Dartmouth researchers who were pioneers in Public Key Infrastructure (PKI) – a system that secures and authenticates computer communications – are now playing leading roles in establishing Internet standards and guidelines for security.
Secure Internet activity requires being able to prove who you are. Security experts agree that the traditional approach of passwords is not always effective. PKI and public key cryptography solve these problems, and Dartmouth researchers are leading the way in helping organizations deploy PKI. A new system developed at Dartmouth called PRQP, which stands for PKI Resource Query Protocol, is now in the pipeline with the Internet Engineering Task Force (IETF) to become the universal way to easily implement PKI-enhanced computing security.
“PKI labors under the misconception that it’s difficult,” says Scott Rea, senior PKI architect at Dartmouth. “PKI is most successful when it runs under the covers or in the background.” And that’s what it does on a lot of commercial websites that accept credit card numbers, ensuring security behind the scenes using PKI or “certificate authority” technology.
Dartmouth’s Institute for Security, Technology, and Society (ISTS) has received funding from the Department of Homeland Security to explore ways to make PKI more user-friendly, for individuals and for businesses of all sizes. That’s how PRQP was born.
“PRQP, very simply, provides a more distributed system for PKI; it works in a way to get trustworthy references in order to verify the PKI certificates of individuals or servers,” says Massimiliano “Max” Pala, research fellow with ISTS and the Open Certificate Authority Lab director.
In other words, as PKI becomes ubiquitous, IT professionals need PRQP, which provides a standard way to operate PKI efficiently, and therefore ensures a consistent and robust measure of security.
And, according to Pala and Rea, adoption of PKI is growing, and there is a deliberate program to bring more and more organizations into the PKI fold. Consortiums have been established, grouped around common themes, so that all members within each group can trust each other’s PKI certificates. For example, there are eight organizations now in the Higher Education group, or “bridge,” which includes colleges and universities. It’s called HEBCA, which stands for Higher Education Bridge Certificate Authority, and Rea serves as director of the HEBCA Operating Authority and secretary of the HEBCA Policy Management Authority.
There are also bridges for federal employees and contractors, pharmaceutical companies and researchers, and one for defense and aerospace companies and contractors. All four existing bridge organizations have formed a “federation” to trust everyone within these networks, and there are varying levels of security, because PKI is customizable. Among all four bridges, approximately 15 million certificates have been issued (mainly to individuals, but servers and other network devices can also carry certificates). That figure is expected to double in the next 12-18 months. At Dartmouth alone there are 34,000 active certificates and about 1,500 server certificates issued from the Dartmouth PKI.