Dear Sacha,
I've often wished that I could add something unique and individual to a document to make it more personal or authentic. That stems from my sentiment that the typed word can seem anonymous and impersonal, such that adding something personal would be a security blanket. This is easy enough to do, provided that I've got everything on paper.

The trouble with paper is that I can't e-mail it, so printing my document and signing it doesn't help if it needs to reach someone in the next state before lunch. As a result I send it out as it is and the recipient has to take it on faith that everything is on the up and up.

Today that's no longer the case. True, signing a document on your computer doesn't allow for the personal touch or flair, but the security is hard to beat.

Digital Signatures

Make your mark

The development of the public key infrastructure (PKI) was a considerable breakthrough for common encryption and security. Common, in this context, means it is available to everyone without the need for complex encryption programs and mainframes to run them. Moreover, it is real security, not just a security blanket. PKI works for any electronic documents, such as those used on the ElectronicTender System, as well as e-mails.

The name, public key infrastructure, is indicative of how it works. When you use a PKI system you are issued a digital certificate, also called a digital signature, which consists of two keys. One is a public key and the other is a private key.

Digital certificates are issued by certifying authorities (CAs), such as VeriSign or Entrust. Ultimately the security of a digital certificate relies on how good the CA is, so you should always make certain that the company that issues you your certificate is reliable.

The public key, as the name once more suggests, is public. Anyone and everyone has access to it. This is important because without the public key the other half, the private key, cannot work. This is where PKI can become a little confusing, because the public key can be used to encrypt as well as decrypt a document or e-mail.

The private key functions just like the public key, with the important difference that it is, of course, private. Only you have access to it and, ideally, you've protected it with a password. Like the public key, the private key can be used to encrypt or decrypt a document or e-mail.

Password protection for the private key is a function of PKI. When you get your digital signature you decide whether you want the private key to be password protected or not. You should always protect your private key with a password as a matter of course. The only way PKI can fail is if someone else gains access to your private key.

If both the public and private key can encrypt as well as decrypt an e-mail, how does anything get done? The trick is that both public and private keys also function as locks.

Others can only use your public key, so if they want to send you an encrypted message they have to use your public key to encrypt it. They've locked the e-mail with the public key. The only way to unlock it is with the matching private key. Thus, you are the only person who can read that e-mail because you are the only one with that private key.

Could the e-mail be sent to the wrong person, even if it is encrypted? Yes. The security doesn't lie in that the e-mail can't be sent to the wrong person, but in that the wrong person can't read it.

The procedure works the same in reverse. You encrypt - or lock - your e-mail with your private key and send it out. Now you're probably thinking, "But wait. If the private key unlocks the public key, won't the public key unlock my private key? That means anyone can read my e-mail!"

That's exactly right. The private key provides a different form of security. If someone needs to use your public key to read the e-mail, they know that it is your private key that locked it. Since you are the only person with access to your private key, the e-mail must have come from you. This is especially useful if you have to use an e-mail address that the recipient doesn't know.

Obviously this is still a limitation. Encrypting - or signing - an e-mail isn't the same thing as making sure only the right person can read it. To do that you need access to their public key, which means they need to have a digital signature. Without a digital signature you have nothing, within PKI, with which to lock the e-mail just for them.

PKI allows you to use both a public and a private key at the same time. When you use your private key and the recipient's public key, the recipient can be certain the e-mail is from you and they're also the only person who can unlock that e-mail.

PKI is, without a doubt, a remarkable security feature. Now just think, it is just one of the security features that the ETS uses.
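
The three cases described above (locking with the recipient's public key, signing with your own private key, and doing both at once), as an added Python example that is not part of the original newsletter or of the ETS. It assumes textbook RSA with constructed demonstration keys and no padding, and it signs a SHA-256 digest of the message rather than the message itself; all function and variable names are hypothetical.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Build ((n, e), (n, d)) = (public, private) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def apply_key(value, key):
    """The one RSA operation; which key is used decides what it means."""
    n, exponent = key
    return pow(value, exponent, n)

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):            # "lock" with the sender's private key
    return apply_key(digest(message, private[0]), private)

def verify(message, signature, public):  # anyone can check with the public key
    return apply_key(signature, public) == digest(message, public[0])

def encrypt(message, public):          # "lock" with the recipient's public key
    m = int.from_bytes(message, "big")
    assert m < public[0], "message too long for this demonstration key"
    return apply_key(m, public)

def decrypt(ciphertext, private):      # only the private key holder can unlock
    m = apply_key(ciphertext, private)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed demonstration keys built from well-known Mersenne primes.
# They are far too small and too structured for real use.
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
RCPT_PUB, RCPT_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def send(message):
    """Sender uses own private key and the recipient's public key."""
    return encrypt(message, RCPT_PUB), sign(message, SENDER_PRIV)

def receive(ciphertext, signature):
    """Recipient uses own private key and the sender's public key."""
    message = decrypt(ciphertext, RCPT_PRIV)
    return message, verify(message, signature, SENDER_PUB)

if __name__ == "__main__":
    ct, sig = send(b"Bid: 4200 USD")   # constructed sample message
    print(receive(ct, sig))
    print(verify(b"Bid: 9999 USD", sig, SENDER_PUB))  # altered text
```
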

Resources

National Procurement Fraud Task Force

When you visit the NPFTF page one of the first things that you will see is "About the National Procurement Fraud Task Force (NPFTF)", which explains why this task force exists.

We would all like to think that such things don't happen or, if they do, that they'll never happen here. Not to us. It is natural and behooves us to have such faith in our friends and co-workers. Unfortunately, a visit to their press room shows us that it does indeed happen. Imagine how shocked those people must have been to learn that their co-workers, perhaps even friends, were involved in fraud.

This is the reason we, at YSER, place such an emphasis on security and accountability.

These security features are bewildering. It took quite a bit of rethinking for me to properly grasp how PKI works and I've presented it here in as clear and straightforward a way as I could.

If you still have questions, don't hesitate to contact me. Security is one of the concerns I run into most frequently and you should know that security is one of the ETS's strongest features.

Please don't forget to share this newsletter with your friends and colleagues and encourage them to sign up for it. Thank you!

Sincerely,
Sacha Hartmann
YSER Inc.