to be added to the PKI. These include: (i) a Time Stamp Authority ("TSA") as a trusted third party to provide a "proof of existence" for a particular message at an instant in time; and (ii) a Notary Authority ("NA") as a trusted third party that certifies the correctness of specific data submitted to it. TSA and NA services are especially important if full non-repudiation services are required. The issuance of attribute certificates to certify capabilities in conjunction with public key certificates to certify identity requires an additional component, the Attribute Certificate Authority ("AA"), which operates much the same as a CA. For example, attribute certificates may be used to assign signing authority levels to individuals within a corporation. It need not be the case that the CA, TSA, NA and AA are the same entity, but each is an example of a trusted third party involved in some aspect of providing the complete set of security services required for successful electronic commerce.

PKIs are not only of use to private businesses but are also of interest to governments in facilitating their provision of services to their citizens. In fact, various governments have started the process of establishing PKIs and creating legislation to oversee the development of certification authority services. As more and more private and public PKIs are established, the requirement for users associated with one PKI or security domain to communicate securely with users associated with another PKI and security domain must be addressed. This concept is known as cross-certification between the two domains. The objective of cross-certification is to extend the domain of trust and to facilitate the management of certificates between two domains and the validation of not only single certificates but also chains of certificates which form a path between the communicating parties. The current state of PKI development is that there are systems deployed which are capable of performing cross-certification and early installations have done some initial testing of the technology; however, the business and legal issues associated with cross-certification have yet to be adequately addressed.
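To make cross-certification and certificate-path validation concrete, here is an added Go example (not from the article) using only the standard crypto/x509 package. It models two security domains, each with its own CA root; a relying party in Domain A rejects a Domain B subscriber's certificate until Domain A's CA issues a cross-certificate for Domain B's CA name and key, after which the path subscriber, cross-certificate, Domain A root validates. The domain and subscriber names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Domain struct {
	Key  *ecdsa.PrivateKey // the CA's private signing key
	Root *x509.Certificate // self-signed root: the domain's trust anchor
}

// template builds a minimal X.509 v3 template; CA templates also carry the
// basicConstraints and keyCertSign settings that path validation requires.
func template(name string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl for pub with the signer's key; parent == tmpl means self-signed.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDomain creates a CA whose self-signed root is the domain's trust anchor.
func NewDomain(name string) (*Domain, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template(name, true)
	root, err := issue(t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Domain{Key: key, Root: root}, nil
}

// Enroll is the act of issuance: the CA binds a subscriber's name to its public key.
func (d *Domain) Enroll(subscriber string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	return issue(template(subscriber, false), d.Root, pub, d.Key)
}

// CrossCertify has d's CA certify the other domain's CA name and public key, so
// a path from one of other's subscribers can be extended to end at d's own root.
func (d *Domain) CrossCertify(other *Domain) (*x509.Certificate, error) {
	return issue(template(other.Root.Subject.CommonName, true), d.Root, other.Root.PublicKey, d.Key)
}

// Validate is the relying party's check: build a path from cert, through any
// supplied intermediates, to this domain's root, verifying every signature,
// validity period and CA constraint along the way.
func (d *Domain) Validate(cert *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(d.Root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```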

From a technical and legal perspective, it is important that the procedures and processes followed in the operation of a PKI be documented and that the respective obligations of the relevant parties be defined and risk allocated. Each potential subscriber and relying party must be able to assess how much reliance to place on the digital signature supported by the certificate of a CA. A CA must be able to define: (i) the level of liability it is prepared to bear in providing its services, (ii) the manner in which it will be compensated for such services, and (iii) the internal mechanism by which it will measure the integrity of its services. Many of these requirements will be addressed in a document referred to as a Certification Practice Statement (CPS), but as the CPS serves various functions and full public disclosure of the operations of the PKI may not be desirable or appropriate in all cases, particular pieces of information may be carved out and presented in other documents such as a Subscriber Agreement, Trading Partner Agreement, CA Services Agreement or other similar documents. Another important document is the applicable Certificate Policy. This document is tied to a CPS, is consistent with the X.509 standard, identifies the proper use of a certificate and is necessary for the purposes of cross-certification. In each PKI, the needs of a particular business or businesses and the intended use of the security infrastructure will define how such matters are documented.

CONCLUSIONS

While PKIs will form the backbone of all forms of electronic commerce, the area which presents the greatest challenge from a business, technical and legal perspective is when such activities involve contracting over the internet. In the spectrum model, contracting over the internet can be viewed as a threshold. Prior to this threshold, communications do not necessarily create binding legal obligations or are usually supported with paper-based documentation. This may be because the parties are all within one organization in an employer-employee relationship or because the communications do not represent a contract but merely facilitate the performance of a contract which was previously executed in writing. However, once the threshold is crossed, the issues discussed herein must be addressed.

For many businesses, until legal and business standards are established and generally accepted, it may be appropriate that business relationships continue to be expressly and clearly documented in a conventional paper-based manner. Nevertheless, electronic commerce has become a reality and will affect all businesses in the future. Some constructive steps that each business can take include the following:

  1. become familiar with the business, technical and legal issues associated with engaging in electronic commerce;

  2. have a basic understanding of the technology which supports secure electronic commerce;

  3. assess present and future needs of the business in a comprehensive and flexible manner and define the role that electronic commerce will play;

  4. establish security policies for the business which must be followed in implementing any security infrastructure and engaging in electronic communications;

  5. research and select technology appropriate for the needs of the business and which is consistent with the established security policies; and

  6. ensure that, prior to engaging in activities beyond the threshold, all business, technical, and legal issues have been addressed.

Early planning will reduce the uncertainties and challenges associated with crossing the threshold.
