Cylink builds PKI for USPS secure postage

Cylink Corp. announced last week that it has developed a public-key infrastructure (PKI) for the U.S. Postal Service's program that secures communications for users downloading and printing postage from their PCs.

Under USPS' Information Based Indicia Program (IBIP), which is in pilot testing now, users will log on to a secure server, order and pay for postage, download the postage, store it in a secure device attached to the PC and print it directly onto an envelope. The goal of the program, which is targeted at small office/home office users, is to provide a secure way of delivering postage via PCs rather than mechanical postage meters.

PC postage products such as E-Stamp Corp.'s Internet Postage software, which was announced in April, actually generate the stamp that is printed on an envelope. The stamp includes a 2-D bar code, called an information-based indicia, which contains the postage, a date stamp, destination and tracking data, and a digital signature that makes the indicia difficult to counterfeit.

The PKI developed by Cylink for the IBIP program will use digital signatures to authenticate the postage device and secure any postage transaction that enters it. "We don't need encryption for IBIP because we only care that the transactions are digitally signed so we know the source and know that [the device] hasn't been tampered with," said Andrew Morbitzer, director of market development at Cylink. "Digitally signing does that."

The motivation behind the IBIP program is security and user convenience, according to USPS. "We've provided secure correspondence for years, and we are always looking to use new technology to serve our customers," a USPS spokesman said. "PKI is one tool we use to enhance service." USPS plans to authorize other vendors in addition to E-Stamp to participate in the IBIP test, the spokesman said, but he would not say when this might happen.

Under its PKI contract, Cylink will provide a device manufacturer, such as E-Stamp, with a master certificate. E-Stamp would create a unique certificate by signing the public key of each device; this would be done by using the device's master public-/private-key pair. The signed public-key copy would be held by USPS, which would act as the certificate authority, but the matching private key would be kept secret.
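The signing-only design Morbitzer describes, combined with the certificate arrangement above, can be sketched in a few lines. This is an added illustration, not Cylink, E-Stamp or USPS code: Ed25519, the field names, the payload encoding, the sample values and the "certificate" reduced to a bare signature over the device key are all assumptions standing in for the X.509-based system the article describes.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Indicium carries the data the article lists, in the clear: nothing is encrypted.
type Indicium struct {
	PostageCents         int
	Date, Dest, Tracking string
	DevicePub            ed25519.PublicKey // the device's public key
	DeviceCert, Sig      []byte            // master signature over DevicePub; device signature over fields
}

// payload encodes the signed fields; %q quoting keeps field boundaries unambiguous.
func (i Indicium) payload() []byte {
	return []byte(fmt.Sprintf("%d|%q|%q|%q", i.PostageCents, i.Date, i.Dest, i.Tracking))
}

// Issue is what the postage device does: sign the fields with its private key.
func Issue(dev ed25519.PrivateKey, cert []byte, cents int, date, dest, trk string) Indicium {
	ind := Indicium{PostageCents: cents, Date: date, Dest: dest, Tracking: trk,
		DevicePub: dev.Public().(ed25519.PublicKey), DeviceCert: cert}
	ind.Sig = ed25519.Sign(dev, ind.payload())
	return ind
}

// Verify checks that the master key certified this device, then the indicium signature.
func Verify(master ed25519.PublicKey, ind Indicium) bool {
	if len(ind.DevicePub) != ed25519.PublicKeySize { // ed25519.Verify panics on bad key sizes
		return false
	}
	return ed25519.Verify(master, ind.DevicePub, ind.DeviceCert) &&
		ed25519.Verify(ind.DevicePub, ind.payload(), ind.Sig)
}

// Demo uses constructed sample values and returns (genuine, altered, uncertified) results.
func Demo() (bool, bool, bool) {
	masterPub, masterPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	cert := ed25519.Sign(masterPriv, devPub) // certificate reduced to a bare signature
	genuine := Issue(devPriv, cert, 33, "1999-01-01", "20260", "TRK-0001")
	altered := genuine
	altered.PostageCents = 320 // postage value changed after signing
	_, roguePriv, _ := ed25519.GenerateKey(nil)
	rogue := Issue(roguePriv, cert, 33, "1999-01-01", "20260", "TRK-0001") // reuses another device's cert
	return Verify(masterPub, genuine), Verify(masterPub, altered), Verify(masterPub, rogue)
}

func main() { fmt.Println(Demo()) }
```

The verifier needs only the master public key: an indicium whose postage was changed after signing, or one signed by a device key the master never certified, fails the check even though every field is readable.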

The intention of the IBIP program is to prevent meter fraud, so strong cryptography is essential to prevent someone from stealing the private key, taking the software and printing an indicia, said Santosh Chokhani, chief executive officer of CygnaCom Solutions Inc.

Cylink's certificate authority is based on the Public Key Information standard proposed by the Internet Engineering Task Force, which calls for support of X.509 certificates. The system is designed so that other certificate authorities can understand and read one another's certificates.

Cylink used Sun Microsystems Inc.'s SPARC-based server, which offers auditing and accountability of transactions as well as the ability to recover interrupted transactions.

Eventually, USPS will take over the operation and administration of the PKI and will be able to use the PKI to support other programs, Morbitzer said. "The PKI we delivered is a general-purpose PKI certificate authority. That means the Postal Service now owns a complete PKI that it can use for many applications," he said. "IBIP can run on this PKI, as can four other unrelated programs." Cylink's PKI can scale to millions of certificates, he added.

The IBIP pilot is scheduled to run through year's end, and if all goes well, it will go live next year. Now limited to the Washington, D.C., and Northern Virginia area, the pilot will expand to the San Francisco area next month.
