Locking email in the 'Vault'

Designed to control how information is used, rather than merely control who has access to it, Athentica's PageVault software can control printing, copy/paste, and even make it impossible to forward a document by e-mail.

Australian distributor Software Intelligence claims its use would have prevented last month's timing incident at the Reserve Bank of Australia when an email revealing the latest national rates increase was sent to various banks and financial institutions six minutes prior to the official announcement.

Reportedly, in an effort to avoid potential implications of the error, the Reserve Bank then forwarded another email, asking those that received the premature statement to ignore it. In the minds of those who received the two messages, the latter email merely confirmed the unpredicted higher increase. Reports of millions of dollars being won and lost during the six minute frenzy has raised questions about the security and accuracy of exclusive data and information being transmitted electronically from the Reserve Bank.

The PageVault system requires the author to encrypt and register a document with the PageVault server. PageVault applies 128-bit RC4 encryption to the specified PDF file. The author then defines the privileges for the authorised users and registers this information onto the PageVault server. The registration data is encrypted with RC4 and then tunnelled through an SSL channel protected with triple-DES encryption. The keys are generated and stored on the PageVault server.

FREELY DISTRIBUTED

The resulting encrypted document can be freely distributed because it is inherently secure and the keys are only available through the PageVault server.

In order to view a PDF file protected by PageVault, a user needs a copy of Adobe Acrobat and the PageVault plug-in. When someone tries to open the file, the plug-in recognises it as a PageVault file, derives from it the location of the author's PageVault server, and begins the authentication process. The server responds to the authorisation request with a challenge over an SSL channel protected with RC4 encryption. If the user provides a suitable response (via shared secret of up to 256 characters or a X.509 V3 certificate) permission is given and a key is provided which decodes the first authorised page. The page's content is decoded only to video memory, it never becomes "clean text" on the user's PC. The key is immediately destroyed to maintain security. This process is repeated for every page access request which allows PageVault to provide security with page-level granularity. Authentication is a fast (700 byte) process which is transparent to the user.