Start-up streamlines e-mail encryption

Voltage Security's encryption method is a slight twist on current practices. The so-called public key is derived from the sender's e-mail address, eliminating one step in the process.

Ina Fried
Ina Fried Former Staff writer, CNET News
During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.
3 min read
A Palo Alto, Calif., start-up has its sights set on making sure that more people encrypt their e-mail.

Voltage Security's e-mail encryption system is a slight twist on the current practice of using a combination of security codes--one publicly available and one privately stored--to encrypt and decrypt messages. Using Voltage's approach, the so-called public key is derived from the sender's e-mail address, eliminating one step in the process, according to the company.

"You don't have to go through the process of obtaining a security credential or certificate," said Voltage CEO Sathvik Krishnamurthy.

Although the same security level can be reached using existing public key authentication systems, Voltage executives say the simplicity of their software could draw businesses that are interested in more secure e-mail but have been daunted by the work required to put such a system in place.

The idea of using someone's identity to form the basis for their public "key" is not a new one. In 1984, public key pioneer Adi Shamir proposed such an approach. In 2000, two professors--Dan Boneh and Matt Franklin--released a paper outlining the math behind such an approach. Boneh and others started Voltage to try to build commercial software using the method. The company, which now has 20 employees, secured venture funding from Morgenthaler and Hummer Winblad.

The result of Voltage's efforts is a program that the company says eliminates the need for somebody to plan ahead before having an exchange of encrypted e-mail. Krishnamurthy said only the sender of an encrypted e-mail needs to have the company's software. The recipient can then automatically decode the message while using Outlook, Outlook Express, Eudora or even a BlackBerry handheld. A test version of software for IBM's Lotus Notes software is also available.

A number of technology companies are focusing on identity management in their efforts to make the e-mail encryption-decryption process more seamless. Microsoft, for example, last week announced its new Microsoft Identity Integration Server 2003 software, which is designed to automate the process of managing user-identity information on corporate networks.

Meanwhile, Hewlett-Packard said last week that it is acquiring the SelectAccess identity management software from British security software maker Baltimore Technologies.

In an interview, HP Senior Vice President Nora Denzel said that although HP will find itself competing to some degree with Microsoft, IBM and others, the security industry is still largely fragmented. At the same time, she said it is "poised for tremendous growth," making it an attractive area for companies like HP.

"The security space is dominated by 'other,'" said Denzel, who runs HP's software business. "There is no one single vendor." HP's deal is slated to close before HP's fiscal year closes at the end of October and is subject to approval by Baltimore's shareholders.

Voltage said that, in addition to simplifying the process for those sending encrypted e-mail, its approach helps trim the cost of administering an encryption system. However, Krishnamurthy refused to say how much the software costs. He did say it is available commercially, and he named two pilot customers: Silicon Valley Bank and eHealthInsurance.