ate WANs, where a central administrator must install individual keys on every computer.
Public and Private Keys
Entrust comes in two pieces: Entrust Manager and Entrust Client. The former maintains an easy-to-administer list of users' private and public key pairs. With the Entrust Manager software, you create a public and private key pair for each new user. Your organization publishes the public key in a central directory; you give the encrypted private key to the user in a separate file along with installation instructions. The Manager manual even includes a sample letter that gives a new user all the necessary local information.
The administrator also retains an encrypted copy of the private key in a special file that he or she must keep secret. If someone leaves the company, forgets a password, or calls in sick, the manager can reconstruct the user's key from this file. This is an effective form of corporate key escrow that doesn't compromise any individual.
Other key-escrow plans involve adding to each message a special field that includes the session key encrypted with some master key. If the master key is compromised, then all communications are shut down. Entrust's master file can also be stolen, but you can protect it by physical means. There's no way to mount an attack by gathering the special fields encrypted with the special escrow key.
The Entrust Client can encrypt, decrypt, or sign files using either DES or Nortel's proprietary CAST algorithm. The public-key encryption uses the Rivest-Shamir-Adleman (RSA) algorithm. Especially nice is the ability to encrypt a file so that several people, or a group, can read it. The file is encrypted with a session key, which in turn is encrypted with the public key of each of the recipients. This allows you to place a file in a public directory and give access to any number of people.
The software also interacts with Microsoft Mail and cc:Mail, although we think it could be made more invisible. We'd like to be able to set it to routinely encrypt all information without requiring intervention.
The package we tested was Entrust Lite, a cut-down version aimed at companies with up to 200 users. Entrust Lite maintains public-key certificates in a simple file on a central server. The full-strength version can handle much larger systems that stretch across multiple domains and networks, and it supports a full X.500 certificate-maintenance system.
Entrust is one of the most thorough encryption and key-maintenance systems available. The key-backup system allows an organization to recover lost keys without involving a third party. The software is designed to work seamlessly across borders. The export version may be limited to 40-bit keys, but it works with the full-strength U.S. version. This makes it a good choice for managing keys around the world.
Entrust's greatest weakness could also be considered a strength. It's a stand-alone mechanism that must be invoked by the user or by customized software using the Nortel API. Some programs, like Lotus Notes, offer much more transparent encryption, but only for their own documents. Entrust can handle any document--if you remember to use it.
PRODUCT INFORMATION
Entrust Lite for Windows: single user, $125; five users, $375; more than 50 users, $50 per user
(all prices include manager software)
(for Windows 3.1x, 95, and NT; Unix; Mac)
Nortel (Northern Telecom)
Secure Networks Group
Ottawa, Ontario, Canada
Phone: (613) 765-5607
Fax: (613) 765-3520
Pro: Good network-wide encryption, key backup, key expiration, seamless export
Con: Key backup can't be overridden
A work in progress: As Entrust encrypts a set of files, it keeps the user informed.
Peter Wayner is a BYTE consulting editor living in Baltimore, Maryland. You can reach him on the Internet at pcw@access.digex.net.