Morgan Adopts Strong Encryption for Customers

To keep communications confidential, J.P. Morgan & Co. has been using encryption software from Entrust Technologies Inc. with some of its customers.

The New York-based banking company was interested in using public key cryptography and chose Entrust's software because it was "based on open system standards," said Charles Blauner, a vice president of security and Internet architecture. Morgan has been working with this technology for over 18 months.

Entrust has developed a security infrastructure that uses two sets of public keys: one for encrypting messages and files and the other for the user's digital signature. This is designed to prevent repudiation of transactions, which can be a tipoff to fraud.

Nonrepudiation is assured "because we don't back up your signature key. You're the only person who has your signature key," said John A. Ryan, chief executive officer of Entrust, a company recently spun off by Northern Telecom of Canada.

Entrust's public key infrastructure enables a company to secure desktop computers and electronic mail as well as manage and distribute public keys and digital certificates.

Morgan wanted to start with a small proof-of-concept project to try out the Entrust system. The mortgage securities area was already looking to change its communication process to electronic mail. Traditionally, the documentation and related processes of turning mortgages into securities revolved around express mail services.

"They asked us to help secure their E-mail process," Mr. Blauner said.

Entrust finds that a lot of its customers are interested in secure electronic mail as well as basic computer security, Mr. Ryan said. The company also expects security for electronic forms "will be the next big hit," he added.

J.P. Morgan's goal was to reduce the time it took to handle the process by eliminating the need for physical transport of documents. The results were dramatic, cutting the negotiation time from two to three weeks to two or three days, Mr. Blauner said.

Using software development tools from Entrust, the bank was able to design the program so that "a business person would just have to hit a button and the file would automatically be encrypted for the specific business partner involved, and E-mailed to them," Mr. Blauner said.

The bank provided the necessary software to the six business partners in this project. Because of the small number of users, issuing of the public and private keys was not too complex an issue for the bank.

The bank also is serving as its own certificate authority, or CA, a "trusted agent" role that others prefer to outsource.

"We internally manage all of the identities so that Morgan issues all of the certificates for both the internal users and the business partners," Mr. Blauner said.

One reason Morgan decided to be its own CA was to ensure interoperability. Standards in the area of digital certificates are lacking, so there is no assurance that certificates from different CAs will work together.

Confidentiality is also a problem. To identify one another, the customer and the certifying company must agree on some private information known only to them. It is sort of like a lender asking for a customer's mother's maiden name.

Outsourcing of certificate management would require secret information to be disclosed to a third party. "Morgan wouldn't want to do that because it's critical to maintain client confidentiality, even if we're talking about the smallest piece of information," Mr. Blauner said.

"There's no good way to leverage a third party without jeopardizing my client relationship," he added.

"Being your own CA is not a trivial activity," said Michael Zboray, a vice president and research director with Gartner Group, a Stamford, Conn.-based research firm. Another motivation for J.P. Morgan may also be not wanting to have to manage a three-way relationship among itself, customers, and the certificate authority, he added.

It is not uncommon for companies using public key cryptography to be their own CAs in high-value transactions, Mr. Zboray said. "On the other hand, when it comes to public Internet commerce-based applications, it's almost universally going to someone like Verisign," which is trying to create a mass market in digital security.

For a second pilot, Morgan looked at the way institutional investors were accessing their portfolios. They typically looked at their information by using private telephone lines and a hardware encryptor.

By replacing the old system with public networks and encryption software, the bank realized two main benefits: lower cost and greater flexibility, Mr. Blauner said.

The bank won't consider using digital signatures for business transactions until smart cards are used for storing users' private keys. "All the current implementations today, whether it's Entrust or any of their competitors, store the private key that you would use for the signatures on the hard drive of a machine, and they protect it by encrypting that file," Mr. Blauner said.

"The problem here is that if someone steals that file and over the course of time breaks the encryption, I as the owner of that key never know that," Mr. Blauner said. The bank expects to use Entrust's software and smart cards for transactions in the future, Mr. Blauner said.

"For really high-stakes electronic commerce, a two-factor authentication system ... is just about mandatory," Mr. Zboray said.

Besides the concern about storing keys on personal computers, the bank also sees other hurdles that need to be cleared before using digital signatures.

"None of the existing certificate authorities have addressed the liability issues in a way that would be satisfactory to an organization like J.P. Morgan," Mr. Blauner said.

The bank plans to install a more robust version of the Entrust system by third quarter and make the infrastructure available for other applications.

"The use of technology has to be based on a pull from the business," Mr. Blauner said. "I've never seen a successful implementation where a technologist tries to force the latest and greatest technology on a business."

When the former Nortel Secure Networks was spun off as Entrust in January, J.P. Morgan Investment Management became a minority shareholder in the company.
