Cable operators could find themselves poised to provide the essential security ingredient for electronic-commerce and Internet-protocol telecommunications that, so far, has eluded others on the Internet.

While some Internet firms are sounding alarms over security deficiencies that still scare consumers away from commerce over the Web, cable vendors are taking steps to foster public-key infrastructures, network-based security and other techniques to guard transactions, phone calls and file transfers on the Web.

"The cable industry definitely has an opportunity to put PKIs into operation on a large scale," said Dan Eakins, vice president of business development and marketing at BlueSteel Networks Inc., a supplier of security-specific integrated circuits that is set to be acquired by Broadcom Corp.

"Broadcom has already integrated security functions based on our platform into its new line of ASICs [application-specific integrated circuits] for DOCSIS [Data Over Cable Service Interface Specification] modems," he added.

With computer-processing capabilities based on BlueSteel's proprietary semiconductor-circuit designs, these Broadcom chips do more than support the baseline security systems required for implementation of cable-modem and PacketCable IP telecommunications services. They also provide a framework to adopt IPSec (IP security)-based PKIs that extend beyond the cable-controlled environment, Eakins noted.

A PKI uses encrypted "session keys" that are distributed to users seeking entry into a secured transaction by a third-party authentication service. This avoids relying on storing fixed decryption codes in end-user devices and, at the same time, it assures service and applications providers that the end-user is who he or she claims to be.

"Layering in another level of security to protect transactions that extend beyond the headend out onto the Internet is really essential for cable," Eakins noted.

Broadcom's move comes as other leading chip suppliers take similar action. They assume that wide-scale availability of computers, modems and hand-held devices powerful enough to support downloading security systems into client devices will make it easier for service providers and financial institutions to activate whatever security systems are appropriate to their needs.

Intel Corp., for example, is introducing a new family of network-security-enabled adapters to add security to local-area networks and the internal-networking components of e-commerce systems.

The new adapters support IPSec, and they are optimized for Microsoft Corp.'s forthcoming "Windows 2000" operating system, which is designed to offload security processing onto devices such as Intel's "PRO/100 S" adapter.

Challenging Intel head-on, Royal Philips Electronics' Philips Semiconductors introduced a new 256-megabit-per-second processor for IPSec processing. The company is also supplying a new tool set with the chip that allows companies to customize the intellectual-property blocks within the chip's architecture to support specific applications.

With the DOCSIS platform, the cable industry has a head start over other providers of high-speed Internet services to residential users in being able to seed its market base with cost-efficient, chip-based security support.

Cable also can quickly tap advances in network-based security that Cisco Systems Inc. pledged to bring to market as an integral component of its routers and other devices.

"The real promise comes with developing a set of products that really work together," said Roger Farnsworth, senior manager for security solutions at Cisco's security Internet-services unit.

Microsoft is teaming up with Cisco to foster wide-scale adoption of the protocols that make security capabilities possible across a large segment of the IP-connected market, starting with security components embedded in Windows 2000.

These include support for an encrypting file system, an "easy-to-manage" PKI and interoperability with authentication systems used by leading security vendors such as CyberSafe Corp. and RSA Security Inc., said Brian Valentine, senior vice president of Microsoft Windows.

"Microsoft wants to take the bar up on this," Valentine said. "If vendors don't get over this problem or if they create more problems, it's going to stall this huge growth" in e-commerce.

Microsoft entered Cisco's "Security Associate Program" in a commitment to making its "Windows 2000 Professional" and "Windows 2000 Server" operating systems interoperable with Cisco's network-security solutions.

This includes support for "Active Directory" in Windows 2000, which "ensures a real quick uptake" for the distributed-directory environment that's enabled by this protocol, Farnsworth said.

"With distributed-directory servers, users log in and receive the directory information they need from the nearest repository," he added.

Directory-based security -- which allows security policy to be centrally defined and applied via a group-policy-management model -- will eventually be melded with identification procedures associated with PKI security at the network level in order to establish a "strong identity" component within Internet traffic, Farnsworth said.

"Elements of security overlap somewhat now, but we need to provide for a way to know who's in the network and whether they conform to the policy profiles associated with the applications they're accessing," he added.

Another key component now entering the mainstream networking environment is Simple Certificate Enrollment Protocol, adopted by such security vendors as Baltimore Technologies plc, GTE Corp.'s CyberTrust, Cylink Corp., Entrust Technologies, RSA, the Sun Microsystems Inc.-Netscape Communications Corp. alliance and VeriSign Inc., which helped to develop the protocol with Cisco.

SCEP, which is also integrated into Microsoft's "Certificate Server" software, provides a common means of managing secure delivery of the certificates that are used in various PKI systems, Farnsworth said.

"None of these things work together today," he added. But with a common protocol, suppliers of the certificates that enable users to obtain keys to decrypt messages within a given PKI environment can enroll devices in the network. For example, they could enable virtual-private-network components to communicate with each other as new entities come into the PKI.

PKIs are now easier to establish within a single enterprise environment. But Cisco faces a bigger challenge in trying to serve cable companies as they move to provide ever more hosted, value-added applications to their customers.

"The SP [service provider] has to accept multiple credentials, and their services are more content-based than applications in the private-enterprise domain, which complicates the ID process," Farnsworth said.

Now, service providers can gather information from different sources and use the Differentiated Services Protocol (Diff-Serv) to channel applications resources. But this process must be made easier through the availability of perimeter tools and the means to manage them within a "secure shell," Farnsworth added.

Progress in network-based security is indeed vital, MCI WorldCom Inc. senior vice president Vinton Cerf said. "We are looking with great interest at vendors that are putting digital-control keypads on their equipment so that it can be authenticated," he said. "We need a lot more content filtering and authentication inside the firewalls, as well as outside."

But, he added, "We don't have public-key security. If only we had smart cards with digital keys."

It would take muscle to force the Internet-industry factions to settle on a single PKI platform approach, Cerf added.

But proof that such muscle exists can be found in the fact that more than 70 percent of all cash flowing into the economy comes from automated teller machines. "I'd love to see the banks get together and try to persuade us to use smart cards with a public-key system," he added.

Earlier this month, Visa International cut a deal with Internet-security supplier Spyrus to provide a uniform PKI environment for Visa's member banks. Under the agreement, Spyrus will develop PKI products built around the Spyrus-backed "Open Platform," a system architecture for globally interoperable smart-card systems.

Open Platform is meant to ease the development of smart-card solutions by providing a rapid-development environment, including card specifications, terminal specifications and workbench tools.

Visa Cash will allow financial institutions to pre-load money onto customers' smart cards for use on any Open Platform-compliant terminals, such as those that might be used in pay phones, at bridge tollbooths or in devices with links to the PC for Internet purchases, Visa senior vice president for emerging technologies Jim Lee said.

It remains to be seen, though, how fast Visa banks or other entities looking for solutions to support the mass-market transactional environment of the Internet will embrace Open Platform.

So far, noted K.S. Shankar, a security strategist at IBM Corp., "We don't see a lot of major PKI deployments."

After speaking to more than 40 customers involved in PKI integration, Shankar cited strategic-planning errors and the lack of uniform approaches to PKI-based security policy.

The root problem with planning is that PKI implementers start from a feature-driven perspective fueled by vendor marketing messages, rather than clearly defining what their security needs are from the top down. "There are a lot of RFPs on the street for PKI implementation, but most don't state what the problems are," Shankar said.

While these vendor efforts should eventually rectify these issues for service providers in the Web market at large, cable should be able to move faster to exploit the potential of e-commerce within its operating domain -- assuming that operators invest in the infrastructural components its vendors are providing.