SNEAK PREVIEWS
Psstt! Security Designed For Your Eyes Only
by Kiran Movva
Encryption is necessary for ensuring data confidentiality between parties.
As the number of PCs and networks continues to grow, so does the need to
transmit confidential data such as critical corporate and personal information.
Whether you're exchanging confidential data over your corporate network
or the Internet, Symantec's Your Eyes Only provides an easy on-ramp to secure
communications. Your Eyes Only is a fast, easy-to-use, affordable, industrial-strength
encryption product for the Windows95 masses. This product, along with its
Administrator console, provides much easier key management within a company
than existing products, such as the commercial versions of Pretty Good Privacy
(PGP). While it cannot selectively encrypt text within an e-mail note or
a document, like Scrambler Technologies' Scrambler, Your Eyes Only is a
great buy.
There are two types of encryption technologies: secret key and public key/private
key. With secret key, the sender encrypts the data with a secret key, and
the receiver decrypts it using the same secret key. The problem lies in
sharing the common secret key electronically. With public key/private key,
a public key identifies the user and becomes available to anyone globally.
(Normally a list of users' public keys is provided internally in corporations.)
A sender encrypts the data with a recipient's public key. However, only
a user with the corresponding private key can decrypt this data, since the
private key is the only key that can reverse an encryption performed with its
public key. Thus, there is no need to transmit any confidential portion of the keys.
Your Eyes Only uses five different types of secret key encryption algorithms:
DES (56 bits), Triple DES (effectively 112 bits), RC4 (128 bits), RC5 (128
bits) and Blowfish (128 bits)--all of which you can select during any file
encryption. Even the shortest key offered by Your Eyes Only suffices for most
internal confidentiality needs.
To facilitate the exchange of the secret key, Your Eyes Only first encrypts
the data with a unique and random secret key; its length depends on the
selected encryption algorithm. The secret key is then encrypted with the
receiver's public key. When the data reaches the receiver, the secret key
is decrypted using the receiver's private key, and then the data is decrypted
using the secret key (see diagram at left). The only caveat is that the
recipient must have Your Eyes Only software because there is no standard
for forming keys. Your Eyes Only uses its own format for its keys just as
other products do.
For a 550-KB file, it took from two seconds to six seconds to encrypt, and
two seconds to nine seconds to decrypt, depending on the algorithm and the
size of the public key/private key pair.
Your Eyes Only installs with minimum hand holding. You are prompted for
a password and user ID, which are required to run Your Eyes Only. You can create
additional IDs later. You are also asked to pick the size of your public key/private
key pair. (The recommended value is 768 bits, but Your Eyes Only can handle
a maximum of 2,048 bits.) Larger key sizes slow down the encryption/decryption
time. Finally, the setup process prompts you to create an "Unlock"
disk, which, in the event you lose your password, lets you or other users
decrypt any encrypted files.
I also tested the Administrator version. When used by itself, it lets a
central coordinator generate public key/private key pairs for users, maintain
passwords and user information, and view user audit logs, over the network or
via disks. You can also generate setup disks for users with the key information
and a default recipient list (key chain). When used with Norton Administrator
for Networks, you can distribute the software electronically via the network.
A superuser ID and password are set during installation and, as with the standalone
version's Unlock disk, the superuser ID can decrypt any data if a user loses
the password. If a user who received the setup disks from a central coordinator
encrypts data for another user to decrypt, Your Eyes Only adds the public
key of the superuser to the recipient list.
Put a Lock on It
When you first restart your PC after the installation,
you are presented with a Norton DiskLock login prompt. Sometimes there is
a noticeable delay while the prompt loads, so you may see the Windows95
login prompt appear before the DiskLock login. Once you enter the specified
user ID and password, the normal Windows95 login process continues. You
access the Your Eyes Only Control Panel by double-clicking on the service
icon in the Windows95 Tray, or by executing it from the Your Eyes Only folder.
Here you perform administrative functions for your software copy, such as
changing your password or setting up rules for others who may use your PC,
and enabling/viewing the audit logs. Your Eyes Only can audit logins to
the PC to see what files were accessed and which were encrypted. You can
also view audit logs for the PC over the network via the Your Eyes Only
Network Administrator program. Right-clicking on a file in Explorer shows
options to manually encrypt or decrypt a file.
Your Eyes Only's best feature is the SmartLock folder. You can designate
any folder on your hard drive (new or current) as a SmartLock folder. Files
already existing in this folder, and any new files added to this directory,
are automatically encrypted. If you try to access one of these files, it
is automatically decrypted and presented to you. If another user tries to
access this file and has not logged into Your Eyes Only at boot-up time,
then the file appears as garbage data and the application trying to access
the file will report an error.
When you encrypt any file or folder, you can select which users' public
keys will be on the recipients list (key chain). Only those users with the
corresponding private keys can decrypt the data. The list of public keys
used to encrypt the file or folder is the key chain. If the intended recipient
is not on that list, you can ask the user to export the public key and
send it via e-mail or on a disk. Once imported, that user appears in
your list of possible recipients.
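As an added illustration (not Symantec's code) of the two-layer scheme described earlier and of the key chain just discussed, the Python sketch below encrypts a file once under a random secret key, then wraps that key for each public key on the recipient list; adding a "superuser" entry shows how the Administrator version's automatic superuser recipient gives a central coordinator the same ability to decrypt as the intended recipient. It assumes a deliberately tiny textbook RSA and a SHA-256 keystream as stand-ins for the product's RC4/Blowfish ciphers and proprietary key format, and the recipient names are constructed.

```python
import hashlib, math, secrets

def is_probable_prime(n, rounds=20):
    # Miller-Rabin; callers only pass large odd candidates, so no small-case handling
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while not is_probable_prime(c := secrets.randbits(bits) | (1 << (bits - 1)) | 1):
        pass
    return c

def rsa_keypair(bits=80, e=65537):
    """Toy textbook RSA (no padding, far too small for real use): returns ((n, e), (n, d))."""
    p, q = random_prime(bits), random_prime(bits)
    while p == q or math.gcd(e, (p - 1) * (q - 1)) != 1:
        p, q = random_prime(bits), random_prime(bits)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def keystream_xor(key, data):
    # SHA-256 in counter mode stands in for the review's RC4/Blowfish session cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def envelope_encrypt(plaintext, recipients):
    """Encrypt once under a random 128-bit session key, then wrap that key for every recipient."""
    session_key = secrets.token_bytes(16)
    k = int.from_bytes(session_key, "big")
    key_chain = {name: pow(k, e, n) for name, (n, e) in recipients.items()}  # one wrapped copy per public key
    return keystream_xor(session_key, plaintext), key_chain

def envelope_decrypt(ciphertext, key_chain, name, privkey):
    """Only a holder of the private key matching a key-chain entry recovers the session key."""
    if name not in key_chain:
        raise PermissionError(f"{name} is not on the key chain")
    n, d = privkey
    session_key = pow(key_chain[name], d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)
```

Every wrapped copy on the key chain is a full recovery path for the file, so the superuser's private key (and the Unlock disk in the standalone version) protects every file in the company and deserves at least the care given to the files themselves.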
The machines on which I did my testing crashed under Windows95 three times
over the course of one week. (Symantec was working on this issue at press
time.) We also experienced problems when secondary users could not log in,
but this problem should be fixed by the time of the product release.
Kiran Movva is a systems analyst at a major energy corporation on the
West Coast. He can be reached at kmovva@nwc.com.
Updated July 8, 1996