Cylink builds PKI for USPS secure postage

Cylink Corp. announced last week that it has developed a public-key infrastructure (PKI) for the U.S. Postal Service's program that secures communications for users downloading and printing postage from their PCs.

Under USPS' Information Based Indicia Program (IBIP), which is in pilot testing now, users will log on to a secure server, order and pay for postage, download the postage, store it in a secure device attached to the PC and print it directly onto an envelope. The goal of the program, which is targeted at small office/home office users, is to provide a secure way of delivering postage via PCs rather than mechanical postage meters.

PC postage products such as E-Stamp Corp.'s Internet Postage software, which was announced in April, actually generate the stamp that is printed on an envelope. The stamp includes a 2-D bar code, called an information-based indicia, which contains the postage, a date stamp, destination and tracking data, and a digital signature that makes the indicia difficult to counterfeit.

The PKI developed by Cylink for the IBIP program will use digital signatures to authenticate the postage device and secure any postage transaction that enters it. "We don't need encryption for IBIP because we only care that the transactions are digitally signed so we know the source and know that [the device] hasn't been tampered with," said Andrew Morbitzer, director of market development at Cylink. "Digitally signing does that."

The motivation behind the IBIP program is security and user convenience, according to USPS. "We've provided secure correspondence for years, and we are always looking to use new technology to serve our customers," a USPS spokesman said. "PKI is one tool we use to enhance service." USPS plans to authorize other vendors in addition to E-Stamp to participate in the IBIP test, the spokesman said, but he would not say when this might happen.

Under its PKI contract, Cylink will provide a device manufacturer, such as E-Stamp, with a master certificate. E-Stamp would create a unique certificate by signing the public key of each device; this would be done by using the device's master public-/private-key pair. The signed public-key copy would be held by USPS, which would act as the certificate authority, but the matching private key would be kept secret.
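
An added example, not code from Cylink, E-Stamp or USPS, of the sign-only model described above: the manufacturer's master key signs each device's public key, the device signs the indicia fields, and a verifier checks both signatures. Ed25519, the field encoding and a bare signature in place of an X.509 certificate are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Indicia holds the bar-code fields the article lists, readable in the clear.
type Indicia struct {
	Postage, Date, Destination, Tracking string
	Sig                                  []byte // device signature over the fields
}

// payload quotes each field so field boundaries cannot be shifted unnoticed.
func (i Indicia) payload() []byte {
	return []byte(fmt.Sprintf("%q%q%q%q", i.Postage, i.Date, i.Destination, i.Tracking))
}

// Certify is the manufacturer step: sign a device public key with the master
// key. The bare signature stands in for an X.509 certificate (assumption).
func Certify(master ed25519.PrivateKey, devPub ed25519.PublicKey) []byte {
	return ed25519.Sign(master, devPub)
}

// Issue is the device step: sign the indicia fields with the device key.
func Issue(dev ed25519.PrivateKey, i Indicia) Indicia {
	i.Sig = ed25519.Sign(dev, i.payload())
	return i
}

// Verify checks master key -> device certificate -> indicia signature.
func Verify(master, devPub ed25519.PublicKey, cert []byte, i Indicia) error {
	if len(devPub) != ed25519.PublicKeySize || !ed25519.Verify(master, devPub, cert) {
		return fmt.Errorf("device key not certified by master key")
	}
	if !ed25519.Verify(devPub, i.payload(), i.Sig) {
		return fmt.Errorf("indicia altered or not signed by this device")
	}
	return nil
}

func main() {
	mPub, mPriv, _ := ed25519.GenerateKey(nil) // manufacturer master key pair
	dPub, dPriv, _ := ed25519.GenerateKey(nil) // one postage device
	ind := Issue(dPriv, Indicia{Postage: "0.32", Date: "2000-01-01", Destination: "20001", Tracking: "T-0001"}) // constructed values
	cert := Certify(mPriv, dPub)
	fmt.Println("genuine:", Verify(mPub, dPub, cert, ind))
	ind.Postage = "3.20"
	fmt.Println("altered:", Verify(mPub, dPub, cert, ind))
}
```

The fields stay readable throughout; only the two signatures decide whether the indicia is accepted, which is the property Morbitzer describes.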

The intention of the IBIP program is to prevent meter fraud, so strong cryptography is essential to prevent someone from stealing the private key, taking the software and printing an indicia, said Santosh Chokhani, chief executive officer of CygnaCom Solutions Inc.

Cylink's certificate authority is based on the Public Key Information standard proposed by the Internet Engineering Task Force, which calls for support of X.509 certificates. The system is designed so that other certificate authorities can understand and read one another's certificates.

Cylink used Sun Microsystems Inc.'s SPARC-based server, which offers auditing and accountability of transactions as well as the ability to recover interrupted transactions.

Eventually, USPS will take over the operation and administration of the PKI and will be able to use the PKI to support other programs, Morbitzer said. "The PKI we delivered is a general-purpose PKI certificate authority. That means the Postal Service now owns a complete PKI that it can use for many applications," he said. "IBIP can run on this PKI, as can four other unrelated programs." Cylink's PKI can scale to millions of certificates, he added.

The IBIP pilot is scheduled to run through year's end, and if all goes well, it will go live next year. Now limited to the Washington, D.C., and Northern Virginia area, the pilot will expand to the San Francisco area next month.
