Security standards to merge

A group of information technology vendors last month announced plans to merge a commercial security standard for sending e-mail messages with one used primarily by the Defense Department, a move designed to encourage more federal agencies to use secure e-mail technology. Led by RSA Data Security Inc., nine vendors, including Microsoft Corp. and Netscape Communications Corp., plan to combine the Secure Multipurpose Internet Mail Extensions (S/MIME) protocol with the government's Message Security Protocol (MSP). The National Security Agency developed MSP primarily for use by DOD for sending secure e-mail over the Defense Message System.

Protocol Incompatibilities

But S/MIME, which is widely used by civilian agencies, and MSP are not compatible. As a result, if a DOD user sends a message to someone outside DOD, the message must first go through a gateway that interprets the message and strips it of security mechanisms before it is sent to the other user.

Merging the two protocols would allow civilian and military users to communicate with each other and would extend more sophisticated security features to current S/MIME users, according to vendor representatives who have joined with RSA. Those features include supporting the use of encryption and digital signatures, providing for documents to be identified according to their level of sensitivity, and allowing for handling complex security for large mailing lists.

In addition, the resulting standard would support various encryption algorithms, including DOD's customized algorithm or those more commonly used in commercial settings.

"What we're trying to do is work to develop a security specification to allow for e-mail to be both signed and encrypted easily and seamlessly," said Lynn McNulty, RSA's director of government affairs. "It says agencies can buy e-mail products that have a full set of security features that will allow them to interact" with commercial and other agency users.

While DOD's standard is needed for many high-end e-mail security applications, many government agencies require less stringent messaging security, said Frank Hecker, the lead systems engineer for Netscape's federal government sales group. Netscape products now support S/MIME with the RSA algorithm, and the company is working to support S/MIME used with DOD's Fortezza algorithm, he said.

"Netscape believes that commercial security e-mail standards such as S/MIME can meet many government requirements today," Hecker said. "There will always be the high-end government requirements for certain areas...that can only be met by government-designed technology. But for the majority of government applications, commercial messaging technology is here either today or will be there in the future."

J.G. Van Dyke and Associates, a Maryland-based software development firm that has worked with NSA to develop the uses of the MSP protocol for the government, is working to develop a reference implementation of the MSP-enhanced S/MIME security protocol. The resulting software library will let developers integrate the new S/MIME protocol into products.

RSA expects to release a prototype of the MSP-enhanced S/MIME protocol next year, with installation in 1999. Other vendors that have joined with RSA include Entrust Technologies Inc., Lotus Development Corp., SPYRUS, Worldtalk Corp. and VeriSign Inc.