PGP Goes Universal, to Support S/MIME

R. A. Hettinga rah at shipwright.com
Mon Sep 15 01:15:36 EDT 2003


<http://www.cbronline.com/print_friendly/c95021cb08870d6580256da20018cbe5>

DATE: 15/09/2003 
PGP Goes Universal, to Support S/MIME 

By Kevin Murphy 

PGP Corp says it has reached a key product milestone, and will today unveil PGP Universal, a system it says radically simplifies the process of encrypting email and attachments in enterprise-wide deployments. 

As we reported two months ago, the latest PGP product will offload the hassle of encrypting and signing email from the client to the network, making PGP, sometimes described as too complex, virtually transparent to the end user. 

Stephan Somogyi, director of products at the company, also revealed that later in the fourth quarter the company will add support for both X.509 certificates and S/MIME encryption to the software. S/MIME is in some respects a competing standard. 

PGP, for Pretty Good Privacy, is a public key cryptography method generally used in email. Usually, each client is responsible for generating their key pair and publishing their public key, so that users can encrypt mail they send them. 

This has helped slow the adoption of public key infrastructure among end users in general. "PKI does not lend itself to easy explanation, it does not lend itself to easy metaphor," Somogyi said. 

In PGP Universal, most of that work is taken care of in other parts of the network. The new suite has software that can be deployed internally between the client and the mail server, or in the demilitarized zone, or both.

The software is responsible for automatically generating a key for users when they first send mail, and subsequently applying administrator-set security policies on encryption and signing whenever email is sent, Somogyi said. 

Companies could choose to encrypt communications based on policies such as the sender or recipient. Communications between the client and PGP server can be encrypted using SSL, so plaintext is never sent over the wire, Somogyi said. 

For external recipients, who will often not be PGP users, there are two ways of reading encrypted messages. The PGP server in the DMZ can act as a HTTPS server that serves up the (optionally password-protected) text, and offer the recipients a downloadable reader plug-in for subsequent messages. 

Somogyi said that upgrades to the software due later this year will allow support for S/MIME and the X.509 certificate standard used in PKI. 

S/MIME and OpenPGP, based on PGP, are two standards currently being pondered over in the Internet Engineering Task Force. PGP Corp is not convinced S/MIME is as good, but intends to support it anyway. 

But Somogyi said the company will have higher standards of key strength than other S/MIME implementations. "We will not support 40-bit S/MIME," he said. "We will treat these 40-bit messages as unencrypted."

40-bit S/MIME was famously found to be susceptible to a brute-force attack, using a Windows screensaver program, by security consultant Bruce Schneier, now CTO of Counterpane Security Inc, in 1997. 

At the time, 40 bits was the default key length used in Microsoft's Outlook S/MIME implementation. Now, Outlook 2003 running on Windows 2000 or XP allows 40-bit or 128-bit keys, according to Microsoft documentation. 

Copyright | ComputerWire 2003 

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


