FOR

Really an extension of the Windows 95/98/NT 4.0/2000 operating system, Protect is designed to enhance the security of your data, primarily by the use of encryption, but also improves logon to client stations when used in conjunction with an identification and authentication token. It also offers a convenient method of locking and unlocking your workstation using the DECROS Card PKI among others.

This is the first time I have looked at Protect. For those of you familiar with version 2, you will be interested to learn that Protect version 3 is an entirely new generation of product, built on the existing Protect version 2 technology but offering a range of powerful new features. These include the option of online encryption (transparent encryption in selected folders), encryption through protected archives anywhere on your computer, network or on the Internet, central management tools (greatly facilitating mass rollout and implementation), and a simple method for sending encrypted email.

On-line encryption, also called transparent or on-the-fly encryption, means that encryption and decryption take place automatically and transparently, in the operating system background. Once you have entered the encryption key for a given file or directory, all operations will proceed normally and you need not be aware that you are working with encrypted data. For online encryption, Protect makes use of specially designated directories. These directories are chosen by the user and are like any other directories, except that the first character of the directory name is the @ symbol. Protect automatically encrypts any file created, saved, copied or moved to an @directory. Similarly, when reading files from an @directory, once you have entered the key, Protect will automatically decrypt the file online, and remember, your files are always stored in encrypted form.

Protect encrypts and protects data directly on the Windows 95/98/NT 4.0/2000 kernel level, which should make working with protected data simple and intuitive, and this is indeed the case. The Protect design philosophy allows you to work with encrypted data without your files ever being decrypted on disk. This guarantees that wherever your sensitive data is stored - whether on your hard disk, diskettes or servers - it is stored in encrypted form only. Also, when sending data over LAN, WAN or Internet, it is always transferred in encrypted form. Decryption takes place locally and only when the data reaches its destination workstation. So, all in all, there is really no window of opportunity for an interloper to intercept unencrypted data, however fleeting that opportunity might be.

Protect offers a choice of algorithms to encrypt your data, e.g. WinCros, WinCros II and CAST, although users may easily add other algorithms if they have especially high security requirements. WinCros is a symmetric block cipher using a fixed encryption key length of 80 bits, developed by DECROS using the latest cryptographic techniques and know-how. It is optimized for 32-bit operating systems, resulting in high speed and performance, even with exceptionally large files. For key length and quality of encryption, WinCros provides far greater security than the international standard DES.

WinCros II is based on the WinCros algorithm with a few differences. It uses the latest version of the secure hash standard function. It also uses 'salting' (a cryptographic technique that increases randomness and encryption quality) and it allows the choice of either an 80 or 160-bit long encryption key. Finally, an extra option allows you to set your own unique structural key of either 248 or 168-bits in length (depending on the choice of encryption key length) giving a total key length of 328 bits.

With Protect, the only security worry you will have is how to store effectively and securely the encryption keys that were used to protect your data. Obviously, if you lose the encryption key then you will lose your data and here is no method for recovering data from a file that has been encrypted. Protect uses smartcards or a Security Box for storage of encryption keys and logon information. We do not feel it necessary to explain the smartcard, but Security Box does need an explanation. This is a compact, portable device (4x4x1cm box) for the secure storage and transfer of up to 15 (80-bit) different encryption keys for use with Protect. Depending on the model, you can either attach it to the serial port of any desktop or laptop computer or use the infrared port for wireless communication.

The main benefit that Security Box brings is greatly improved and simplified encryption key management and storage. The encryption keys stored in the Security Box are protected by a password; to be able to use the keys, you must first enter the access password. Therefore, with Security Box the problem of remembering a number of encryption keys is reduced to having to remember only the access password to the Security Box. As well as providing a means of storing encryption keys, Security Box makes it possible for you to give others access to your files without them knowing your encryption keys: you need only give them the Security Box and the access password.

I used the DECROS Card PKI with Protect. It can be used for logon, workstation lock and encryption key storage and allows for the storage of up to 32 records. DECROS Card PKI is generous in its support of password types. These include an access password (PIN), an unblock access password, a write password, unblock write password, and a transport key for changing the internal card format.

This is actually quite a wonderful product. It is easy to understand and easy to use, and its interoperability with other token/card systems (each with their own inherent benefits) increases its flexibility and security options further. The only problem here might be that you are spoilt for choice, and its implementation must be put in the hands of a very focused administrator, who will decide on a particular course of action and stick to it.

SC On-Line
SC Magazine
www.scmagazine.com