Disclaimer: This information comes from sources that cannot be
verified. As such, make no assumptions about its completeness
or accuracy. We endeavor to keep this information up to date
as much as possible. Feel free to send comments/updates to
the Security News Editor.
PGP Offers New Encryption Software for Corporations
By PETER WAYNER
On Thursday the Pretty Good Privacy software company announced a new version of its popular encryption software with
features that make it easier for companies to deploy encryption throughout their organization. The new software provides a
way for the manager of a company's electronic infrastructure to catalogue and distribute keys so that employees can scramble their
electronic mail as easily as they might include an image or change the font of the message.
The new version, called PGP for Business Security 5.5, also includes some of the
most advanced mechanisms for "key recovery," a technology for surveillance that
has been the focus of a major debate between the Federal Bureau of Investigation
and many software companies and Internet users. The PGP software allows the
corporation's management to enforce policies that may be as stringent as banning all
e-mail that the management can't read.
In the past several years, the use of encryption algorithms to scramble data has been
a major point of controversy and it has been the lightning rod attracting debate
about the level of privacy that people can expect in cyberspace. The FBI has
proposed banning secret codes that they can't break because such codes could interfere
with law enforcement officials' ability to gather evidence. This approach, however,
has received widespread opposition from people who feel it is needlessly complex, unlikely to work, very expensive and
unconstitutional.
The new PGP software sidesteps these arguments because it makes these features available voluntarily. Many corporations may
want the power to read an employee's files for the same reason that they might want copies of the keys to filing cabinets.
Steve Schoenfeld, the director of product management, said in an interview on Wednesday that many corporations asked PGP to
provide this access in case an employee is sick, injured or fired.
The new version also includes some of the most sophisticated techniques for enforcing this policy through
the corporation. The most novel may be a new version of software controlling a company's SMTP server,
the machine that acts as the central mailroom for a corporation. PGP provides a software agent that will
read all of the mail to make sure that it complies with the corporate policy. This may include requiring all
messages to be signed with digital signatures or include a backdoor that the management can use to read
the message. If the software agent discovers a message violates the policy, it can either return it to sender
or simply log a copy.
PGP implements the backdoor with a central key. Each message is encrypted with both the public key of
the recipient and the public key of the management. The message can only be read by someone holding the
corresponding private keys, in this case the recipient and the management. The software allows the
management to use different master keys for different departments by customizing the software.
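An added example, not PGP's own agent or code from the article: a gateway-side check of the kind described above, which lists the key IDs a message is encrypted to and rejects mail that omits the corporate key. It assumes RFC 4880 packet framing and a binary (de-armored) message; the key IDs, the helper _pkesk and the sample packets are constructed for illustration.

```python
# Added example, not PGP's agent: gateway check for a corporate recovery key.
PKESK, SKESK = 1, 3  # tags: public-key / symmetric-key encrypted session key

def packet_tag(hdr):
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return hdr & 0x3F if hdr & 0x40 else (hdr >> 2) & 0x0F

def read_packet(buf, pos):  # -> (tag, body, next_pos), definite lengths only
    hdr, pos = buf[pos], pos + 1
    if hdr & 0x40:                                  # new-format length
        first = buf[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 224:
            length, pos = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
        else:
            raise ValueError("length form not expected on session-key packets")
    elif (hdr & 0x03) == 3:                         # old format, indeterminate
        raise ValueError("indeterminate length not expected here")
    else:                                           # old format: 1, 2 or 4 octets
        size = (1, 2, 4)[hdr & 0x03]
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated packet")
    return packet_tag(hdr), buf[pos:pos + length], pos + length

def recipient_key_ids(msg):
    """Key IDs named by the session-key packets that precede the ciphertext."""
    ids, pos = [], 0
    while pos < len(msg) and packet_tag(msg[pos]) in (PKESK, SKESK):
        tag, body, pos = read_packet(msg, pos)
        if tag == PKESK and len(body) >= 10 and body[0] == 3:  # v3: ver, key ID, algo
            ids.append(body[1:9].hex().upper())
    return ids

def check_policy(msg, recovery_key_id):
    ids = recipient_key_ids(msg)
    if not ids:
        return "reject: no public-key recipient"
    return "accept" if recovery_key_id in ids else "reject: recovery key missing"

# Constructed sample data: key IDs and packet contents are made up.
def _pkesk(key_id, new_format=False):
    body = bytes([3]) + bytes.fromhex(key_id) + b"\x01\x00\x08\xAA"
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body
DATA = b"\xA7" + b"\x00" * 16      # tag 9 (encrypted data), indeterminate length
RECIPIENT, RECOVERY = "1122334455667788", "A1B2C3D4E5F60718"
WITH_KEY = _pkesk(RECIPIENT) + _pkesk(RECOVERY, new_format=True) + DATA
WITHOUT_KEY = _pkesk(RECIPIENT) + DATA
```

The gateway sees only the key IDs a message declares; confirming that the recovery key can actually open a message requires the holder of the private key to attempt decryption.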
The master key removes the need for a central database to hold a copy of all of the keys used, but it does
not remove the danger of someone compromising this master key. All key-recovery schemes share this
weakness and many computer security experts feel that the weakness could leave corporate networks in a
more vulnerable position because it would give an industrial spy a single point to focus an attack.
If the corporation discovers that its key has been compromised, then it must rapidly try to upgrade the key
throughout the system. Schoenfeld said that a future version will make it easier for the corporation to
recover from a loss. The current version introduced this week must be recompiled to include a new
version.
This forced recompilation is another feature that a company's management can use to enforce a uniform
policy. When a company installs PGP 5.5, it will choose which features it wants to give employees. The
rest will be stripped out so an employee couldn't use them. The PGP literature, for instance, suggests that
a company may want to prohibit "conventional encryption" with two private keys or perhaps encryption
without a backdoor in place.
The PGP management is clearly trying to accommodate the wishes of the branches of the United States
government responsible for intelligence gathering and law enforcement. Both the FBI and the National
Security Agency exert a great deal of influence on the products shipped by software companies by
regulating the export of the software. Currently, products that include key recovery systems are easier to
export, presumably because they make it easier for law enforcement officials to eavesdrop.
It is unclear how the marketplace will react to the new product. Earlier attempts by the Clinton
administration to push a less sophisticated key management system, known by the nickname Clipper, failed
to attract much interest in the private sector. Key recovery systems that leave control in the hands of a
corporation's management, however, are more likely to be adopted because they could be quite useful if
an employee is sick or out of the office.
Still, the new technology for enforcing policy may be much stronger than necessary to deal with accidents. While many people
understand a company's need to recover files, courts have occasionally recognized a person's desk as a private place protected
from unconstitutional searches. Similarly, surreptitious monitoring of phone calls is considered controversial enough that companies
usually notify callers if recording equipment is in use. It is difficult to predict which policies corporations will choose, but PGP gives
them a wide spectrum of options.
Bruce Schneier, an encryption expert and author of the popular book Applied Cryptography, said that the new announcement
"sounds like everything the FBI ever dreamed of." He also predicted that criminals will find ways to circumvent the restrictions while
honest people may be more vulnerable to illicit use of the master key.
Schoenfeld said he disagrees because corporations will be able to voluntarily choose how much key recovery to implement and may
choose none. "There's a tremendous difference," he said, "between forcing everyone to do something and giving corporations the
tools to manage their security."
CryptoSoft GmbH
Copyright ©1995-1998 Cryptosoft GmbH
All Rights Reserved