DecryptNaBox for the Enterprise eliminates the need for private key escrow during data decryption by splitting decryption into two separate functions. The Data Decryption function decrypts the data itself, using a message session key that has already been decrypted. The Session Key Decryption function decrypts that message session key and hands it to the Data Decryption function. Because the two functions are separated, no local copy of the user's private key is needed to decrypt data.
At a high level, DecryptNaBox for the Enterprise is a client/server platform in which both the client and the server consist of multiple services and adapters. The server, Zeva KeyDecrypt, extends the associated Certificate Authorities with Message Session Key Decryption (MSKDS) capabilities. The KeyDecrypt server also uses a Hardware Security Module (HSM) for secure key handling and for compliance with FIPS 140 Level 2 and Level 3 requirements.
The KeyDecrypt server retrieves keys from a CA and decrypts message session keys. With the KeyDecrypt server in place, private keys no longer have to be retrieved manually for data decryption. The server is also designed to protect and handle private keys safely: all queries and transport use encrypted channels, and private key operations are performed in a Hardware Security Module (HSM).
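The split described above (session key decryption on the server, data decryption on the client) is easiest to see in code. The following is an added example written for this page, not Zeva's code: it models a recipient's message as an AES-256-GCM body plus a session key wrapped to the recipient's RSA public key with OAEP (the simplified shape of an S/MIME KeyTransRecipientInfo). The server type only ever unwraps the session key; the client never touches the private key and never sends the encrypted body to the server. The private key is an in-memory RSA key here, standing in for the HSM-held key; the key sizes, the AEAD choice and the message contents are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyDecryptServer models the Session Key Decryption function. In the product
// the private key sits in an HSM; in this example (an assumption, not Zeva's
// code) it is an in-memory RSA key that is only used inside this type.
type KeyDecryptServer struct {
	priv *rsa.PrivateKey
}

// NewKeyDecryptServer generates the recipient key pair. The public half is what
// a sender would normally obtain from the CA-issued certificate.
func NewKeyDecryptServer() (*KeyDecryptServer, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &KeyDecryptServer{priv: priv}, &priv.PublicKey, nil
}

// UnwrapSessionKey is the only server-side operation: it decrypts the
// RSA-OAEP-wrapped session key. The encrypted body is never sent here.
func (s *KeyDecryptServer) UnwrapSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

// Envelope is a message encrypted to one recipient: AES-GCM body plus the
// session key wrapped to the recipient's public key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Body       []byte // ciphertext followed by the GCM tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the sender side: fresh session key, AES-GCM the body, wrap the
// session key to the recipient.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DataDecrypt is the client-side Data Decryption function. It holds no private
// key: it hands only the wrapped session key to the server and decrypts the
// body locally with the returned session key.
func DataDecrypt(srv *KeyDecryptServer, env *Envelope) ([]byte, error) {
	sessionKey, err := srv.UnwrapSessionKey(env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("session key decryption failed: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}

// RoundTrip encrypts a constructed message and decrypts it through the split
// path, returning the recovered plaintext.
func RoundTrip(msg string) (string, error) {
	srv, pub, err := NewKeyDecryptServer()
	if err != nil {
		return "", err
	}
	env, err := Encrypt(pub, []byte(msg))
	if err != nil {
		return "", err
	}
	out, err := DataDecrypt(srv, env)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// TamperedBodyRejected shows the failure mode: a modified body still gets its
// session key unwrapped, but GCM tag verification rejects the data on the client.
func TamperedBodyRejected() bool {
	srv, pub, err := NewKeyDecryptServer()
	if err != nil {
		return false
	}
	env, err := Encrypt(pub, []byte("constructed sample message"))
	if err != nil {
		return false
	}
	env.Body[0] ^= 0x01
	_, err = DataDecrypt(srv, env)
	return err != nil
}

func main() {
	out, err := RoundTrip("constructed sample S/MIME body")
	fmt.Println(out, err, TamperedBodyRejected())
}
```

The point to check in a real deployment is the same as in the example: the request that crosses the client/server boundary carries only the wrapped session key, so the server can authorize and log that unwrap per message while the private key never leaves the HSM and the body never leaves the client.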
The KeyDecrypt server also protects system audit logs and configuration files through its audit and configuration trust protection feature. Beyond protecting the logs, the feature makes it possible to verify that their integrity has not been compromised.
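The page does not say how KeyDecrypt makes audit log integrity verifiable, so the following is an added example of one common technique, not a description of the product's mechanism: each audit record carries an HMAC over the previous record's MAC and its own text, forming a chain in which editing, deleting or reordering a record breaks every verification from that point on. The MAC key, the log lines and the head-of-chain check are assumptions for the example; in practice the key would live in the HSM or with a separate verifier.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit record: the message plus an HMAC that binds it to the
// previous record's MAC, so the records form a tamper-evident chain.
type Entry struct {
	Msg string
	Mac []byte
}

// Log is a hash-chained audit log. The MAC key is in memory here (an
// assumption for the example); a deployment would keep it in the HSM.
type Log struct {
	key     []byte
	entries []Entry
}

func NewLog(key []byte) *Log { return &Log{key: key} }

// macOf computes HMAC-SHA256(key, prevMac || msg).
func macOf(key, prev []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(prev)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// Head returns the MAC of the newest record, or the all-zero anchor for an
// empty log. A verifier that remembers the head can also detect truncation.
func (l *Log) Head() []byte {
	if len(l.entries) == 0 {
		return make([]byte, sha256.Size)
	}
	return l.entries[len(l.entries)-1].Mac
}

func (l *Log) Append(msg string) {
	l.entries = append(l.entries, Entry{Msg: msg, Mac: macOf(l.key, l.Head(), msg)})
}

// Verify walks the chain from the anchor and returns the index of the first
// record whose MAC does not match, or -1 if the whole chain verifies.
func Verify(key []byte, entries []Entry) int {
	prev := make([]byte, sha256.Size)
	for i, e := range entries {
		if !hmac.Equal(e.Mac, macOf(key, prev, e.Msg)) {
			return i
		}
		prev = e.Mac
	}
	return -1
}

// Scenario builds a small constructed log and returns: the Verify result on the
// intact log, the Verify result after one record is altered, and whether a
// truncated copy (which still chains correctly) is caught by the head check.
func Scenario() (clean int, tampered int, truncationCaught bool) {
	key := []byte("constructed-demo-key-do-not-reuse")
	l := NewLog(key)
	for _, m := range []string{ // constructed sample audit lines
		"2024-01-01T10:00:00Z user=alice action=job.create id=17",
		"2024-01-01T10:00:05Z user=alice action=session_key.unwrap id=17 result=ok",
		"2024-01-01T10:01:00Z user=bob action=config.change key=hsm.slot",
	} {
		l.Append(m)
	}
	clean = Verify(key, l.entries)

	altered := append([]Entry(nil), l.entries...)
	altered[1].Msg = strings.Replace(altered[1].Msg, "result=ok", "result=denied", 1)
	tampered = Verify(key, altered)

	short := l.entries[:2]
	truncationCaught = Verify(key, short) == -1 && !bytes.Equal(short[len(short)-1].Mac, l.Head())
	return clean, tampered, truncationCaught
}

func main() {
	clean, tampered, trunc := Scenario()
	fmt.Println("intact:", clean, "altered at:", tampered, "truncation caught:", trunc)
	fmt.Println("head:", hex.EncodeToString(NewLog([]byte("k")).Head()))
}
```

Note the two distinct checks: the chain alone catches modification and reordering, but a log that has simply had its tail removed still verifies, which is why the current head MAC must be stored somewhere the log writer cannot rewrite.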
To address different customer needs, Zeva Inc. provides two editions of KeyDecrypt: Government and Commercial. The Government Edition is designed for US federal government agencies and includes all required components. The Commercial Edition is designed for general commercial use; it provides an affordable entry point, with optional features that increase system security to meet applicable regulatory and security requirements.
Zeva provides several client types, depending on the required usage. For data decryption, Zeva offers three editions: DataDecrypt Standard, DataDecrypt Professional, and DataDecrypt Enterprise. For mobile use, Zeva offers MobileDecrypt in several implementation options. In addition, the DecryptNaBox Client can be implemented as an extension to third-party platforms or as a generic Microsoft CAPI adapter. The main clients are listed below:
DataDecrypt Standard offers a simple user interface. With Standard, customers use a job creation wizard to submit decryption jobs based on the active Outlook profile, or by pointing to a folder in the file system, in which case all .pst, .msg, and .eml files in that folder and its subfolders are processed.
Zeva DataDecrypt Standard can use local private keys when they are present, or point to the KeyDecrypt server instead. It supports several encryption protocols, including S/MIME, PGP, and RMS, and all message formats, including HTML, text, and RTF, in both MIME and TNEF encodings.
The Professional Edition uses the same simple user interface as Standard and adds an approval workflow and enhanced reporting capability. It also includes an authentication proxy to allow for distributed access control.
In addition to all features of the Standard and Professional editions, the Enterprise Edition lets customers submit decryption jobs that are executed remotely. Jobs can also be created to run automatically, enabling scenarios such as content inspection and/or automatic data
As part of its commitment to the platform, Zeva offers Enterprise Vault customers an extension filter that processes encrypted data within the Enterprise Vault engine itself.
MobileDecrypt is a special client that allows users to read encrypted email messages on mobile devices without direct access to smart card credentials or the user's private key. Using smart card PKI credentials with encrypted email poses significant challenges for mobile device users: encrypted messages remain encrypted on the device until smart card credentials are made available to it, or unless the user's private key is stored on the device. Making smart card credentials available to a mobile device requires a smart card reader, and storing private keys on mobile devices is a serious security risk and a violation of most organizations' encryption key policies. Zeva MobileDecrypt addresses this by letting the mobile device user decrypt email messages without using smart card credentials.