for NeXTStep
WHY WOULD ANYONE WANT TO ATTACK YOUR COMPUTERS?
How about:
-financial fraud
-theft of resources
-industrial espionage
-wanton vandalism or `showoffs'
-malicious attacks by disgruntled employees
-illicit eavesdropping for financial or political gain
computerActive Inc.'s Entrust
for NeXTStep provided your organization with a set of
tools to manage the security and integrity of information
throughout your enterprise. It addressed four key areas:
Data Privacy:
The contents of a protected file could only be viewed by
the person who protected it and by the people who have
been authorized by that person to do so.
Public Key Encryption:
Encryption was used to protect information stored
electronically or being transferred between any users
throughout an organization, and between different
organizations inluding through mail systems through the
INTERNET.
Data Origin Authentication:
You could check the digital signature of the person who
signed the file to ensure the file really came from the
person you think it did.
Data Integrity:
You could be sure the file had not been altered since it
was signed. A valid digital signature that accompanied
the file was the guarantee.
Automated Key Management:
It was easy for users to encrypt and sign files for
others. The concept of keys was transparent to users, but
was of utmost importance to guarantee the privacy and
integrity of sensitive data.
User keys could have a limited validity period. When this
time period expired Entrust automatically updated all
users' keys with new ones without the users being aware
that this update had occurred.
Product
Features:
Graphical User Interfaces:
It was simple to use, quick to learn, an
included online help.
High Speed Cryptographic Software:
On an Intel486 running, the encryption
software was fast enough to be practical for encrypting
all the files in a user's directories.
Encryption for Groups:
Encrypt a file for multiple recipients in
one operation, without the overhead of creating separate
encrypted copies for each recipient.
Choice of Encryption Algorithms:
Entrust supported the best available
public key encryption algorithms and emerging standards,
including RSA, DES and others.
All file types:
Entrust handled any file, from any
application, without restriction. You could secure text,
forms, images, even multiple files, with a single
operation.
Key Security:
The cryptographic keys were created by the customer,
therefore, were not accessible to any external agency.
ASCII Encoding Option:
It could make encrypted files compatible
with all electronic transfer methods, including
ASCII-only electronic mail systems.
Written by computerActive Inc using licensed toolkits
from Entrust Corporation.
(Entrust is a trademark of Entrust Corporation)
Using
NEXTSTEP Entrust
Launch the Application
Select a file, drag and drop it onto the Entrust Icon on
your Dock. In this example we will use
Shakespeare/Hamlet/1.2.
If the Entrust application is not already running it will
be launched and you will be asked for a password.
Note that this password is not the password and account
you use for logging into the NEXTSTEP computer. This is
an entirely independent account used only for encrypting
and/or signing documents or folders. Whatever holes may
or may not exist within the NEXTSTEP accounts and
security system are eliminated here.
Select the intended recipients
Once you enter your Entrust password you will be
presented with a Select Recipients panel inviting you to
select one or many recipients.
This is where Entrust starts
to differentiate itself. The list of names you see in the
Selection List with their public keys is from a corporate
wide X.500 database of public keys.
This database holds all the public keys approved and
verified by trusted individuals in the organization. It
records not only the person's public key but also the
certifying authority.
An X.500 database is capable of managing thousands of
users, so we provide you with the ability to create
groups or mail lists. With a single click of a mouse you
could select a group of ten people who are intended
readers of this soon-to-be-encrypted and signed file.
Encrypt the file or folder
Once you have all the desired individuals and groups
listed in the Selected Recipients window, press the
Encrypt button.
The Select Recipients panel will disappear and be
replaced by a Process Status Panel. This gives a running
report on the progress of the encryption.
For the file Shakespeare/Hamlet/1.2 which is 15494 bytes
long and 9 printed pages long, it takes less than 3
seconds to complete the job for six recipients and write
it to the disk on a three year old NeXTstation Turbo.
Experts in the field will be picki ng themselves off the
floor about now. This as at least ten times faster than
traditional speeds given the same file sizes and
hardware.
Note that there are two pie charts. One to show the
progress of the individual file being encrypted and the
other to show the progress of the whole folder being
encrypted if that is what you wanted.
Note the resultant file
For output you have choices. In the above example we
chose to have the original file hard deleted from the
disk and replaced with the encrypted file. This is
appropriate if you wish to secure a file in your home
directory.
However if your intent is to keep the file "in the clear"
on your home directory but wish to have a secured copy to
send over the internet , then you would go to the
preferences panel and deselect the "Delete after
encrypting" check box.
Note that in this panel there
is an Encrypt operations section with choices of
encryption algorithms. Today there are two DES and CAST.
In the future there will be more.
Note also that there are check boxes for Encrypt, Sign
and My eyes only. You might want to sign a document but
not encrypt it. This would allow anyone to read the file
with absolute confidence that you signed it and that it
has not been changed after you signed it. My eyes only is
a short cut which encrypts files for yourself without the
Selected Recipients panel popping up.
As NEXTSTEP users we sometimes forget that there are
still people out there who's e-mail systems can only
handle ASClI. We provide an option in the Destination
Files section for writing the files in ASCII. Normally
you would want to keep them in binary form (tougher to
break the encryption, faster to decrypt and the resultant
files are smaller).
You now have an encrypted and signed file which can be
left on the network server with confidence. If anyone
manages to defeat the Unix file security systems and
illegitimately grab a copy they will not be able to
decipher the contents. The same can be s aid for sending
it across the Internet.
Decrypt the file
Encrypted files have a file name extension .ent . Select
the file you wish to decrypt in the file viewer and
double click it. If the Entrust application is still
running it will decrypt the file. If not, then the double
click will launch the application , ask for your password
and then decrypt the file. In our example of
Shakespeare/Hamlet/1.2 the file was decrypted in less
than 2 seconds and then an appropriate application was
launched to view the file. In this example it was Edit.
You have decrypted a
file.
The above panel tells you where it put the resultant file
and in the Files section it lists the decrypted files and
their status. Note two icons beside the file name, one
looks like an open padlock, the other looks like a pen.
If you click on the Signature button a new panel will pop
up.
If you see this panel you
know that the file was not corrupted along the way and
that it was signed by Jill Hennessy and that HASC-ELM
certifies that this was really Jill's valid public key.
Note if even a single character, comma or space was
changed you would not see this panel. The decryption
process would abort and you would be told that things are
not right.
Prove it to yourself. Encrypt a file. Open it with edit,
go to the middle of the jumble of characters and change
something, save the file. Now try to decrypt it. It will
know. Make sure you do this on a copy of the encrypted
file.
Note that this encryption/signature process is
independent of the application used to create the source
file. It is independent of operating system. That file
could be sitting on a Novell server, or a Digital NFS
server. It doesn't matter, if your NEXTSTEP computer can
see the file you can encrypt and sign it. The process is
independent of the transport mechanism. You may have
gotten it from a server or from a floppy or from an
Internet e-mail. It doesn't matter to the system. Any
file you encrypt and/o r sign can be decrypted on
Macintoshes, Windows, Sun's and HP workstations.
Back to the Preferences Panel
In the Decrypt Operations section you have the option of
writing the decrypted file to disk with the same file
name or to keep the information in memory and launch an
application.
Under the Decrypt Options you can choose to leave the
encrypted file on the disk and write the decrypted file
to the hard disk or you can cause the encrypted file to
be hard deleted upon decryption.
The Destination Files option asks if it should overwrite
existing files if they have the same file name.
In the General Options section you can set a time-out for
automatic log off of Entrust after a specified idle time.
Note that this is again separate from the general system
account and will not log you out of your NEXTSTEP system.
The remaining fields have to do with you taking your
NEXTSTEP portable on the road. It is possible for you to
download a database of valid public keys to take with
you. You are exposed, should one of those keys be
declared invalid while you are away you won't know about
it until you reconnect to the network. The risk is
probably acceptable for short periods of time. It's
certainly better than telling the world to invalidate a
lost credit card number.
Should you for any reason feel that your key pair has
been compromised, you have only to notify your Certifying
Authority. Your old public key will be invalidated. A new
key pair will be issued. Within moments everyone on the
net will be using the new pu blic key. Users look you up
know anything has changed.
This capability allows your organization to effect
sophisticated policies like automatic expiration of key
pairs when students go back to school or when employees
leave the company. After invalidation of their key pairs
it is still possible to access the work they left behind
through an auditable mechanism. You may automate the
expiration of keys of all employees at regular intervals
without the users knowing or caring. Their private
signature password remains intact.
Integration within NEXTSTEP
From any application select a portion of a file. Go to
the Browser Services menu. Select Entrust/Selection and
the selected information will be encrypted and written to
a file in a directory specified by you.
Written and distributed by 
