Email-Based Identification and Authentication:
An Alternative to PKI?

Signed & Secured has streamlined PKI and created a better way to do business, taking its best points and transforming them into a secure system that is far easier to use and doesn't require complex software, expensive digital certificates, or hard-to-manage keys. You use the documents you already use as well as the email addresses you and everyone else already have. That's the key to our success: significant cost savings, yet easily adoptable by you and all the many parties you need to communicate with.

Mr. Garfinkel, of the Massachusetts Institute of Technology (MIT) and author of Database Nation: the Death of Privacy in the 21st Century, wrote an interesting article* in the IEEE Security & Privacy journal. He explains that "email-based identification and authentication (EBIA) is a reasonable approach for many current commercial and government applications. EBIA provides a better match to the usability, privacy, autonomy, resiliency, and real-world business requirements than PKI [public key infrastructure] technology."

He points out that "even sensitive applications that let us enter into binding business agreements worth thousands of dollars and electronically transfer money between bank accounts, use EBIA." And so does Signed & Secured at the most basic level of its configurable authentication technology.

Getting EBIA architected correctly is critical to its success, and Signed & Secured has taken great care to ensure its implementation creates a workable balance between usability and security. Authenticating parties because they can send an email with a given email address -- as is done on many list servers, news groups and the like -- is an extremely popular, yet poor design. Spammers prove this point millions of times each day as they send out their unsolicited garbage using fake "from/sender" email addresses.

To get EBIA right, it is important, instead, to prove that a given party can receive email at a given email address. It is quite hard to intercept someone's email (except for the system administrators at the person's ISP or IT shop who control the email or domain name servers). It is extremely easy to send email using anybody's email address.

Signed & Secured not only ensures a person can receive email at a given email address (what we call being "email confirmed"), but significant actions taken while using Signed & Secured also send out email notifications to the party's email address as a means to allow him or her to self-audit or detect misuse of the account. For example, if you change your password or forgotten password question and answer, if you sign something or have messages that will be deleted shortly, or if you receive a new message or request a return receipt, notifications are sent to your email address. These can help you detect misuse of your account as well as keep you informed about the status of messages you've sent or received. If you forget your password, instead of sending you your old password (we simply cannot because we don't store your password anywhere within Signed & Secured) or even emailing you a new temporary password, we instead send an email to your address and require that you click on a unique link in order to continue.
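
The receive-side check and the click-a-unique-link password recovery described above can be sketched as follows. This is an added example, not Signed & Secured's or Yozons' code; the class name, the placeholder URL and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the page does not state one


class EmailConfirmations:
    """Tracks outstanding one-time links and "email confirmed" addresses."""

    def __init__(self, base_url="https://example.invalid/confirm"):
        self.base_url = base_url   # placeholder URL (assumption)
        self._pending = {}         # address -> (sha256(token), expiry time)
        self._confirmed = set()

    def issue_link(self, address, now=None):
        """Build the unique link that is mailed TO the address."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Keep only the hash, so a leaked table cannot be replayed as links.
        self._pending[address.lower()] = (digest, now + TOKEN_TTL_SECONDS)
        return self.base_url + "?" + urlencode({"addr": address, "token": token})

    def redeem(self, address, token, now=None):
        """True only for an unexpired, unused token matching this address."""
        now = time.time() if now is None else now
        # pop() makes the link single use; a wrong guess also burns it,
        # so each issued link allows exactly one attempt.
        entry = self._pending.pop(address.lower(), None)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, digest):
            return False
        self._confirmed.add(address.lower())
        return True

    def is_confirmed(self, address):
        """A claimed From: header never counts; only a redeemed link does."""
        return address.lower() in self._confirmed
```

The same issue-and-redeem pair serves both account activation and the forgotten-password flow, because in each case the only proof accepted is possession of a token that was delivered to the mailbox.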

When done right, these added precautions can mean the difference between EBIA working really well for you or discovering that EBIA is providing no security whatsoever. Yozons does it right, and that's why experts consider EBIA to be a workable solution that's better suited for business than even PKI and its digital certificates.

"Despite a tremendous push from management, security professionals, consultants, and vendors, the market and the general public have been slow to adopt PKI," Garfinkel wrote. For PKI to have failed to gain widespread adoption after so many years (the technology dates back at least to the early 1980s), the shortcomings must be real.

Garfinkel says explanations for PKI's failure include usability and cost, as well as the fact that "some experts insist that the claims made for PKI are unjustified, because computer viruses and other kinds of malicious software can compromise private keys or make people think that they are signing one message when in fact they are signing another." Never mind the fact that most PCs are not kept in secure rooms, laptops are lost or stolen daily, people don't log off when they step away from their computers (even if just for a brief moment), people don't back up their encryption keys and trusted digital certificates, and when people upgrade their computers they don't know how to transfer those encryption keys and digital certificates to the new computer while ensuring that the same data are securely wiped from the old machines.

PKI has touted non-repudiation as its major benefit, but reality has shown that people can tamper with and forge just about anything, including currency with its sophisticated paper, fibers, ink and printing processes. As Garfinkel notes, "Unscrupulous people can forge passports, steal SSNs and private keys, and tamper with biometric databases." PKI gives an illusion of perfect security, but "software flaws, stolen keys, or improperly granted certificates" have proven that's not the case.

While Yozons knows of several Fortune 500 companies that have scrapped millions of dollars "worth" of PKI digital certificates in favor of Signed & Secured, Garfinkel also disclosed that even for the United States military, which has deployed four million client-side certificates, "many mission-critical Web sites -- especially those used in combat situations -- rely on user name-password authentication" precisely because digital certificates are not flexible enough to meet real-world needs. "While many organizations continue to invest in PKI, another technique for identifying and authenticating Internet users is rapidly emerging in the marketplace." That's EBIA.

Signed & Secured relies on email addresses for user ids because they are the de facto online digital identifiers used today. As Garfinkel points out, "email addresses are necessarily unique and it's easy to verify ownership of an email address."

While using email may seem insecure because it is transferred in the clear and "key employees at many businesses and Internet service providers (ISPs) can browse or perform keyword searches on users' mailboxes," EBIA is used widely, implying that banks, the military and many other businesses find the security risks acceptable. "EBIA has been successful because it combines ease of use with a limited challenge-response system that is not trivial to defeat."

Garfinkel continues, "A key advantage of EBIA over PKI is that PKI requires specialty software and a mutually trusted CA [certificate authority]. EBIA, on the other hand, can work with any email client (or even with Web-based email), using email addresses available from hundreds of thousands of different email-granting organizations (ISPs, companies, schools, government organizations, and so on)."

When you consider that Signed & Secured uses EBIA for its most basic form of authentication, it is easy to see why its adoption has been growing so quickly. Unlike email, messages sent through Signed & Secured are never sent in the clear so nobody can eavesdrop on your private communications, not even unscrupulous system administrators. Additionally, Signed & Secured sends email notifications so people can self-audit their actions and immediately be informed if an account has been activated, a password has changed, new messages have arrived or signatures have been applied. When necessary, Signed & Secured's configurable authentication allows you to easily increase the sophistication of user authentication by allowing you to use a shared secret password or request that another party pass a fairly rigorous Experian credit-based authentication check.

Signed & Secured has packaged EBIA with other forms of authentication to provide a robust and easily adopted technology for securely delivering documents and optionally getting them signed.


* All of the above quoted material is from the following article: "Email-Based Identification and Authentication: An Alternative to PKI?" by Simson L. Garfinkel, IEEE Security & Privacy, November/December 2003, pp. 20-26.