Tag: PGP

22 Apr 2016

Unlocking Encryption Key Management

Any encrypted communication is only as secure as the keys used by the system that locked it. If the keys are compromised by hackers, negligence or other means, then any communication using those keys can be decrypted. So how can these keys be protected?

According to a recent Ponemon 2016 Global Encryption Trend Study, 67 per cent of IT professionals rated key management as one of the most important features of an encryption solution. As more organisations use encryption solutions, they also end up with more keys, and more varieties of keys. The successful management of these encryption keys is critical to the security of their private data.


How encryption keys are managed today
Public Key Infrastructure (PKI) is a type of key management system that uses digital certificates to provide authentication and public keys to enable encryption. PKIs use a specific class of encryption algorithms called asymmetric encryption. This involves two keys, one that encrypts the data (the public key) and another that decrypts the data (the private key).

The advantage of using asymmetric algorithms is that the public key can be distributed to anyone without the risk of it being used to decrypt any of the data. Only the private key is capable of decrypting the data. Since only the private key decrypts, it does not have to be widely available and can be kept in a secure place. Public keys are often stored in directories for other users to retrieve, while private keys are kept in key-stores accessible only to the key’s owner.

Another major component of a PKI is its ability to validate the authenticity of the public key. It ensures that any communication encrypted with a public key can only be decrypted with the corresponding private key.

How can one be sure “who” has the key?
Maybe a hacker has modified a directory and injected their public key. To prevent this from occurring, a public key is embedded into a certificate. Think of it as a vetting process. A certificate typically contains information about who the public key is for (an email address, the owner’s nickname or a domain name) and is digitally signed by a certificate authority (CA). Imagine a paper certificate with the public key bound to it. There is the name and information about the owner of the key on it, plus the name and signature of the person who issued it.

The CA is a mutually trusted party. When two parties have each other’s public keys they can rely on the CA to ensure the encrypted communication can only be decrypted between them. If Alice wants to send a message to Bob and doesn’t directly trust him, she uses a CA to confirm that the key does in fact belong to Bob.
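The check described above, as an added example that is not part of the original post or Echoworx code: a simplified certificate (not X.509) binds a subject name to a public key under a CA signature, and a directory lookup refuses an entry whose key was swapped. It assumes the Python `cryptography` package; the function names, the `bob@example.com` subject and all keys are constructed for illustration.

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

def raw_public(private_key) -> bytes:
    """Raw 32-byte public half of an Ed25519 key."""
    return private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

def to_be_signed(subject: str, public_key: bytes) -> bytes:
    # Canonical encoding of the binding the CA vouches for: identity + key.
    return json.dumps({"subject": subject, "key": public_key.hex()},
                      sort_keys=True).encode()

def issue_certificate(ca_key, subject: str, public_key: bytes) -> dict:
    """CA signs the (subject, public key) pair; the result is the certificate."""
    return {"subject": subject, "key": public_key,
            "signature": ca_key.sign(to_be_signed(subject, public_key))}

def trusted_key(directory: dict, subject: str, ca_public) -> bytes:
    """Return the subject's key only if the trusted CA signed that exact binding."""
    cert = directory[subject]
    if cert["subject"] != subject:
        raise ValueError("certificate names a different subject")
    try:
        ca_public.verify(cert["signature"],
                         to_be_signed(cert["subject"], cert["key"]))
    except InvalidSignature:
        raise ValueError("binding was not signed by the trusted CA") from None
    return cert["key"]

def demo() -> tuple:
    ca = Ed25519PrivateKey.generate()                   # constructed CA key
    bob_pub = raw_public(Ed25519PrivateKey.generate())  # constructed subject key
    other_pub = raw_public(Ed25519PrivateKey.generate())
    name = "bob@example.com"
    directory = {name: issue_certificate(ca, name, bob_pub)}
    genuine_ok = trusted_key(directory, name, ca.public_key()) == bob_pub
    # Modified directory entry: the key is replaced, but the CA signature
    # still covers the original key, so verification must fail.
    directory[name]["key"] = other_pub
    try:
        trusted_key(directory, name, ca.public_key())
        swap_rejected = False
    except ValueError:
        swap_rejected = True
    return genuine_ok, swap_rejected
```

The lookup trusts nothing stored in the directory except what the CA signature covers, which is why the CA's own public key has to reach the verifier through a separate, trusted channel.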

Introducing key recovery/escrow
Private keys, used to decrypt email messages, should be stored securely. The simplest method is to use a password to encrypt the private key. While it is well known that weak passwords can easily be broken, a strong and unique password is as good as almost any other kind of encryption.

But what happens when a user forgets their password, or they lose their key due to a hardware failure?

This is when key recovery or escrow is used. One way to achieve this is to use a secret sharing algorithm. Secret sharing is when a piece of data is broken up into a number of parts so that no one part is enough to determine what the original data is. In a PKI, the private key can be broken up this way. Each key part is encrypted for a unique individual and the only way to recover the private key is for all or some of the holders of the key parts to agree to perform the key recovery. Once the key has been recovered it can then be securely delivered to the user. This method prevents any one individual from gaining access to the private key.

PKIs have revolutionised the world by allowing secure communication between parties, whether it is online banking, e-commerce, or secure email. Unfortunately, this is easier said than done for most. The same Ponemon study found that 53 per cent of respondents rated key management as having a high pain level.


Making key management easier
As e-mail encryption becomes more widespread and is used in more diverse ways, security teams are looking to eliminate islands of encryption built and acquired over the years.

This approach is helping to mitigate some of the historic key management challenges – a lack of ownership of the key management function, a shortfall in skilled personnel, isolated and fragmented systems and inadequate management tools.

It is a move that will be welcomed across industries. The paradox in the security sector today is that the more advanced the threat vector, the simpler the solution we need as users in order to manage the problem. Employees of organisations will always look for less secure workarounds, so creating more efficient, easy-to-manage, cloud-compatible encryption and key management systems will help to take the protection of our private data to the next level and leave hackers collecting dust.

By John Fleming, Senior Software Developer, Echoworx


09 Sep 2013

What PGP Needs

PGP limitations and OneWorld capabilities

A number of organizations we have talked to that have implemented PGP for email encryption are looking for an easy way to take PGP to the cloud. PGP requires the Universal Server, which handles all the key management functions, to be installed on premises. This is not a bad approach for traditional enterprises. However, if your PGP solution requires you to work with business partners outside the enterprise, it is hard to expand the footprint without increasing the cost. What customers generally want with their PGP implementation is as follows:

  • Upload Existing PGP keys to the cloud

  • Auto generate any new PGP keys as needed

  • Easy cloud provisioning

  • No software or servers to manage

  • Save on internal servers and resources

  • Simple user based pricing model

16 Aug 2013

OneWorld Philosophy

What Is OneWorld Email Encryption, and Why Did We Build This Platform?

The bottom line is that today's encryption solutions for email and data are not interoperable. Senders have no clue what type of encryption solution their recipients are using. Recipients are confused by the options they have for picking up encrypted messages. Ideally, recipients would like to pick up encrypted messages right from their native inbox and treat a web-portal pickup as the last resort. Our goal was to make sure OneWorld solves these fundamental problems with email encryption forever!

OneWorld Email and Data Encryption promises that enterprises can communicate securely with each other no matter what encryption platform they have. Senders shouldn’t have to think about how to get encrypted data delivered to anyone. That was our mission from the start and we believe we have achieved this goal with OneWorld.

The other thing we saw with other solutions in the market was that they didn’t easily allow for sending enterprises to pick and choose a method of encryption and delivery that made the most sense for their recipient community. We looked at the most desired encryption options and talked to our many diverse customers. They told us a few essential things that went into the building of the system, including:

  • Compatibility with other encryption solutions in the market like PGP, Entrust, and 3rd Party S/MIME

  • Support for Encrypted PDFs since most people know how to handle PDFs

  • Support for allowing recipients to upload their own PGP and X.509 keys

  • Support for Unauthenticated Portal for Message Pickup