FEATURES

Nortel's Entrust

by DAVID WILLIS

The administrator's major responsibilities are to enable users, recover keys for them and revoke access when necessary. User lists are maintained as entries in an X.500 directory, whether Nortel's or some other directory. The Entrust/Admin application lets administrators either enable individual clients or bulk-load them.

Entrust/Admin easily recovers users' key pairs when they forget their passwords or believe them to be compromised. The recovery generates a new profile for the user, while preserving access to files previously encrypted for that user. In much the same way, files encrypted for a user who is no longer employed by the company still can be read. These functions are under the tight control of the Entrust administrator--who, of course, must be a highly trustworthy individual. Further illustrating Entrust's use of checks and balances, Entrust/Officer can audit the administrator's activity via an Audit Record Viewer.
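The recovery model described above (a new profile that still opens old files, company access to a departed user's files, and an audit trail the officer can inspect) can be sketched in code. The following is an added example, not Entrust's software: it assumes that each user's decryption key is escrowed under an administrator recovery key, that a profile carries the history of its earlier keys, and that every administrator action is appended to an audit log. The stream cipher inside it is a toy SHA-256 keystream standing in for CAST or DES.

```python
"""Administrator key recovery with audit (added example; assumptions noted in comments)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode. Stand-in for CAST/DES, not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag, so a wrong key is detected."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Profile:
    user: str
    current_key: bytes
    key_history: List[bytes] = field(default_factory=list)  # assumption: kept after recovery

    def open_file(self, blob: bytes) -> bytes:
        # Try the current key, then older ones, so files encrypted before a recovery still open.
        for key in [self.current_key] + self.key_history:
            try:
                return decrypt(key, blob)
            except ValueError:
                continue
        raise ValueError("no key in profile decrypts this file")


class Admin:
    def __init__(self, recovery_key: bytes):
        self._recovery_key = recovery_key          # assumption: escrow is sealed under this key
        self._escrow: Dict[str, List[bytes]] = {}  # user -> escrowed (encrypted) decryption keys
        self.audit: List[Tuple[str, str]] = []     # what an officer's audit viewer would read

    def enable_user(self, user: str) -> Profile:
        key = secrets.token_bytes(32)
        self._escrow.setdefault(user, []).append(encrypt(self._recovery_key, key))
        self.audit.append(("enable", user))
        return Profile(user, key)

    def recover(self, user: str) -> Profile:
        """Issue a fresh profile whose history still covers every earlier escrowed key."""
        old_keys = [decrypt(self._recovery_key, e) for e in self._escrow[user]]
        new_key = secrets.token_bytes(32)
        self._escrow[user].append(encrypt(self._recovery_key, new_key))
        self.audit.append(("recover", user))
        return Profile(user, new_key, key_history=old_keys)

    def read_for_departed_user(self, user: str, blob: bytes) -> bytes:
        """Company access to a former employee's files; always leaves an audit record."""
        self.audit.append(("read-departed", user))
        for escrowed in self._escrow[user]:
            try:
                return decrypt(decrypt(self._recovery_key, escrowed), blob)
            except ValueError:
                continue
        raise ValueError("no escrowed key decrypts this file")


def demo() -> dict:
    admin = Admin(secrets.token_bytes(32))
    alice = admin.enable_user("alice")
    old_file = encrypt(alice.current_key, b"quarterly numbers")   # constructed sample file
    alice2 = admin.recover("alice")                                # user forgot her password
    still_readable = alice2.open_file(old_file) == b"quarterly numbers"
    new_file = encrypt(alice2.current_key, b"after recovery")
    departed = admin.read_for_departed_user("alice", new_file) == b"after recovery"
    return {"old_file_readable_after_recovery": still_readable,
            "departed_user_file_readable": departed,
            "audit": [action for action, _ in admin.audit],
            "keys_differ": alice.current_key != alice2.current_key}
```

The point to notice is the split of trust: the recovery key lets the administrator read anything, which is why the audit list is kept outside the administrator's control in the real product and reviewed by the officer.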

Far from full-featured, the optional Entrust/X.500 Directory basically is geared toward getting Entrust up and running. Its text-based interface is clumsy, and search options are primitive. If you've got an existing X.500 directory, or plan to implement one soon, use that instead.

It's possible to split the server processes across machines. Entrust/Manager should run on a highly protected host dedicated to the task with inbound network access prohibited. Entrust/Server and the X.500 directory should be placed on fast machines that have network proximity to client workstations.

Standards-Based Security

Entrust is not only secure, it's open. You can't beat Entrust's use of nonproprietary, open standards. It utilizes some of the most widely recognized protocols and algorithms, including those from RSA Data Security, the National Institute of Standards and Technology (NIST) and ITU Telecommunication Standardization Sector (ITU-T). Entrust/Client communicates with Entrust/Server via TCP/IP and LDAP. X.500 directory support means you may not have to create an entirely new user list just to oversee key management.

The only proprietary piece of Entrust is the Nortel CAST encryption algorithm, used by default. If you object to CAST, you can substitute the Data Encryption Standard (DES), which is used in many applications. Be aware, however, that CAST outperformed DES by a ratio of 2:1 in our tests.

Entrust won't bog down your network. Entrust/Client sends minimally sized requests to Entrust/Server, which then contacts the directory and Entrust/Manager applications on the client's behalf. Creating a client profile moves only approximately 8 KB of data between client and server. Unrestricted search-and-verification of names in the directory does not generate more than 46 KB of network traffic. Even with light network loads, client lookups are fast. From a directory of 5,000 users, a single user entry could always be found in less than three seconds, and wild-card searches returned 100 entries in less than five seconds.

Installing Entrust/Client is simple, although you can't do a fully automated client installation securely. The client requires that long strings be typed manually during installation. These authorization codes are created in Entrust/Admin and must be carefully guarded until they activate the software and initially identify the user to the system. Entrust/Admin also issues new authorization strings during any key recovery process.
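The authorization strings described here are a one-time enrollment secret: the administrator issues one for a named user, it must stay confidential until typed into the client, and it is worthless afterwards. The following added example (not Entrust's code) shows how such codes can be issued and checked on the administration side. It assumes the code is bound to one user, stored only as a salted hash, expires after a fixed window and is consumed by the first successful activation; the alphabet omits characters that are easy to confuse when typed by hand.

```python
"""One-time client authorization codes (added example; assumptions noted in comments)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: codes are typed by hand, so 0/O and 1/I are left out of the alphabet.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class PendingCode:
    user: str
    salt: bytes
    digest: bytes
    expires_at: float
    used: bool = False


class AuthorizationCodes:
    def __init__(self, ttl_seconds: int = 24 * 3600, now=time.time):
        self._pending: Dict[str, PendingCode] = {}  # keyed by a public code id, never the code
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be exercised

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        # Only this digest is stored; a copy of the admin database does not yield usable codes.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def issue(self, user: str) -> str:
        """Return the code to hand to the user out of band; only its hash is retained."""
        code_id = secrets.token_hex(4)
        body = "".join(secrets.choice(ALPHABET) for _ in range(24))
        code = f"{code_id}-{body}"
        salt = secrets.token_bytes(16)
        self._pending[code_id] = PendingCode(user, salt, self._hash(salt, code),
                                             self._now() + self._ttl)
        return code

    def activate(self, user: str, code: str) -> Optional[str]:
        """Return None on success (the code is then consumed) or a reason on failure."""
        code_id = code.split("-", 1)[0]
        rec = self._pending.get(code_id)
        if rec is None:
            return "unknown code"
        if rec.used:
            return "code already used"
        if self._now() > rec.expires_at:
            return "code expired"
        if not hmac.compare_digest(rec.digest, self._hash(rec.salt, code)):
            return "code mismatch"
        if rec.user != user:
            return "code issued to a different user"
        rec.used = True
        return None


def demo() -> dict:
    clock = [1_000_000.0]                       # constructed clock, seconds
    codes = AuthorizationCodes(ttl_seconds=3600, now=lambda: clock[0])
    bob_code = codes.issue("bob")
    carol_code = codes.issue("carol")
    wrong = bob_code[:-1] + ("A" if bob_code[-1] != "A" else "B")  # one character off
    results = {
        "wrong_user": codes.activate("eve", bob_code),
        "wrong_code": codes.activate("bob", wrong),
        "first_use": codes.activate("bob", bob_code),
        "replay": codes.activate("bob", bob_code),
    }
    clock[0] += 7200                            # two hours later, past the one-hour window
    results["expired"] = codes.activate("carol", carol_code)
    return results
```

Binding the code to the user name and consuming it on first use are what make the manual typing step tolerable: a code that leaks after activation, or that is tried against the wrong account, buys nothing.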

Clients must be purchased for every user; the authorization strings serve double duty as a software-metering mechanism. A single profile identifies a single user, who then may use the software from any number of clients under any platform. Fortunately, when an individual's keys are revoked (for example, when they leave the company), the profile license may be reused.

Current client platforms are Microsoft Windows 3.1, 95 and NT, Apple Computer Macintosh and Unix. We'd like to see a version of Entrust in a browser plug-in/add-in for verifying signatures or decrypting Web server content. Also, a stripped-down, command-line-only version for MS-DOS clients would help address users who want to verify a signature or decrypt a file on older platforms.

Nortel is way ahead of the pack in providing standards-based, cross-platform public key certificate management for corporate use. All components are exceptionally well documented. The client user interface is natural--and blazingly fast. Entrust finally supplies encryption and digital signatures that you can manage, and that users will find helpful.

How Secure Is Entrust, Anyway?

It's pretty darn secure. The 56-bit DES and 64-bit CAST encryption algorithms Entrust uses are probably robust enough for most business uses. They are much better than the anemic password-protection schemes used in popular office-automation applications and PKZIP. Sure, DES- or CAST-encrypted files could be hacked with a lot of compute power and time, but sloppy password management and access controls present a much larger risk.

Updated October 25, 1996