Cylink builds PKI for USPS secure postage

Cylink Corp. announced last week that it has developed a public-key infrastructure (PKI) for the U.S. Postal Service's program that secures communications for users downloading and printing postage from their PCs.

Under USPS' Information Based Indicia Program (IBIP), which is in pilot testing now, users will log on to a secure server, order and pay for postage, download the postage, store it in a secure device attached to the PC and print it directly onto an envelope. The goal of the program, which is targeted at small office/home office users, is to provide a secure way of delivering postage via PCs rather than mechanical postage meters.

PC postage products such as E-Stamp Corp.'s Internet Postage software, which was announced in April, actually generate the stamp that is printed on an envelope. The stamp includes a 2-D bar code, called an information-based indicia, which contains the postage, a date stamp, destination and tracking data, and a digital signature that makes the indicia difficult to counterfeit.

The PKI developed by Cylink for the IBIP program will use digital signatures to authenticate the postage device and secure any postage transaction that enters it. "We don't need encryption for IBIP because we only care that the transactions are digitally signed so we know the source and know that [the device] hasn't been tampered with," said Andrew Morbitzer, director of market development at Cylink. "Digitally signing does that."

The motivation behind the IBIP program is security and user convenience, according to USPS. "We've provided secure correspondence for years, and we are always looking to use new technology to serve our customers," a USPS spokesman said. "PKI is one tool we use to enhance service." USPS plans to authorize other vendors in addition to E-Stamp to participate in the IBIP test, the spokesman said, but he would not say when this might happen.

Under its PKI contract, Cylink will provide a device manufacturer, such as E-Stamp, with a master certificate. E-Stamp would create a unique certificate by signing the public key of each device; this would be done by using the device's master public-/private-key pair. The signed public-key copy would be held by USPS, which would act as the certificate authority, but the matching private key would be kept secret.
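The two checks this arrangement lets a verifier make, that the device key was certified by the manufacturer and that the indicia fields were signed by that device, can be sketched as follows. This is an added example, not Cylink, E-Stamp or USPS code: Ed25519 stands in for the signature algorithm (the article does not name one), the DeviceCert struct stands in for an X.509 certificate, and the payload layout and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// DeviceCert is a minimal stand-in for an X.509 device certificate (assumption).
type DeviceCert struct {
	DevicePub ed25519.PublicKey
	IssuerSig []byte // manufacturer's signature over DevicePub
}

// Indicium holds the signed bar-code fields and the device's signature over them.
type Indicium struct{ Payload, Sig []byte }

// IssueCert: the manufacturer signs a device public key with its master private key.
func IssueCert(masterPriv ed25519.PrivateKey, devPub ed25519.PublicKey) DeviceCert {
	return DeviceCert{DevicePub: devPub, IssuerSig: ed25519.Sign(masterPriv, devPub)}
}

// SignIndicium runs inside the secure device; the private key never leaves it.
func SignIndicium(devPriv ed25519.PrivateKey, payload []byte) Indicium {
	return Indicium{Payload: payload, Sig: ed25519.Sign(devPriv, payload)}
}

// Verify checks the certificate chain first, then the indicium signature.
func Verify(masterPub ed25519.PublicKey, cert DeviceCert, ind Indicium) error {
	if len(cert.DevicePub) != ed25519.PublicKeySize { // ed25519.Verify panics on bad length
		return fmt.Errorf("malformed device public key")
	}
	if !ed25519.Verify(masterPub, cert.DevicePub, cert.IssuerSig) {
		return fmt.Errorf("device certificate not signed by manufacturer")
	}
	if !ed25519.Verify(cert.DevicePub, ind.Payload, ind.Sig) {
		return fmt.Errorf("indicium altered or not signed by this device")
	}
	return nil
}

func main() {
	masterPub, masterPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	cert := IssueCert(masterPriv, devPub)
	ind := SignIndicium(devPriv, []byte("postage=0.33|zip=20260|seq=42")) // constructed sample
	fmt.Println("genuine:", Verify(masterPub, cert, ind))
	ind.Payload[8] = '9' // raise the postage after signing
	fmt.Println("tampered:", Verify(masterPub, cert, ind))
}
```

Nothing in the payload is encrypted; the verifier needs only public keys, which matches the article's point that signing alone establishes source and integrity.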

The intention of the IBIP program is to prevent meter fraud, so strong cryptography is essential to prevent someone from stealing the private key, taking the software and printing an indicia, said Santosh Chokhani, chief executive officer of CygnaCom Solutions Inc.

Cylink's certificate authority is based on the Public Key Information standard proposed by the Internet Engineering Task Force, which calls for support of X.509 certificates. The system is designed so that other certificate authorities can understand and read one another's certificates.

Cylink used Sun Microsystems Inc.'s SPARC-based server, which offers auditing and accountability of transactions as well as the ability to recover interrupted transactions.

Eventually, USPS will take over the operation and administration of the PKI and will be able to use the PKI to support other programs, Morbitzer said. "The PKI we delivered is a general-purpose PKI certificate authority. That means the Postal Service now owns a complete PKI that it can use for many applications," he said. "IBIP can run on this PKI, as can four other unrelated programs." Cylink's PKI can scale to millions of certificates, he added.

The IBIP pilot is scheduled to run through year's end, and if all goes well, it will go live next year. Now limited to the Washington, D.C., and Northern Virginia area, the pilot will expand to the San Francisco area next month.
