PrivateExpress Secure Messaging Network is designed to provide a secure messaging service to link all the employees (including remote and mobile workers) and business partners of a company without that company having to install and manage a public key infrastructure (PKI).

At its headquarters in California, PrivateExpress provides an Operations Center (PE Ops Center) with email servers that are used as gateways into its Secure Messaging Network, accessible via the Internet. All PrivateExpress messages are secured by a virtual private network (VPN). The PE Ops Center is critically important, handling all the VPN functions and also providing the PKI certificate authority (CA) including key management, tracking and non-repudiation.

The underlying technology is 168-bit triple-DES symmetric encryption for the bulk messages, with 1024-bit RSA public-key encryption for key exchange, authentication and digital signatures. Entrust PKI is used to implement the PKI and Entrust CA is used to provide the X.509 v3 PKI certificate authority. All registered users of the PrivateExpress Secure Messaging Network are issued with public and private keys through Entrust PKI. Key management is completely transparent and handled by the PE Ops Center. Message integrity is also guaranteed so that the complete solution complies with the e-Signature Act, which gives electronic signatures the same legal status as traditional 'wet' signatures.

The Entrust digital certificate is used to secure, sign and verify the content of every document sent and every PrivateExpress-delivered message is signed with this centrally recorded digital signature, which is legally binding. PrivateExpress can also attach a 'notary seal' to all signed documents to 'freeze' the documents so that recipients, or any intermediary, cannot alter a document before signing it themselves and returning it. It maintains full records tracking each delivery, with date and time stamps that prove that a message has been received and opened. Together with user authentication and message integrity, the tracking records provide non-repudiation.

PrivateExpress provides different PKI certification levels. The most basic level is email identity assurance that guarantees that the person you are dealing with has the relevant nominated email address.

SC Magazine tested the desktop client version of PrivateExpress, which comes with its own email client, called 'Service Center' - this approach does not integrate with your existing email system. Whenever there is a secure message or delivery-opened receipt waiting, you will receive a notification email to your normal email address on your existing email client. Then you must fire up or switch to the PrivateExpress client to read the message.

Alternatively, you can use the PrivateExpress client all the time as a replacement for your regular email client, but you can't use it to send messages to anyone who is not a registered user of PrivateExpress. If you do send a message to an unregistered user, he or she will receive an invitation to join the service, which they must complete before they can read your message. PrivateExpress solves the problem of accepting a message in advance of key generation for the recipient, by itself acting as an escrow agent using its patent-pending technology.

There are several ways of implementing PrivateExpress. The desktop client or the web access software can be used to access the PE Ops Center directly, but most corporate customers would choose to install the PrivateExpress Email Gateway, which solves the problem of integrating with existing email clients. However, the email gateway does not bring the PE Ops Center in-house - it merely centralizes and makes transparent the email access.

Installation is straightforward using the supplied CD-ROM. During installation PrivateExpress uses your Internet connection to register a user ID with the PE Ops Center. You can set up various preferences.

PrivateExpress maintains a contact list or directory, and you can choose to have your PrivateExpress user ID published in its directory for any other user to see, or you can be 'ex-directory'. Effectively, this directory maintains a user community, with which you can communicate securely.

Access to the PrivateExpress Service Center is password-protected, while your private key is stored encrypted in your key file on your computer. The username and password enables you to access your key file, which contains your encrypted private key. This file is then used to access your account. Therefore to access your account, someone would need the actual private key in the form of a file on a computer, plus knowledge of the username and password. This is regarded as two-factor authentication as it depends on something you know (your password) and something you own (the key file on your PC). However, the minimum password length is one character. So, PrivateExpress relies on users choosing passwords that are both difficult to guess and long enough to guarantee security, and on users keeping their passwords secret and their PC secure.

System requirements for the desktop client are a 133MHz Pentium with 32Mb RAM and any 32-bit version of Windows. Technical support is provided via a worldwide toll-free number and is available 24x7. The PE Ops Center secures against systems failure by using redundant systems including RAID storage devices. Of course, off-site backups are kept to provide full recovery in the event of a major disaster. Physical security of the Ops Center site is based on biometric access control backed by CCTV. Systems and procedural security is provided using hardened operating systems and segregation of duties, which follows best practices as recommended by PricewaterhouseCoopers.

SC On-Line
SC Magazine
www.scmagazine.com