Sizing up coded message options

Feds face numerous ? and nuanced ? encryption schemes for securing e-mail

Government agencies face a communications dilemma. On one hand, officials are asked to share more information with other agencies, businesses and citizens. On the other, they are under pressure to boost data protection.

E-mail, the ubiquitous communication backbone, lies at the center of this quandary. Applications ranging from emergency response to e-government depend on e-mail. But

e-mail's universality and openness, typically considered strengths, can be security weaknesses.

Secure e-mail solutions aim to keep information flowing while providing greater protection. Solutions include a variety of encryption schemes to secure messages as they travel across cyberspace. Each encryption approach has nuances. Some solutions use multiple encryption protocols, allowing customers to select the right security tool for each messaging job.

Vendors report that interest in secure e-mail solutions is growing. Scott Olechowski, vice president of product strategy and development at secure messaging vendor PostX Corp., said governmentwide interest has increased by an order of magnitude.

But money is an issue for agency officials considering acquiring one of these solutions, which can cost tens of thousands of dollars. Another drawback is the cumbersome nature of public-key infrastructure (PKI), on which various secure e-mail techniques rely.

Officials are expected, however, to embrace secure e-mail solutions in greater numbers. Those organizations moving into the evaluation phase have a number of flavors and variations to consider.

The S/MIME approach

Secure Multipurpose Internet Mail Extensions, or S/MIME, is a protocol for secure e-mail exchange that has the endorsement of major enterprise messaging vendors. S/MIME offers end-to-end encryption, meaning that a message is encrypted at the sending client computer and decrypted at the receiving client. Microsoft Corp.'s Exchange server and Outlook e-mail client support S/MIME, as do IBM Corp.'s Lotus Domino and Notes.

S/MIME also plays a role in the Pentagon's Defense Message System. The medium-grade version of DMS makes use of S/MIME, according to a spokeswoman for the Defense Information Systems Agency. DMS high grade, meanwhile, uses a protocol developed by the National Security Agency.

S/MIME offers a high level of security but through a complex solution, analysts say. To operate effectively, S/MIME depends on PKI. These architectures make use of private and public cryptographic key pairs, which are linked via a digital certificate, for encrypting and decrypting information. The pairs also are used to generate and verify digital signatures. Digital signatures help ensure the integrity of a message's content.

A 2003 report from Butler Group, a division of Butler Direct Ltd., cites the complexities and costs of establishing the necessary PKI to support S/MIME as a factor that inhibits the use of secure e-mail solutions.

Even organizations that already have PKI face secure e-mail challenges. "The integration between PKI and an e-mail system at the enterprise level is...a nontrivial task," said Sean Steele, director of business development at Tovaris Inc., a vendor of e-mail security products.

Companies, however, seek to simplify PKI management. IBM officials implemented technologies to make it easier for users to obtain certificates, said Kevin Lynch, IBM's Domino security development manager. If a user already has a public/private key pair and wants to use S/MIME, an administrator can go to the Domino directory, select the user and add a certificate, he said. Domino prompts the administrator to select a Certificate Authority (CA). If the administrator chooses to use Domino's integrated CA, a digital certificate is automatically generated in the widely used X.509 format.

S/MIME e-mail gateways provide an alternative to S/MIME embedded in enterprise messaging solutions. Products such as Tovaris' SecureMail Gateway are installed next to the firewalls of the sending and receiving organizations. Secure Sockets Layer (SSL) encryption supplements this gateway-to-gateway security. Messages arrive at and depart from the SecureMail Gateways via SSL. S/MIME gateways automate key management to simplify PKI.

PGP, SSL vie for role

Pretty Good Privacy (PGP), especially the OpenPGP protocol, generally has been associated with desktop computer security. But PGP Corp. has moved into the server segment with its PGP Universal product. The objective is to make OpenPGP the vehicle for bringing secure e-mail to a broader enterprise audience.

Similar to the S/MIME vendors, PGP Corp. officials seek to ease PKI management. The company's Self-Managing Security Architecture creates keys on the fly, according to Andrew Krcik, the company's vice president of marketing. The company recently improved PGP Universal so that it can generate X.509 digital certificates and certificates created in PGP's own format. PGP Universal offers gateway-to-gateway or end-to-end recipient protection.

SSL, meanwhile, guards transmissions from client to server. It often complements gateway solutions and other secure e-mail approaches. Products such as Ipswitch Inc.'s IMail server and Sun Microsystems Inc.'s Sun Java System Messaging Server use SSL as their main security protocol.

SSL e-mail solutions can notify an e-mail recipient that a secure e-mail has arrived. The notification contains a Web address that directs the recipient to a secure e-mail store, with server-based and Web browser-based SSL providing the secure link.

PKI workarounds

Many secure e-mail approaches seek to tame PKI, but other methods work without it.

That's the case for secret-key-based solutions. Secure e-mail wares from companies such as Authentica Inc. and Sigaba Corp. offer e-mail encryption without requiring administrators to establish a PKI. These products have piqued the interest of officials at some federal agencies.

"Sigaba and other [companies'] applications for secure e-mail don't necessarily need a full-blown PKI," said Barry West, chief information officer at the Federal Emergency Management Agency. He said such solutions avoid PKI's cost and complexity.

Secret-key solutions are pushing beyond protecting e-mail in transit to controlling e-mail once it lands in the recipient's inbox. Authentica's product, for example, lets administrators determine whether recipients can print, copy or forward content. And messages can be deleted at any time, according to company officials.

Identity-Based Encryption (IBE) offers another alternative to PKI-based solutions. The encryption technique lets organizations use identities such as e-mail addresses in public keys. IBE has been a subject of university research for years, and it has a commercial implementation. Voltage Security Inc. officials began shipping IBE-based products last year.

Fred Cohen, principal analyst at the Burton Group, said IBE has "positive attention in the media" but called the approach problematic. The biggest problem, he said, is the potential for identity theft.

But Wasim Ahmad, Voltage's vice president of marketing, said an authentication step is required to "verify that you do indeed own the identity — before any keys are issued or refreshed." He said this can be accomplished through a user name and personal identification number or two-factor authentication via a hardware token.

Hybrid solutions

Some vendors have opted to blend encryption approaches in their products. Hybrid solutions bolster interoperability and allow users to deploy techniques where they are most advantageous.

PostX, for example, supports S/MIME for organizations using PKI. But the company also features its own encryption approach — PostX Envelope, which lets recipients receive secure e-mail without installing client software. SSL, meanwhile, provides a pull option that can be useful for securely delivering large attachments, Olechowski said.

By supporting multiple solutions, customers can use new approaches and protect their investment in existing secure e-mail techniques. This could help some agencies overcome an aversion to experimenting with new technology, industry experts say.

"The government always deals with sunk costs," said retired Adm. Archie Clemins, who was recently named to the advisory board of MessageGate Inc., a secure messaging vendor.

Moore is a freelance writer based in Syracuse. N.Y.