
    Security For Online Transactions

    Author: Simpson Grierson

    Despite some e-commerce marketplaces struggling to attract business, the inherent potential for B2B (business to business) and B2C (business to consumer) transactions seems huge.

    Nevertheless, online commerce faces some challenges, as it struggles towards widespread use. The most common of these challenges is knowing whether your online transaction is secure.

    Some recent developments are aimed at enhancing the security of online transactions. These include:
    - the use of digital signatures and public key infrastructure ("PKI");
    - the establishment of certification authorities to verify the identity of parties transacting using digital signatures; and
    - Government initiatives in the area of e-security.


    What are digital signatures?

    Digital signatures are created using cryptography, a form of applied mathematics that encrypts and decrypts messages. Most commonly, digital signatures use a key-based method, public key cryptography, supported by what is referred to as public key infrastructure ("PKI").

    In PKI, public and private software "keys" are created to allow secure communication between two parties. The private key can create a digital signature or encrypt data, and the public key verifies a digital signature or decrypts the data. Only the signing party knows the private key, whereas the corresponding public key is made known to all people relying on the digital signature or encrypted data. However, because private keys and public keys are simply strings of numbers, there needs to be a means of verifying that a particular public key corresponds (in the case of an electronic signature) with the signing party's private key, and that a particular set of keys belongs to the person intended to be bound by the signature.

    Certification authorities

    When you go to a website, say Bricks&Mortar.com, to buy cement, how do you know the site is really Bricks&Mortar and that your communications will be secure?

    This is where certification authorities ("CAs") play a vital role. CAs are trusted third parties that issue digital certificates. The digital certificate provides the recipient of the certificate with the public key for a digital signature and at the same time certifies that the person named in the certificate holds the relevant private key. Root certification authorities monitor the CAs, and establish policies and procedures for their member CAs to adhere to.
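    The signing and certification steps described above, as an added example in Go that is not part of the original article: a root CA issues a certificate binding a name to a public key, and the relying party accepts a signature only when that certificate chains to a root it trusts. It uses the standard library's x509 and ed25519 packages; the function names, the certificate fields and the "Bricks&Mortar.com" subject are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueCert has signer (a CA) certify that name holds the private key matching
// pub. With parent == nil the certificate is self-signed, as for a root CA.
func IssueCert(name string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA keeps serials unique
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithCert is the relying party's check: the certificate must chain to the
// trusted root CA, and the public key it carries must verify sig over msg.
func VerifyWithCert(root, cert *x509.Certificate, msg, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return false // not certified by a CA we trust, e.g. an impostor's self-signed certificate
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}
```

    Key pairs come from `ed25519.GenerateKey(rand.Reader)` and the signing party signs with `ed25519.Sign(priv, msg)`; a certificate the signer issued to itself under the same name fails the check because it does not chain to the trusted root.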

    Identrus has emerged as the leading root certification authority, particularly in the area of global financial institutions. Underlying the Identrus system is a uniform global system of participating rules and operating procedures that bind both sides of a transaction. By using PKI technology, Identrus provides a basic validation service that also offers the ability to warrant the identity of the transacting parties.

    Financial institutions in New Zealand that have signed up to Identrus include ABN Amro, Citibank, Deutsche Bank, Westpac Trust Banking Group and ANZ. ANZ recently announced the launch of a $100 million e-business drive in New Zealand which will include the provision of digital certificates as part of its new e-commerce services.

    But concerns still linger as to who monitors the CAs and root CAs to ensure they are complying with their own security policies and procedures. Many Governments are now considering stepping in and getting involved in developing appropriate standards.

    Gatekeeper - Australian Government Security Project

    The Australian Government has recently announced plans to develop a digital signature process to be used by Australian businesses in dealing with state and federal agencies. The new digital signature, called the ABN-Digital Signature Certificate or "ABN-DSC", is intended to facilitate Government-to-business online service delivery. All federal agencies will be expected to use the ABN-based digital signature for authenticating online transactions with businesses.

    ABN-DSC is part of the Gatekeeper project established by the Australian Government in October 1997. The aim of the project is to develop a national framework for the authentication of users of electronic online services through public key technology (PKT). The main aims of Gatekeeper are:

    - to establish a rational voluntary mechanism for the implementation of PKT by Government agencies;
    - to facilitate interoperability and allow users to choose from a panel of service providers whose product and method of delivery have been evaluated and accredited to meet prescribed Government standards for integrity and trust; and
    - to provide an operational mechanism to manage federal agency activities and interests in the area of PKT.

    New Zealand Government Initiatives

    Compared with Australia, the New Zealand Government has been less forthcoming with electronic security initiatives. The Ministry of Economic Development feels there is a danger in placing too much emphasis on the need for Government intervention in areas such as e-security and authentication, simply because of the novel nature of e-commerce.

    But this doesn't mean that the Government is turning a blind eye to e-security issues. Work is currently underway on a pilot implementation of a New Zealand public key infrastructure for the Government Communications Security Bureau. Eventually, this may be extended to cover the whole public sector. Plans are also underway by the Government to publish guidelines on what to look for in a digital certification authority. A draft policy was to be completed by the State Services Commission's E-Government Unit by the end of April 2001. The policy will be presented to Cabinet for sign-off by the end of June 2001.

    And the future?

    Traditionally, security has been regarded as a necessary expense that had little or no revenue component. Today, the new business paradigm views security as an essential cost-saving mechanism and a key to safeguarding a company's reputation. E-commerce is only now beginning to capitalise on the benefits of information security. The challenge for business is to keep up with developing trends in online security, and government policies in this area.

    This is a general summary only and should not be taken as a substitute for specific advice.

    x-tech group Simpson Grierson
    Web site: x-tech group Simpson Grierson

    Contacts
    Michael Sage, Partner, michael.sage@sglaw.co.nz
    Earl Gray, Partner, earl.gray@sglaw.co.nz
    Jan Kelly, Partner, jan.kelly@sglaw.co.nz
    Karen Ngan, Senior Associate, karen.ngan@sglaw.co.nz
    Sarah Ford, Solicitor, sarah.ford@sglaw.co.nz

    April 2001

    June 2001