# Voltage Simplifies Encryption

In a world where secure communications is becoming more and more essential, a group of whiz kids from Stanford has found a way to make public keys more simple.

Quick, where are your house keys? In your pocket, probably, or your purse (or if you're like me, lost in the couch).

Quick, where's your private key? Public key? Do you even have one? If you're like most people, probably not. But these two keys can go a long way toward helping to secure the internet, reduce fraud and identity theft, and even control spam and other nefarious behavior.

But the whole private/public-key infrastructure is broken. Born through a nifty application of abstract mathematics, the promise of secure and encrypted communications for everyone just hasn't happened. And that's mostly because the keys themselves are unwieldy, difficult to transmit and hard to manage.

A public/private-key system works in an almost magical way. Two numbers, paired together, create an almost perfect way to encrypt information in a way that's truly for your eyes only. One part of the pair, your public key, is made available to anyone who wants to send you a message. The private key sits in a secured place on your computer, in a smart card, or tied to your thumb- or retina-print. The sender encrypts the message using the public key, which turns it into gobbledygook. The only way to decrypt it and turn it back into the message is by applying the private key to the message. And since only you have that private key, only you can bring it back.

In practice, however, the whole public/private thing is broken. It's hard to get a public key, and harder still to let the world know what it is. Public keys are typically long, long strings of numbers, which makes it even more difficult to send them to other people.

But what if the public key could be something simple, unique to you, but easy to remember? What if all someone needed was your e-mail address or your phone number? It's a problem mathematicians have been toying with for years, and a few whiz kids from Stanford finally solved it in 2001.

Once they worked out the math, all that was left was to turn it into a real product. The mathematicians teamed up with some of the same folks who worked on Google's business plan, secured funding and launched a company called Voltage Security, with the goal of bringing simplicity—and thus increased usage—to the private/public-key morass.

Here's how Voltage's solution works. Your bank, or some other organization that knows you, encrypts an e-mail using a public key, based on your e-mail address. You receive that e-mail, which connects you back to that organization's authentication server. The server verifies that you are you (by asking for your mother's birthday, for example, or the street you grew up on), and generates your private key. That key gets sent to you, and typically gets stored on your computer's hard drive. Now you can decrypt the message—and encrypt a response—automatically.

From then on, anyone can encrypt a message using Voltage's free tools. And if you have a Voltage-based private key, all you need to do is apply their software to return a message to English, or encrypt a response to someone else.

But Voltage has added a unique twist to public/private key encryption—the concept of time. Your public key is not, in fact, your e-mail, but instead your e-mail address concatenated with the week and year, along with a special code for that particular encryption server. That makes it easy to create secure groups for a short period of time, and to expire users if they are no longer deemed secure. It also lets Voltage make money by ensuring that someone has to pay for the authentication server each week.

Why expire keys? For a whole host of reasons. Imagine that you rent a digital copy of a movie, or subscribe to a music library. Stop paying your bills, and the private keys stop coming—and the music and movies you've downloaded suddenly turn into mush.
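The weekly identity and its expiry can be sketched as follows. This is an added example, not Voltage's code: the string layout, the `srv01` server code and the addresses are constructed, and an HMAC stands in for the real identity-based key extraction, so it models only which key the server hands out and when, not the encryption itself.

```python
import datetime
import hashlib
import hmac


def identity_string(email, day, server_code):
    """Public-key string: address + ISO week and year + server code (assumed layout)."""
    year, week, _ = day.isocalendar()  # ISO year can differ from day.year near New Year
    return f"{email.strip().lower()}|{year}-W{week:02d}|{server_code}"


class KeyServer:
    """Toy key server: hands out one private key per identity string per week."""

    def __init__(self, master_secret, server_code):
        self.master_secret = master_secret
        self.server_code = server_code
        self.good_standing = set()  # addresses that passed the identity check

    def enroll(self, email):
        self.good_standing.add(email.strip().lower())

    def revoke(self, email):
        self.good_standing.discard(email.strip().lower())

    def issue_private_key(self, email, today):
        """Return this week's key, or None if the user is not in good standing."""
        if email.strip().lower() not in self.good_standing:
            return None
        ident = identity_string(email, today, self.server_code)
        # Stand-in only: HMAC replaces the pairing-based IBE key extraction.
        return hmac.new(self.master_secret, ident.encode(), hashlib.sha256).hexdigest()


def demo():
    server = KeyServer(b"constructed-master-secret", "srv01")  # constructed values
    server.enroll("alice@example.com")
    week1, week2 = datetime.date(2004, 6, 7), datetime.date(2004, 6, 14)
    key1 = server.issue_private_key("alice@example.com", week1)
    key2 = server.issue_private_key("alice@example.com", week2)
    server.revoke("alice@example.com")  # e.g. subscription lapsed
    key3 = server.issue_private_key("alice@example.com", week2 + datetime.timedelta(7))
    return key1, key2, key3


if __name__ == "__main__":
    k1, k2, k3 = demo()
    print("week keys differ:", k1 != k2, "| key after revocation:", k3)
```

Because the address is part of the identity string, two addresses that deliver to the same mailbox still map to two different keys, and sender and key server must agree on the week numbering around New Year.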

The U.S. government is interested in Voltage's system. DARPA has already put it to work building temporary coalitions to solve specific regional problems. It's a nifty way to ensure secure communications, over a week or more, with folks you might not trust much.

It's also a great way to improve productivity between consumers and business—especially where regulations require signed documents. Did you refinance your home recently? How many papers did you have to physically sign? My hand cramped before I was done! Waterfield Mortgage deployed the Voltage system, and the company now handles most transactions entirely by e-mail. By going entirely electronic, the company estimates that it can handle about 10 percent more volume with the same staff. Now that's productivity!

General Electric's insurance arm uses the Voltage technology to process its insurance paperwork. Advantage Bank in Colorado conducts cash-management transactions with corporate clients using e-mail.

During my test of the system, it worked great. All a provider needed to do was send me an e-mail encrypted based on my e-mail address. When I received the e-mail, I was instructed to verify my identity online, which allowed them to send me my private key. A 3MB helper application installed into Outlook, which then let me decrypt and read the e-mail. It was simple and easy to operate.

However, it's not foolproof. I purposely used one of my Exchange e-mail aliases (jlouderb@ziffdavis.com) instead of my real e-mail address (jim_louderback@ziffdavis.com) for my public key. That caused problems when I tried to encrypt a response using Outlook.

It's also expensive. You'll have to spend \$62,500 to get started with 250 internal users. There is a less expensive version for smaller businesses, at \$22,500 for three years. The company's also working with third-party software developers to fight spam and viruses. Brightmail, CipherTrust, FrontBridge and others have all signed up to incorporate Voltage's technology into their products.

In a world where secure communications is becoming more and more essential, it's nice to see advanced mathematics applied to making our lives easier. The company expects its technology to be incorporated into instant messaging applications, BlackBerry-like portable e-mail systems and more. It'll even work at Internet kiosks.

Now if only they'd figure out a way to hang my private key on my keychain. On second thought, I'd probably lose that in the couch, too.
