Concluding a 2-part series, we look at the over-cooked attempt of HKSCC, the HKEx's monopoly settlement system, to introduce an internet access system for investor participants.

e-Certifiable
3 November 2000

In yesterday's article, we gave you the history of HKSCC's efforts to bring investors into direct participation in the clearing system, giving control over the custody and settlement of their shares, using a phone-based system similar to phone-banking to affirm trades and authorise settlement.

So much for the phone system. CCASS has notched up only 7,345 Investor Participants in over 2 years of trying. Net-savvy readers of Webb-site.com must be wondering if you can deal with CCASS via the web. The good news is that on 3-Oct-00 an interactive site was launched. The bad news is that it's one of the least user-friendly systems you will ever see.

In order to use the site, you need more than a PIN. That's good enough for the banks, where your money is, but not for HKSCC, which has over-engineered the solution. Instead, they insist on an electronic digital certificate or "e-Cert" from the Hongkong Post office. So far, this is the only Certification Authority recognised by the Government under the Electronic Transactions Ordinance, which became law this year. When you remember that Kwong Ki-chi, now head of HKEx, was the head of the Information Technology and Broadcasting Bureau, which sponsored the law, then you can see why he would be keen to use this system.

A digital certificate is basically an electronic ID card. Indeed, to get one, you have to trot down to the post office with a real ID card, where a clerk, after recovering from shock, will eye-ball you and start filling in forms and give you (guess what) a sealed PIN number, a thick instruction guide and a CD-ROM. If you are a Mac user - forget it. For now, only a Windows 95 or later PC will do. One monopoly supporting another, you might think.

You have to sign a long agreement and provide your e-mail address. A couple of days later you get an e-mail from the postman telling you that your e-Cert is ready for collection. Find the CD-ROM, follow the instruction guide, run the setup program and then go to the post office web site and pick up the certificate, providing your PIN number. The software on the CD-ROM allows you to generate your own "keys". You should always choose this option, rather than the "central key generation service" because otherwise you can't be sure the post office hasn't kept a copy of your private key (they say that they don't).

So now, we are the proud owner of one of the first e-Certs in Hong Kong. As far as we know, CCASS is the first HK-based consumer service to use digital certificates for identity verification purposes (rather than just for secure e-mail or payment processing) and CCASS has confirmed that we were its first ever user. The things we do for you!

All about PKI

The way e-Certs work is based on "Public Key Infrastructure". You have a personal private key and a public key on your computer disk. You can "sign" documents with your private key, and anyone else can "verify" your signature with your public key, which is included in the certificate you make available to the public. Verification also ensures that your document has not been altered since you signed it.

The whole thing rests on a fascinating branch of mathematics discovered in 1977 (the year Elvis Presley died) which we won't bore you with here, suffice to say that if you are the first to figure out a way to easily factorise very large numbers (to break them down into the prime numbers which, when multiplied together, produce the original number) then the governments of the world will either hire you or kill you.

The certification authority (in this case, the post office) will "certify" your identity by signing your certificate with its own private key. Get a copy of that key and you would cause some serious trouble - you could issue any certificate you liked. So the post office's private key must literally be kept under lock and key.

You can also use a person's public key to encrypt messages, so that only he can open them with his private key. For those who know what they are doing, here's David Webb's digital certificate. Download it, install it, and send him some encrypted mail.
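To make the mechanics above concrete, here is an added toy illustration (not from the article, and not Hongkong Post's or CCASS's software) of signing, verification, a certification authority signing a certificate, and why the whole thing rests on factorising being hard. The primes, names and trade text are constructed; real e-Certs use keys of hundreds of digits. Note that the verifier needs nothing but the public key and the certificate: the private key never has to leave its owner's machine.

```python
import hashlib
from math import gcd

# Textbook RSA with tiny CONSTRUCTED primes, purely to show the mechanics.
# Real keys are far too large for the trial-division trick at the bottom to work.

def make_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) from two primes; d is the private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def digest(message: bytes, n: int) -> int:
    """Hash the document and reduce it into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def issue_certificate(subject: str, subject_pub, ca_priv) -> dict:
    """The CA (the post office) certifies a public key by signing subject + key."""
    body = f"{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"subject": subject, "public_key": subject_pub, "ca_signature": sign(body, ca_priv)}

def verify_certificate(cert: dict, ca_pub) -> bool:
    body = f"{cert['subject']}|{cert['public_key'][0]}|{cert['public_key'][1]}".encode()
    return verify(body, cert["ca_signature"], ca_pub)

def recover_private_key(public_key):
    """Whoever can factorise n gets d back; security rests on this being infeasible."""
    n, e = public_key
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)  # toy n only
    return (n, pow(e, -1, (p - 1) * (n // p - 1)))

if __name__ == "__main__":
    pub, priv = make_keypair(10007, 10009)          # constructed investor key
    ca_pub, ca_priv = make_keypair(104729, 104723)  # constructed CA key
    doc = b"Affirm trade 123: buy 1000 shares"
    sig = sign(doc, priv)
    print(verify(doc, sig, pub), verify(doc + b"0", sig, pub))  # True False
```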

PKI and CCASS

So you've got your e-Cert, and now you are ready to go to the CCASS web site. Click here to see what we mean. The first problem we found is that there were absolutely no instructions. We clicked "continue". Still no instructions, but now an "applet" (a program which runs on your PC) was downloaded from CCASS, and it wanted a password in the browser. 

After some phone calls, we discovered that it wanted us to export a copy of our digital certificate into a separate file, complete with private key, then tell the applet where to find it. It then asks you to enter the password which is used to provide some protection of the private key in case it is ever stolen. This password goes into a browser form.

Who you gonna trust?

Here's the weakness. To make their system run, CCASS requires you to trust the "applet" program which is downloaded to your machine. This applet has "full permissions", which means that anything the programmer wanted the applet to do, it can do. A rogue programmer could easily tell the applet to send your password and your private key across the internet to anywhere in the world (the "Trojan horse" approach). And under the new law, that stolen private key could then be used to sign binding contracts in your name, to interact with any other company which accepts e-Certs, and to read encrypted e-mail addressed to you, until you find out and get the e-Cert cancelled (or "revoked") by the post office.

The whole point of digital signatures is security - so why should you have to trust HKSCC for this? After all - who is going to certify that their program is clean? Would you trust such an applet from an unknown shopping site? Or a portal? How about an applet from your broker, or the police, who might like to intercept your encrypted e-mails? Clearly if you have to trust your counterparty not to steal your private key then this begins to invalidate the reason for using a digital signature in the first place.

There IS a better way

We checked with an expert from a UK company which specialises in PKI applications. He told us that what CCASS is doing is unnecessary, and that there are ways of using digital signatures to authenticate your actions which do not involve applets, but just use the standard browser software on your PC. With a browser approach, you can rely on thousands of security testers (or hackers) who would have found any weakness in the major browsers by now. So you can be confident that the browser's system is a lot safer than any custom-made applet.

As transactions become paperless, digital signatures are our future. They will be much more practical when the private keys are embedded in smart cards which do all the secure processing and encryption. Coupled with thumb-print readers or other biometric devices instead of passwords, this will make online transactions and contracts simple and very secure. It will no longer be possible for a "Trojan horse" applet to swipe your private key from your hard disk.

In the meantime, HKSCC should realise that while we still have to go through this lengthy and complex procedure to get an e-Cert and then a risky procedure to use it, very few people are going to bother. HKSCC has jumped the gun and should revert to using the tried and trusted password system (or PINs) in a secure browser window.

While they are at it, we need 24-hour access to the system - that's one of the key benefits of the web. When travelling, we should be able to log in from anywhere at any time and settle our trades, not just 10 a.m. to 3.45 p.m. Even the Government works longer hours than that!

© Webb-site.com, 2000
