PGP Education Series: The Dawn of Pervasive Encryption

By Jon Callas, PGP Corporation, and Jim Reavis, Reavis Consulting Group

Sponsored By: PGP Corporation

An IT Briefing produced by TechTarget

Source: download.pgp.com/pdfs/whitepapers/Pervasive_encryption_040214.pdf


BIO

Jon Callas—Jon Callas is the Chief Technology Officer, Chief Security Officer, and a founder of PGP Corporation. He served as Chief Scientist at PGP Inc. and as CTO of the Network Security Division for Network Associates Technologies Inc. He previously served as Director of Software Engineering at Counterpane Internet Security and was a co-architect of Counterpane’s Managed Security Monitoring system. Most recently, Mr. Callas was Senior Systems Architect at Wave Systems Corporation. His career includes work at Digital Equipment Corporation, World Benders, and Apple Computer. He is the principal author of the Internet Engineering Task Force’s (IETF’s) OpenPGP standard and a writer and frequent lecturer on systems security and intellectual property issues.

Jim Reavis—Jim Reavis is the President of Reavis Consulting Group and editor of the CSOinformer newsletter. He is also an Appointed Advisor to the President of the Information Systems Security Association (ISSA). For more than 12 years, Mr. Reavis has worked in the information security industry as an entrepreneur, writer, speaker, technologist, and business strategist. He founded SecurityPortal in 1998, and has been an advisor on the launch of many industry ventures.

By Jon Callas and Jim Reavis

© 2004 TechTarget


This IT Briefing is based on a PGP Corporation/TechTarget Webcast, The Dawn of Pervasive Encryption. To view the Webcast, simply click on the link.

The Dawn of Pervasive Encryption covers these topics:

• PGP Encryption: The Gold Standard
• What’s Driving Encryption?
• Comparison: Pervasive Web and Pervasive Encryption
• PGP Universal: An Enabling Technology
• Sending Secure Email
• Impact of Secure Messaging on Society
• Summary
• Common Questions

About PGP Corporation

The recognized worldwide leader in secure messaging and information storage, PGP Corporation develops, markets, and supports products used by a broad installed base of enterprises, businesses, governments, individuals, and cryptography experts to secure proprietary and confidential information. During the past ten years, PGP® technology has built a global reputation for open and trusted security products. The PGP Corporation family of products includes PGP® Universal—an automatic, self-managing, network-based solution for enterprises—as well as desktop, mobile, and SDK solutions.

PGP Universal is the world’s first security architecture to shift the burden of securing email messages and attachments from the desktop to the network in a way that is automatic and entirely transparent to users. Secure up to 100% of your internal email and business partner communications today. Go to www.pgp.com for more information.

About TechTarget IT Briefings

TechTarget IT Briefings provide the pertinent information that senior-level IT executives and managers need to make educated purchasing decisions. Originating from our industry-leading Vendor Connection and Expert Webcasts, TechTarget-produced IT Briefings turn Webcasts into easy-to-follow technical briefs, similar to white papers.

Copyright ©2004 PGP Corporation. All rights reserved.

Design Copyright ©2004 TechTarget. All rights reserved.

For inquiries and additional information, contact:
Tina Hills
Director of Product Marketing, Webcasts, [email protected]

PGP Encryption: The Gold Standard

The history of PGP technology dates back to 1991, when inventor Phil Zimmermann released the first version of the product. Over more than a decade, PGP technology has built a global reputation for open and trusted security products. Currently, a wide majority of all encrypted email relies on the OpenPGP standard, otherwise known as RFC 2440.

PGP Corporation is the global leader in digital information security, and PGP products are used by a broad installed base of enterprises, businesses, governments, individuals, and cryptography experts to secure proprietary and confidential digital information assets. As described in this paper, the Company offers a diverse collection of digital security products, ranging from PGP Universal—an automatic, self-managing, network-based solution for enterprises—to desktop, mobile, and SDK solutions.

What’s Driving Encryption?

Corporate Governance and Legislation

Both corporate governance and legislation have begun to mandate increased use of encryption, reinforcing its recognition as a best practice across industries (see Figure 1). Recent developments in the computer industry indicate that encryption is needed now more than ever before. From the viewpoint of Chief Information Security Officers—tasked with developing, refining, and improving their corporate security assurance programs—encryption has become an important best practice for corporate governance. Security professionals are also sometimes called Chief Risk Officers because they take a risk management approach to protecting corporate information assets.

Figure 1


Government

Government has also changed its attitude to one of actively promoting encryption rather than discouraging its use, thereby helping to validate the technology. However, the same encryption techniques used to secure electronic communications can also hide those individuals intent on using the technology for illegal or unethical activities. As a result, government legislative bodies throughout the world now recognize that computer networks and the information assets they contain must be protected. New regulations now require organizations to maintain comprehensive network and messaging security.

Moore’s Law

As shown in Figure 2, Moore’s Law¹ and its effects on the price-performance ratios of computer platforms have provided a boost in terms of more cost-effective processing power for executing encryption operations. Moore’s Law predicts that every year we can accomplish more on a mainstream computer because of increased processing power. With current market conditions making it possible to acquire a 2.5 or 3.0GHz processor for less than $1,000, developers can rethink the way they approach design issues involving encryption. Encryption techniques that used to be very expensive—partly because of processing requirements—can now be used within a streamlined infrastructure supporting pervasive encryption. Increased throughput in modern computer hardware also makes it possible to incorporate encryption techniques that were impractical even five years ago.

Architectural Innovations and Standards

From an architectural perspective, there has been a shift from the model of monolithic code existing on one workstation to a distributed model based on cooperating, federated computing proxies. PGP Universal’s architecture relies on technologies that are reasonably mature. Rather than requiring new technologies, PGP Universal uses existing technologies differently, moving the operation of securing communications from the desktop to the network level. Because PGP Universal uses established technologies and standards, developers and system designers are not required to redo existing system architectures to achieve interoperability.

Figure 2

¹ Moore's Law predicts that the transistor density on integrated circuits doubles every couple of years. This exponential growth and ever-shrinking transistor size result in increased performance and decreased cost. http://www.intel.com/labs/eml/

Pervasive Encryption: Replay of the World Wide Web

Anyone older than high-school age realizes that the Internet has been in existence for a number of years; however, in the early days, only a small number of people, primarily in the academic and research communities, used it (see Figure 3). A convergence of trends—increasing ease of use of the World Wide Web, the introduction of search engines, and new options for and the speed of connectivity—catapulted the Web from an obscure communication channel to a major, pervasive worldwide medium for exchanging information and transacting commerce.

The acceptance and widespread adoption and use of encryption have, to some degree, followed a course similar to the acceptance and widespread adoption and use of the Web. As illustrated in Figure 4, encryption was initially considered an arcane playground primarily for the elite who were comfortable with the complex mathematical algorithms on which most encryption ciphers are based. The average person often did not understand how encryption worked and rarely had occasion to use it.

In the last decade, however, the situation has changed dramatically. Most people now have some type of access to the Internet and to email. For individuals to be able to send secure email effectively and easily to a wide range of email-capable devices, users must be shielded from the complexities of encryption by the supporting technology. This situation is similar to the way the Domain Name Service (DNS) and search engines hide the technical inner workings of the Web. Use of an automatic encryption proxy can bridge this gap and enable easy-to-use secure messaging.

The impetus for PGP Universal arose from that same desire to automate and simplify the encryption process. As Jon Callas describes it, "The first idea that I had for PGP Universal came from a dinner table conversation with a friend of mine on how—even as experts—we were not able to use encryption correctly, that we would forget to encrypt a reply every so often, that we would tend not to use it because it required one extra step. I started into a somewhat animated, ‘You know what I would do? If I could go and build something brand new, this is what I would do.’ This was, in fact, building something that is a proxy agent—something that does the security for me so that I don’t have to think about it."

Figure 3


Figure 4

PGP Universal and Pervasive Encryption

Many users may be reluctant to adopt encryption as a part of their routine communications unless the process is relatively painless. To gain acceptance, encryption needs to be something that happens in the background, invisible to users (see Figure 5).

To deliver this degree of transparency, encryption needs to be transformed from a desktop function performed by an individual user to a network service that encrypts data for all users. PGP Universal provides an automatic encryption proxy to simplify and expedite the encryption process. Organizations can leverage this process, which, in turn, will multiply the instances of encryption and the keys that support it, resulting in a significantly more secure network environment.

The relationship of the Open Systems Interconnection (OSI) protocol stack layers, shown in Figure 6, illustrates the mechanism by which PGP Universal works. PGP Universal moves the complexity of encryption from Layer 7—the application layer—down to Layer 4—the transport layer. In this part of the system there are simpler ways to perform operations because the interfaces are more fully defined. Moving the process to the transport layer also eliminates the expectation that any of the numerous email-capable client devices currently available will perform encryption operations. The increase in the number of handheld devices, both wireless and wired, makes it difficult to develop secure-messaging solutions that accommodate every client. The diversity of systems adds to the complexity of the challenge as well.

To design a security system that works pervasively, the security mechanisms must be able to work effectively in nearly every situation. Moving the security functions to the network takes advantage of the fact that all users already communicate with the network using secure connections such as Secure Sockets Layer (SSL). A key advantage of this approach, therefore, is that any device able to handle POP, IMAP, SMTP, or MAPI over SSL can use PGP Universal. For example, PGP Universal interoperates with smart phones that use a standard email client with SSL support. Moving this functionality to the network results in systems that are more stable, more secure, and less subject to frequent architecture changes.

Security policy typically fails when email recipients do not have secure messaging. PGP Universal offers a secure webmail option for email recipients without an installed encryption solution. In such cases, PGP Universal retains the original secure message and sends an "in-the-clear" email message notifying the recipient that a secure message is available. The PGP Universal Web Messenger feature then allows recipients to use their Web browser to create a secure SSL/TLS session and retrieve their message through a webmail-like session. The goal is to create security mechanisms that are more powerful as well as easier to build, easier to deploy, and easier to maintain.

Figure 5

Figure 6

The simplest way to deploy PGP Universal is shown in Figure 7. Here, PGP Universal operates in the DMZ, securing messages entering and leaving the organization with the SMTP email protocol. When messages are transmitted, PGP Universal automatically encrypts them. When secure messages are received, PGP Universal automatically decrypts them. The software performs full key management, key creation, and key lifecycle management as well as digital signatures for all users on the PGP Universal system.

Placing these functions at the edge of the network’s email subsystem ensures minimal disruption because security is added without manual intervention once PGP Universal is deployed (see Figure 8).

This approach is particularly useful for large enterprises that are required to archive messages. From an email end user’s perspective, this approach also ensures transparency because there is no software to install or other configurations to change. PGP Universal automatically encrypts the email as it leaves the organization and adds a digital signature, if required. Such a configuration resembles that of a typical corporate firewall—once it is implemented, end users are not aware of its existence. In addition, PGP Universal’s Self-Managing Security Architecture reduces the need for ongoing IT management and support once it is deployed.

According to Jon Callas, "This is really where the innovation of PGP Universal comes in. Gateway SMTP encryptors and decryptors are not news. They are things that people have done in the past—something that people have thought about for years. What we did is say, ‘Let’s proxy everything. Let’s take POP, let’s take IMAP or SMTP, and let’s make it work for Microsoft MAPI protocols, too.’"

"With this approach," Callas continued, "you connect to PGP Universal with SSL just like you connect to any other email server. PGP Universal takes your connection and sends it to the real email server. It doesn’t have to store your messages; it operates on them in transit. In that particular case, it can take your messages and not only have them encrypted right out of the network, but also while they are in your network. The benefit of this approach is that you end up with your information and your partner’s information encrypted even when it is on the server. This results in ciphertext everywhere and plaintext on your computer. You can still do all the searching and indexing that you did before because PGP Universal is handling your client and what it would consider to be plaintext. It is inserting little markers, telling you that it was decrypted, telling you that the signatures were verified correctly, and so on."

Figure 7

Communicating securely with users outside the organization is difficult. Even when outgoing email security policy is followed, there is no guarantee recipients will reply securely. PGP Universal Satellite resolves this problem by offering two-way policy enforcement—extending security to inbound email messages originating outside the organization. PGP Universal Server downloads PGP Universal Satellite—a small, no-user-interface, invisible piece of software—to the recipient’s Windows or Mac OS X desktop client along with a key and associated security policy. Once installed, PGP Universal Satellite automatically encrypts and decrypts and enforces policy on all email sent to and from the PGP Universal Server.

PGP Corporation applied knowledge gained from developing firewalls and virtual private networks (VPNs) to developing PGP Universal Satellite. Essentially, PGP Universal Satellite transparently pushes network encryption out to the client itself. Once installed on the client, it operates much like a firewall, listening to the email protocols. PGP Universal Satellite offers an additional advantage as well: end users can manage the private key of their key pairs, if desired. In what is called Client Key Mode, all cryptographic operations are performed by the end-user computer on which PGP Universal Satellite is installed. The private key never leaves the user’s computer; the user’s computer also handles all private key management. This approach ensures that signing keys remain within the user’s direct control at all times, meeting the most stringent non-repudiation requirements.

Pushing encryption out to the client allows the servers to gain more throughput. A potential disadvantage to this approach, however, is the fact that individual users have to manage the process. From its earliest days, cryptography has suffered from a serious limitation: no matter what mechanism users chose to lock their data—a passphrase or a token, for example—they could find themselves unable to access their data if they forgot that passphrase or token.

Figure 8

To address that limitation, PGP Universal offers another option called Server Key Mode. In Server Key Mode, the server from which PGP Universal Satellite is installed performs cryptographic operations. When PGP Universal Satellite is used, the server temporarily—yet securely—sends the private key to PGP Universal Satellite. This approach provides for transparent roaming on additional authorized computers or email-capable client devices without manual migration of the key. For example, Server Key Mode enables end-to-end security and authentication when used with personal digital assistants (PDAs) and smart phones.

Implementation of PGP Universal can be determined on a user-by-user basis, with some users relying on server-based encryption (Server Key Mode) and others set up to use client-based encryption (Client Key Mode). The decision of how to handle the issue of users managing keys may be mandated by corporate security policy or regulatory requirement, or administrators can opt to ensure the server keeps track of all keys so no one can lose them.

Sending Secure Email

Figure 9 illustrates the technique of sending a secure email using PGP Universal between two fictional characters: Bob and Sue.

In this example, Bob composes an email message using a standard email client in the same manner he always composes messages. When the message is complete, he clicks "Send." In earlier versions, PGP email plug-ins required senders to click a "Send Secure" or "Please Encrypt This" button to activate the encryption function. Responses from product testers suggested that removing this requirement would make the product easier to use, which is why Bob now simply clicks "Send."

Bob’s message gets picked up by PGP Universal, either by PGP Universal Satellite on the client machine or through SSL to a PGP Universal Server. The server examines the destination of the message and recognizes it is being directed to Sue. The server identifies Sue’s domain and examines LDAP information associated with the account to determine that the policy to Sue’s domain is to encrypt the message, but not to sign it. To accomplish this goal, the server needs to have a key for Sue.

Figure 9

The server might have Sue’s key itself, access her key through a global PKI-like certificate server, communicate with an LDAP server at Sue’s company to retrieve her key, or ask another PGP Universal Server for the key. If the server finds a certificate for Sue, it can obtain the public key from it, encrypt the message, format it, and send it on to the recipient (Sue).

PGP Universal’s approach is format-agnostic because it does not require a PGP key or PGP certificate but can also use an X.509 certificate or S/MIME-formatted email. OpenPGP and S/MIME are fully realized IETF standards. The National Institute of Standards and Technology (NIST) mandates the use of either protocol for communications between the government and government contractors. Similarly, there are both S/MIME and OpenPGP versions of EDI specifications. Although these two standards have been vying for prominence for some time, indications are that both will continue to be used in the short term. As XML-based formats become increasingly important in the next few years, PGP Universal will interoperate with these formats effectively as well.

Returning to the earlier Web metaphor, there are two primary ways to place an image within a Web page: in GIF format or JPEG format. When viewing the image, the user doesn’t know or care what the format is. In the same manner, people working with secure email often want to be able to move freely between standards, using either S/MIME or OpenPGP where appropriate. PGP Universal makes it possible to perform pervasive encryption regardless of the choice of standards at the organizational level.

In the PGP Universal world, the certificate type defines what the message type should be. If the PGP Universal Server determines that Sue has an X.509 cert stored in the VeriSign public directory, the underlying assumption is that Sue will probably want to receive an S/MIME message, and PGP Universal codes it that way. If Bob sends a single message to two people, such as Sue and Alice, and Sue has an X.509 certificate and Alice has a PGP certificate, PGP Universal automatically sends an S/MIME-formatted message to Sue and a PGP-formatted message to Alice. In this way, Sue and Alice each receive secure messages delivered in the format appropriate to their respective email configuration.

If a recipient doesn’t have a certificate, the PGP Universal Server has several options. The simplest technique is to send the message in plaintext format, which might be appropriate for certain domains. For example, the server might receive a message going to an AOL account and determine that the message should be encrypted if it can locate the recipient’s key, but if not, should be sent to the recipient in plaintext.

In some enterprises, policy states that messages should be exchanged with business partners through the email VPN and, if security cannot be ensured, the message exchange should fail. If Bob attempted to send a plaintext message to someone where this policy is in effect, for example, PGP Universal could bounce the message back to him. However, in many cases, the message must be delivered even if the recipient, Sue, has no knowledge of email security. In this case, PGP Universal sends a message to Sue reading, "Bob would like to send you a secure email message. Please click this link." The SSL HTTP link then connects Sue to a secure webmail server built into PGP Universal.

Authentication in this scenario can be handled in two different ways: The server may presume that Sue will be the first person to open the message Bob sends ("first time good"). Or, the server may send Bob a message containing a randomly generated password that must be given to Sue by some means other than email ("out of band"). Depending on the circumstances, one or the other of these approaches might be appropriate to maintaining the necessary level of messaging security.

In either case, Sue authenticates to the PGP Universal Server where she can access a webmail-like system. She can read the email, reply to it, and download PGP Universal Satellite, which will coordinate with PGP Universal Server. Thereafter, whenever Sue sends email back to Bob’s domain, PGP Universal Satellite will encrypt it automatically. Any other email she sends will be handled normally. Sue can also download attachments and interact in other ways with the Web-based system. This Web-based system provides a useful way to maintain secure communications with infrequent recipients. In situations where secure communication needs to occur consistently and often, PGP Universal Satellite is a more effective approach.
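The decision sequence the Bob-and-Sue walkthrough describes (key lookup across several sources, message format chosen from the certificate type, per-domain fallback to plaintext, bounce, or a Web Messenger notification authenticated "first time good" or out of band) can be modelled as a small policy engine. The following is an added illustration, not PGP Universal code; every address, domain, key identifier and policy in it is constructed sample data, and the key material itself is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass(frozen=True)
class DomainPolicy:
    """Per-domain policy as the text describes it: whether to encrypt, whether
    to sign, and what to do when no key can be found for the recipient."""
    encrypt: bool = True
    sign: bool = False
    fallback: str = "webmessenger"     # "plaintext", "bounce" or "webmessenger"
    web_auth: str = "first_time_good"  # Web Messenger auth, or "out_of_band"


@dataclass(frozen=True)
class Decision:
    recipient: str
    action: str                  # "encrypt", "plaintext", "bounce", "webmessenger"
    fmt: Optional[str]           # "S/MIME", "OpenPGP" or None
    sign: bool
    key_source: Optional[str]    # where the key was found, None if it was not
    auth: Optional[str] = None   # Web Messenger authentication mode
    oob_password: Optional[str] = None


# Constructed sample key sources, searched in the order the text lists them.
# Each entry maps an address to (certificate type, key identifier).
LOCAL_KEYS: Dict[str, Tuple[str, str]] = {
    "alice@example.net": ("pgp", "0xA11CE"),
}
LDAP_DIRECTORIES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "partner.example.com": {"sue@partner.example.com": ("x509", "cn=sue")},
}
PEER_SERVERS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "mail.example.org": {"carol@mail.example.org": ("pgp", "0xCA401")},
}

# Constructed sample policies. Sue's domain: encrypt, don't sign, fail closed
# (bounce) if no key. A consumer mail domain: fall back to plaintext.
# Everyone else: Web Messenger notification with an out-of-band password.
POLICIES: Dict[str, DomainPolicy] = {
    "partner.example.com": DomainPolicy(encrypt=True, sign=False, fallback="bounce"),
    "aol.com": DomainPolicy(fallback="plaintext"),
}
DEFAULT_POLICY = DomainPolicy(fallback="webmessenger", web_auth="out_of_band")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def find_key(address: str) -> Optional[Tuple[str, str, str]]:
    """Return (cert_type, key_id, source) from the first source holding a key,
    or None: local store, then the recipient company's LDAP directory, then
    another PGP Universal Server responsible for that domain."""
    domain = domain_of(address)
    if address in LOCAL_KEYS:
        return LOCAL_KEYS[address] + ("local",)
    ldap = LDAP_DIRECTORIES.get(domain, {})
    if address in ldap:
        return ldap[address] + ("ldap:" + domain,)
    peer = PEER_SERVERS.get(domain, {})
    if address in peer:
        return peer[address] + ("peer:" + domain,)
    return None


def decide(recipient: str, policy: Optional[DomainPolicy] = None) -> Decision:
    """Apply the recipient's domain policy and pick the delivery method."""
    policy = policy or POLICIES.get(domain_of(recipient), DEFAULT_POLICY)
    if not policy.encrypt:
        return Decision(recipient, "plaintext", None, policy.sign, None)
    found = find_key(recipient)
    if found is not None:
        cert_type, _key_id, source = found
        # The certificate type decides the message format:
        # X.509 certificate -> S/MIME, PGP key -> OpenPGP.
        fmt = "S/MIME" if cert_type == "x509" else "OpenPGP"
        return Decision(recipient, "encrypt", fmt, policy.sign, source)
    # No key anywhere: fall back as the domain policy dictates.
    if policy.fallback == "plaintext":
        return Decision(recipient, "plaintext", None, policy.sign, None)
    if policy.fallback == "bounce":
        return Decision(recipient, "bounce", None, False, None)
    # Web Messenger: only a notification goes out in the clear; the message
    # itself stays on the server and is read over an SSL/TLS webmail session.
    if policy.web_auth == "out_of_band":
        # The random password goes to the sender, who passes it to the
        # recipient by some channel other than email.
        return Decision(recipient, "webmessenger", None, False, None,
                        "out_of_band", secrets.token_urlsafe(12))
    return Decision(recipient, "webmessenger", None, False, None, "first_time_good")


def route_message(recipients: List[str]) -> Dict[str, Decision]:
    """One message to several recipients is decided per recipient, so Sue can
    get S/MIME while Alice gets OpenPGP from the same "Send" click."""
    return {r: decide(r) for r in recipients}


if __name__ == "__main__":
    sample = ["sue@partner.example.com", "alice@example.net",
              "nobody@aol.com", "stranger@elsewhere.example"]
    for addr, d in route_message(sample).items():
        print(f"{addr:28} {d.action:12} {d.fmt or '-':8} sign={d.sign} "
              f"via {d.key_source or d.auth}")
```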

PGP Universal itself performs the encryption functions, leading some to question whether it would be more efficient to apply encryption-accelerating hardware to the task. In practice, encryption-acceleration hardware encrypts at about the same speed as the processor on which it is running, so users can gain additional performance with two machines running in concert. Using two separate computers can be more cost-effective than purchasing an accelerator card, however, particularly because the price-performance ratios of current-generation machines are so favorable. Multiple PGP Universal Servers can be clustered, providing performance gains and efficiency advantages. Clustered PGP Universal Servers communicate by trading keys and policy information and are centrally managed via the Administrative Interface on the Primary Server in the cluster. This setup can be the least expensive way to implement a high-performance PGP Universal platform.

Impact of Secure Messaging on Society

Business agility has become an increasingly important factor in organizational growth (see Figure 10). In the past, an organization’s business agility was often hampered by a variety of equipment requirements, different line setups, and disparate hardware needs, making it more difficult for systems to interoperate or new ventures to succeed. If an organization is assured that its key digital information assets are secured in transit both inside and outside the organization, it may have the confidence to modify its organizational structure, launch new business initiatives, and even move into new markets.

Explosive growth in online commerce imposes the need for improved security in electronic communications as well, whether a business is operating primarily online or in a more traditional bricks-and-mortar setting. All parties must be assured that electronic communications exchanged between a business, its partners, and its customers will be protected. As a result, consumers will gain increased confidence in online transactions, leading to a better climate for online commerce and increased revenues.

Identity theft is another serious concern for anyone who spends time online. Although most cases of identity theft still use offline techniques such as pilfering credit card receipts, projections point to increased online activity in this area in the future. Pervasive encryption can help reduce the risks for consumers as well as businesses involved in online commerce.

As Jon Callas points out, "When we were building PGP Universal, we talked to a number of people who have used PGP secure messaging a lot in the past. Many have told us that their CEO said, ‘I want you to secure everything. I know you can’t do it this year. I know you can’t do it next year. But this is the goal I want to set for you. I want all email encrypted.’ There are companies that have already said, ‘Between us and our partners, we encrypt all of our email. That is our policy. If you want to be one of our partners, you have to encrypt your email.’"

Figure 10

This imperative, frequently now part of an enterprise strategy, can generate high costs as IT professionals and system architects learn how to implement encryption solutions and users learn to employ them. If the system requires user intervention, there’s always the chance people will forget to encrypt something. If, however, a system allows policies to be centrally established and managed and messaging security policy to be completely defined, the servers can perform encryption automatically and transparently to the users. This approach not only satisfies everyone’s goals, it also allows processes once accomplished by fax or physical mail to be moved to email.

Automating encryption is an important factor in lowering costs. Typically, security systems do not deliver a measurable return on investment. Messaging security, on the other hand, delivers a substantial return on investment because it enables the least expensive form of communication to be used in lieu of more costly methods. Pervasive encryption performed at the network level not only provides operational cost savings, it enhances productivity by eliminating the need for user training and support while centralizing system deployment and management.

Summary

The demand for pervasive encryption is becoming more widespread: Both government agencies and society are requiring that encryption be routinely used for communication over the Internet and intranets (see Figure 11). The technology and standards that make pervasive encryption possible have reached maturity. As PGP Universal demonstrates, the automatic encryption proxy makes encryption cost-effective and practical while being transparent to end users. Such a system becomes part of the network infrastructure, minimizing IT maintenance requirements and automating the fundamental work of creating keys or downloading them from other sites.

PGP Universal represents a next-generation, secure-messaging solution that enables pervasive encryption. As pervasive encryption takes hold throughout the industry, confidence among individual users and businesses will rise, leading to increased use of the Internet for inexpensive, secure communications.


Figure 11


Common Questions

Question: A major historical complaint about email encryption is the issue of portability and user mobility. For example, a user might have multiple PCs or a smart phone or a BlackBerry handheld device. How does PGP Universal address the problem of encryption when someone is using multiple devices?

Answer: Using a clientless operation model, PGP Universal works with any device that can handle SSL. Regardless of the type of device, if it has an email client with SSL capabilities, the user enjoys full messaging security. By using industry-standard protocols such as X.509, OpenPGP, and S/MIME, PGP Universal is flexible enough to interoperate with the majority of other systems. PGP Universal can work with companies that have a PKI certificate process as well as users with smart phones. Users who travel frequently with laptop computers can plug into the hotel network and exchange email as securely as if residing in their office. Regardless of where a user is or what device she or he is using, PGP Universal ensures that email is always secure.

Question: Authentication is an important concern because people worry about identity theft or "spoofed" email messages. What are the key trends in the authentication of email messages and how does PGP Universal address them?

Answer: Digitally signing messages is the best way to ensure authentication. PGP Universal includes mechanisms that construct a signing PKI as well as an encryption PKI to positively identify the origin of a particular message.
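An added example of the signing side, written to illustrate the answer above and not taken from PGP Universal or the briefing: an Ed25519 detached signature over a sender-bound input, verified against a directory of published sender keys. The directory, addresses and message text are constructed for the example. It shows the two checks a gateway must make to counter spoofed mail: the claimed sender must have a key the organisation vouches for, and the signature must cover the sender identity as well as the body, so that a genuine signature cannot be replayed under another From address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage is a minimal envelope: who claims to have sent it, the bytes
// that were signed, and the detached signature.
type SignedMessage struct {
	From string
	Body []byte
	Sig  []byte
}

// Directory maps a sender address to the public key the organisation has
// published for it; it stands in for the signing PKI (an assumption here).
type Directory map[string]ed25519.PublicKey

// signingInput binds the claimed sender to the body, so a valid signature
// cannot be reused under a different From header.
func signingInput(from string, body []byte) []byte {
	return append([]byte("from:"+from+"\n"), body...)
}

// Sign produces the envelope for a message from `from` using that sender's key.
func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMessage {
	return SignedMessage{From: from, Body: body, Sig: ed25519.Sign(priv, signingInput(from, body))}
}

// Verify returns true only if the claimed sender has a published key and the
// signature checks out over the sender-bound input. An unknown sender is
// rejected outright: a spoofed From with no key behind it never verifies.
func Verify(dir Directory, m SignedMessage) bool {
	pub, ok := dir[m.From]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, signingInput(m.From, m.Body), m.Sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"alice@example.net": pub} // constructed directory entry

	m := Sign("alice@example.net", []byte("Wire the funds to account 1234."), priv)
	fmt.Println("genuine:       ", Verify(dir, m))

	tampered := m
	tampered.Body = []byte("Wire the funds to account 9999.")
	fmt.Println("tampered body: ", Verify(dir, tampered))

	spoofed := m
	spoofed.From = "ceo@example.net" // Alice's valid signature replayed under another name
	fmt.Println("spoofed sender:", Verify(dir, spoofed))
}
```

Ed25519 is used here for brevity; an OpenPGP or S/MIME deployment signs with keys certified by the respective PKI, but the verification logic is the same: look up the key the sender is entitled to, then check the signature over data that includes the sender identity.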

Question: The concept of a self-managing keyserver and the supporting architecture could be leveraged for other types of communication beyond email. Can PGP Universal be used to implement other types of communication applications?

Answer: The four main Internet messaging protocols have already been implemented in PGP Universal, and a Lotus Notes version is underway. Instant messaging essentially represents a set of additional protocols, and a version of PGP Universal that supports instant messaging is already in development. The PGP Universal architecture uses a model by which the actual proxy engine can be a pluggable component so new functionality can be added as needed. PGP Universal can also handle Voice over IP (VoIP). With an infrastructure that has been set up for VoIP, a PGP Universal Server can transparently take messages, encrypt them, and send them along to the recipient, where they can be decrypted by the other gateway. Once developers fully explore the value and utility of smart security proxies, they’ll be able to use this technology to add a layer of security to a wide range of existing systems.

Question: For these extended types of applications, would you use one set of keys, one hierarchy or structure of keyservers to control the operations?

Answer: Yes. In most cases, this would involve distributing objects. Clustering architectures work well in this regard. One possible approach would be to have one server act as the certificate server. Theoretically, you could have a variety of servers performing different tasks, such as webmail pickup, message delivery, instant messaging, and so on. These servers share keys. They share all necessary information to perform secure information exchange.

Question: The government has made a 180-degree change in attitude from demonizing encryption to now proactively encouraging and even mandating encryption. Is the pro-encryption position within the government likely to continue?

Answer: The current position will most likely continue. The government is just beginning to understand the basic nature of an information economy. To protect information, you must encrypt it. That has been the case ever since the invention of writing—whenever you want to protect something that has been written, you encrypt it. There is no other reasonable way to accomplish this task.

Question: What is the overhead in terms of bandwidth, time delay, and processing on the local client and email servers? How much extra hardware and bandwidth is required to jump from a voluntary (seldom-used) encryption policy to a pervasive policy?

Answer: PGP encryption often decreases the size of a message. The reason is that PGP encryption compresses the information before encrypting it. This approach not only improves security, but usually reduces storage and bandwidth requirements. We say usually because some content is already compressed. In the absolute worst case, encryption adds less than 10% to the size of a message, and this percentage is smaller with larger messages.
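An added example, not PGP code, that measures the size effect described in the answer above: compress with zlib, then encrypt with AES-256-GCM, applied to a constructed ~2 KB prose body and to 2 KB of random bytes standing in for an already-compressed attachment. The key, nonce layout and sample inputs are all assumptions of the example; OpenPGP uses its own packet format and ciphers, but the compress-then-encrypt ordering and the resulting size behaviour are what the answer is describing.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"strings"
)

// Seal compresses plaintext with zlib, then encrypts with AES-256-GCM.
// Output layout (assumed for this example): 12-byte nonce || ciphertext || 16-byte tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zlib.NewWriter(&buf)
	if _, err := zw.Write(plaintext); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, buf.Bytes(), nil), nil
}

// Open reverses Seal: authenticate and decrypt first, only then decompress,
// so a forged or corrupted message never reaches the decompressor.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	compressed, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err // wrong key or tampered ciphertext
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SampleText is a constructed ~2 KB message body; ordinary prose compresses well.
func SampleText() []byte {
	return []byte(strings.Repeat("Please find attached the quarterly figures for review before Friday's meeting.\n", 26))
}

// SampleRandom is a constructed 2 KB incompressible body, e.g. an already-compressed attachment.
func SampleRandom() []byte {
	b := make([]byte, 2048)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		body []byte
	}{{"text", SampleText()}, {"random", SampleRandom()}} {
		sealed, err := Seal(key, c.body)
		if err != nil {
			panic(err)
		}
		back, err := Open(key, sealed)
		if err != nil || !bytes.Equal(back, c.body) {
			panic("round trip failed")
		}
		fmt.Printf("%-6s plaintext %4d bytes -> sealed %4d bytes (%+.1f%%)\n",
			c.name, len(c.body), len(sealed), 100*float64(len(sealed)-len(c.body))/float64(len(c.body)))
	}
}
```

Two caveats a practitioner would add. First, ciphertext length now depends on how compressible the plaintext is, so compressing data that mixes attacker-chosen and secret content can leak information about the secret through message size; that is a reason to be deliberate about what gets compressed together. Second, decompression must only run after authentication succeeds, as Open does, so that a forged message cannot feed the decompressor.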


About TechTarget

We deliver the information IT pros need to be successful.

TechTarget publishes targeted media that address your need for information and resources. Our network of industry-specific Web sites gives enterprise IT professionals access to experts and peers, original content and links to relevant information from across the Internet. Our conferences give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Practical technical advice and expert insights are distributed via more than 100 specialized e-mail newsletters, and our Webcasts allow IT pros to ask questions of technical experts in real time.

What makes us unique

TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals. We leverage the immediacy of the Web, the networking and face-to-face opportunities of conferences, the expert interaction of Webcasts and Web radio, the laser-targeting of e-mail newsletters and the richness and depth of our print media to create compelling and actionable information for enterprise IT professionals. For more information, visit www.techtarget.com.