I’ve written in a past post about the success that the Global Legal Entity Identifier Foundation have had with the adoption of Legal Entity Identifiers or LEIs. The success is real. There were 1.3 million LEIs sold at the end of 2018 and there are more and more countries adopting regulation to increase the uptake of LEIs.
The main reason?
Transparency in financial reporting. Transparency that can mitigate or even possibly avoid the likes of the 2008 financial crash.
Legal Entity Identifiers do this by identifying an organisation in a transaction. Today, they can include information on company hierarchies (who owns whom) and relevant people within the organisation.
All of these entities and people have to be vetted using practices adopted by the GLEIF with advice from the Financial Stability Board or FSB.
How does this tie into digital certificates? First, let’s take a quick look into what a digital certificate is in the first place.
What Are Digital Certificates?
A digital certificate is a tool to encrypt information between entities. Entities in this case could be people, organisations or ‘things’ such as devices.
It uses public key cryptography as its mechanism to encrypt information. The sender and recipient of a transaction each have a pair of digital keys, one public and one private. The public keys are published in a trusted database (often held by a Certificate Authority, who also issues the certificates). The private keys are kept private on the sender’s and recipient’s own devices.
The sender encrypts their message with the recipient’s public key, after which it can only be decrypted with the corresponding private key. If that private key is compromised, anyone holding it can open and read the sender’s message and can also reply under the identity of the recipient, so it’s vital that the private key stays private!
A sender can also digitally sign their message using their private key to prove that the message only came from them. The recipient would be able to verify this message using the public key of the sender.
When using a digital certificate for encryption like an SSL/TLS Certificate, both the signing and encrypting will happen.
When using a digital certificate for digital signatures, you can do both, but you can also JUST sign or JUST encrypt a document like a PDF, Word document or Excel spreadsheet.
Here’s an image of how the process works for signing and encryption.
Figure 1 – source
But we have a massive issue in the world of online transactions and communications today.
Too many transactions are fraudulent. Criminals impersonate people using phishing emails or hack into IoT devices using man-in-the-middle attacks, and they’re able to reroute money this way. Digital certificates have taken their share of criticism in the past when it comes to verifying identities, as is the case for high assurance digital certificates like EV SSL.
This is where Legal Entity Identifiers come in.
Where Can LEIs Be Used in Digital Certificates?
LEIs in SSL
One of the ways that criminals can intercept online communications is by creating fake websites and tricking users into submitting personal information.
This can be done with fake domains that look very similar to the domain they are trying to emulate.
3bay.com instead of ebay.com for example.
In a B2B transaction we can require that any URL sending or receiving sensitive information uses an HTTPS encrypted connection tied to a Legal Entity Identifier. So, not only do we know that the information is encrypted, but we can be sure that we know who is sending and receiving it.
OV and EV SSL Certificates contain a field where organisations usually enter their name. It is possible today, to register a duplicate company name in a different jurisdiction and use that name to obtain an OV or EV SSL Certificate, thereby creating a “secure” browsing experience on a fraudulent phishing website, as was discovered by security researcher Ian Carroll.
With Legal Entity Identifiers, no two are the same – even if the company name is the same. There is a publicly available database where I can look up an LEI and confirm the true identity behind the certificate.
Figure 2 – ManagedLEI’s own SSL Certificate contains our LEI Number
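As an added example that is not part of the original post, here is the kind of check a relying party could run once it has pulled the LEI out of a certificate: the LEI’s ISO 17442 check digits are validated, the LEI is used to look up the registered entity, and the certificate’s organisation name and country are compared with that record, which is what tells two same-named companies in different jurisdictions apart. The certificate fields are taken as already-extracted strings, and the LEI value and registry records are constructed stand-ins, not GLEIF data.

```python
"""Added example (not from the original post): validate an LEI found in a
certificate and cross-check it against the LEI record, so that two
organisations sharing a name in different jurisdictions are told apart."""
import re

# ISO 17442 layout: 18 alphanumeric characters followed by 2 numeric check digits.
LEI_RE = re.compile(r"^[0-9A-Z]{18}[0-9]{2}$")


def lei_checksum_ok(lei: str) -> bool:
    """ISO 17442 / ISO 7064 MOD 97-10: map A..Z to 10..35, then the whole number mod 97 must be 1."""
    if not LEI_RE.match(lei):
        return False
    digits = "".join(str(int(ch, 36)) for ch in lei)  # int('A', 36) == 10 ... int('Z', 36) == 35
    remainder = 0
    for d in digits:  # running remainder avoids building one huge integer
        remainder = (remainder * 10 + int(d)) % 97
    return remainder == 1


# Constructed registry records standing in for a GLEIF lookup (assumption: keyed by LEI).
LEI_RECORDS = {
    "529900AB000000000185": {
        "legal_name": "Example Payments Ltd",
        "jurisdiction": "GB",
        "registration_status": "ISSUED",
    },
}


def verify_certificate_lei(subject: dict, records: dict = LEI_RECORDS) -> tuple:
    """subject holds certificate fields already extracted as strings: O, C and LEI.
    Returns (ok, reason) so callers can log why a certificate was rejected."""
    lei = subject.get("LEI", "")
    if not lei_checksum_ok(lei):
        return False, "LEI missing or malformed"
    record = records.get(lei)
    if record is None:
        return False, "LEI not found in registry"
    if record["registration_status"] != "ISSUED":
        return False, "LEI registration status is " + record["registration_status"]
    # Same organisation name in another jurisdiction does not match the LEI record.
    if record["legal_name"] != subject.get("O") or record["jurisdiction"] != subject.get("C"):
        return False, "certificate organisation does not match LEI record"
    return True, "certificate identity confirmed by LEI record"
```

A certificate for a same-named company registered in another country carries the same O field but fails the jurisdiction comparison, which is the duplicate-name case described above.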
In terms of wider public use, asking users to check the LEI codes on every website where they enter information is perhaps not feasible. But imagine a world where browsers like Chrome integrate with the LEI database and show you company names, perhaps even linking to the real website in the browser.
A future like this is possible.
For now, at least with high level B2B transactions, this practice can add transparency and assurance that wasn’t previously available.
LEIs in Digital Signatures
More than £145 million was lost in 2018 to authorised payment fraud. This includes 3,866 reported cases where the criminal claims to be from the police, a bank or another legitimate organisation and tricks an individual into transferring significant sums of money.
David Munroe was tricked into sending £4,000 to Lagos, Nigeria after hackers intercepted and changed details of an invoice to make it look like a contractor he was working with.
This kind of thing happens every day.
Regulations like eIDAS are aimed at reducing the risk of fraud and improving cross-border transactions but so far only require high assurance digital certificates to sign and encrypt data on things like PDFs. When you’re looking at individuals signing things like mortgage agreements and invoices, verifying a person with something like a passport isn’t too difficult with today’s technology.
But, if we need to verify people or things within the framework of an organisation, then we need something more.
Legal Entity Identifiers can help to solve this issue. LEIs can give individuals peace of mind when they receive an invoice or other contractual agreement. Say your bank sends you a mortgage agreement: you can check that the LEI matches the organisation and, once verified, you can sign and encrypt the document before sending it back.
Much more secure in my world.
Luckily, today, it is possible to put LEIs in digital certificates for document signing thanks to partnerships with RapidLEI and PBSA.
LEIs in Code Signing
Most apps are created and uploaded to app stores on behalf of a company. Today, app stores like Apple or Google Play don’t need much information on the organisation to justify letting their apps into their stores.
Perhaps that is part of the reason why we have so many fraudulent apps in the stores today, some of which distribute malware and other viruses. Just this month, 25 million Android devices were infected with malware because of malicious apps.
If code signing certificates were issued to LEI numbers instead of organisation names, we could increase transparency of apps too. And if Apple and Google only accepted apps with LEIs then we could allow public reporting of organisations that are releasing malicious apps.
Perhaps Google or Apple would penalise LEI numbers that are reported to have released malicious apps on a number of occasions, and these organisations would be blocked from releasing further apps. Unless the organisations change their company name and register a new LEI (which would also have to be vetted on hierarchy and is therefore still likely to be linked to the old LEI), they won’t be able to release any new apps.
It doesn’t stop the problem but it does allow better reporting and managing of it. Personally, I think it has huge potential to decrease the number of malicious apps entering the app store today.
LEI in Email Security
According to a study done by PhishMe, email phishing is responsible for 91% of all cyber-attacks. With the number so high, it’s astounding that nothing has been done about it yet.
Companies like Google and Microsoft provide support for email encryption, but there is still no solid evidence to prove the identity behind a sender. And there are a ton of online videos that show you just how easy it is to create a fake email account and send emails.
Digital certificates can be used to sign and encrypt email but the technology is not widely supported by email vendors like Microsoft Office (supports signing but not on mobile for example).
At least today, it would be difficult to implement a widely used technology to identify email senders but if we focus on internal emails only, an organisation could quite easily create a mechanism where all internal emails are signed with a digital certificate containing their identity and the organisation’s LEI.
A Small Piece of the Identity Puzzle
They mention digital certificates in particular:
“We believe that digital certificate technology based on strong cryptography is critical to the smooth operation of the evolving digital economy. The proliferation of digital certificates, whether issued by governments or the private sector, has allowed organisations and individuals to get on and do business digitally.”
They have recognised that there is no publicly accessible database of digital certificates and that even greater complexity lies with updating private and public key pairs every time a certificate expires. Also, every certificate only contains information true at the time the certificate was ordered. For greater accuracy, the LEI database allows for key data to be updated and still attributed to the LEI number even before it is due to be renewed.
LEIs certainly do not solve all the challenges associated with digital certificates today but they have the potential to congregate data and allow better governance and transparency. They can also significantly improve an already broken KYC system.
Cristina is an experienced professional with a diverse career that has played to her strengths as a pragmatic, multilingual manager and educator with a passion for building trust through clarity and communication. Founding ManagedLEI was a natural step for Cristina as an intrepid entrepreneur, and under the Trusted Identity banner she has many exciting plans for the future of ManagedLEI and its anticipated associated financial and digital security products and services.