The confidentiality, integrity and availability of your on-line
information have never been more at risk. Fortunately, one effect of the
Internet's recent rise to stardom has been an upsurge of network security
awareness. Northern Telecom, Inc.'s Entrust packages are part of a rapidly
expanding category of products that offer effective solutions to some of
the more challenging security problems.
Entrust promises a full range of high-speed encryption, authentication
and verification services in a single application that's relatively easy to
install and administer. We reviewed the workgroup version, Entrust/Lite,
and found it goes a long way toward delivering on that promise. In addition
to robust security, Entrust offers smooth integration with word processing
and messaging applications, two areas where encryption can be most valuable.
Entrust yields fast, strong encryption of files using either the Data
Encryption Standard (DES) or the proprietary CAST algorithm. (CAST stands
for Carlisle Adams and Stafford Tavares, the algorithm's inventors.) In
addition, Entrust provides digital signing of files through public key
encryption, to verify the files' source and integrity when they reach their
destination. This protects against source spoofing and modification of data
in transit.
Furthermore, through the use of recipient lists, Entrust ensures that
encrypted information can be decrypted only by the person intended to get
it. And all of this is done without users having to choose or communicate
passwords, which is typically a weak point in encryption schemes.
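The sign-and-encrypt flow the two preceding paragraphs describe (a digital signature that verifies source and integrity, plus a recipient list so that only the intended users can decrypt, with no password ever chosen or communicated) is shown below as an added example in Go. It is not Entrust's or Nortel's code: it assumes RSA-PSS signatures, RSA-OAEP key wrapping and AES-256-GCM as a modern stand-in for the DES/CAST ciphers mentioned above, and the `Package` type and the `Seal`/`Open` functions are illustrative names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is the sealed file: signature, ciphertext, and the content key wrapped to each recipient.
type Package struct {
	Signature   []byte
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient name -> content key encrypted to that recipient
}

// Seal signs plaintext with the sender's private key, encrypts it under a fresh random content
// key, and wraps that key to every recipient. AES-256-GCM is an assumed stand-in for DES/CAST.
func Seal(plaintext []byte, sender *rsa.PrivateKey, recipients map[string]*rsa.PublicKey) (*Package, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	contentKey := make([]byte, 32) // never chosen, typed or transmitted by a user
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped := make(map[string][]byte, len(recipients))
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		wrapped[name] = w
	}
	return &Package{Signature: sig, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: wrapped}, nil
}

// Open unwraps the content key for the named recipient, decrypts, then checks the sender's
// signature. Users not on the list, tampered ciphertext and spoofed senders are all rejected.
func Open(pkg *Package, name string, priv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	w, ok := pkg.WrappedKeys[name]
	if !ok {
		return nil, errors.New("recipient is not on the recipient list")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
	if err != nil {
		return nil, errors.New("this private key cannot unwrap the content key")
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed authentication: modified in transit or wrong key")
	}
	digest := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], pkg.Signature, nil); err != nil {
		return nil, errors.New("signature does not match the claimed sender")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	alice, bob, eve := gen(), gen(), gen() // eve has a key but is left off the recipient list
	pkg, err := Seal([]byte("competitive market analysis (constructed sample)"), alice,
		map[string]*rsa.PublicKey{"bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	for _, u := range []struct{ name string; key *rsa.PrivateKey }{{"bob", bob}, {"eve", eve}} {
		pt, err := Open(pkg, u.name, u.key, &alice.PublicKey)
		fmt.Printf("%s: %q err=%v\n", u.name, pt, err)
	}
}
```

The content key exists only inside the sealed package, wrapped separately to each listed recipient, which is what removes the need to pick or share a document password. On the receiving side the ciphertext is authenticated before the signature is checked, so modification in transit and source spoofing both surface as distinct, explicit errors rather than as silently garbled output.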
Entrust/Lite 2.0 handles workgroups of up to about 100 users for as
little as $50 per user - relatively inexpensive for a commercially
supported product offering this level of cryptographic strength and
functionality. For larger scale networks, the full version of Entrust,
which uses X.500 directory services to provide enterprisewide encryption
key management, varies in price according to the number of users. However,
the client component of Entrust is exactly the same as the full-size
version, and the versions are completely compatible.
Entrust represents significant progress toward simplifying the often
complex problems of managing encryption. It automatically manages the keys
to encrypted documents while using powerful encryption mechanisms.
For example, suppose you've written a competitive market analysis in
Microsoft Corp.'s Word and want to password-protect it before making it
available to a group of colleagues. If you use the password protection
built into Word, you have to figure out a secure way of telling your
associates what the password is, and you expose the document to tampering
or disclosure by anyone who can use one of the many Word password-cracker
programs available on the Internet.
If you use Entrust, there is no need to choose, transmit or remember
document passwords; Entrust takes care of this, and it also verifies
that the contents have arrived unchanged - even in the unlikely event that
someone has broken the powerful encryption code applied by Entrust. The
technology that makes this possible is complex (see story, this page).
However, Nortel has done a good job of making the Entrust interface a model
of simplicity.
Installation
Entrust consists of separate Manager and Client modules available for
Windows 3.X, 95 and NT, MacOS and major commercial Unix variants. The
Manager is used to establish and administer user accounts. Access to this
module should be limited to the security or network administrator, who
holds the power to decrypt anything encrypted by any user. This is an
important backdoor for organizations concerned about abuse of encryption.
It prevents rogue employees from attempting to ransom data.
Despite the terminology, you do not have to install the Manager on a
network server; in fact, you don't have to be connected to a network to
deploy Entrust. You can send secure documents between offices on disk or
via dial-up electronic mail. This gives you considerable flexibility when
dealing with notebook machines. The manuals accurately describe how to make
the most of both network and off-line installations.
When you install the Manager module, you assign a master password.
This has to be at least eight characters, including at least one digit, one
capital letter and one special character. That means there are roughly 8
possible combinations, or thousands of centuries worth of cracking attack
time, even at one million attempts per second.
The Client module is used to encrypt and sign files. The Client also
manages recipient lists, consisting of other Entrust users with whom you
want to exchange information.
A security administrator uses the Manager to set up each Client user,
assigning names and creating small packets of documentation that include an
initial password. The manual does a good job of leading you through this
process, although if Nortel really wanted to spoil us, it would have
included templates for the end-user documentation described in the manual.
We particularly liked being able to display our own custom bitmap banner
automatically every time a user loaded the Client module. You might use
this feature to display a corporate logo or refer to corporate security
policy.
Client installation is straightforward. You have the chance to select
support for E-mail - although your choice is limited to Microsoft Mail or
Lotus cc:Mail - plus macro support for Word 6.0 that lets you save and open
files directly in encrypted format. Once the Client packages are in place,
users have control over several important options, starting with the
ability to change the password that gives them access to the Client module.
User-selected account passwords are, potentially, the weak link in
this encryption scheme because someone who discovers your account password
can decrypt files. Entrust offers two defenses. First, the password
provisions are very tough - with a three-tries-and-you're-out defense
against brute-force attacks.
Second, Entrust allows the equivalent of a removable token, without
which your account cannot be accessed. This is actually the file containing
the user profile, which can be stored on a floppy disk instead of the hard
drive, turning the disk into a portable token.
Another nice touch is the time-out provision, which logs you out of
the Client program after a user-specified time period of inactivity,
defending against abuse of an unattended machine.
The Client module allows users to employ Entrust's encrypting and
signing services in a variety of ways. Microsoft Word documents can be
saved into encrypted format direct from the File menu in Word. A .ENT
extension is used to distinguish these files, which can also be decrypted
with the special Open command that Entrust's macros place on Word's File
menu.
When you configure Entrust Client to work with cc:Mail or Microsoft
Mail, you can encrypt and transmit files as E-mail attachments from within
the Entrust Client. A file appears as an icon in the message when it is
viewed by the recipient. Double-clicking on the icon calls up the
decryption dialog box, which includes a handy Launch button to load the
decoded document directly into the application. This feature is convenient,
but, as the dialog boxes warn, the E-mail messages themselves are not
encrypted, just the attached files.
Also, Entrust requires identical naming conventions for users of both
Entrust and the E-mail package. This may sound like a reasonable
requirement, but it could involve a lot of effort for larger workgroups. A
system for mapping E-mail names to Entrust Client names would be a nice
enhancement.
Other types of data can be encrypted, signed, decrypted, verified or
erased securely by using the menus and file selection dialog box in the
Client module, or by dragging and dropping files onto buttons that the
Client module displays. We encountered no problems transmitting a variety
of signed and encrypted files around our LAN.
The speed with which Entrust encrypts is quite impressive. Our
972,938-byte Word document took 18 seconds to sign, encrypt and compress on
a Compaq 486SX workstation using Nortel's CAST algorithm and 20 seconds
using DES. The resulting file was about 94,800 bytes. By comparison, it
took PKzip 24 seconds to perform standard compression of the same file at
the DOS prompt, without password protection, but PKzip squeezed the file to
69,825 bytes. In fast mode, PKzip took only 6 seconds but compressed the
file only to 113,362 bytes.
Entrust's documentation is excellent, and installation, while not
trivial, is as easy as anything we have seen in an encryption product.
There's a lot Entrust does not do. It does not encrypt E-mail
messages, perform automatic encryption of documents on the fly at the
operating system level, or create a special partition in which all
documents are transparently encrypted; you have to invoke Entrust for
specific files.
But the speed and strength of Entrust's encryption, together with its
automatic handling of key management and document verification, make it
easy enough and powerful enough to put a high level of security within
practical reach of any organization.