FDAnews
www.fdanews.com/articles/77831-white-paper-champions-identity-based-encryption-to-keep-pace-with-regulations

White Paper Champions Identity-Based Encryption to Keep Pace With Regulations

January 17, 2006

Beyond the rise of regulatory demands governing electronic data, privacy, intellectual-property protection and internal governance are also driving organizations to embrace new technologies that protect data "both at rest and in transit," says a new white paper from Proofpoint. "Only a company attempting a high dive into red ink needs a government edict to explain the absolute necessity for secure messaging that safeguards information," the company says in "Encryption Made Easy: The Advantages of Identity-Based Encryption."

Getting a handle on email information exchange should be at the heart of any firm's electronic-data security program. Proofpoint advocates understanding and leveraging the benefits of secure messaging, including:

- Keeping sensitive information private;
- Preventing anyone from tampering with the contents of messages; and
- Authenticating the identity of both the message's sender and recipient.

Executed properly, encryption algorithms can keep messages private. Encryption, which works by using digital "keys" that "lock" contents until they are "unlocked" by a corresponding decryption key, relies a great deal on how various approaches handle the generation, distribution and management of the keys, the white paper stresses.

Proofpoint outlines the pros and cons of four different approaches to email encryption:

Symmetric cryptography: Under this approach, the sender and receiver of a secure message agree on a password, then use that password as a key to both encrypt and decrypt messages. Some companies instead issue each sender and receiver a password, which is held on a central server. When a sender wants to transmit a message, he first sends a password-encrypted request to the server, which maintains the recipient's name and password. The server generates a random message key, encrypts one copy of it under the sender's password and another under the receiver's password, and sends both password-protected keys to the sender. The sender decrypts his copy, encrypts the message with the random key, and transmits the encrypted message to the receiver along with the server-issued, password-protected receiver key. The receiver decrypts that key with his own password and uses it to decrypt the message.
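The server-brokered exchange described above, written out as an added example that is not part of the article or of Proofpoint's white paper. The key server holds a password-derived key for every user, the sender's request is sealed under the sender's key, and the server returns the random message key wrapped once for the sender and once for the receiver. The authenticated encryption used here (a PBKDF2-derived key, an HMAC-SHA256 keystream and an HMAC tag) is an assumed demonstration construction chosen so the script runs on the Python standard library alone; the user names, passwords and message are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed constant for password-based key derivation (demo only).
_SALT = b"demo-salt"


def password_key(password: str) -> bytes:
    """Derive a 32-byte key from a user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Split one key into separate encryption and MAC keys."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a demonstration keystream (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or altered bytes fail here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyServer:
    """Central server that knows each user's password-derived key."""

    def __init__(self, passwords: dict[str, str]):
        self._keys = {name: password_key(pw) for name, pw in passwords.items()}

    def handle_request(self, sender: str, request: bytes) -> tuple[bytes, bytes]:
        # Opening the request with the sender's key both reveals the intended
        # recipient and proves the request came from someone holding that password.
        recipient = open_sealed(self._keys[sender], request).decode()
        message_key = os.urandom(32)
        return (seal(self._keys[sender], message_key),
                seal(self._keys[recipient], message_key))


def send_secure_mail(server: KeyServer, sender: str, sender_pw: str,
                     recipient: str, message: bytes) -> tuple[bytes, bytes]:
    """Sender side: obtain a message key from the server, encrypt, forward the
    receiver's wrapped copy of the key alongside the ciphertext."""
    sender_key = password_key(sender_pw)
    request = seal(sender_key, recipient.encode())
    for_sender, for_recipient = server.handle_request(sender, request)
    message_key = open_sealed(sender_key, for_sender)
    return seal(message_key, message), for_recipient


def receive_secure_mail(recipient_pw: str, ciphertext: bytes, wrapped_key: bytes) -> bytes:
    """Receiver side: unwrap the message key with the own password, then decrypt."""
    message_key = open_sealed(password_key(recipient_pw), wrapped_key)
    return open_sealed(message_key, ciphertext)


if __name__ == "__main__":
    # Constructed sample users and message.
    server = KeyServer({"alice": "correct horse", "bob": "battery staple"})
    ct, wrapped = send_secure_mail(server, "alice", "correct horse", "bob",
                                   b"Q1 lab results attached")
    print(receive_secure_mail("battery staple", ct, wrapped))
```

Every message costs a round trip to the server, which is the traffic drawback the white paper raises; the server also sees every message key it issues, so its compromise exposes all traffic it has brokered.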

Drawbacks: Server traffic can be a "headache," Proofpoint warns, because every secure message transmission involves the central server. Another limitation is the huge number of keys required: with a unique key for every pair of users, a small workgroup of eight people needs 28 keys, and a medium-sized company of 1,000 people needs nearly half a million. For this reason, symmetric cryptography is recommended only for small, contained networks with a low number of users.

Asymmetric cryptosystems: Better known as public key infrastructures (PKI), these use two keys, one public and one private, to encrypt and decrypt. Determined by user names, network addresses and trust level, PKI encryption policies specify which users are permitted to connect to which network resources, or who is allowed to read which email and from which sender. The policy elements are linked to the user's public key (the product of two randomly generated prime numbers) via a "certificate." Certificates are electronic documents that contain the name of the key's owner, the owner's public key and information about the certificate's validity, such as time limits. The owner's certificate is then electronically signed by a trusted certificate authority (CA). In PKI systems, the public and private keys are always used together.

Drawbacks: While an improvement over symmetric cryptography, PKI is marred by weaknesses, including the complexity involved in managing certificates. PKI demands a great deal of administrative overhead and expensive infrastructure, Proofpoint says, which has helped block PKI from enabling "truly ubiquitous secure messaging." Among the challenges it presents: Before sending a message, a sender must have the recipient's certificate. That means a company must maintain a standard directory of published certificates, which is expensive and time consuming. Another weakness: Validation can be difficult. The client validates the certificate by checking with the CA or contacting an online revocation server, but if the client is not online, the certificate can't be checked at that moment. Finally, users have to be pre-enrolled or they can't send secure email to a web server.

Secure web mail systems: Compared to PKI, these are easy to use. Unfortunately, they require users to switch over to a nonstandard email program in order to receive messages. They also require administering a separate email system with messages to be stored for months or years.

Drawbacks: The challenges of administering a second, parallel email system and infrastructure, plus archiving secure messages, can be prohibitively expensive.

Identity-based encryption (IBE): Proofpoint touts IBE as the best of PKI without the downsides. IBE uses the same algorithms as PKI and provides a high level of secure communication. With IBE there are no individual, per-user certificates. An email address or log-in serves as the encryption key identifying the user. Administrators have great flexibility managing and enforcing policies from a central key server and can easily adjust policies as needed, the white paper says. Using IBE, email can always be encrypted. It enables secure, ad hoc communication and lets users exchange messages without worrying whether a user is enrolled or registered.

For more information, or to see an IBE product demonstration, go to http://www.proofpoint.com/id/Encryptionwebinar805/index.php. -- Michael Causey