August 9, 2000

In the wake of government legislation giving weight to digital certificates and electronic signatures (HNN 7/12/00), increasing consumer demand for privacy guarantees (HNN 6/14/00, 7/12/00), and the ever-pending HIPAA regulations, security vendors are leaping to offer products that incorporate public key infrastructure. PKI is not itself a cipher but the machinery (certificate authorities, certificates, and key management) for binding public keys to identities in asymmetric cryptography, where each party holds a private key and publishes the matching public key; that split is what lets it provide authentication and non-repudiation, which a shared symmetric key cannot, since anyone who can verify a symmetric MAC can also forge one. One company, however, is focused on bringing to market a product it claims will enhance PKI-based authentication and make electronic data as permanent as stone engravings.

Digital certificates and signatures are currently limited to identifying the person doing the transaction and thus lack the additional safeguard of permanently identifying what that person did and when they did it, according to Paul Doyle, CEO of Chicago-based ProofSpace. The company's ProofMark product fills in those blanks by recording and signing each transaction or set of transactions as it occurs, including the user authentication method, with a transient key pair that is assigned to a time interval rather than to a specific user.

“PKI is based on protecting private keys,” Doyle said. “Trust services go through a rigorous process to authenticate and protect private keys, and there’s all this risk around the private key. We removed that risk because our technology is based on pushing the private key out to time ‘now.’”

With ProofMark, only one public-private key pair is active during a given interval of time. Transactions during that interval are signed with the on-duty private key (strictly a signature rather than encryption, since anyone holding the public key can check the mark but nothing is hidden by it), and the ProofMark carries the on-duty public key, which identifies the interval in which the transaction that triggered the ProofMark process took place. When the interval ends, the expiring private key signs the new public key before it is retired, so the interval keys form a chain of signatures running back to the first key. The default key size is 1024 bits and can be raised to 2048 bits.

The software is built into the application layer and becomes part of the system infrastructure to provide security on the Internet, intranet, or local network, according to Doyle. The firm claims that ProofMark has an advantage over third-party trust-based services because, as a shrink-wrapped product that can be licensed, it provides independently verifiable proof that an event has taken place and does not require the services of an outside vendor or certificate authority for substantiation. That independence goes only as far as the chain does: a verifier still needs a trusted copy of the first public key and the published sequence of interval keys, and the guarantee that nothing can be back-dated rests on each interval's private key actually being destroyed when its interval ends.
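The interval-key chain described above, and the verification that needs only the published record rather than a third party, as an added example in Go; this is not ProofSpace's code and nothing in the article describes its implementation. It assumes Ed25519 from Go's standard library as the signature algorithm (the article gives only key sizes, which suggest RSA, but names no algorithm), uses an interval counter in place of a wall-clock interval, and treats the first interval's public key as the verifier's trust anchor. The names `Chain`, `Mark`, `Rotate` and `Verify` are hypothetical. It goes one step beyond the article by showing that a mark re-labelled with a different interval, a record with a broken link, or data altered after marking all fail verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// IntervalKey is the public record kept for one time interval. Only the
// public key and the link signature are published; the private key is held
// only while its interval is on duty.
type IntervalKey struct {
	Index    uint64            // interval number; stands in for the wall-clock interval
	Pub      ed25519.PublicKey // the interval's on-duty public key
	PrevLink []byte            // signature over Pub by the previous interval's private key (nil for interval 0)
}

// Mark is the stand-in for a ProofMark: which interval signed, what was
// signed (a digest of the transaction data), and the signature.
type Mark struct {
	Interval uint64
	Digest   [sha256.Size]byte
	Sig      []byte
}

// Chain holds the published interval record plus the single private key that
// is currently on duty.
type Chain struct {
	Record []IntervalKey
	priv   ed25519.PrivateKey
}

// NewChain generates the genesis interval. Its public key must reach
// verifiers by some trusted path; it is the only trust anchor the scheme has.
func NewChain() (*Chain, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chain{Record: []IntervalKey{{Index: 0, Pub: pub}}, priv: priv}, nil
}

// markMessage binds the digest to the interval number so a mark cannot be
// presented as belonging to a different interval.
func markMessage(interval uint64, digest [sha256.Size]byte) []byte {
	msg := make([]byte, 8+sha256.Size)
	binary.BigEndian.PutUint64(msg, interval)
	copy(msg[8:], digest[:])
	return msg
}

// Mark signs the data with the on-duty private key.
func (c *Chain) Mark(data []byte) (Mark, error) {
	if c.priv == nil {
		return Mark{}, fmt.Errorf("no private key on duty")
	}
	cur := c.Record[len(c.Record)-1]
	digest := sha256.Sum256(data)
	return Mark{Interval: cur.Index, Digest: digest, Sig: ed25519.Sign(c.priv, markMessage(cur.Index, digest))}, nil
}

// Rotate ends the current interval: the expiring private key signs the next
// public key (the chain link) and is then wiped, so nothing signed later can
// claim to belong to this interval.
func (c *Chain) Rotate() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	prev := c.Record[len(c.Record)-1]
	link := ed25519.Sign(c.priv, pub)
	for i := range c.priv { // best-effort wipe before dropping the reference
		c.priv[i] = 0
	}
	c.priv = priv
	c.Record = append(c.Record, IntervalKey{Index: prev.Index + 1, Pub: pub, PrevLink: link})
	return nil
}

// Verify checks a mark using only the genesis public key and the published
// record: every link from genesis up to the mark's interval must verify, and
// the mark must verify under that interval's key. No third party is consulted.
func Verify(genesis ed25519.PublicKey, record []IntervalKey, m Mark, data []byte) bool {
	if len(record) == 0 || record[0].Index != 0 || !genesis.Equal(record[0].Pub) {
		return false
	}
	if m.Interval >= uint64(len(record)) {
		return false
	}
	for i := uint64(1); i <= m.Interval; i++ {
		if record[i].Index != i || !ed25519.Verify(record[i-1].Pub, record[i].Pub, record[i].PrevLink) {
			return false
		}
	}
	if sha256.Sum256(data) != m.Digest {
		return false
	}
	return ed25519.Verify(record[m.Interval].Pub, markMessage(m.Interval, m.Digest), m.Sig)
}

func main() {
	c, err := NewChain()
	if err != nil {
		panic(err)
	}
	genesis := c.Record[0].Pub
	m0, _ := c.Mark([]byte("order #1 approved")) // constructed sample transaction
	_ = c.Rotate()
	m1, _ := c.Mark([]byte("order #2 approved"))
	fmt.Println(Verify(genesis, c.Record, m0, []byte("order #1 approved")))
	fmt.Println(Verify(genesis, c.Record, m1, []byte("order #2 approved")))
	fmt.Println(Verify(genesis, c.Record, m0, []byte("order #1 denied")))
}
```

The verifier walks the record from the genesis key forward, so the only things it has to obtain are the anchor and the published public keys; the private keys never leave the signer and, once rotated, no longer exist there either.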

“PKI has worked as a trust model, even when you are trying to use it for auditability, meaning that two parties involve a third trusted party as witness,” Doyle said. “Then you have to be dependent upon the third party to provide service in the future. We create electronic records that can be independently verified. A ProofMark is to electronic data what indelible ink is to paper. That level is built into the infrastructure.”

The firm is initially targeting three markets: healthcare, financial services, and business-to-business. According to Doyle, ProofSpace is negotiating with vendors who supply digital certificate services in general, and with major vendors in the healthcare industry in particular, to incorporate the ProofMark technology into a platform for healthcare that will meet the HIPAA regulations as well as other privacy requirements.

The software is scheduled for launch this fall and has 10 beta testers, including a Fortune 50 company that Doyle declined to name. The firm is targeting larger providers in healthcare because the organizations that produce the most paper are likely to be the early adopters of the technology. Pricing will start at 5¢ per ProofMark. The first volume discount comes at 2 million ProofMarks; at 10 billion, the cost per mark goes down to 0.03¢ per ProofMark. Unlimited site licenses are also available.

“Our strategy going forward is to gradually expand from our primary markets into other verticals like government, b2gov, and e-government,” Doyle said. “In addition, once we start to get broad adoption horizontally, we can start to layer applications on top, such as versioning control and digital rights administration.”