*** NEW: Product download now available ***
Introduction - Why use encryption software?
A) Why use encryption software on Networks?
Encryption software is the last and most important barrier in information security. If a hacker or an insider has broad access to large parts of a network, that means unrestricted access to the all the files and documents therein unless they are encrypted. In a situation like a Human Resources Department, leaving those personal files open to wrongful use is illegal in many countries under the terms Data Protection legislation. In a PENS system, though, each area of the network is divided into smaller encrypted sections called domains which hold a lot of personal files, all encrypted using a personal encryption key and all password protected. True security using encryption software.
B) Why use encryption software on Laptops?
As more and more companies buy and use laptops, the number of laptops being stolen increases greatly. They are small and light and worth a lot of money: a classic target for thieves. However, it’s not just the hardware that’s being taken, it’s all the information on it too. In some cases, that information is worth more to the thief, much more, especially if he is stealing to order. That’s not just hype either, the world’s governments have legislated for this and in the UK, for example, the new Data Protection Act has made it a very serious offence to let lax security allow personal information, at the very least, to be lost in this way. This makes sense; an insurance salesman may have thousands of contact records with names, addresses, occupations, perhaps even health details and house contents. A guide book for larceny. Information is power as much in the criminal world as in the business world.
It is clear therefore that serious steps are required to safeguard yourself and your organization.... one of the most important will surely be the deployment of serious cryptography and encryption software.
What does PENS do?
What is PENS?
PENS is an on-the-fly encryption software system with either 56-bit DES or, new for Version 1.5, 128-bit IDEA and Triple DES algorithms for data encryption and 1024-bit RSA for key exchange and authentication. Users are given their own encrypted domains with which they can protect their files. They can also let other users enter these domains - should the administrator allow that - making worksharing easier. All they have to do is send their keys to the person who requires them.
How does the user encrypt?
‘On the fly’ means that the user need do nothing: when a file is saved or closed in a PENS domain, PENS automatically encrypts it. If the user drag-and-drops a file into his\her domain, the PENS encryption software will, again, automatically encrypt it.
How does the user decrypt?
When a valid user opens an encrypted file, PENS automatically turns it back into clear text.
What is Single Sign-On (SSO)?
The problem with security for a lot of people is that it adds to the complexity of using a PC. Users do not want to have to log on to NT/2000 or 95/98 (new in version 1.5) and then have another authentication hurdle to negotiate to get into their encrypted domain. Single Sign-On (SSO) synchronises the two passwords so that only one is required.
Does it secure Remote Users?
PENS encryption software is compatible with NT RAS (Remote Access Server). PENS Users are protected by the fact that encrypted files are only decrypted at the individual computer so even if someone could hijack the connection, they could not read what was being communicated on it. In addition, all those important files on the remote desktop or laptop are, of course, encrypted.
Does it encrypt network traffic?
No, but any PENS-encrypted file is still encrypted during transit, only becoming clear text when it reaches a valid desktop. So, there’s no chance of someone successfully eavesdropping on the network. In addition, PENS can interact between 95/98/NT/2000 workstations and NT, 2000, Netware and Linux Samba servers at the same time.
What About Administration?
What is the Two-Man Control Principle?
PENS has been designed so that enterprises have the option to stop one person gaining complete control over network security. For example, the Administrator does not know what users’ passwords are: so, to gain access to a user’s domain, he\she must complete the Change User Password Function in conjunction with the ‘Master’, rather like the way in which nuclear missiles are controlled by two separate key-holders. They both enter their usernames and passwords and PENS will then let them change the relevant user’s password.
How are user profiles controlled?
They are, of course, centrally administered. All profiles are set during install but can be changed at any time - taking effect after user next logs on - to heighten or lower a user’s domain management power, or to add new domains or shared keys.
How do you heighten or lower a user’s domain management power?
This is achieved through the creation and changing of User Classes. These - WHICH DO NOT INCLUDE ADMINISTRATORS - are:
How does User Profile Management help in administration?
Again, the command-line option gives the administrator the power to change a whole chunk of user profiles at once via an automated process.
How do you recover passwords?
Passwords cannot be recovered but, as explained above, if a user cannot remember his\her password, the Administrator and Master must together run the Change User Password Function of the Administrator Tools; authenticate themselves to the PENS encryption software and then create a new one-time password for the user. The user will then use that password to gain access to PENS and immediately create a new, secret password.
How do you share domains?
This can be done in two ways.
First of all, the ordinary user can - if allowed - create a key transport file in user tools. This is simply a menu option and all they have to think about is the password to protect the file. This is then sent to the intended recipients. It is up to the user to get the password to those who need it.
The second option is to have an administrator do it. Administrators can import transport key files into user profiles without needing to know the file’s password, thus avoiding any security compromise. Then the recipient simply enters the password on logon and they will then have access to the other user’s domain.
How is Single Sign-On (SSO) controlled?
There are three choices for the administrator in deciding how single sign-on should work. Portcullis feel that it is important to let individual administrators choose what part SSO should play in their IT set-up.
Anything Else?
What happens if there is a power failure during encryption or decryption?
This is a problem that has always troubled encryption software systems as such an incident can create files which are irrevocably encrypted. However, PENS has improved its fault toleration. During encryption and decryption, it creates a temporary file with the original in it so that after a power failure the original is automatically restored. In case you’re worried, after a successful process that temporary file is securely wiped.
How much memory does PENS take up?
PENS encryption software has a ‘footprint’ in memory of just 1.5K.
How much bigger is a file once it’s encrypted?
0 bytes: PENS encryption has absolutely no effect on file size.
What About The Future?
Will there be any other encryption options available?
This depends on user demand. At the moment, we are considering the implementation of CAST, RC4 and RC5.
Will we be able to use smart cards with PENS?
Under Windows NT and 2000, PENS will support a smart card. The smart card can be used as "secure storage" for sensitive PENS keys. This will also make it superfluous to compute the user’s key encryption key (KEK) from his password, which could be the weakest link. Instead a randomly generated KEK will be stored on the smart card.
Besides improving PENS’ security, the use of a smart card also provides a higher level of security for NT and 2000. Thus, the login to the system will be based on a PIN, because it will be possible to store the original NT/2000 password on the smart card, or even better, to let PENS generate a random NT/2000 password. This allows the use of the full password length of NT/2000 and passwords that could not be remembered by human beings.
Smart card management will be very simple, or in other words, very cost effective. The user can intialise the smart card by himself, so there is no need for a smart card management centre. As in previous versions, the action of the administrator (master) will only be necessary if the user forgets his PIN. Resetting the PIN will still follow the "Two-Man-Control-Principle".
Other objectives are use of cost effective readers and smart cards. For this purpose, PENS uses its own smart card API, which makes it independent of a certain supplier.
Will PKI be integrated into PENS?
Yes, it will. Again, we expect this to be released by 2001. For the moment, we are not able to go into the actual details of its implementation.
Interested?
We hope so!
If you want further information, or simply wish to discuss PENS and/or encryption software with us, why not contact us?
Alternatively, why not download an evaluation copy of the PENS encryption software system from our download site?
|
