The National Institute of Standards and Technology’s Information Technology Laboratory today released software to assist industry in building more secure systems to promote electronic commerce.
Vendors of products can use the NIST software to help ensure that their product offerings can work with those of other firms. Such "interoperability" will provide customers greater choice and flexibility in selecting secure products. Interoperability is also critical to promote widespread availability of security features to support secure on-line transactions.
The software can be used by industry vendors to ensure the interoperability of their products implementing advanced "public key infrastructure" (PKI) technology. This technology provides a strong means to support electronic business transactions over the Internet.
"The release of this software marks an important advance in PKI technology. Now product developers can easily test their products and systems to ensure interoperability with other systems," said Donna Dodson, who heads the NIST Security Technology Group.
NIST’s new software is a reference implementation of PKI components conforming to the Minimum Interoperability Specification for PKI Components, Version 1 (MISPC V1). It is available in two forms: ready-to-run executables for Windows 95™ systems and source code.
Santosh Chokhani, president of Cygnacom Solutions, notes the project has already had an impact. "This project helped us validate the MISPC and supporting standards." Cygnacom Solutions developed the reference implementation under contract for NIST.
The MISPC is an interface specification for PKI components based upon emerging international standards. MISPC V1 identifies a small set of features from these specifications as the minimum feature set for interoperability for PKI components. The specification’s certificate format conforms to the International Organization for Standardization/International Telecommunications Union X.509 standard and the Internet Engineering Task Force’s Internet X.509 Certificate and Certificate Revocation List (CRL) Profile. Transactions are based on the IETF’s Certificate Management Protocol and use the Lightweight Directory Access Protocol (LDAP) to distribute certificates and CRLs.
This reference implementation is designed as a proof-of-concept to help product developers and researchers. The implementation is a laboratory tool, permitting researchers to become familiar with PKI transactions and components without significant investment. The software is a concrete demonstration of the functionality described in the MISPC, V1. Finally, it provides a baseline for interoperability testing of PKI components. A developer may substitute locally developed components for components in the reference implementation for testing.
NIST’s software includes implementations of three PKI components: a Certification Authority (CA), an Organizational Registration Authority (ORA), and a PKI client. The program is available in executable form for Windows 95™ systems; source code for PKI operations is available as well. With an LDAP directory and an electronic mail system, these components can issue, revoke and retrieve public key certificates. The reference implementation enacts several scenarios for certificate issuance. Clients and ORAs may request certificates. Both clients and ORAs may request certificate revocation. The CA distributes revocation information by issuing X.509 CRLs. Electronic mail transports the requests and responses. Clients and ORAs retrieve certificates and CRLs using LDAP.
NIST’s Information Technology Laboratory developed the MISPC V1 with 10 industry partners under the auspices of cooperative research and development agreements (CRADAs). The 10 partners were AT&T Corp., BBN (now part of GTE), Certicom Corp., Cylink Corp., Dyncorp Information & Engineering Technology Inc., Northern Telecom (now Entrust Technologies Inc.), IRE, Motorola Inc., SPYRUS and VeriSign Inc. NIST is developing an enhanced specification, version 2, with 16 industry partners: AT&T Corp., CertCo, Certicom Corp., Cylink Corp., Digital Signature Trust Co., Dyncorp Information & Engineering Technology Inc., Entrust Technologies Inc., Frontier Technologies Corp., GTE, ID Certify, Mastercard International, Microsoft Corp., Motorola Inc., SPYRUS, VeriSign Inc. and Visa International. The MISPC V2 will include new transactions to support issuing public key certificates for key management.
The software is available free of charge to anyone in the United States and most other countries.
To request the reference implementation or obtain information on the MISPC, please use the following URL: http://csrc.nist.gov/pki/mispc.
As a non-regulatory agency of the U.S. Department of Commerce's Technology Administration, NIST promotes economic growth by working with industry to develop and apply technology, measurements and standards through four partnerships: the Measurement and Standards Laboratories, the Advanced Technology Program, the Manufacturing Extension Partnership and the Baldrige National Quality Program.