To: infsecur@smiley.mitre.org
Date: Tue, 31 Oct 1995 07:50:35 -0400
From: wneugent@smiley.mitre.org (Bill Neugent)
Subject: SecretAgent **DO NOT FORWARD OUTSIDE MITRE**

Folks,

I'm always bugging this list for assistance on what seem to be frantic efforts, but you rarely ever hear what happened. Frinstance, last week I broadcast a shrill call for help on SecretAgent. Thanx to your assistance, I prepared and delivered a report later that same day. The next morning, the senior official who had asked for the report contacted me to say he read the report, agreed with the recommendations, and had already directed his staff to implement them. From the time of the request for the report to decisive government action based on the report's recommendations was less than 24 hours! This wouldn't have been possible without the expertise and contacts of the folks on this list. So, thanx!

Following, FYI, is a slightly sanitized version of the report.

Bill

Bottom line is, SecretAgent is a nice package (better than ViaCrypt PGP) and also one that should be acceptable to NSA, since Information Security Corporation is working closely with NSA to add MISSI functionality. Following is a summary. I'm also faxing to you a brochure and government pricing information. My guess is that Information Security Corporation folks would be willing to come here and provide a demonstration, if you wish.

One strategy would be:

1. Have Information Security Corporation provide a demonstration and discussion to key government players.
2. Field 50-100 on a wide assortment of platforms to test integration and interoperability.
3. Based on findings from step 2, go no further or place an order for the community to be covered.

Especially since the involved government community has already solved the addressing and connectivity problems, the main schedule driver here is probably just coordination among the players.
Given high priority, this entire process could take place in 30-60 days.

Bill (883-6632)

SecretAgent Overview

SecretAgent seems an excellent package for achieving cross-platform mail interoperability. The Windows version of SecretAgent is mail-enabled with cc:Mail, LotusNotes, MS Mail, and AT&T Mail. "Mail-enabled" means that, when a user installs SecretAgent, it automatically integrates itself with the mail package. SecretAgent for other platforms is not mail enabled. Even where SecretAgent is not mail enabled, files can be easily encrypted with SecretAgent and sent as attachments, as long as the applications at both ends have binary compatibility. In the absolute worst case, where (1) SecretAgent cannot be mail enabled for a particular mail package and (2) there are no compatible word processing packages, TeachText can be used as a simple, common application for interoperability.

SecretAgent is available on Windows, Macs, DOS, HP/UX, Sun 4.1.3, and Solaris 2.4 (the Windows and Mac versions have GUIs). There are plans to support AIX, Silicon Graphics, and SCO (the brochure is inaccurate in saying that these exist now).

A variety of algorithms and tokens (including FORTEZZA) are supported. The default algorithms are 512-bit Digital Signature Algorithm (DSA), the Secure Hash Algorithm (SHA), Diffie-Hellman (key exchange), and 512-bit single DES. Other algorithms such as RSA and Triple DES are also available. Management of algorithms is normally transparent to users. For example, when a sending user selects recipient names from the recipient list, the public key, algorithms, and other interoperability information are provided and applied transparently to the user. Support is provided for mail lists.

One interesting feature is that private keys are not stored. They are generated at run time from a passphrase that the user types in.
There is no public key infrastructure support and there is no provision for certificate validation, CRL handling, or KRL handling (except for FORTEZZA). Basically, public keys are included with the transmissions.

I talked with three major users who confirm that SecretAgent is easy to use and administer, with no special training required for users or administrators. FAA has thousands of copies in operation (their license is for 15,000) primarily on PCs and laptops and uses it for JPEG images, text, and a variety of file types. They exchange the files via mail, TCP/IP, PPP, or other protocols. They find it supports a variety of applications. The Department of Agriculture is using it in 48 locations, primarily using cc:Mail on Windows. The Department of Transportation is using it for mail. All are very pleased with the product and the support. NSA has hundreds of copies.

A license for 1000 copies costs from $50,000 (Windows) to $62,500 (UNIX). Availability is several days; the normal procedure is to ship five percent of the order in boxes and allow the rest to be copied. Maintenance is 10 percent of purchase price per year. For the first year, maintenance and upgrades are included in the purchase price.

SecretAgent provides FORTEZZA compatibility. It currently supports FORTEZZA on Windows and DOS (beta), and soon will support FORTEZZA on Macs. If only some users have FORTEZZA cards, *all* users could still interoperate using DSA/DES (or other algorithms) and users with FORTEZZA cards could (when they so choose) interoperate among themselves using FORTEZZA. The ability to choose between DSA/DES and FORTEZZA requires some extra steps on the part of the sending user. Nevertheless, SecretAgent provides a path to evolve from commercial software algorithms to FORTEZZA, while awaiting the availability of DMS-compliant mail applications.

They have a contract with NSA to support MSP, with availability scheduled for the end of January 1996.
This should enable writer-to-reader interoperability with MSP-based mail packages. It also enables storage of files in the MSP format for cypher text archives. (Currently, SecretAgent uses a proprietary format.)

Another interesting feature of SecretAgent is that it provides a strong file erasure utility that follows DoD Magnetic Remanence security guidelines. This enables users to ensure that no clear-text copy of the file is left on their system (regardless of whether they choose to store the file in encrypted form).

SecretAgent was developed by Information Security Corporation, a small (nine people) Greensboro NC company specializing in public key cryptography. They signed an exclusive marketing agreement with AT&T for sales of their products.

Sources:

Mike Markowitz, lead technical representative of Information Security Corporation, mjmarkowitz@attmail.com, 708-405-0500
Tom Venn, President of Information Security Corporation, 708-405-0500
Tom Penland, FAA, major customer, 202-267-3864
Donna Wessel, Dept of Agriculture, major customer, 202-690-1285
Mike Kane, DoT, major customer, 202-366-9715
MITRE letter, Jean Hung, 14 December 1994, "Survey of Digital Signatures Standard (DSS) Electronic Mail Products," done for SPAWAR.
Booz-Allen report, December 1994, "Secret Agent Quicklook Report," done for SPAWAR.
SecretAgent technical brochures.

======================================================================