ZSentry - Mobile, Web, and Desktop Security

Audience: technical

ZSentry App
click to signup, login, use

iPad & phone: click and
bookmark in Home Screen

Help
New Users
Regulatory Compliance
How Zmail Works
Frequent Questions
Support Center

Resources
ZSentry SAML
ZSentry API
ZSentry Director
Technology
Say it Privately
Service Updates

Cryptography Options: ZS*, PKI, PGP and Universal

* ZS is an abbreviation of the NMA technology called ZSentry

Introduction

Encryption is used to assure privacy and security. User authentication, also called end-user digital certification, is used to assure that communication is happening between the desired endpoints.

User authentication is, unfortunately, often provided by conventional username/password systems, which are also called "simple authentication" in international standard terms (International Telecommunications Union, ITU). To contrast, ITU standards define "strong authentication" when using credentials created by cryptographic methods. The ITU and other recommendations such as by the U.S. FFIEC (Federal Financial Institutions Examination Council), state that only strong authentication should be used as the basis of providing secure services.

In providing support for strong authentication and encryption, ZSentry supports three security technologies and one open (universal) choice:

PKI (Public Key Infrastructure, based on the X.509 ITU recommendation), first released in 1988 and later followed by an S/MIME extension,
PGP (Pretty Good Privacy), first released in 1991 and later followed by an S/MIME extension,
Universal, as an open choice that allows you to use proprietary encryption and authentication engines with ZSentry, following your specification, and
ZS (also implemented using the NMA trademarks ZSentry, ZSentry Mail and Zmail), first used by NMA in 2001 and applied to secure email in 2004.

These options a priori exclude three other possibilities: username/passwords as notoriously insecure; SSL/TLS because it does not deliver an encrypted message and falls short of basic email security requirements (even though it has worked fine for websites); and IBE (Identity-Based Encryption, also marketed as Voltage and MessageGuard) because its design requires key escrow.

The problem with PKI and PGP: Usability

Anyone who was an early adopter of PKI, PGP and other email security solutions will recall how difficult it was to explain how to send and read secure email.

Secure email was one of those things that you couldn't really explain to people. It was something that senders and recipients had to see in action, something that they both had to learn and experience to really appreciate the way the technology would make their email secure.

Sending and receiving email is also one of those experiences that people just don't want to disrupt, not even to make it secure.

Even though conventional PGP and PKI/X.509 solutions are notoriously far too difficult to use, a number of providers use servers to automate some of the tasks that were previously done manually. While this does improve ease-of-use, it may compromise HIPAA/HITECH Safe Harbor conformance, and still has to deal with several limitations of the underlying technologies PGP and X.509/PKI.

For example, the lack of first-contact capability in PGP and X.509/PKI has been countered by server-solutions that set and request passwords, which reduces usability for first contact, creates online targets for username and password lists, and sharply reduces security.

However, people more and more want to use email, webmail, SMS, and IM, and store documents online for easier access, while they also need to comply with HIPAA and other privacy regulations.

That's all solved with ZSentry, which also offers PKI and PGP compatible solutions as described below.

PKI/X.509

ZSentry PKI (BETA) provides a compatible solution to conventional PKI secure email. ZSentry PKI also improves the functionality of PKI solutions by adding first-contact and first-reply capabilities, as well as the ZSentry document lifecycle control functions, such as self-destruct, Return Receipt, certificate recovery and revocation, and other functions.

To use PKI: ZSentry PKI >>

PGP

ZSentry OpenPGP (BETA) provides a compatible solution to conventional PGP secure email. ZSentry PGP also improves the functionality of PGP solutions by adding first-contact and first-reply capabilities, as well as the ZSentry document lifecycle control functions, such as self-destruct, Return Receipt, certificate recovery and revocation, and other functions.

To use PGP: ZSentry OpenPGP >>

Universal

ZSentry Universal provides an open choice that allows you to use proprietary encryption and authentication engines with ZSentry, following your specification. ZSentry Universal also improves functionality by adding first-contact and first-reply capabilities, as well as the ZSentry document lifecycle control functions, such as self-destruct, Return Receipt, certificate recovery and revocation, and other functions.

To specify and use Universal: ZSentry Universal >>

ZS

ZS is an abbreviation of the NMA technology called ZSentry

ZSentry provides a framework that allows trust to be induced and developed between parties in a dialogue, individuals or organizations. ZSentry also provides the dialogue parties (you and the recipient of your message, for example) with a secure context to support key management.

This includes the ZSentry registration service (ZS Registration) and the ZSentry Issuer (ZS Issuer), respectivelly to register users and issue ZSentry Credentials. For more information, click ZSentry Identity Verification.

Messages between the dialogue parties use a unique secret key (the "communication key"). With ZSentry, the communication key management data and communication keys are stored encrypted by each respective user key in that user's area. This is secure even against a physical attack at ZSentry because with ZSentry "Sans Target" technology, user keys are not at risk anywhere and are only available inside a "safe box" momentarily, when the user logs in. The communication key is also different for every sender and recipient pair, is never transmitted, and is unknown to either party.

ZSentry supports the usual distinction between users and managers of an account. With ZSentry Premium, the account manager is authoritative to manage the account, the account settings, as well as adding and closing user accounts. The trust framework provided by ZSentry reflects the usual needs of each organization's account manager (who seeks, for example, to impose centralized control over their users' reliance conditions on communication keys) and the concurrent needs of each individual user (who seeks, for example, to retain private and local validation of communication keys).

The flexibility of having both centralized control over the conditions of reliance while supporting localized validation is an important feature of ZSentry's management of address books, communication keys, and email tracking. The trust framework provided by Zmail works also across administration boundaries and in heterogeneous environments, a typical situation where there are many account managers, many users and multiple authority roots.

ZSentry enables first-contact secure communication. This means that ZSentry can also be used as a trusted, common-reference directory for the PKI and PGP operation modes. For example, one can leverage prior non-PKI secure communication using ZSentry in native mode (ZS) to issue a PKI certificate supported by the ZSentry trust framework. This is useful because the X.509/PKI standards require that the identity and keys of both parties in communication must be defined in public-key certificates established using common-reference directories, before secure communication can start. With ZSentry providing the trust framework, X.509/PKI and PGP gain a secure "bootstrap mode".

In addition to providing the trust framework, ZSentry also provides users with a scalable web implementation of the security services (such as identity management, authentication, confidentiality protection, integrity protection, access control, timestamping, and non-repudiation), in terms of standard, public algorithms and their revisions. This is tightly integrated with the email functions (such as import, export, address book, compose, attach, send, read, reply, and forward), and the ZSentry document lifecycle control functions (such as Self-Destruct (Expiration), Release, Return Receipt, Message Fingerprint, tracking, reporting, and auditing), as well as account management functions (such as credential reset and recovery) that are selectively available to users and account managers.

Please use the panel below to choose the solution(s) that you would like to protect with ZSentry. Alternatively, you can select other panels by clicking the red arrow on the right.

Choose how you want to use ZSentry

Questions? Request a Support Ticket if you need help.

REFERENCES

Trust: formally defined in Information Theory terms as "Trust is that which is essential to a communication channel but cannot be transferred through that channel". Published by E. Gerck (1997) for various combinations of machine (IT processes) and human interactions.

Main Technical Notes

Overview Key Features ZSentry App ZSentry Zero API ZS / PKI / PGP SAML & SSO
Security Usability HIPAA & HITECH Experience Why ZSentry? Red Flags SUMMARY

Trademarks and Copyrights as described in our Legal Statement. We protect Your Privacy.