Encryption grows up

These five packages, led by Entrust/ICE, show encryption has matured.
By Stephen Cobb

Hacked systems. Stolen laptops. Secrets sold by disgruntled employees. You've turned to firewalls, electronic locks, passwords and ID cards for protection against these threats. But your job isn't done if you're not encrypting sensitive data. Encryption, which renders data unintelligible to anyone but the person holding the correct descrambler key, is rapidly becoming your best hope for keeping secrets secret. In fact, the five products we examined surpass previous generations of file-encryption software.

The products we reviewed range from offerings best suited for single systems to packages that scale up to the enterprise. However, none of the programs we used can talk to each other, which means anyone getting an encrypted file from you will need the same package, unless your program creates self-extracting encrypted files that can be opened by entering the correct password. This situation will not change until there is wider implementation of emerging standards such as Secure/Multi-purpose Internet Mail Extensions, IPsec, Internet Security Association & Key Management Protocol and Secure/WAN.

Our review shows that Entrust Technologies, Inc.'s Entrust/Integrated Cryptographic Engine (ICE) is your best bet for enterprise security, which is why it took Blue Ribbon honors. The package encrypts and authenticates files and e-mail and gives you the option of more industrial-strength protection, including hardware tokens. Symantec Corp.'s Norton Your Eyes Only has grown into a comprehensive, mature and full-featured package that comes in single-user and network versions. RSA Data Security, Inc.'s SecurPC is a solid package that now has network support, while McAfee Associates, Inc.'s PCCrypto supports self-extracting encrypted files but encrypts archives instead of files or folders. Finally, Querisoft, Inc.'s fledgling SecureFile uses digital certificate technology to authenticate senders and receivers.
The package's tight integration with Microsoft products, which have been criticized in the cryptographic community, has negative and positive implications.
Entrust in public-key infrastructure

Entrust/ICE is suitable for the enterprise because it ties desktops and laptops into the higher-level Entrust and Entrust/Lite public-key infrastructures and uses pioneering digital certificate technology developed at Northern Telecom, Inc., Entrust Technologies' parent. Entrust/ICE automatically encrypts documents that have a digital signature, a unique numeric identifier that enables you to verify the identity of parties in electronic transactions.

The package also automatically encrypts the contents of designated folders using any one of an impressive range of encryption schemes, including Nortel's proprietary Carlisle Adams and Stafford Tavares algorithm, the Data Encryption Standard (DES), Triple-DES and RSA's RC2. You can limit access to encrypted folders to yourself or to anyone on a list of recipients verified by their digital signatures. Entrust/ICE also can automatically encrypt selected files at system shutdown and decrypt them at start-up.

Entrust/ICE is well integrated with Windows 95 and NT 4.0 but requires you to license at least Entrust/Lite. When we looked at Entrust/Lite last year (NW, March 11, 1996, page 57) we said it delivered a full range of high-speed encryption, authentication and verification services in a single application that is relatively easy to install and administer. Only one Entrust logon is required to access the combined encryption and file-signing features of both products.

For your eyes only

If Entrust/ICE is suited for the enterprise, Symantec's Norton Your Eyes Only (YEO) extends a single-user file protection and access control utility to smaller networks.

In addition to file encryption, YEO offers a BootLock feature, which encrypts your system information to prevent intruders from accessing your hard disk. While it offers powerful protection, BootLock can render your hard drive inaccessible if something goes wrong. We strongly recommend you create an Emergency Unlock disk for insurance.
Like three of the other programs we looked at - McAfee's PCCrypto being the exception - YEO adds encryption commands to the Windows 95 and NT Explorer pop-up menu. However, YEO takes the extra step of adding an icon to the task bar for accessing the YEO Command Center, which is where you configure every aspect of data access on your PC. You can select RC4, RC5, Blowfish and Triple-DES to encrypt files, and there is an exhaustive set of password rules. The public and private-key sizes can be set anywhere from 256 to an impressive 2,048 bits.

Any files put in a designated YEO SmartLock folder are automatically decrypted when opened and encrypted when closed by authorized users. The plain text copy of an encrypted file is automatically deleted, and you also have the option to wipe ordinary files from your disk with YEO's Secure Delete File command. SmartLock folders don't encrypt program files, though this can be done manually. We had mixed feelings about the fact that SmartLock folders do not display an icon that's different from regular icons. This might add a certain amount of security-by-obscurity, but authorized users might like to see at a glance which folders are encrypted, instead of opening the Properties dialog box to check if there is an extra property sheet called ''Your Eyes Only'' for that folder.

Other nice touches in YEO are a hotkey-activated, password-protected screen saver and the ability to customize the user logon message. YEO also offers useful features for multiple-user and networked PCs. If other people use your computer, you can add them as secondary or guest users, varying the amount of access they have to your hard disk and connected network drives. A YEO Administrator version enables you to manage encryption across an entire network. You can create users, set their rights and selectively turn on or off all options from a single console.
You can define users in groups with a set of options and rights based on that group and configure password rules for everyone. When users forget their password, you can assign them a one-time password. Furthermore, YEO Administrator lets you set a ''superuser'' password, which gives you the ability to override ordinary passwords. This helps avoid a data-ransoming situation in which someone tells you to pay up or you won't get the password protecting access to an important-but-encrypted file. YEO Administrator also distributes preconfigured user modules and any updates or configuration changes, which are automatically installed when users log on. An agent at each workstation uploads audit logs to the console so you can monitor all security-related activities.

RSA: The Microsoft of security

Where Symantec's YEO is an extension to its traditional line of system protection utilities, RSA's SecurPC is an end-user version of the technology licensed to makers of everything from operating systems to Web browsers.

SecurPC encrypts files and folders on hard drives, diskettes and network drives. Before encrypting selected files, you are asked for your password, which can be kept in RAM to avoid repetitive reentering, but this comes at the risk of enabling an interloper to decrypt files if you leave your system unattended and unlocked. An encrypted file is given the extension .!!! with the original extension added to the file name in brackets. You use the AutoCrypt List to automatically encrypt and decrypt designated files and folders when you shut down or start Windows. However, it would be useful to have a ''files of type'' entry in the AutoCrypt List dialog box so you could designate all files of a certain type for encryption. While SecurPC won't encrypt executable or system files, it will create self-extracting encrypted files. This means the file can be sent to any Windows PC even if it isn't running SecurPC.
However, Macintosh users need the version of SecurPC for their platform in order to use this feature. To maximize performance, SecurPC uses RC4, a fast stream cipher. During setup, SecurPC creates a secret key based on random mouse movements and keystrokes. The secret key is used with the user password to protect the randomly generated RC4 keys. As a safety measure, network administrators can recover encrypted files if a user's password or userpref .!!! file is lost or unavailable. An Emergency Access feature creates an emergency key that can be split into parts, each held by a different person. A minimum threshold number of key parts is then required to decrypt a user's files. Administrators can also verify who encrypted the files.

Spreading out from viruses

As RSA attempts to crack into the end-user market, McAfee is repositioning itself as a security management company. Long synonymous with antivirus software, McAfee offers its PCCrypto software as a stand-alone product or as part of its VirusScan Security Suite - formerly the Desktop Security Suite - collection of security programs that includes a virus scanner, data backup tool, network traffic encrypter and PC firewall. McAfee recently announced Version 2.10 of PCCrypto, but we could not get it into the lab before press time. The new version, however, does not appear to be substantially different from the one we reviewed.

PCCrypto places files within encrypted archives with an .ENC extension instead of encrypting files or folders. These archives can also be converted to self-extracting files. During installation, a program group is created on the Windows Start menu and PCCrypto is accessed from there. When running PCCrypto, you can open Windows Explorer's Select Files dialog box. You can use multiselect to add files, but you can't use wildcards or add folders. Unfortunately, there are no file types in the ''files of type'' dialog box.
However, you can encrypt the contents of the Windows Clipboard and choose to use either a 40-bit PC1 algorithm, a fast stream cipher, or a 160-bit Blowfish algorithm. You can also compress plain text before encryption. The password to protect encrypted data can be up to 50 characters long and include spaces, numbers and symbols. Files in encrypted archives are displayed in a PCCrypto list box, allowing you to choose which you wish to decrypt. You're prompted for the password and warned if decrypting will overwrite an existing file. You can have details of PCCrypto operations, along with your comments of up to 60 characters, entered in a log file that is encrypted and password-protected. Finally, there is a facility on the wipe page to permanently erase data from your disk drive. Data that can be wiped includes disk files, file slack and free drive space, though you cannot use the wipe function on network drives.

Tightest of Windows ties

Of all the products reviewed, Atlanta-based Querisoft's SecureFile has the tightest integration with Windows 95 and NT. Because the product is not yet generally available, we looked at SecureFile Release Candidate 1.0, which can be downloaded free from the firm's Web site. The product primarily uses the RC4 algorithm - a 40-bit version for export and a 128-bit version for domestic use - but also works with a variety of other cryptographic engines and algorithms. Like Entrust/ICE, SecureFile makes extensive use of digital signatures and certificates for authentication.

Once installed, SecureFile commands are accessed from the Windows Explorer, where you can encrypt and sign files with your digital signature or encrypt files for decryption by any of the people whose certificate you have added to SecureFile. The package can work with any standard X.509 Version 3 certificates and store them in a convenient book.
Currently, certificates are generated by SecureFile itself, but the package will support certificates issued by independent Certificate Authorities when they become available. After a file has been encrypted, signed or both, SecureFile adds a .enr, .sgn or .sec extension. You can have the original file automatically deleted, but we were slightly uncomfortable that the program overwrites preexisting files without warning when an encrypted file of the same name is opened. You cannot encrypt folders using wildcards, but a handy wizard makes it relatively easy to secure files spread over different drives or folders. Only files on mapped network drives can be encrypted, as the wizard does not give you access to Windows' Network Neighborhood.

While SecureFile's tight integration with Windows is appealing in terms of ease of use, its reliance on Microsoft's CryptoAPI could be a drawback. In order to use SecureFile, you must install Microsoft Internet Explorer 3.02 or later, because SecureFile uses several updated CryptoAPI Dynamic Link Libraries that are distributed with Microsoft's free Internet browser.

The fact that workable solutions such as the five we examined are available is reducing your ability to argue against using encryption. Using encryption as your last line of defense against malicious intruders or misguided insiders makes a lot of sense in today's increasingly interconnected world, particularly when you factor in the fallibility of other security technologies. It not only makes sense, but it also could save a lot more than your data.