PKI Implementation Issues: A Comparative Study of Pakistan with some Asian Countries
Authors: Nasir Mahmood Malik, Tehmina Khalil, Samina Khalid
Nasir Mahmood Malik et al / International Journal on Computer Science and Engineering Vol.1(2), 2009, 105-110, ISSN: 0975-3397

Nasir Mahmood Malik, Tehmina Khalil, Samina Khalid, Faisal Munir Malik
Department of Computer Science, Bahria University, Islamabad, Pakistan
emailnasir@yahoo.com, tehmina_khalil08@yahoo.com, noshi_mir@yahoo.com, faisy20@yahoo.com

Abstract - The paper covers Public Key Infrastructure (PKI), its need and requirements, and introduces some renowned PKI products. However, the major thrust of this work is how PKI can enhance the security of various systems. The paper is intended to serve as a guide on how to adequately prepare for some of the challenges that may be encountered, especially in developing countries like Pakistan. The details of PKI implementation issues are also included, along with future challenges regarding the implementation of PKI. Furthermore, the paper covers technical issues hindering the implementation of PKI through a comparison of PKI issues in Pakistan and some Asian countries, mainly Taiwan, Japan and Singapore. The paper also highlights PKI issues and lessons learnt regarding PKI implementation, and can act as a comprehensive guide for successful future PKI deployments.

Keywords: Public Key Infrastructure, PKI, Issues, Cryptography, Survey, Survey Comparison

1. Introduction

In contrast to the physical world, the Internet is anonymous and it is very difficult to find out who is at the other end of the communication. PKI is a widely accepted global standard for Internet security today, as the major challenges for online communication include establishing online trust similar to a physical marketplace and communicating binding contracts for online transactions.
That is why information security is a wide area of interest for researchers today, but the implementation of PKI is a challenge for most developing countries. Also, to achieve interoperability it is necessary that countries establish PKI as per the widely accepted standards. This paper is an attempt to provide guidelines for PKI implementation, to investigate various issues in Pakistan, and to compare this analysis with similar case studies of Asian countries, mainly Taiwan, Japan and Singapore. The organization of the paper is as follows: the second section introduces cryptography, PKC and PKI with some of its products. In the third section, an analysis of PKI status in Pakistan is explained. The fourth and fifth sections give background information on this survey, its methodology, and the comparison with some of the Asian countries. Finally, conclusions drawn, a few recommendations and future actions are given.

2. Cryptography

Cryptography is mostly associated with encryption/decryption, and there are two main categories of cryptography, i.e. symmetric cryptography using a secret key and asymmetric cryptography using public key based encryption algorithms. The difference between these algorithms is that symmetric algorithms use the same key for encryption and decryption (or the decryption key is easily derived from the encryption key), whereas asymmetric algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key [1]. Typical asymmetric algorithms compared in the forthcoming sections include DSA (Digital Signature Algorithm), Diffie-Hellman (DH), and RSA (Ron Rivest, Adi Shamir and Len Adleman). Using the characteristics of these symmetric and asymmetric algorithms, various PKI products are developed by different vendors and are widely available in the market.
2.1 Public Key Cryptography (PKC)

Public Key Cryptography, also known as asymmetric cryptography, is a form of cryptography in which the key used to encrypt a message differs from the key used to decrypt it. In PKC, a user has a pair of keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Incoming messages are encrypted with the recipient's public key and can only be decrypted with his/her corresponding private key. The keys are related mathematically, but the private key cannot practically be derived from the public key; mostly, asymmetric algorithms are used in PKC [2].

2.2 Public Key Infrastructure (PKI)

A framework for creating a secure method for exchanging information based on public key cryptography. The foundation of a PKI is the certificate authority (CA), which issues digital certificates that authenticate the identity of organizations and individuals over a public system such as the Internet. The certificates are also used to sign messages, which ensures that messages have not been tampered with [3]. Due to these services provided by PKI, many PKI products have been developed, and some of the renowned products are given in the following section.

2.3 PKI Products

There are different ways to get PKI services, since a variety of PKI products and vendors are available [4], [5], [6]. But the fact is that we do not have any perfect and generic solution that could address all the ten issues of PKI given in [7]. However, we can differentiate these products on the basis of some technological differences, such as how certificates are issued, agility [8], and how they are deployed, maintained and revoked. Some popular PKI products include Entrust, VeriSign and RSA Security.
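As an added example (not code from the paper or from any of the products it names), the CA-centred model of Sections 2.1 and 2.2 worked through with Go's standard library: a constructed root CA issues an X.509 certificate binding an assumed identity (alice@example.org) to Alice's public key, Alice signs a message with her private key, and a relying party accepts the signature only if the certificate chains to the trusted CA, is valid for that use, and the message is unchanged. The CA name, serial numbers, identity and message are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // parent == tmpl: self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI: a self-signed root CA issues one certificate binding the constructed identity "alice@example.org" to Alice's key.
func BuildPKI() (root, leaf *x509.Certificate, aliceKey *ecdsa.PrivateKey, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if aliceKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // validity window
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if root, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.org"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, // what the cert may be used for
	}
	leaf, err = issue(leafTmpl, root, &aliceKey.PublicKey, caKey)
	return root, leaf, aliceKey, err
}

// SignMessage: the certificate holder signs SHA-256(msg) with the private key only they hold.
func SignMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyMessage is the relying party's check: the certificate must chain to the trusted root and
// carry the e-mail protection usage; only then is the signature checked with the certified public key.
func VerifyMessage(root, cert *x509.Certificate, msg, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return err // untrusted issuer, expired certificate, or wrong key usage
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) // SHA-256 of msg, ASN.1 ECDSA signature
}
```

A certificate issued by a different root, a modified message, or a modified signature all make VerifyMessage return an error, which is the non-repudiation and integrity property the paper attributes to PKI.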
3. PKI Status in Pakistan

Traditional methods of signing agreements, orders, etc. must be reproduced electronically as well. PKI provides the means to do this. Proper handling of the legal implications involved in electronic transactions is the most important part of PKI implementation. Binding customers and businesses to contracts is the act of non-repudiation. PKI should be deployed based on some law, e.g. a digital signature should be generated according to some digital signature law, and then somebody must be made liable if something goes wrong. Also, the owner of a public key certificate cannot repudiate a signature that is generated with the appropriate signing key. The major components regarding the current legal status of PKI implementation in Pakistan include:

Electronic Transaction Ordinance (ETO) 2002: Recognizes digital documents, certificates and signatures as equivalent to paper documents and written signatures, but this Ordinance has not been updated regularly. The legislation recognizes all files/data in any electronic format as documents, and these documents shall not be denied legal power and enforceability.

Electronic Crimes Act 2004: This Act provides laws for the punishment of electronic crimes and for accompanying matters. The major issue is the regular update of this Act, as cyber crime techniques keep getting more sophisticated.

Electronic Certification Accreditation Council (ECAC): ECAC provides a conducive legal and policy framework that creates an environment of trust, predictability and certainty in the country.

CAs working in Pakistan: One of the major CAs working in Pakistan is National Institutional Facilitation Technologies (NIFT), formed in early 1995, which works as a partner with VeriSign and shares VeriSign CA services. PK-GRID-CA, owned by Quaid-i-Azam University, issues X.509 digital certificates for using grid resources in a secure environment.
It is serving around 10,000 Pakistani scientists all around the world.

4. Survey Background

We surveyed more than 133 local organizations having national as well as international business. The major focus was on IT and Telecom related companies, but in this paper we have only included those organizations where PKI implementation exists up to some level, i.e. 55. As shown in Figure-1, 43%, 26%, 17% and 14% of the targeted organizations belong to the IT, Financial/Banking, Government/Public and Telecom sectors respectively.

[Figure-1: Target Organizations (bar chart: IT 43%, Telecom 14%, Finance/Banking 26%, Govt./Public 17%)]

Out of these 55 organizations, as explained in Figure-2, 20 (36%) organizations have not yet implemented PKI but do plan to implement it in the near future, whereas 35 organizations (64%) were at various stages of PKI implementation. Among those 35 organizations, PKI implementation was in progress in 20 (57%), while 15 (43%) organizations had already completed PKI implementation.

[Figure-2: PKI Survey Background]

Figure-3 shows that the percentage of organizations which responded that they have developed a PKI application on their own is much lower (25%) than the percentage of those which replied that they have not developed a PKI application on their own (75%). This shows that most organizations are comfortable when some third party is involved in this process. This is one of the major reasons that most IT sector companies have already deployed PKI in their respective organizations and are providing these solutions to their customers as well.
[Figure-3: PKI Applications (pie chart: PKI application developed on their own 25%; not on their own 75%)]

Only those respondents who had completed PKI implementation in their organizations were further asked to answer questions about their PKI deployment and related information. The details of their responses have been compiled, and an analysis of this comparison is given in Table-1.

5. Comparative Analysis of Issues

PKI has become the object of international attention, and much has been done to realize national and international standards for PKI, for example X.509. There are, however, serious PKI implementation issues, as different countries and different organizations may adopt different security policies, implementations and standards. This raises the question of interoperability between these various implementations, especially in such a way as to create a global trust domain [9]. The Asia PKI Forum is an international organization, set up in June 2001 with the aim of establishing PKI interoperability in Asia. There are seven countries, China, Japan, Korea, Singapore, Hong Kong, Macao and Chinese Taipei, that are members of this Asia PKI Forum [10]. Out of these member countries, the Japan, Singapore and Chinese Taipei PKI Forums have conducted PKI surveys, and our questionnaire is mostly based on these surveys [11], [12], [13]. We analyzed the questionnaire responses in terms of the following aspects: implementation status of PKI, applications, products, and challenges and obstacles faced during the implementation of PKI in Pakistan. As per our survey results, Taiwan has an edge when it comes to PKI implementations, as 65% of organizations in Taiwan have PKI, whereas in Singapore, Japan and Pakistan 56%, 42% and 25% of organizations have implemented PKI respectively. In Pakistan PKI implementations are at initial stages due to lack of technical knowledge.
The main reason for higher PKI deployment in Taiwan is compliance with legal and business requirements. This is clearly manifest as the requirements enforced by business partners and legal requirements in Taiwan are 70% and 29%, a higher percentage as compared to Japan, Singapore and Pakistan. This shows that if an organization wants to survive in Taiwan it is more likely to deploy PKI as compared to an organization doing business in Japan, Singapore or Pakistan. Moreover, PKI deployment in Pakistan is mainly done to fulfill security needs, as 52% of organizations implemented PKI to meet security requirements. Also, in Taiwan and Japan PKI is deployed to meet security requirements, as 92% of organizations in both countries are using PKI to meet security needs.

The major PKI protocol implemented in Taiwan and Singapore is in web application software, 76% and 41% respectively. Also, web applications are more secure in Taiwan and Singapore as compared to Japan and Pakistan. The Cross-Authentication-SSL protocol is almost equally used in Japan and Taiwan, i.e. 69% and 73% respectively.
Table 1: Comparison of PKI Implementation in Pakistan

Description                                   Pakistan   Singapore   Japan   Taiwan
Organizations implemented / not implemented PKI
  Organizations having PKI                       25%        54%       42%      65%
  Organizations not having PKI                   75%        46%       54%      24%
PKI based application
  Cross Authentication-SSL                       35%        26%       69%      73%
  Web application software                       15%        41%       38%      76%
  VPN                                            10%        18%       39%      27%
  Secure e-mail                                  40%        15%       31%      51%
PKI functionalities utilized
  Authentication                                 17%        29%      100%      89%
  Data integrity                                 30%        32%       54%      84%
  Confidentiality                                18%        20%       84%      84%
  Non-repudiation                                35%        19%       38%      92%
PKI brands
  VeriSign                                       25%        60%       19%      14%
  RSA                                            31%        12%        8%      27%
Reasons for PKI deployment
  Security                                       52%         9%       92%      92%
  Business partner's demand                      20%        19%       31%      70%
  Legal requirement                              16%        22%       15%      29%
Obstacles in implementation of PKI
  Lack of technical knowledge                    24%        30%       46%      35%
  Limited options of PKI products                18%        25%       23%      38%
  Integration difficulty                         16%        19%       15%      30%
Key utilization
  Single key                                     33%        77%       53%       8%
  Dual key                                       67%        23%        8%      67%
PKI implementation duration
  1 year or less                                  7%        34%       36%      40%
  1 to 2 years                                   40%        25%        7%       3%

The protocol mostly used by Pakistani organizations is secure e-mail, i.e. 40%, which indicates that in Pakistan PKI is primarily used for secure e-mail communication. As far as utilization of PKI functionalities is concerned, organizations in Japan are putting more emphasis on authentication (100%), whereas in Taiwan and Pakistan the main stress is on non-repudiation, 92% and 35% respectively, while in Singapore the data integrity function of PKI is mostly utilized (32%). When it comes to PKI brands/vendors, Taiwanese and Pakistani organizations prefer RSA (27% and 31% respectively), whereas in Japan and Singapore VeriSign is mostly used, i.e. 19% and 60% respectively. The major obstacle in Taiwan is only the limited options of PKI products and solutions (38%).
Furthermore, Taiwanese organizations face more problems while integrating the PKI implementation with the existing IT infrastructure, i.e. 30%, as compared to only 15%, 16% and 19% in Japan, Pakistan and Singapore respectively. This shows that organizations in Taiwan are deploying PKI solutions due to legal requirements in spite of the difficulties of integration. Also, 65% of Taiwanese organizations have already implemented PKI, in contrast to only 42% of Japan's organizations. But the major plus with Taiwan is that more technical knowledge is available: only 35% of organizations say that they have not implemented PKI due to lack of technical knowledge, in contrast to 46% of Japanese organizations admitting a lack of technical knowledge. The PKI implementation cycle is much shorter in Taiwan. About 40% of Taiwanese organizations say that the cycle is completed in less than a year, as compared to Japan and Singapore (36% and 34%). In Pakistan the PKI implementation cycle takes much more time, as 40% of Pakistani organizations complete PKI implementation in 1 to 2 years. Lastly, the predominant use of dual keys in PKI implementations in Taiwan and Pakistan is linked with security requirements and business partner requirements, as 67% of organizations in both countries are using dual keys, as compared to only 8% and 23% in Japan and Singapore respectively. Dual key utilization is a safer and more secure way of PKI implementation, while 53% and 77% of organizations in Japan and Singapore are using a single key pair. We can safely say that the implementation of PKI is more mature, advanced and safe in Taiwan than in Japan, Singapore and Pakistan. The vast majority thinks that Taiwan will be the country with the most potential for mutual recognition in PKI technology.

6. Conclusion

The PKI survey of Pakistan has shown that this technology has not reached a wider number of organizations/users.
The major reason is that there is no commercially available Certification Authority (CA) in Pakistan. As per our survey results, the main reason that Pakistani organizations are not going towards PKI implementation is its high cost. PKI is considered important for cross-border trade in Pakistan, as 53% of organizations are using PKI for communicating with foreign trading partners. Also, most organizations are planning to implement PKI in the near future. Furthermore, lack of technical knowledge in this field has also made it much harder for PKI projects to be considered viable by organizations, as it does take some basic technological know-how to use it. In Pakistan, the IT industry, banks and financial institutes make up most of the percentage that deploy PKI, while in other sectors security implementation is not a priority as they do not consider it a necessity. Finally, Cross-Authentication-SSL and secure e-mail are the most recognized potential applications of PKI in Pakistan, especially for trading with foreign partners. Moreover, cyber security laws need to be updated on a regular basis. But countries like Pakistan do face many issues in implementing these laws throughout the country; especially e-laws for e-transactions, e-crimes, digital signatures, digital certificates, digital forensics etc. are at a very early stage of implementation. Lastly, the digital signature law is still not enforced in the country, and acceptance of digital documents is not a norm in Pakistan. However, the situation is improving, and a couple of public and private sector organizations have implemented "paper-less" initiatives.

Future Work

As per our research, Pakistan has a long way to go to achieve sufficient cyber security solutions. So, there is an opportunity to explore other security options (other than PKI).
Also, the major issue for the emerging Pakistani market is the establishment of a commercial CA, as the country cannot rely on costly PKI products from outside Pakistan forever, along with regular updating of cyber laws. We are already working on non-PKI cyber security solutions and a feasibility study of the establishment of a commercial CA in Pakistan.

References

[1] John W. Rittinghouse, William M. Hancock, "Cyber Security Operations Handbook", Secure Communication, 2003, pp. 255-256.
[2] Wikipedia, Public Key Cryptography, www.en.wikipedia.org/wiki/Public-key_cryptography, accessed on 25th April, 2009.
[3] PC Magazine Encyclopedia, www.pcmag.com, accessed on 25th April, 2009.
[4] VeriSign Technologies, www.verisign.com, accessed on 5th April, 2009.
[5] Entrust Technologies, www.entrust.com, accessed on 6th April, 2009.
[6] RSA Security Technologies, www.rsasecurity.com, accessed on 16th April, 2008.
[7] C. Ellison, B. Schneier, "Ten Risks of PKI: What You're Not Being Told about Public Key Infrastructure", Computer Security Journal, Vol. XVI, 2000.
[8] Peter Hodgkins, Luke Hohmann, "Agile Program Management: Lessons Learned from VeriSign Managed Security Services Team", IEEE Computer Society, Agile, 2007.
[9] Guo Z., Okuyama T., Marion R., Finley J., "A New Trust Model for PKI Interoperability", Proceedings of ICAS/ICNS, IEEE Computer, 2005.
[10] Asia PKI Forum, www.asia-pkiforum.org, accessed on 17th April, 2009.
[11] Japan PKI Forum, "Survey of PKI Use in Japan", June 2002.
[12] Chinese Taipei PKI Forum, "Report of PKI Trend Survey", NII Enterprise Promotion Association, August 2002.
[13] Public Key Infrastructure Environment Singapore, www.japanpkiforum.jp, accessed on 19th April, 2009.