Experts have long contended that encrypted e-mail will become an everyday occurrence only when end users can send messages securely by pushing a button.
Startup Sigaba Corp. thinks it has developed that button.
The company recently unveiled SigabaSecure, a system for encrypting e-mail with the click of a button. SigabaSecure is based on software that plugs into popular e-mail clients, including Eudora, Lotus Notes, Microsoft Outlook, Netscape Messenger and Novell GroupWise.
Sigaba, which takes its name from a U.S. encryption device of World War II that was never compromised by the enemy, is also developing an enterprise server-based version of its software. The enterprise version lets IT managers encrypt outgoing e-mail at the server based on a set of policies. No software is needed for desktop clients.
Getting around PKI
Encrypted e-mail, which has been discussed for nearly two decades, suffers from many problems, most notably encryption key management. With a public-key infrastructure (PKI), users must have a public key for every recipient and IT must manage sets of private encryption keys.
Sigaba reduces key management by providing only a symmetric key to encrypt and decrypt messages, eliminating public and private keys. SigabaSecure assigns keys to messages, not users.
"I'm looking for the gotchas in the software," says Eric Arnum, editor of "Messaging Online," an e-mail newsletter. "When you make things easy for the end user you have to make compromises, but I haven't seen those yet with Sigaba. They have eliminated the fatal flaw in PKI [key management]."
Other vendors, such as ZixIt, HushMail and Tumbleweed, also are focusing on secure message delivery, but Sigaba's difference is that it never touches the actual e-mail.
When a user sends a message using SigabaSecure, the plug-in communicates with a key server maintained by Sigaba. The server authenticates the user over a Secure Sockets Layer connection, then creates a key and a message identifier for the e-mail and sends them back to the user. The plug-in uses the key with the Blowfish algorithm to encrypt the message on the user's desktop and then sends it off.
The process is a subsecond performance hit, according to Sigaba officials.
The process is reversed for the recipient of the message. If the recipient does not have the plug-in, it can be downloaded. If the recipient doesn't use an e-mail client that supports Sigaba's software, Sigaba can decrypt the message and deliver it.
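The exchange described above, sketched as an added example that is not Sigaba's code: a hypothetical in-process KeyServer stands in for the SSL-authenticated key server, and an HMAC-SHA256 keystream stands in for Blowfish, which the Python standard library does not provide. All class, function and account names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class KeyServer:
    """Hypothetical key server: keeps one symmetric key per message ID."""
    def __init__(self, accounts):
        self._accounts = accounts   # user -> password (constructed sample data)
        self._keys = {}             # message ID -> (key, users allowed to fetch it)

    def _auth(self, user, password):
        stored = self._accounts.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("authentication failed")

    def new_message_key(self, sender, password, recipients):
        self._auth(sender, password)
        message_id, key = secrets.token_hex(8), secrets.token_bytes(16)
        self._keys[message_id] = (key, set(recipients) | {sender})
        return message_id, key

    def fetch_key(self, user, password, message_id):
        self._auth(user, password)
        key, allowed = self._keys.get(message_id, (None, set()))
        if user not in allowed:
            raise PermissionError("not a recipient of this message")
        return key

def keystream_xor(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode), not Blowfish; no integrity tag.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def send(server, sender, password, recipients, body):
    # The key is fetched first; the body is encrypted locally and never reaches the server.
    message_id, key = server.new_message_key(sender, password, recipients)
    nonce = secrets.token_bytes(12)
    return {"id": message_id, "nonce": nonce, "body": keystream_xor(key, nonce, body)}

def receive(server, user, password, envelope):
    # The recipient authenticates, looks the key up by message ID and reverses the step.
    key = server.fetch_key(user, password, envelope["id"])
    return keystream_xor(key, envelope["nonce"], envelope["body"])
```

Because the server stores every message key, access to the server is equivalent to access to any message encrypted under a key it issued.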
"Encryption that is simple and can be plugged into existing software is essential," says David Raucher, president of Telcopoint in Dallas. "With sales documents and bills being sent as attachments, you need security."
Raucher is using Sigaba as part of Telcopoint's Secure PC Call, an encrypted voice-over-IP conference calling service. Sigaba provides secure notification to participants invited into Secure PC Call.
In the fall, Sigaba will release the enterprise version of the software, which runs on Windows NT, Unix and Linux.
"IT managers will have access to the key for any message," says Richard Bliss, vice president of marketing for Sigaba.
The company will provide free server software to companies and charge approximately US$1 per user to manage keys.