Cheaper techniques take on PKI

Forget PKI, there's a simpler way of sending secure messages provided by a crop of new companies.
Written by Scott Berinato, Contributor, and Dennis Fisher, Contributor

You've heard the story about NASA spending millions of dollars to develop a pen that could write in zero gravity while the Soviet Union used pencils.

For many security administrators, PKI (public-key infrastructure) is the zero-gravity pen. But a crop of small companies believe they have the pencils - new products that offer simple, clever techniques to secure messages without a massive, expensive overhaul of an enterprise.

Most of the products' techniques borrow from everyday technology, such as HTTP and online storage services. The techniques are the latest to take on the "Napster effect" - that is, focusing on peer-to-peer communications that take as many servers as possible out of a transmission.

The purveyors of the new products, including SafeLoop Inc. and Hilgraeve Inc., have simply chosen to retrofit the wheel, rather than reinvent it.

"PKI is valuable for really secret stuff, but most people don't want the hassle you have to go through in order to use it," said Maclen Marvit, co-founder of Disappearing Inc., an email security service provider based in San Francisco.

"Users have to decide how secure they want their mail and decide where the trade-off is in terms of ease of use," Marvit said. "As the world has moved toward lighter-weight computing, PKI is becoming a tougher sell."

In the process, experts say, alternative techniques will change how security administrators approach infrastructures.

For example, instead of applying security to all e-mail, a la PKI, new solutions let users route the small amount of e-mail that requires security through a separate secure system.

"There's the analogy of home security," said analyst Frank Bernhard of Omni Consulting Group LLP, in Davis, Calif. "You can wire your home and set up an intrusion service and pay for that infrastructure, which is fairly expensive. Or you can lock your doors and put stickers in the windows."

The latter method is more immediate, nearly as secure and not as costly, Bernhard said.

Right under your nose

It's an old story: Low cost and ease of use - not a highly secure infrastructure - sell secure messaging.

SafeLoop's strategy takes the approach of sending messages via HTTP instead of SMTP, thereby hiding e-mail among the billions of Web pages being downloaded at any given time.

"We hide in plain sight," said Art Hunter, president of SafeLoop, of Ottawa. "Most people will spend their time sniffing SMTP because there's nothing interesting being sent through HTTP."

SafeLoop, however, doesn't trust just hiding in the crowd to secure messages. Mail is also cloaked in 128-bit encryption. The key to decrypt the messages is also encrypted and is generated on a user's local machine, not on a central key server.

In addition, the database where the messages are stored is encrypted, Hunter said. Because the messages are sent with HTTP, no copies are stored at servers along the way, as with SMTP mail.

SafeLoop is a closed network of users who are able to exchange secure messages. You must have the SafeLoop software to send a message to a SafeLoop user.

That could be a weak spot: Adding client software means more complexity. But SafeLoop developers argue that the software takes less than 30 minutes to install and configure and offers a simple, Web-based user interface that is far less intrusive and much easier to use than PKI.

"It is extremely easy to use, and I was able to use it immediately with no need for training—unlike PGP [Pretty Good Privacy], which I did have difficulty figuring out how to use," said a SafeLoop user who works as a marketing consultant for an Internet startup and asked not to be identified. She uses the service to send confidential company data that she said she would never consider sending via regular e-mail.

For its part, Hilgraeve, of Monroe, Mich., is using online storage services as an alternative to PKI.

Its new Hypersend service encrypts a document and sends it from a user to Hypersend servers, avoiding as many Internet routing points as possible.

As soon as the receiver picks up the document, it's eliminated from the server.

Users can also request an "encrypted envelope," which keeps mail scrambled, even when it reaches its destination, and can only be decrypted by a "shared secret" password. Hypersend is free for up to 10MB of storage or 100 transactions per month, with fees starting after that.

Securing health data

Jim Bloedau, founder and president of Information Advantage Group Inc., in San Francisco, is using Hypersend and DropChute, another Hilgraeve product that provides secure peer-to-peer communications, to secure his communications.

IAG is a health care company that must comply with HIPAA (Health Insurance Portability and Accountability Act) and provide secure electronic transactions for health care data. Many in Bloedau's industry have assumed PKI would be required to comply with HIPAA, but he said Hilgraeve's system is vastly less expensive and has been deemed HIPAA-ready by federal officials.

"Early on, it looked like some complex thing called PKI would be required. I've been living with that conversation for five years," Bloedau said. "But in health care, there's not the talent, money, patience nor trust of computers really to adopt PKI.

"This system we have now meets the requirements, is far less expensive, and, unlike PKI, it matches the behavior of users," he added. "That's the clever part to me."
