Encryption and digital certification key to Net security

Thanks largely to its initial Wild West image, there are many people who think the last place they would trust the security of their financial affairs is the Internet.

But the growth of electronic commerce and the widespread use of the Internet for business communications have been mirrored by concerted efforts to ensure the Internet can be relied on for safe, secure communications.

Mr Paddy Holohan, vice-president of business development at Irish software security firm Baltimore Technologies, says there are four criteria for any commerce: integrity, authenticity, confidentiality, and non-repudiation. All four of these can be addressed by electronic commerce, he says, particularly by encryption and digital certificates.

Confidentiality is particularly important for Internet banking, and is usually achieved through what are called public/private key systems. These are based on the idea of two separate keys, or strings of data bits. The longer the key, the harder it is to break the code.

The first key, the so-called public key, can be made known to anyone, for it can only be used to encrypt data. A second key, known as the private key, is required to decrypt the resultant encrypted data, and is kept secret.

When you want to communicate with a bank, for example, the bank sends your Web browser its public key, and all information you subsequently send is encoded using this. Although information passing over the Internet passes through many computers, all of which can potentially read the data, none can decrypt the data without the bank's private key. Confidentiality is assured.

Assured, that is, if the keys are long enough. The US has banned the export of browsers which support keys longer than 40 bits, and studies estimate intelligence agencies can decode 40-bit encoded data by trial and error techniques in less than one second.

Every extra bit in the key doubles the amount of time it takes to break the code, and experts now recommend key lengths of 128 bits, which would take millions of years to decode with even the latest supercomputers. Such secure keys are built into standard browsers for use in the US, and despite a US ban on exporting such secure systems there are several 128-bit encryption products around the world. These systems are often used by commercial users, but the public is still largely limited to 40-bit encryption.

So much for confidentiality, but how do you know you are talking to the bank and not to someone masquerading on the Internet as the bank? This is done using digital signatures, also called digital certificates.

A digital certificate is like an electronic signature, guaranteeing the identity of the sender. The certificate is issued by an authorised body, called a certification authority or trusted third party, and Web browsers are configured to recognise these certificates. Banks and others who want digital certificates must satisfy the certification authority that they are who they say they are before getting a certificate.
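The two mechanisms described above, the public-key exchange with the bank and the browser's check of a CA-issued certificate before it trusts that key, as an added illustration that is not part of the original article. It uses textbook RSA with constructed toy-sized primes and a constructed certificate layout; the names bank.example and the account number are made up.

```python
# Toy model of the two mechanisms the article describes: public-key
# confidentiality and CA-issued certificates. Textbook RSA with small
# constructed primes; real systems use 2048-bit moduli, padding and X.509.
import hashlib

E = 65537  # public exponent; coprime to (p-1)(q-1) for any primes below it

def make_keypair(p, q):
    """Textbook RSA key pair from two constructed, toy-sized primes."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)  # (public, private)

def rsa(key, x):
    """One modular exponentiation: encrypt, decrypt, sign or verify, depending on the key."""
    exponent, n = key
    return pow(x, exponent, n)

def digest(data, n):
    # Hash the data and reduce it modulo n so it fits in one RSA block.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def cert_body(subject, public_key):
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(ca_private, subject, subject_public):
    """The CA vouches for the binding of a name to a public key by signing it."""
    body = cert_body(subject, subject_public)
    return {"subject": subject, "public_key": subject_public,
            "ca_signature": rsa(ca_private, digest(body, ca_private[1]))}

def browser_trusts(ca_public, cert, expected_subject):
    """The check a browser makes before encrypting anything to 'the bank':
    the name must match and the CA's signature must cover name and key."""
    if cert["subject"] != expected_subject:
        return False
    body = cert_body(cert["subject"], cert["public_key"])
    return rsa(ca_public, cert["ca_signature"]) == digest(body, ca_public[1])

def run_scenario(account_number=12345678):
    ca_pub, ca_priv = make_keypair(7919, 7907)        # certification authority
    bank_pub, bank_priv = make_keypair(10007, 10009)  # the bank
    cert = issue_certificate(ca_priv, "bank.example", bank_pub)
    # An impostor has its own key pair but no CA signature over it: swapped key.
    impostor_pub, _ = make_keypair(7907, 10007)
    forged = {**cert, "public_key": impostor_pub}
    ciphertext = rsa(bank_pub, account_number)  # what travels over the Internet
    return {"genuine_accepted": browser_trusts(ca_pub, cert, "bank.example"),
            "forged_accepted": browser_trusts(ca_pub, forged, "bank.example"),
            "bank_recovers": rsa(bank_priv, ciphertext) == account_number,
            "ciphertext": ciphertext}
```

The forged certificate fails because the CA's signature covers both the name and the key, so swapping in the impostor's key breaks the signature even though the name still reads bank.example.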

The main criteria for becoming a certification authority are public trust and electronic trust: the authority must be acceptable to the public and safe from hackers. Mr Holohan thinks it will be easier for a publicly trusted body to attain electronic trust than for an electronically trusted company to attain public trust. He therefore sees the Government, individual banks, Telecom Eireann, An Post, and chambers of commerce as likely candidates for becoming certification authorities.

Eireann is also believed to be interested.

Down the line, it is possible that every Internet user will have a reputable digital certificate, guaranteeing his or her identity in cyberspace and removing the need for PIN numbers. For security purposes this has a lot going for it, but in a country where the public is wary of ID cards, what's the likelihood of universal digital ID cards being adopted?

Eoin Licken can be reached at eoin@stilet.to