
Start-up aims to ease sending and receiving encrypted mail

Aug 04, 2003 | 4 mins
Access Control, Enterprise Applications

* Identity-Based Encryption

I mentioned a couple of weeks ago that the only really new thing I saw at this year’s Catalyst Conference was the Identity-Based Encryption offered by Voltage Security, a start-up in Palo Alto (hard by the border of Stanford University from whence so many Silicon Valley start-ups emerge).

Even this, though, isn’t that new an idea. IBE grew out of a research project that began in 1984. It resembles standard public-key/private-key encryption (usually deployed through a public-key infrastructure, or PKI), but with a twist that makes it much easier to implement.

I’ll give you an example: Imagine there is a user, Jane, at Alpha Co., who wants to send secure e-mail to user Bill at Zeta, Ltd.

Standard PKI implementations require that Bill register with a Certificate Authority and receive a pair of very large numbers. One of the pair is called the private key (which Bill needs to keep secret), and the other is called the public key (which Bill needs to publish to anyone who wants to send him encrypted messages). Often, a company like Zeta, Ltd would act as its own Certificate Authority, but many don’t, and in this example Bill needs to find a Certificate Authority with which to register. Meanwhile, Jane is drumming her fingers and twiddling her thumbs waiting for Bill to set up his PKI.

With an IBE scheme such as the one offered by Voltage Security, Bill and Zeta, Ltd don’t have to do anything to enable Jane to send him an encrypted message. Alpha Co. would need to install an IBE service (such as Voltage Security’s SecurePolicy suite), and Jane would install a plug-in to her e-mail client.

When Jane creates a message for Bill, she simply clicks a button (or checkbox, or other indicator) and the message is encrypted with Bill’s e-mail address (or other designated string, such as address + department, or address + date, for example).

Assuming that Bill doesn’t have an IBE client already, he’ll receive a message informing him that there’s an encrypted message pending from Jane and that he needs to install the client software to decrypt it. Bill would then contact either Zeta, Ltd’s IBE service or Alpha Co.’s “enrollment server” (part of the Voltage suite). Once he authenticates to this service (using standard methods such as Kerberos, or even a PKI certificate), he downloads the plug-in for his e-mail client (currently supported clients include Microsoft Outlook, Lotus Notes, Microsoft Outlook Express, Eudora, Blackberry, Hotmail, and Yahoo Mail) and the decryption takes place. Bill doesn’t need to learn any large numbers, write down pass-phrases or keep a text file with step-by-step instructions – encrypted messages are decrypted in the background based on Bill’s authentication to the mail service.
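The flow above in runnable miniature, added here as an illustration and not Voltage’s code: Cocks’ 2001 identity-based scheme (chosen for brevity, since it needs only integer arithmetic, not because it is the construction Voltage uses), with the identity string set to Bill’s address plus a month so that the private key the enrollment server issues is good only for that period. The primes, the address and the message are constructed toy values; the sender needs only the public parameter N and the identity string, while the master secret stays on the key server.

```python
import hashlib, itertools, secrets

# Cocks' identity-based scheme over toy-sized Mersenne primes (both 3 mod 4).
# Constructed for the demo only: far too small to be secure.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N = P * Q               # public parameter: all a sender's client needs
MASTER_SECRET = (P, Q)  # held only by the enrollment (key) server

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def identity_to_a(identity):  # hash e.g. 'bill@zeta.example|2003-08' to a with (a/N) = 1
    for counter in itertools.count():
        h = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(h, "big") % N
        if jacobi(a, N) == 1:
            return a

def extract_private_key(identity):  # key server, only after the recipient authenticates
    p, q = MASTER_SECRET
    return pow(identity_to_a(identity), (N + 5 - p - q) // 8, N)  # r with r^2 = +a or -a

def encrypt_bit(a, bit):  # sender side: needs only N and the identity-derived a
    m, pair = (1 if bit else -1), []
    for sign in (1, -1):  # two values because the key server's r may satisfy r^2 = a or -a
        t = secrets.randbelow(N)
        while t < 2 or jacobi(t, N) != m:
            t = secrets.randbelow(N)
        pair.append((t + sign * a * pow(t, -1, N)) % N)
    return tuple(pair)

def encrypt(identity, data):  # Jane's plug-in: one ciphertext pair per bit of the message
    a = identity_to_a(identity)
    return [encrypt_bit(a, (byte >> i) & 1) for byte in data for i in range(7, -1, -1)]

def decrypt(identity, r, ctxt):  # Bill's plug-in, using the key r fetched from the server
    a = identity_to_a(identity)
    idx = 0 if pow(r, 2, N) == a else 1
    bits = [jacobi(pair[idx] + 2 * r, N) == 1 for pair in ctxt]
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8])) for k in range(0, len(bits), 8))
```

A key issued for "bill@zeta.example|2003-09" does not open a message addressed to the August identity, which is how the address-plus-date trick gives expiry without revocation lists.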

The total amount of work needed to implement this solution is about the same as with a “standard” PKI offering; the difference is a subtle shift in where the effort falls. The sender in the traditional system has a lot of prep work before the message can be sent – find the public key, ensure it hasn’t been revoked, install it in a third-party encryption package that works with your e-mail client, and only then are you ready to send the message.

The people at Voltage allege that the bar is too high and that too often the user simply sends the message unencrypted which places the secret information at risk. With IBE, the sender simply clicks on a button (or checks an option box) and the encryption happens – no extra steps are needed. The “extra steps” are foisted off on the recipient, who may have to find and install client software and then get a private key from a server, somewhere. But the recipient has a much higher incentive to do the work than the sender does. Without doing the work, the recipient can’t read the message.

If this catches on, encrypted e-mail would become the norm (which could help slow the growth of spam, as just one side benefit) and identity management would score points for, once again, delivering the goods when needed.