E-mail encryption as easy as remembering who you are

Dan Boneh and Matt Franklin

Most people wouldn’t dream of sending business and personal documents in an unsealed envelope, but every day millions of unencrypted e-mails containing equally sensitive information cross the Internet. The reason is simple: Until encryption becomes as easy to use as an envelope is to lick, few will bother.

The problem is that, until recently, the only available PKI schemes used digital certificates to hold the encryption keys, and certificate management can turn into an exercise in itself. The idea of using one’s identity in PKI has been around for more than a decade, but it wasn’t until a breakthrough in 2000 by Dr. Dan Boneh (above, left) and Dr. Matt Franklin (above, right) that the possibility became a reality.

“No one ever remembers what their public key is,” Boneh says. The volume and randomness of the data in a certificate make that prohibitive.

Boneh describes what must rank as one of the great adventures in academic grantsmanship. “Three years ago, Matt and I started thinking about this problem,” Boneh says. “We had a [Defense Advanced Research Projects Agency] project, and we promised DARPA that we would provide a solution.” In hindsight, “it was sort of foolish to write a proposal saying that we were going to solve this 18-year-old problem. We actually had no clue how we were going to do it.” But they got the funding and went to work.

The method Boneh and Franklin developed employs the mathematical technique of bilinear mappings, known as Weil and Tate pairings, on elliptic curves to obtain an algorithm that transforms a simple identity string (such as a phone number or e-mail address) into a public-private key pair, where the public key is the identity string. The beauty is that the process is self-serve; key users need not be pre-registered. “You can encrypt e-mail to me even before I’ve bothered to register [with the key server] as an individual,” Franklin observes.

Boneh and Franklin remain on their respective faculties — Boneh at Stanford University and Franklin at the University of California, Davis. Boneh also is a member of the board of directors of Voltage Security, a company founded by former Stanford students, with venture capital participation, in 2003 to capitalize on Boneh and Franklin’s breakthrough. Voltage is now offering a number of identity-based encryption products based on their work, including the SecurePolicy Suite and, through third-party service providers, the SecurePolicy Service, as well as tools for securing documents, e-mail, and IM.