The wider adoption of XML and PKI-based smart cards as the
standard for digital signatures promises to make digital
certificates and signatures a viable technology for the masses,
says Vikash K Agarwal
The digital economy is evolving from the days of small purchases
using credit cards to complete e-banking over the Net. There
have been solutions to conduct transactions over the Net,
but none have been able to garner popularity. A credit card
number and a secure transmission protocol like SSL (Secure
Sockets Layer) work well to buy books, etc, on the Net, but
identifying yourself to the bank using just a number is not
convincing enough to allow full control of your financial
transactions.
Digital signatures have always looked very promising and are
even accepted by law in certain countries. These signatures
are based on encryption-decryption using a unique key pair
called the public key and the private key. The fundamental
principle is that any data encrypted or protected using one key
of the pair can only be decrypted or opened using the other key.
There are also algorithmic standards that ensure this mathematically.
The public key makes up the digital certificate. This certificate
is used to sign and send data to the certificate owner, who
can then open it using the private key held only by him. No
one else can access the data. PKI (Public Key Infrastructure)
is a common term used for digital signatures and the associated
infrastructure required for their maintenance.
Despite this, the use of digital signatures has been more
or less restricted to client-server authentication for websites
or digitally signed e-mails. The advent of the recent XML
(Extensible Markup Language) standard for digital signatures
and of PKI-based smart cards and tokens promises to make digital
signatures a viable technology for the masses.
The X-cellent option
The most important reasons for the increasing popularity of
XML are that it is text-based, can easily represent hierarchical
data to any level and is extensible. All systems are willing
to accept a text-based message in XML, which does not carry
anything proprietary from the sender. Thus, a client using
a Windows machine on an Intel processor can easily send XML
messages to a bank's Linux server running on a RISC processor.
The XML standard for digital signature is a W3C recommendation,
RFC-3275. This document specifies the rules and syntax for
using digital signatures in XML. Two or more parties who are
XML-enabled, can agree to use this standard and start recognising
digitally signed messages from each other. Compare this with
a scenario where a bank (using, say, a solution from Baltimore)
wants to send an e-transaction to another bank (using a Verisign
solution) or a client (using his vendor's solution) wants
to send a message to his bank. All use the standard digital
signature algorithms known and recognised by each other, but
still cannot exchange any messages, since a messaging standard
acceptable to all is missing. Each party has to agree with
the other for it to work. Agreeing with one means disagreement
with others or a bloated application, which soon becomes unmanageable.
Not only is the standard designed to hold digital signatures
and associated data as XML, it also takes into account concepts
like multiple signatures on a single transaction, which is
very common and critical in organisations above a certain
size. The flexible design allows data being signed to be non-XML
or outside the main signature XML message. Compatibility is a
natural advantage
in adoption of a standard, and the XML-DSIG standard promises
to do just that, with XML being the icing on the cake.
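The detached, multi-signer arrangement described above, as an added example (not from the original article): two `ds:Signature` elements reference the same non-XML payment order held outside the XML, and the checker recomputes each Reference digest. The payload, signer Ids and function names are constructed, SignedInfo is trimmed to its Reference, and the SignatureValue check over the canonicalised SignedInfo against the signer's certificate is assumed to happen separately.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGESTS = {SHA256: hashlib.sha256}  # allow-list; other algorithms are rejected

# Constructed sample: a non-XML payment order kept outside the signature document.
PAYLOAD_URI = "payment-order.txt"
PAYLOAD = b"PAY 25000.00 INR FROM ACCT-0001 TO ACCT-0002\n"

def build_document(payload, signers):
    """One <ds:Signature> per signer, each referencing the same detached payload."""
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    sigs = "".join(
        f'<ds:Signature Id="{s}"><ds:SignedInfo>'
        f'<ds:Reference URI="{PAYLOAD_URI}">'
        f'<ds:DigestMethod Algorithm="{SHA256}"/>'
        f'<ds:DigestValue>{digest}</ds:DigestValue>'
        f'</ds:Reference></ds:SignedInfo>'
        # Placeholder only: a real signer puts its signature over SignedInfo here.
        f'<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
        for s in signers)
    return f'<Transaction xmlns:ds="{NS["ds"]}">{sigs}</Transaction>'

def check_references(doc_xml, resolve):
    """Return {signature Id: bool}: do all Reference digests match the resolved data?"""
    results = {}
    for sig in ET.fromstring(doc_xml).iterfind(".//ds:Signature", NS):
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        ok = bool(refs)  # a signature that covers nothing is not acceptable
        for ref in refs:
            algo = ref.find("ds:DigestMethod", NS).get("Algorithm")
            data = resolve(ref.get("URI"))
            if algo not in DIGESTS or data is None:
                ok = False  # unknown algorithm or unresolvable detached data
                continue
            want = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS))
            ok = ok and DIGESTS[algo](data).digest() == want
        results[sig.get("Id")] = ok
    return results

if __name__ == "__main__":
    doc = build_document(PAYLOAD, ["maker", "checker"])
    print(check_references(doc, {PAYLOAD_URI: PAYLOAD}.get))
    tampered = PAYLOAD.replace(b"ACCT-0002", b"ACCT-9999")
    print(check_references(doc, {PAYLOAD_URI: tampered}.get))
```

A matching digest only shows the payload is the one the signature refers to; it says nothing about who signed until the SignatureValue is verified.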
A smart alternative
Smart Cards are plastic cards or tokens with a microprocessor
or embedded memory chip. The capability to read, write, store
and process data makes them ideal for storing something like
private keys and certificates. The PKI smart cards are further
customised for the purpose of digital signatures. They often
have built-in capability of secure key-generation, signing
and encryption and are tamper evident.
Additionally, PKI smart cards require a PIN for use. Anybody
attempting to crack into a smart card based system needs to
get physical possession of the card as well as knowledge
of the associated PIN. This gives it an edge over traditional
password-based systems.
Major operating systems like Windows now have built-in basic
support for smart cards, which is needed by these vendors
for their products to integrate easily. Additionally, cryptographic
interfaces like MS-CAPI (Cryptography Application Programming
Interface) and Cryptoki are now well-defined for application
vendors to create applications that utilise PKI smart cards.
The hard work is already done. It's just a matter of
time before an XML enabled financial application interfaces
directly with financial service providers like banks, to send
and perform transactions on the Net. Complex technology requires
a user-friendly application to reach the consumer.
Vikash K Agarwal is the technology
architect at Tally Solutions, India