The UK Post Office has revealed details of its Trusted Third Party secure e-commerce service, ViaCode, marking the end of Royal Mail’s monogamous affair with hard-copy ‘snail-mail’. Using encryption technology from Entrust Technologies, the security software company spun out of Nortel, ViaCode will offer businesses the ability to send secure, legally signed documents.

ViaCode will exist to provide businesses with an alternative to operating their own Public Key Infrastructure. Royal Mail will act as the Trusted Third Party (TTP) of its PKI, registering and managing digital certificates from client companies as well as integrating the Entrust software with a user’s existing applications. ViaCode will cost up to 1 pound per week per individual user within a company.

The government-owned organization is pushing the toughness of its registration process as a key feature, claiming it is unique in the UK. Royal Mail will rely on its long-established brand to recruit custom, and will hope it can match its massive hardcopy user base with ViaCode users. To back up its claims of trustworthiness, Royal Mail will guarantee the service up to a value of 100,000 pounds.

In launching this service Royal Mail goes head to head with similar services such as that offered by British Telecommunications Plc, which has an agreement with VeriSign Inc to phase in secure e-commerce services for business users.

Royal Mail will register and manage a database of subscriber certificates – records that include subscribers’ public encryption keys and other information about them.

To send a secure email using ViaCode, a sender first creates a digital signature by running a source document through an algorithm to produce a message digest, which is then encrypted with the sender’s private key. The signature is then bundled with the source document and the sender’s certificate, and the three are encrypted together, using a randomly generated symmetric key.

The sender then places this encrypted message into a digital envelope. This is created by encrypting the randomly generated symmetric key with the recipient’s public key, which is taken from their certificate. The sender then sends the encrypted message and digital envelope together. The interface to accomplish this procedure consists of two extra buttons on the sender’s email application – one to create a signature, one to encrypt.

The recipient first decrypts the envelope with their private encryption key to get the symmetric key, which is then used to decrypt the document, sender’s signature and certificate. To verify that no interception or tampering has taken place, the recipient creates a new message digest and compares it to the received digest; any discrepancy will be noted.
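The sign, bundle, encrypt and envelope sequence described above can be traced end to end in a few lines. This is an added example, not ViaCode or Entrust code. The article names no algorithms, so SHA-256, unpadded textbook RSA, a hash-based keystream, the JSON bundle layout, the demo keys and all function names are assumptions chosen to run with the Python standard library only; a real deployment would use padded RSA and a standard authenticated cipher.

```python
import hashlib, json, secrets

def make_key(a, b, e=65537):
    # Constructed demo key from two public Mersenne primes: factorable, NOT secure.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

SENDER, RECIPIENT = make_key(521, 607), make_key(1279, 2203)

def digest_int(doc):
    return int.from_bytes(hashlib.sha256(doc).digest(), "big")

def keystream_xor(key, data):
    # Assumed stand-in for the symmetric cipher: SHA-256 counter keystream, XORed in.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def send(doc, sender, recipient_pub):
    # 1. Signature: message digest transformed with the sender's private key.
    sig = pow(digest_int(doc), sender["d"], sender["n"])
    # 2. Bundle document + signature + sender certificate (constructed fields).
    cert = {"subject": "sender@example.test", "n": sender["n"], "e": sender["e"]}
    bundle = json.dumps({"doc": doc.hex(), "sig": sig, "cert": cert}).encode()
    # 3. Encrypt the bundle under a fresh random symmetric key.
    sym = secrets.token_bytes(32)
    # 4. Digital envelope: the symmetric key under the recipient's public key (n, e only).
    envelope = pow(int.from_bytes(sym, "big"), recipient_pub["e"], recipient_pub["n"])
    return keystream_xor(sym, bundle), envelope

def receive(ciphertext, envelope, recipient):
    # Returns (document, signature_ok); any parse or check failure yields ok=False.
    try:
        sym = pow(envelope, recipient["d"], recipient["n"]).to_bytes(32, "big")
        b = json.loads(keystream_xor(sym, ciphertext))
        doc, cert = bytes.fromhex(b["doc"]), b["cert"]
        received_digest = pow(b["sig"], cert["e"], cert["n"])
    except (ValueError, KeyError, TypeError, OverflowError):
        return None, False
    # A real recipient must also validate the certificate against the TTP first.
    return doc, received_digest == digest_int(doc)

if __name__ == "__main__":
    ct, env = send(b"Pay 100 pounds", SENDER, RECIPIENT)
    print(receive(ct, env, RECIPIENT))
```

Flipping a single bit of the ciphertext in transit makes `receive` report a failed check, which is the digest comparison the recipient step relies on.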