Another misunderstanding
There was an interesting press release on February 24 from Cellopoint, a company based in Taiwan that makes information security products. Here's part of it.
Cellopoint today announced the immediate availability of Cellopoint Email Encryption, a modular solution of products for data loss prevention and regulatory compliance that can simplify the deployment processes and eliminate the management overhead. For financial institutes, sending and receiving inadequately secured email statements to customers was becoming a potential security risk. So they deployed email encryption products for secure message delivery. But some of them were using identity based encryption which employed social security numbers and some kind of username as secret keys. The security and strength of the keys were doubtful. Encryption technology can be divided into symmetric and asymmetric key algorithms. Symmetric key is to protect confidentiality while asymmetric key is providing authentication and non-repudiation. Each of them has its own pros and cons, so the better way is to combine them into an integrated solution. Public key infrastructure (PKI) is the well-known cryptography system that utilizes both symmetric and asymmetric algorithms but it is hard to install, deploy, maintain and is very costly. Cellopoint Email Encryption is an easy-to-use, gateway encryption solution. It simplifies CA management process and provides confidentiality, identity identification and non-repudiation.
I would think twice about buying encryption technology from these guys. It looks like they don't quite understand what identity-based encryption is, so they're probably not really encryption experts. IBE has a very clear and precise definition. It's defined in the paper "Identity-Based Encryption from the Weil Pairing" by Dan Boneh and Matt Franklin if you're really curious about it. Some things are properly called IBE while others aren't, and it certainly looks like the people at Cellopoint don't understand that. They also don't seem to understand that IBE is a public key technology, just like RSA or Diffie-Hellman. These aren't the kinds of things that you'd expect the average guy on the street to understand, but they're certainly the kinds of things that you'd expect a vendor of email encryption products to understand.
The IBE that Voltage uses has a formal and rigorous proof of its security, so claims like "the security and strength of the keys were doubtful" won't withstand much scrutiny, and it takes more than a competitor claiming that our technology isn't secure to make it so. If there's actually a problem with the security of our technology, that means that there's a flaw in the proof of its security. Thousands of cryptographers have looked at this proof, and none of them have found that it's incorrect. This means that if someone claims that Voltage's IBE isn't secure, then either they don't have the background to make such a claim or they've found something significant that will get their paper accepted at the cryptography conference of their choice if they write it up. The chance of all the leading cryptographers being wrong is probably very small, so it's very likely that claims that Voltage's IBE is weak are also wrong.




