Bricking up the 'Net to make it safe for business
Among the more intriguing aspects of the Internet are the capabilities it provides to 'Net surfers to gain access to limitless information, visit exotic locales without ever leaving the safety of their keyboards and even interact with other people electronically, revealing only the information that they want to reveal about themselves, and in some cases, trying on new identities for size.
But it's also the anonymity of all of those people surfing the 'Net, and the voyeuristic qualities of the whole experience that make consumers more than hesitant to expose themselves, their credit card and financial data, and other personal and business-related information that will be key to making applications like electronic commerce and telecommuting a success. And if cable modems on broadband data infrastructures are to take off, they will need to be propelled by a public and a marketplace of vendors that feel secure about their use.
How secure is the Internet right now, and what's being done to make it a safer place to do business?
Safety is a relative term, says Milind Khare, program manager with Intel Corp.'s Architecture Lab, which has been involved with security issues as part of the efforts of the Broadband Link Team, a group that's helping make recommendations regarding standard cable modem specifications.
"The issue is not really technology, it's more of a perception issue," says Khare, "and it will take time to change perceptions.
"I'm sure that you ate in a restaurant in the last month where you handed your credit card number to a waiter that you had never seen before in your life. And you trusted that person with your credit card number for approximately five or 10 minutes."
In an attempt to reach that same level of consumer and merchant comfort with electronic commerce on the Internet, there are currently several different approaches to credit card transactions. In a conventional approach, some vendors take orders over the network, but then require the user to dial into a regular 800-number in order to effect payment.
Other sites are using standards such as SSL, or the secure sockets layer, which is a standard set by Netscape Communications that has been adopted by a number of other players. SSL encrypts the session that takes place between the client and the server, encrypting the user's credit card number as it travels to a particular merchant, so that only a particular server can decrypt the information.
Essentially, SSL utilizes public key/private key cryptography to encode the data. With this method, a pair of mathematically matched keys is used to encrypt and decrypt the data. If something is encrypted with a particular public key, only the private key of that pair can decrypt the information, and vice versa. The beauty of the system is that the public key can be published without compromising the security of its other private half.
Companies like Visa and Mastercard are championing a specification called SET (secure electronic transaction) to secure credit card payments, which should go a long way in encouraging customers to use their plastic on the Internet. In the case of the SET protocol, a particular merchant won't be able to read the encrypted credit card number, but will contact its acquiring bank, which in turn, contacts the issuing bank that holds the customer's account. The issuing bank then verifies the credit card number.
Of course, there are security issues which go beyond protecting personal information. For one, in blind, electronic transactions, how can a consumer's - or a merchant's - identity be verified? In the electronic world, "digital certificates" take the place of a physical piece of ID such as a driver's license or a credit card which a consumer would present to verify his identity in the physical world.
The components of a digital certificate include the person's name, the public key and a digital signature, which verifies that the data is authentic. In essence, a user would "sign" some bits with their private key, while the merchant could verify the "signature" with the user's public key. Merchants would also use digital signatures to verify their identity on the Internet.
While these techniques represent only a sampling of the security measures being explored to shore up electronic commerce, there are plenty of security problems to overcome.Data contamination and theft
Though the Internet has yet to become a major conduit for electronic commerce, it has already become the ultimate research library, with new pages on the World Wide Web springing up daily. The proliferation of companies, institutions and individuals placing their content on the Internet brings up another security issue, however, the contamination of data.
If companies are to protect content that resides at their Web sites, they must restrict access to that content. At present, that usually means that people must log onto Web sites with a user name and a password in order to gain access to a portion of the site. If you think that this seems problematic, it is.
An article recently posted on the Internet tells of the whopping security gaps revealed by the editors of CMP's WINDOWS Magazine, as they deliberately set out to uncover both corporate and institutional Web sites that were unsecured. The vulnerable locations, according to the article, included security gaps on sites produced by notables in both the financial, and the electronics communities.
The editors, using "popular" search engines, found sites that were sitting ducks: in many cases, a hacker could use a Web browser to obtain lists of files on the Web server's disks, or even copy the information in those files.
"In some cases, these problems would permit outside users to delete or modify files as well," according to information released by the magazine. The magazine's executive editor, David W. Methvin, called the results of the experiment "scary."
"We were able to find glaring security gaps virtually across the board," said Methvin.
Even more disturbing, some security measures that are in place may not be working.
One site that the editors visited utilized Secure HTTP (hypertext transfer protocol) to protect credit card information as it was used to make purchases via the Internet. "But security holes may have left credit card information wide open to thieves once it reached the server," according to the group's findings.
On the bright side, the article also lists strategies that companies crafting Web sites can adopt to protect their information, including cleaning out sample program files that can act as backdoors for would-be hackers, installing all security-related server updates released by vendors, and restricting access to individual directories.
There are, however, Internet security watchdog organizations which monitor the 'Net for major disruptions and specific types of hacker activity.Cable's concerns
Moving outside of the borders of the Internet itself and into the access network, cable operators are faced with an additional security challenge in the structure of the cable bus architecture which providers supplying point-to-point connections are not. In the downstream, the same data, whether it's baseball stats, gardening tips, or the marketing strategies of one telecommuter's company, will be flowing past everyone's house that is connected to a particular node.
With that in mind, security is an issue which operators are not willing to compromise on.
"In the future, any modem that we look at will have to have some form of public key encryption," says David Fellows, senior VP Engineering and Technology with Continental Cablevision, which was due to receive a public key Link Layer Encryption enhancement this summer, in the form of a software download, to the LANcity modems the MSO recently purchased.
To protect data at the data link layer, cable operators are pretty much of one mind that Link Layer Encryption should be used to bulk encrypt the data traveling between customers' cable modems and the headend. The data modem standardization process, however, is still in flux.
"Within the (cable) domain, it's pretty well-accepted that DES (data encryption standard) ...encryption will be used," notes Khare.
The DES chip in the customer's modem, and the DES chip in the headend, would exchange secret keys for privacy.
There is a hitch with DES 56-bit encryption, though: the U.S. government has banned the export of anything that uses keys of more than 40 bits in length because of security concerns. In fact, the technology is classified in the same category as munitions.
Governmental security agencies want to make sure that they can read any traffic that flows across the Internet, if necessary, to enhance law enforcement and U.S. intelligence activities.
The battle brewing between government and public interests has led to the creation of the concept of "key escrow," whereby authorities would allow the export of applications or software that use encryption exceeding 40 bits, if the key is escrowed by the government, with the proviso that an escrowed key would not be opened without a court order.
That approach is not without problems, either.
"If you are a foreign government," says a source with one vendor, "and you are using software that is made by a U.S. company, but your key is escrowed with the U.S. government, I don't know how well that sits with you.
"We are still debating, along with other modem vendors, on how to deal with that: either leave out the encryption, or weaken it."Firewalls
Moving farther up in the network, past the cable operator's headend, individual customer companies may want to take charge of their own security needs at the application layer, with an additional layer of encryption. At that point in the network, firewalls, which restrict access from the Internet, could be put in place by companies with telecommuters, for example.
A firewall is a piece of hardware and/or software that acts like a "choke point," says Khare.
"The firewall is your face to the Internet, and all the traffic comes in through it. If you wanted to allow specific employees to come in through the firewall, there are products that can set you up that way," he adds.
Digital Equipment Corp., a vendor which offers security solutions, has set up firewalls to protect its data and its employees as they interact with the Internet.
Digital is applying Web technology in two ways, according to Lois Levick, director of Digital's Cable Industry Network Competency Center. The first is what most people are familiar with, the Internet, which acts as a marketing and information resource for people inside and outside of the company.
The second is what can be called the internal Internet, or Intranet. The Intranet is designed for use and access by employees only; however, with Digital's tunneling software, the company can select certain partners and customers to access information in the Intranet, adds Levick.
In fact, Digital provided Internet security for companies which participated in CableNet '94 at the Western Cable Show. More than 45 companies had their data protected by firewalls and other security measures for the duration of the demonstration.
In the CableNet application, Digital's Screening External Access Link, a set of hardware and software components that control and monitor access among secure private networks and non-secure networks, acted as security enforcer.
As cable operators begin to provide different types of data services to their subscribers, says Levick, they will define those services based not only on elements like transmission speed, but also, on the class of security offered.
To determine the type of security solution to implement, cable operators need to closely evaluate the applications to be offered, and the business they're pursuing.
"What is the cost, and what is the value?" asks Levick. "What, as an operator, am I trying to accomplish?"
If it's gaining the public's trust and performing electronic commerce, then security will be key.