Bringing Electronic Commerce to Japan

BUG leads the way in digital data security

The biggest concern most of us have about doing business on the Internet is ensuring transaction security. Sapporo-based BUG Inc, the first company in Japan to import "industrial strength" RSA Data Security software from the US, is a leader in digital ID certification.

by Steven Myers

On February 22, Verisign, a California-based provider of digital authentication services and products, made news by announcing that it would join with the NTT Group companies -- NTT PC Communications Inc., NTT Data Communications Systems Corporation, and NTT Electronics Technology Corporation -- to form VeriSign KK. (See "NTT, VeriSign tie up to establish VeriSign Japan," May 1996, page 9.--Ed.) The VeriSign Japanese subsidiary (headquartered in Tokyo's Aoyama district) will offer localized versions of VeriSign's digital authentication services.

Because of this and other high-visibility activities, NTT often has been depicted recently in popular media as the major player in the growth of electronic commerce (EC) in Japan. Much of the groundwork for bringing the necessary EC technology to Japan, however, has been laid by a small Sapporo-based company called BUG Inc.

Data security

In September 1995, BUG (pronounced "B - U - G," not "bug") became the first company in the world to import data security software from RSA Data Security, Inc., of the US. This achievement in itself marked a significant step forward in the development of electronic commerce in Japan. Previously, the exportation of "industrial strength" data security software had been totally prohibited by the US government, which classifies cryptography products and technologies under the "munitions" category of exports. (See "Breaking Through the Encryption Barrier," December 1995, page 12.--Ed.)

After acquiring permission for export of RSA's data security technology, BUG proceeded to successfully import the RSA BSAFE and TIPEM toolkits. The packages will allow Japanese vendors to provide the same level of data security as their US counterparts, greatly facilitating not only electronic commerce transactions within Japan, but also between Japan and the US.

In February, BYSE, a BUG subsidiary corporation, became VeriSign's local registration authority (LRA) for issuing Netscape Commerce Server digital certificates in Japan. This development, along with the release by Visa and MasterCard of their SET specifications (Secure Electronic Transaction; a global electronic commerce standard for secure payment and settlement), also in February, essentially marked a new beginning of the CA (Certifying Authority) business in Japan. Although the CA business has existed in Japan for about two years (through BYSE's certification of Apple Macintosh design standards), it can be expected to expand rapidly for electronic commerce in Japan now that use of the RSA public-key cryptosystem has become relatively commonplace.

Digital certificates

The basic idea of public-key cryptography is that each user of the system is issued a two-key set, consisting of a private key (which the user keeps hidden) and a public key (which anyone can access). While either key can be used for message encryption or decryption, they work in tandem: a message encrypted with one key can only be decrypted with the other key.

One way to send a private message, for example, would be to look up the public key of the intended recipient, and use that key to encrypt your message. Even if the transmission is intercepted by a third party, the unauthorized recipient cannot read the encrypted message because your intended recipient's private key is required to decode it. Similarly, if you encode a message with your private key, all recipients can verify that it is really from you because only your (and no one else's) public key can decrypt it.

A Digital ID system is used to generate confidence in the authenticity of a user's public key. The basic idea is that each user of a key set must apply personally for those keys and provide proof of identification to an official issuing organization, known as a Certifying Authority (CA). The certifying authority then issues a Digital ID (also called a "digital certificate") that binds the identity of that user to his or her public key. In order to impersonate another person, therefore, an impostor would need not only the user's keys, but also that person's Digital ID and access to his or her account.

When a Digital ID is issued, it must be signed by the issuing CA. That CA's signature will, in turn, have the signature of its issuing CA. This authentication hierarchy can be followed (and verified at every step, using the public keys of the various CAs) until a single "top" Certifying Authority is reached, one whose public key is widely known.
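The hierarchy check described above, as an added example that is not part of the original article: a Python sketch that signs two constructed certificates with textbook (unpadded) RSA over small fixed primes, then walks the chain until it reaches a root whose public key is already known. The names, key sizes and certificate layout are assumptions for illustration; real Digital IDs use X.509 certificates and padded signatures.

```python
import hashlib
E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Toy RSA key pair from two primes: ((n, e), (n, d)). Not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(cert, n):
    # Hash the fields the CA vouches for: subject, issuer and public key.
    tbs = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, subject_pub, issuer, issuer_priv):
    """The CA binds subject to public key by signing with its private key."""
    cert = {"subject": subject, "issuer": issuer, "pub": subject_pub}
    n, d = issuer_priv
    cert["sig"] = pow(_digest(cert, n), d, n)
    return cert

def signature_ok(cert, issuer_pub):
    # Anyone holding the issuer's public key can check the signature.
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == _digest(cert, n)

def verify_chain(chain, trusted_roots):
    """chain is leaf-first; returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if parent["subject"] != cert["issuer"]:
                return False, f"{cert['subject']}: issuer name mismatch"
            issuer_pub = parent["pub"]
        else:  # top of the chain: the issuer's key must already be known
            issuer_pub = trusted_roots.get(cert["issuer"])
            if issuer_pub is None:
                return False, f"{cert['issuer']}: not a trusted root"
        if not signature_ok(cert, issuer_pub):
            return False, f"{cert['subject']}: bad signature"
    return True, "chain verified to trusted root"

# Constructed sample hierarchy (hypothetical names, Mersenne-prime toy keys).
ROOT_PUB, ROOT_PRIV = make_key(2**127 - 1, 2**107 - 1)
REG_PUB, REG_PRIV = make_key(2**89 - 1, 2**61 - 1)
SHOP_PUB, _ = make_key(2**31 - 1, 2**19 - 1)
TRUSTED = {"Example Root CA": ROOT_PUB}
CHAIN = [
    issue("shop.example", SHOP_PUB, "Example Registration CA", REG_PRIV),
    issue("Example Registration CA", REG_PUB, "Example Root CA", ROOT_PRIV),
]
```

Calling `verify_chain(CHAIN, TRUSTED)` succeeds, while a certificate whose public key was swapped after signing, or a chain that ends at a root the verifier does not already hold, is rejected with the reason string.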

By becoming one of the first official Certifying Authorities in Japan, BUG has positioned itself securely in the vast CA hierarchy that is expected to develop over the next few years. In fact, it should be near the top of the pyramid owing to its "early mover" advantage.

The significance of the announced SET protocol (developed jointly by Visa and MasterCard, with participation from Microsoft, IBM, Netscape, and VeriSign) is that it places heavy emphasis on Digital IDs and the hierarchical CA system. With the backing of these two credit card heavyweights (plus, now, American Express), SET is poised to become the de facto standard for electronic transmission security. This will quickly create a huge demand for organizations like BUG that are involved in CA and e-commerce consulting. It is likely that BYSE will become a CA operations center.

ID classification

To better understand the role that the BUG subsidiary BYSE will be playing as a VeriSign local registration authority, it is helpful to examine the VeriSign classification scheme for assigning IDs. Briefly, VeriSign categorizes certificates into four broad categories, based on the level of "trust" involved:

Class 1 is used for simple mailer applications; it cannot be used to conduct secure electronic commerce activities.

Class 2 certification incorporates a slightly higher level of trust than class 1, but is still not sufficient for secure electronic transactions.

Class 3 certifies a vendor to conduct electronic transactions. A company that intends to carry out electronic commerce activities over the Internet must supply specified proof of its commercial existence to receive class 3 certification.

Class 4 certification application requires the personal presence of the applicant. This is the highest level of trust for secure digital transactions.

In the US, required documents for class 3 would include articles of incorporation, a business license, and a letter from the site's Webmaster. In Japan, the corresponding documents would include the tōkibo tōhon, inkan shomeisho, and the Webmaster's letter.

BYSE's task, then, is to check and confirm that an applying organization is indeed legitimate, and that the supplied information is all correct. From the installed Netscape Commerce Server at the customer site, then, the applicant e-mails its Digital ID request to BYSE, which uses the DNS in the request to check against the InterNIC database entry and confirm that the request comes from a bona fide WWW server. When an ID request has been approved, it is passed on to VeriSign, which then issues an ID to BYSE for that customer. From that point on, Web users who access that customer's page will see the Class 3 VeriSign certificate and be assured that the site can be trusted for electronic cash transactions.

The future

According to Hiroyuki Hattori, president of BUG, the current focus at BUG headquarters is on continuing to design applications and solutions for data security. Having introduced the RSA data security toolkits to Japanese companies, BUG foresees a rapid rise in Japanese business transactions over the Internet, as initial fears about security are gradually dispelled.

With its strong initial success in development, consulting, and licensing projects, it would not be at all surprising to find BUG at the forefront of the Japanese market for electronic commerce as digital transactions come into maturity over the next few years.


Sidebar

For more information about digital IDs, see the "FAQ: Answers About Today's Digital IDs" document on the VeriSign Web site at http://www.verisign.com/faqs/id_faq.html#7. For an introduction to modern cryptography, read "RSA's Frequently Asked Questions About Today's Cryptography" at http://www.rsa.com/rsalabs/faq/.

Founded by four Hokkaido University graduates in 1977, BUG Inc. is perhaps one of the best-kept secrets in the Japanese computer industry. The company has many times found itself on the leading edge of new technologies, and BUG has compiled an impressive history of product releases over the past 15 years. For an English listing of BUG's accomplishments, go to http://www.bug.co.jp/about/index-e.html.

Led by President Hiroyuki Hattori, BUG currently employs over 150 people at its main office in Sapporo and three branch offices. It also has two subsidiaries, BYSE and FIX Inc. BUG has acquired a strong reputation in the Japanese market for its high-quality graphic design and publishing products, and for its overall technical prowess in developing Japanese system software for the Macintosh.


Contact information:

BUG Inc.
1-14 Techno Park 1-chome
Shimonopporo, Atsubetsu-ku
Sapporo 004, Japan

Phone: +81-11-807-6667
Fax: +81-11-807-6645

e-mail: rsaproj@bug.co.jp

WWW: http://www.bug.co.jp