Users want to keep their data safe from outsiders but they do not want their securitysecurity to make their computing experiences tedious. Vendors often find it difficult to maintain that delicate balance, but that could change if a new encryption technique gains momentum.
Ideally, users want their data to be encrypted as it moves from their desktops to recipients’ inboxes. One challenge in encrypting data is that in many cases, senders and receivers have little in common. Sometimes they have never had contact before and won’t communicate again after the information is shipped.
Public key infrastructure (PKI) encryption was designed to solve that problem. It functions on a case-by-case basis. However, it has also often been difficult to use and administer. A new option, dubbed “identity-based encryption” (IBE), promises to address PKI’s shortcomings.
Typically, PKI encryption requires multiple steps. First, a user registers with a certificate authority, a vendor whose job it is to distribute keys that encrypt and decrypt messages. Upon registering, a user receives a pair of keys. One is a private key, which the user needs to keep secret, and the other is a public key, which the certificate authority provides to anyone who wants to send the user an encrypted message. The sender encrypts data with the public key, and the recipient opens it up with the private one.
Lack of Standards Causes Problems
While the process sounds simple, it has been difficult to implement. There has not been much standardization among PKI systems, so it is not easy to mix and match different products. Also, in today’s instant gratification world, users do not want to take the time and put in the effort to sign up for public and private keys. PKI systems cannot easily revoke public keys if they are compromised in some way or if something changes, such as an employee leaving a company.
Because of these problems, companies have found it difficult to manage PKI systems, and they have been used only in select cases. “You will find the government and some financial institutions rely on PKI systems, but very few other organizations have adopted it,” said Richi Jennings, lead analyst at Ferris Research.
IBE schemes are simpler than PKI systems. While IBE systems still rely on public and private information, they do not require that users register to access the encryption mechanisms. Instead, users rely on unique identifiers, such as e-mail addresses, to gain encryption keys.
Simplifying PKI Administration
Consequently, IBE systems have many potential advantages. Data exchanges can take place dynamically. IBE encryption data is simpler to implement and manage than PKI systems. IBE systems automatically revalidate all keys, typically after a period of one week, so companies do not need to revoke key addresses. In sum, IBE systems are considerably simpler to implement than PKI encryption.
IBE technology grew out of research that began in 1984. Now, a few start-up companies, including Voltage Security and Identum, are trying to build businesses based on this approach. Voltage has been using the term “IBE” to describe its system; Identum calls its technique “Sakai Kasahara Key Encapsulation Mechanism” (SK-KEM).
A Much Cheaper TCO
These products offer some potential benefits. Ferris Research did a cost comparison between IBE and PKI implementations and found that the former has a lower upfront cost, requires very few servers to operate, and is simpler to maintain. Consequently, an IBE system can cost one fourth as much as a PKI approach.
Because these approaches promise to solve longstanding problems, they have been generating some buzz. “There haven’t been a lot of new developments when it comes to encryption, but IBE has recently garnered a fair amount of attention,” said Ray Wagner, research vice president at Gartner.
Developing innovative technology is only the first step to market acceptance. Vendors next need to determine how to market their products. E-mail represents an area where simpler encryption functions are needed.
Walking Down Two Different Roads
Voltage and Identum are taking different approaches with IBE. “Voltage has concentrated on the business market, while Identum has taken more of a consumer approach,” Ferris Research’s Jennings told TechNewsWorld.
The vendors face challenges in transforming their work from theory to practice. “With any new security technology, there is always some skepticism about how well it will work,” noted Gartner’s Wagner. Some think that IBE could be open to spoofing — a practice in which an illicit user mimics a legitimate one — although the vendors rebut such assertions.
Initially, the vendors have been targeting businesses and consumers, but over the long term, their products will probably be incorporated into e-mail systems or operating systems. Consequently, they will have to convince vendors, many of whom have their own security approaches, to support their products.
IBE appears to offer a significant improvement over PKI security, and the technology has taken a few steps toward widespread adoption. Its progress in the next 12 to 18 months will determine whether it becomes widely used or just another niche technology, like PKI.