Audience: technical

Cryptography Options: ZS*, PKI, PGP and Universal

* ZS™ is an abbreviation of the NMA™ technology called ZSentry™

Introduction

Encryption is used to assure privacy and security. User authentication, also called end-user digital certification, is used to assure that communication is happening between the desired endpoints.

User authentication is, unfortunately, often provided by conventional username/password systems, which the international standards of the ITU (International Telecommunication Union) call "simple authentication". By contrast, the ITU standards define "strong authentication" as authentication that uses credentials created by cryptographic methods. The ITU, and other recommendations such as those of the U.S. FFIEC (Federal Financial Institutions Examination Council), state that only strong authentication should be used as the basis for providing secure services.

In providing support for strong authentication and encryption, ZSentry supports three security technologies and one open (universal) choice:
  1. PKI (Public Key Infrastructure, based on the X.509 ITU recommendation), first released in 1988 and later followed by an S/MIME extension,
  2. PGP® (Pretty Good Privacy), first released in 1991 and later followed by an S/MIME extension,
  3. Universal, as an open choice that allows you to use proprietary encryption and authentication engines with ZSentry, following your specification, and
  4. ZS (also implemented using the names ZSentry™, ZSentry Mail™ and Zmail™), first used in 2000, and applied to secure email in 2004.
These options a priori exclude three other possibilities: username/password, as notoriously insecure; SSL/TLS, because it does not deliver an encrypted message and falls short of basic email security requirements (even though it has worked fine for websites); and IBE (Identity-Based Encryption, also marketed as Voltage™ and MessageGuard™), because its design requires key escrow.

PKI/X.509

ZSentry PKI (BETA) provides a solution compatible with conventional PKI secure email. ZSentry PKI also improves on the functionality of PKI solutions by adding first-contact and first-reply capabilities, as well as the ZSentry document lifecycle control functions, such as self-destruct, Return Receipt, certificate recovery and revocation, and other functions.

To use PKI, see ZSentry PKI.

PGP

ZSentry OpenPGP (BETA) provides a solution compatible with conventional PGP secure email. ZSentry PGP also improves on the functionality of PGP solutions by adding first-contact and first-reply capabilities, as well as the ZSentry document lifecycle control functions, such as self-destruct, Return Receipt, certificate recovery and revocation, and other functions.

To use PGP, see ZSentry OpenPGP.

Universal

ZSentry Universal provides an open choice that allows you to use proprietary encryption and authentication engines with ZSentry, following your specification. ZSentry Universal also improves on that functionality by adding first-contact and first-reply capabilities, as well as the ZSentry document lifecycle control functions, such as self-destruct, Return Receipt, certificate recovery and revocation, and other functions.

To specify and use Universal, see ZSentry Universal.

ZS

ZSentry provides a framework that allows trust to be induced and developed between parties in a dialogue, individuals or organizations. ZSentry also provides the dialogue parties (you and the recipient of your message, for example) with a secure context to support key management.

This includes the ZSentry registration service (ZS Registration) and the ZSentry Issuer (ZS Issuer), which respectively register users and issue ZSentry Credentials. For more information, see ZSentry Identity Verification.

Messages between the dialogue parties use a unique secret key (the "communication key"). With ZSentry, the communication key management data and communication keys are stored encrypted by each respective user key in that user's area. This is secure even against a physical attack at ZSentry because with ZSentry "Sans Target" technology, user keys are not at risk anywhere and are only available inside a "safe box" momentarily, when the user logs in. The communication key is also different for every sender and recipient pair, is never transmitted, and is unknown to either party.

ZSentry supports the usual distinction between users and managers of an account. With ZSentry Premium, the account manager is authoritative to manage the account, the account settings, as well as adding and closing user accounts. The trust framework provided by ZSentry reflects the usual needs of each organization's account manager (who seeks, for example, to impose centralized control over their users' reliance conditions on communication keys) and the concurrent needs of each individual user (who seeks, for example, to retain private and local validation of communication keys).

The flexibility of having both centralized control over the conditions of reliance and support for localized validation is an important feature of ZSentry's management of address books, communication keys, and email tracking. The trust framework provided by Zmail also works across administration boundaries and in heterogeneous environments, the typical situation where there are many account managers, many users and multiple authority roots.

ZSentry enables first-contact secure communication. This means that ZSentry can also be used as a trusted, common-reference directory for the PKI and PGP operation modes. For example, one can leverage prior non-PKI secure communication using ZSentry in native mode (ZS) to issue a PKI certificate supported by the ZSentry trust framework. This is useful because the X.509/PKI standards require that the identity and keys of both parties in communication must be defined in public-key certificates established using common-reference directories, before secure communication can start. With ZSentry providing the trust framework, X.509/PKI and PGP gain a secure "bootstrap mode".

In addition to providing the trust framework, ZSentry also provides users with a scalable web implementation of the security services (such as identity management, authentication, confidentiality protection, integrity protection, access control, timestamping, and non-repudiation), in terms of standard, public algorithms and their revisions. This is tightly integrated with the email functions (such as import, export, address book, compose, attach, send, read, reply, and forward), and the ZSentry document lifecycle control functions (such as Self-Destruct (Expiration), Release, Return Receipt, Message Fingerprint, tracking, reporting, and auditing), as well as account management functions (such as credential reset and recovery) that are selectively available to users and account managers.


REFERENCES

Trust: formally defined in Information Theory terms as "that which is essential to a communication channel but cannot be transferred through that channel". Published by E. Gerck (1997) for various combinations of machine (IT processes) and human interactions.


Development and © by NMA
