IMPORTANT: This is not a “Code Review” but only an evaluation of various solutions from the end user’s perspective, as experienced by me.

PLEASE NOTE: There is no intention to offend or please anyone, website addresses of the evaluated software and solutions have been given for anyone to download these and do a self-evaluation.

 

E-Mail Security Solutions:

 

The requirements of e-mail security are as follows:

 

R1. Message confidentiality using encryption - protects your sensitive information from being viewed by anyone other than the intended recipients.

 

R2. Authentication with digital signatures - verifies that the sender and the recipient are exactly who they say they are.

 

R3. Integrity with digital signatures - ensures the contents of your email cannot be altered in transit without detection.

 

R4. Non-repudiation with digital signatures - ensures the sender cannot deny emailing the message at a later date (this is particularly vital with financial transactions being conducted and authorized over email)

 

To meet these challenges various E-Mail security solutions are available in the market.  Some of these solutions meet only 1, 2, 3 or all 4 requirements. These can be type classified as follows:

1.        Password-Based: Software that secure the E-Mail using a password only. (Lets call them type PBE)

2.        PKI-Based: Software that provide security using Public Key of the recipient and the Private Key of the sender . (Lets call them type PKI)

 

Both these types can further be sub-divided into two types:

1. Desktop: User is independent of any third party for message authentication, storage or forwarding. (Lets call them type DT)

2. MiddleWare: UserS must use third entity as message broker, i.e. be authorized and connect to specific server to send and receive messages. The recipient of the message, on receipt of the message, must log on to a specific server then register before he can read the contents of the message. (Lets call them type MW)

     

These software can also be evaluated on the basis of standards they follow in their implementation:

1.        The standard of the E-Mail  securing key, as defined by Internet Engineering Task Force (website: http://www.ietf.org/html.charters/pkix-charter.html), is known as X.509. There are some software that use this standard and there are other that use their own standard. While some may use both. Hence we shall classify them as X509, NON-X509, HYBRID.

 

2.     The standards for encryption are various to pick and choose. However, in PKI the most popular are RSA and Diffie-Hellman.

 

What are the utility functions such as the one that encrypts and signs :

             1.   Encrypts only No signing i.e. No Authentication. (Lets call them type NoSign)

2.        E-Mail Text messages only. (Lets call them type ETM)

3.        Files only.( Lets call them type File)

4.        E-Mail text messages and Files both.( Lets call them type ETM&F)

 

How does it protect the Password or the Private Key of the user?

1.        If the private key is stored on the hard drive, this is not very secure as anyone who knows password can sign as you,  then we shall call them type HARD DISK.

2.        If the private key is stored on a removable and mobile token such as Smart-Card or USB token, to use private key physical token access required, then we shall call them TKN.

 

Does it provide mail client independence or not?

1.        If the software forces the user to use a specific mail client then we shall call it MCD.

2.        However, if the software allows the user to any mail client then we shall call it MCI.

 

Finally, does it force the recipient to buy the software?

1.        If the software forces the recipient to buy the software before verifying the sender’s signature or reading the message we call it Recipient Must Buy i.e. RMB.

2.        However, if the software makes available a free version of the software that recipient can use to verify or read the message we will call it i.e. Recipient Need Not Buy RNNB.

 

Including Authentication:  It has been internationally recognized that E-Mail Authentication is achieved only with PKI.

A true Desktop PKI Security Software is expected to meet the following:

 

PKI Secure Messaging Requirements:

• Message confidentiality using encryption: R1
• Authentication with digital signatures: R2
• Integrity with digital signatures: R3
• Non-repudiation with digital signatures: R4
• External Communication: R5
• Roaming: R6

 

PKI  Technology Requirements:

• Architecture

·         PKI Architectures: PKI

·           1 CA support:

·           2 Revocation Support:

 

·         Cryptographic Algorithms: Algorithms

·           EA Encryption Algorithms:

· DES

· RC2

· RC4

· AES

·           HA Hash Algorithms:

· MD5

· SHA-1

· SHA

·           SA Signature Algorithms:

· RSA

· DSA

 

·         Standards Compliance: Standards

·           1 X.509 Digital Certificate:

·           2 DSA/RSA Signing:

·           3 DES/CAST/IDEARC2/RC4/AES/TWOFISH/RSA Encryption:

·           4 Mobile Cryptographic Tokens(Smart Card, USB Tokens):

 

·         Key Life Cycle Management: Key Life Cycle Management

·          User Initialization: UI

· 1 Offline Creation of Private Key and Self Signed Certificate:

· 2 Offline Creation of Certificate Signing Request: To get the public key signed by CA at a later time.

· 3 Offline Installation of Owner’s Public Key:

· 4 Online Creation of Private Key and Digital Certificate:

· 5 Safe Acceptance of the CA public key: Automatic display of certificate before optional installation.

·          Key Pairs: KP

· 1 Key Pairs Expiration Date:

· 2 Historical Records of Expired Certificates: Storage of expired certificates in marked location.

· 3 Transparency of Keys to Users:

·          Key Backup / Restore: KBR

· 1 Key Backup and Restore:

· 2 Historical Data availability:

·          Password Management: PM

· 1 Different Passwords for different Private Keys:

· 2 Password Rules: e.g. Min Password length etc.

· 3 Password safety: e.g. Support for Password change etc.

·          Certificate Revocation: CR

· 1 Certificate Revocation List Support:

· 2 Off-Line Revocation Checking Capability:

· 3 Historical record of Revoked Certificates:

·         Client Software: Client Software

· 1 Client Side Software Support:

· 2 Easy Client Software Installation:

· 3 Private Keys Protection: Protection extra to password provided.

· 4 Off-line Capability: Write/Sign/Encrypt mail offline, send at a later time.

· 5 Verification of Historical Signatures: Public key attached with the document.

· 6 Transparency: Regular dialogs to inform the user of the beginning and end of an activity.

· 7 User Mobility: Private Key on mobile smart-card or other token.

·         PKI Management: PKI Management

· PKI Management Transactions using the software

·      1 CA Certificate Installation:

·      2 Other’s Certificate Installation:

·      3 Basic Revocation Checking:

·      4 External Revocation Checking:

·      5 Private Key Backup and Restore:

• Platforms

·         Client Operating Systems

· MS Windows 95

· MS Windows 98

· MS Windows ME

· MS Windows NT3.1

· MS Windows NT4

· MS Windows CE

· MS Windows 2000

· MS Windows XP

· Sun Solaris

· Redhat Linux

· HPUX

· IBM

· Novell Client

· MS Internet Explorer

· Netscape Navigator

 

·         Directory Support

· MS Active Directory

· Novell Directory Server

· LDAP Directory Support

 

• Utilities

·         E-Mail Signing

· Text Message

· File Attachment

 

·         E-Mail Encryption

· Text Message

· File Attachment

 

·         Mail Client Independence

·         Mail Account Independence

 

·         Free Signed Mail Verifier for the recipient

·         Free Encrypted Mail Reader for the recipient

 

·         Ease of Use

· Sign/Verify mail directly on current window of any mail client

· Cut from mail client and paste in application window to Sign/Verify

 

·         This comparison report is based on the assumption that the user is using any one of these operating systems: Windows 95, 98, ME, NT4, 2000, XP.

·         Server Centric software have been listed but not considered as the recipient may not have access to a server environment and will be unable to use the software.

R1

R2

R3

R4

PBE

PKI

DT

MW

X509

RSA / Diffie

No-Sign

ETM

File

ETM&F

TKN

HARD   DISK

MCD

MCI

RMB

RNNB

1. http://www.trustedmime.com/ Avlbl from http://www.unosoft.com/

TrustedMIME

√

√

√

√

Server Centric: Users must install Microsoft Exchange and Outlook.

2. http://www.pgp.com/

PGP

√

√

√

√

√

√

3. http://www.zixmail.com/

ZixMail

√

√

√

√

Server Centric. Moreover, there is no way for a recipient who has not purchased the same software to verify a sender’s signature on a mail at a later date.

4. http://www.ensuredmail.com/

EnsuredMail

√

x

x

x

√

Not a PKI software.

5. http://www.hushmail.com/

HushMail

Server Centric: HushMail is a web-based email and document storage system that forces recipient to use its server.

6. http://www.disappering.com/

Omniva Policy Manager

This is only a email sending policy tool. Requires MS Exchange 5.5 or 2000 and EMail client Outlook

7. http://www.articsoft.com/

Content Assurity

√

√

√

√

√

8. http://www.indiciisalus.com/

Xenomail

Server-centric email security software. Requires: Outlook  on Exchange 5.5 and 2000

9. http://www.abylonsoft.com/

Apm4.00Pro

√

√

√

√

√

10. http://www.cryptovision.com/

S/mail

Requires: Windows NT4 (SP6a) or Windows 2000 or Windows XP Server.

11. http://www.guardeonic.com/

SecuSeal

EVALUATION COPY NOT AVAILABLE.  To buy one has to first contact over email.

12. http://www.ritlabs.com/

SecureBat

Not a messaging software. An email client that can be used instead of Outlook etc and uses tokens for authentication with POP3/SMTP servers. The software should be installed on the server and ID issued by server administrator.

13. http://www.tarmin.com/

OfficeGuard

User must install: MailGuard component provides Secure Email functionality within Microsoft Outlook.

14. http://www.sigaba.com/

Sigaba

User must install at the customer site a Sigaba Gateway, Key Server, Authentication Server or adapter.

15. http://www.shyfile.com/

Shyfile

Only Self-decrypting file.

16. http://www.kyberpass.com/

TrustPlatform

Server centric. Requires Several components including Microsoft Windows 2000 Advanced Server etc. and Outlook.

17. http://www.ripem.com/

RIPEM

Not available commercially. Read: http://www.uni-giessen.de/faq/archiv/ripem.faq/msg00000.html

18. http://www.aliroo.com/

PrivaSeal

Severely restricted application: Works only on MS Word and MS Excel files.

19. http://www.softmode.com/

Vigilante

File Encryption only. Vigilant does not protect the email text, only the attachments.

20. http://www.marshalsoftware.com/

MailMarshal Secure

Server Centric. Requires: Windows NT 4.0 or Windows 2000 Server, or Windows XP and SQL Server 2000.

21. http://www.navastream.com/

CryptoEx

Server Centric. Works only with Outlook and Lotus Notes for both sender and recipient.

22. http://www.elock.com/

E-Lock ProSigner

√

√

√

√

Works only on MS WORD and EXCEL files.

23. http://www.wondercrypt.com/

WonderCrypt

√

√

√

√

√

√

In the light of the above evaluation only four of the above mentioned products are found to be implementing PKI as a desktop solution for email message security and authentication. Hence, only these four products are being compared: 1.PGP http://www.pgp.com/  2.Content Assurity http://www.articsoft.com/  3.Apm4.00Pro http://www.abylonsoft.com/ 4.WonderCrypt http://www.wondercrypt.com/

PKI     Secure Messaging Requirements

 

 

Utilities

                                                                                   

 

R1

R2

R3

R4

R5

R6

Mail Text            Sign

Mail Text Encrypt

Mail Text Encrypt &  Sign

File  Sign

File Encrypt

File Encrypt & Sign

Mail Client  Independent

Mail Account Indepen-dent

Free Verifier Available

Free Reader Available

Active Window Support

Provides Message Editor

Private Key Security on Removable Token

Operating Systems Supported

PGP http://www.pgp.com/

√

√

√

√

√

√

√

√

√

√

√

√

√

√

X Read: PGP1

X Read: PGP2

√

X

Optional available Not Diffie

Windows 95, 98, Me, NT, 2000 and XP, Mac

Content   Assurity http://www.articsoft.com/

√

√

√

√

√

√

√

√

√

For File Sign/Enc another software FileAssurity has to be used.Read: CA1

Not Applicable Read: CA2

Not Applicable Read: CA2

√

√

X Read: CA3

√

X

Windows 95, 98, Me, NT, 2000 and XP

Apm4.00Pro http://www.abylonsoft.com/

√

√

√

√

√

√

X

X

Read: APM1

X

X

√

Not Applicable Read APM2

Not Applicable Read APM2

X Read: APM3

√

X Read: APM4

√

Optional available

Windows 95, 98, Me, NT, 2000 and XP

WonderCrypt http://www.wondercrypt.com/

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

Included in software

Windows 95, 98, Me, NT, 2000 and XP

Key Life Cycle Management

PKI Architecture

 

 

1

2

EA

HA

SA

1

2

3

4

1

2

3

4

5

1

2

3

1

2

1

2

3

1

2

3

1

2

3

4

5

6

7

1

2

3

4

5

PGP

√

√

Various

MD5

PGP/MIME

√

√

√

√

√

X

√

X

X

√

√

X

√

√

√

√

√

√

X

√

√

√

√

√

√

X

X

√

√

√

√

√

Content Assurity

√

X

AES

MD5 SHA1

RSA

√

√

√

X

√

X

√

X

X

√

√

X

√

X

X

√

√

X

X

X

√

√

X

X

√

X

X

√

√

X

X

√

Apm4.00Pro

√

X

DES & RC4

Not Clear

RSA

√

√

√

√

√

X

√

X

X

X

X

X

√

X

√

X

X

X

X

X

√

√

√

X

X

X

X

√

√

X

X

X

WonderCrypt

√

√

DES

MD5 SHA1

RSA

√

√

√

√

√

√

√

X

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

√

HEAD TO HEAD:

BRAND:

SYSTEM REQUIREMENTS

PRICING

PROS

CONS

VERDICT

PGP

Windows 95, 98, Me, NT, 2000 and XP, Mac

PGP 8.0.2 $80.00 Ea without Smart Card or Token

1.     Can be used by an organization as a closed group solution but not as email with all clients solution. 2.     Various plug-ins make it is easier to use with Outlook and Eudora. 3.     Freely distributed version is available. However, this is allowed for only non-commercial use and has very few of regular functionalities. 4.     Various choices of algorithms. However, this makes life of the user difficult. From PGP Help: “Perhaps the government has some classified methods of cracking the conventional encryption algorithms used in PGP. This is every cryptographer’s worst nightmare. There can be no absolute security guarantees in practical cryptographic implementations.”

1.     No free reader / verifier available. Recipient must buy even if to verify a sender’s one commercial signature. 2.     Does not provide its own message editor. 3.     No reconfirmation of message during clipboard encryption. This has, while more than one text windows were open, caused different than the intended message to be sent encrypted. 4.     Offline creation of Certificate Signing Request is not possible to be sent to CA on a backup media. 5.     A deleted public key cannot be recovered. 6.     There is no offline revocation checking facility. 7.     Too many interfaces and choices, complicated for the user. 8.     No user mobility, user cannot read/write his email in a cyber café.

Can be used by an organization as a closed group solution but not as email with all clients solution.

Content Assurity

Windows 95, 98, Me, NT, 2000 and XP

ContentAs-surity:  $39.00 Ea   FileAssurity $39.00 Ea   Total =  $78.00 Ea   No smart-card or token. Private Key on Hard Disk.

Simple to use. Not too many interfaces. Only one password to remember. Uses user’s email account, not necessary to use any proprietary email system. Not necessary to buy or administer any PKI. Free Reader/Verifier available.   CA2: It is Mail Client Independent and also Mail Account Independent. However, the user must write mail on its own (CA’s) editor and then copy and paste the signed/encrypted content on the mail client’s compose window.

1.     Only single user on one computer as all private keys have the same password. Surprisingly, not even free reader version can be used by other people on the same computer that has the full version installed. 2.     Private key is always on the hard-disk, anyone knowing the password can sign as you. 3.     Backup of one private key involves taking backup of the complete key store. 4.     Revoked public keys cannot be identified, checked and removed. 5.     User has no means to get his public key signed by a Certificate Authority. 6.     Once deleted, another persons public key cannot be found anywhere for a document verification in the future. 7.     Message must be written on its own (CA’s) editor that makes write then sign/encrypt later to send difficult.

Can be used as point to point or person to specific person solution but not as an implementation of desktop PKI solution.

Apm4.00Pro

Windows 95, 98, Me, NT, 2000 and XP

Apm4.00Pro $99.00 Ea without Smart Card or Token

Simple to use but needs corrections in the software. Uses browser’s keystore. There is a separate “Certificate Manager” module using which certificates can be managed within the browser’s keystore. However, this is risky too as deletes without displaying the certificate. Free Reader available.

1.     Creates Private Key only with email address, no other X.509 fields of a Distinguished Name can be mentioned. The recipient has to rely on the email address of the sender, no other information is visible in the certificate. 2.     No expiration date can be set on a private key, it is one year by default and there is no way to change it. 3.     No support for backup of the created private key. 4.     No certificate signing request generation. A public key created by the software does not create or support signing of the public key by a CA. 5.     No offline public key revocation can be done using support from the software. 6.     No minimum password length restriction allows weaker passwords. 7.     Password of a private key cannot be changed, if the password is once revealed to anyone the private key should be considered as compromised. 8.     Once deleted, another persons public key cannot be found anywhere for a document verification in the future. 9.     Message must be written on its own (APM’s) editor that makes write then sign/encrypt later to send difficult. 10.  Text message is sent as an attachment in file having extension “.sme”. This file must be attached by the user to the mail being sent. Moreover, as the name of the file is always “messge.txt.sme” hence there are fair chances of overwriting an existing message that is waiting to be sent. 11.  Serious Error: There may be, and generally are, several private keys in the MY store of a Windows installation, but was found always using the first listed private key or gives error –2146885628 CryptAPI.cpp 1741. This happened  frequently.

Needs some corrections before can be advised for use.

WonderCrypt

Windows 95, 98, Me, NT, 2000 and XP

1.    Can be used by an organization or an individual as an email with all clients solution. 2.    Truly mobile. User can carry private key on token and use to read or write, secure and authenticated, mail even in a cyber café. 3.    Even the full version of the software is available for free download. However, to use this one must have an iKey token purchased from WonderCrypt.. 4.    Free Reader/Verifier available. This free version is a complete software that has no time limits, no size limits for decryption and verification but sign/encrypt is restricted to 1000 characters for email and 100 KB for files. 5.    Simple to use, very user friendly interface with interactive dialogs.

1.    Online checking of revocation not possible. Revocation List must be downloaded before it can be run on the certificates in the keystore. 2.    Only the free version runs without iKey token. The free version has limitation for signing and encryption  of mail (up to 1000 characters) and file (up to 100 KB). However, if used by recipient then there are no size limitation for decryption and verification. 3.    Restricted choice of algorithms. 4.     Only one password rule i.e. minimum length of password is defined. Password expiry date should have been defined.

A sure winner. A complete PKI desktop software. Excellent ease of use and interactive interfaces design makes it the best amongst the software evaluated. Worth using by any user whether it be an individual or an organization.

 

I can be contacted : Please note that the contact should be done only for technical comments or corrections and not in any case for any commercial causes.

At Email:  [email protected]