By ADAM GIFFORD
People say they want information security, but when push comes to password, are they willing to do the work to get it?
Judging by the slow take-up of advanced cryptography products, the answer must be: "In most cases, not."
Palo Alto-based PGP Corporation thinks it can address many of the secure encryption issues which have delayed adoption outside of banking and finance or health.
The original PGP, or Pretty Good Privacy, was one of the pioneers in the field, but sold out to Network Associates in 1997.
Last year Network Associates, best known for the McAfee antivirus tools, decided to quit the cryptography business, and sold the assets to PGP Corporation, an entity set up by many of those involved in the original company.
Phil Dunkelberger, chief executive of the old and new PGP, said the offer came when he was setting up another company to build email security products.
"I got in touch with my chief technical officer from PGP 1 and asked what effect it would have if we bought the assets.
"He said it would cut a year and a half off our development time."
The price was "a lot less than they bought it for", and as well as the original PGP code and patents, the new owners inherited some 10,000 customers from Network Associates.
"We were able to take our new product ideas to that large customer base and ask if they would buy more if we built them," he said.
The improvements in version 8.0 of PGP and the new features to be released in a couple of months mean large organisations are looking at using PGP not just for their most sensitive positions but on thousands of desktops.
PGP combines what cryptographers call public and private keys, allowing users to send an encrypted email and the key to unlock it in the same message.
Dunkelberger said improvements included true user transparency, so messages were encoded and decoded at an email gateway, without the user having to do anything; centralised policy management and enforcement inside and outside the firewall; and the ability to work with multiple clients, so the software will support all types of email and instant messaging systems.
He said the company was also extending encryption to new technologies like Palm, Win CE, phone SMS and the whole roaming wireless area.
"More people are detached from the edge of the network," he said.
Many firms use virtual private networks, but that only secures the data in transit, not the package itself.
"Where this becomes an issue is that more than 50 per cent of corporate intelligence is now tied up in email. We are sending all this insecure plain text around."
PGP Corporation has taken a key step towards winning the trust of the market by publishing its source code.
"Security is the hardest form of rocket science, and we publish the source code because we get excellent feedback from other rocket scientist cryptographers," Dunkelberger said. "It gives great comfort to security people. Corporations don't want back doors in their software."
Auckland University security expert Peter Gutmann, an original author of PGP, said releasing the source code was an important test for PGP Corporation.
"The basic requirement of crypto software is, security people don't trust it if they can't see the code," said Gutmann.
He said PGP was also making individual copies of the software available, as well as restoring a stripped-down freeware version.
"Network Associates was not interested in selling quantities less than several thousand," he said.
"The main selling point for PGP is you can generate and distribute your own keys. You don't need to go to a certificate authority like Verisign.
"Anything which requires you to jump through hoops and pay for certificates is a disincentive."
Born-again PGP wins over security boffins