Internet.com ISP-Planet

CryptCOM's Secure File Transfer

Working from a flexible, programmable database at the back end, and multiple layers of security before, during, and after a session at the front end, startup CryptCOM Securities says it delivers secure file transfers over the Internet.

by Alex Goldman
ISP-Planet Associate Editor
[December 19, 2002]

On the Internet, everybody worries about the security of FTP, and many companies are selling secure solutions. Now, New York City-based startup CryptCOM Securities says it can provide ISPs with the ability to offer secure FTP to their customers.

Working with RSA Security, Inc., the company has developed a Windows-based solution that it sells to ISPs for $18,000 per server, with unlimited client licenses.

CryptCOM maintains security throughout a session by continuously checking and rechecking the packets that are sent and received. The company explains the process visually in a three-minute presentation on its website.

Covering all the bases
It's a system with many pieces, and CryptCOM built it through attention to detail. For example, Joseph Stein, CryptCOM founder, vice president, and CTO, says, "SSL is popular but the drawback is that it's a one-way technology, secure only from client to server. There's no security when the server sends to the client."

The company calls its more secure protocol Secure Data Layer Transfer Protocol (SDLTP). "It provides a continuous handshake while sending and receiving," says Stein. "For example, if you send four or five files, you'll check security regularly throughout the session."

CryptCOM's system is simple but effective. When a file is sent, CryptCOM embeds a header, like "123" (but actually 50 or more characters long). When the recipient replies, the recipient places the "123" it received in the footer, and inserts its own header, perhaps "ABC." Any message inserted into the stream by a third party will be detected instantly.
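The header-and-footer chaining described above, modelled as an added example (not CryptCOM's own code, which the article does not publish): each side stamps a fresh random header on every message and echoes the peer's most recent header in the footer, so a message slipped into the stream, or a replayed one, fails the echo check. The 50-character token length, the message layout and the assumption that the exchange runs inside the encrypted channel are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

TOKEN_CHARS = 50  # the article says the header is 50 or more characters long

def new_token() -> str:
    """Fresh unpredictable header: 25 random bytes rendered as 50 hex chars."""
    return secrets.token_hex(TOKEN_CHARS // 2)

@dataclass
class Message:
    header: str   # new token chosen by whoever sends this message
    footer: str   # echo of the last header received from the peer ("" at session start)
    body: bytes

class Endpoint:
    """One side of the session; assumed to sit inside the encrypted channel."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.last_sent = ""      # header of our most recent message
        self.last_received = ""  # header of the peer's most recent accepted message

    def send(self, body: bytes) -> Message:
        msg = Message(header=new_token(), footer=self.last_received, body=body)
        self.last_sent = msg.header
        return msg

    def receive(self, msg: Message) -> bytes:
        # The footer must echo the header we sent last. A third party inserting
        # into the stream cannot know it, and a replayed message carries a stale one.
        if msg.footer != self.last_sent:
            raise ValueError(f"{self.name}: continuity check failed, message rejected")
        self.last_received = msg.header
        return msg.body

def run_session(files: list[bytes]) -> tuple[list[bytes], bool]:
    """Upload files with a handshake per message, then try an injected message."""
    client, server = Endpoint("client"), Endpoint("server")
    received = []
    for data in files:
        received.append(server.receive(client.send(data)))  # one file per message
        client.receive(server.send(b"ACK"))                 # server acknowledges
    # Constructed injection attempt: a fresh header, but no knowledge of the server's last header.
    forged = Message(header=new_token(), footer="", body=b"injected")
    try:
        server.receive(forged)
        detected = False
    except ValueError:
        detected = True
    return received, detected
```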

Even at the start of the session, CryptCOM uses strong security. Stein is dissatisfied with most Public Key Infrastructure (PKI) security systems. "The problem is that most PKI systems store keys in an area that is accessible. A related problem is that if you acquire a company's key, you can decrypt all of their information."

CryptCOM generates random and dynamic public keys. Says Stein, "using RSA's software development kit (SDK), we built a system that generates two sets of keys for every connection. So each time a connection is made, both server and client each generate a 1024 bit public key and a 2048 bit private key."

Digitizing the envelope
CryptCOM creates what it calls a "digital envelope." Instead of encrypting the entire message for each transmission, Stein says that CryptCOM took a cue from SSL. "We encrypt a 50 character seed with the public key and if you cannot crack the seed, you cannot read the data."

At the back end, Stein does not trust any of the above security methods for protecting a database. Instead, he goes a step further with RSA's SecurID technology. The SecurID product is a token that generates 6 numbers that change every 10 seconds. A copy resides on the database server. The client's token can reside on a keychain, on a credit card, or in a PalmPilot or other PDA. Says Stein, "I like the PalmPilot because I'm already carrying it. Why carry something else?"

He sees demand for security even at the small business level. "If a sole proprietorship is paying $50 per month for hosting services, they can pay a $200 one-time fee for a token."

Stein usually advises buying two tokens. CryptCOM sets up the security so that each token is a valid user with full privileges on the database. The backup is stored in a physically secure location in case the customer loses the other. Otherwise, a lost token results in nobody being able to access the server.

Dynamic data engine
The database is a basic Windows SQL database that Stein says is very flexible. "It's a Microsoft Active Template Library (ATL) C++ service that runs on Windows 2000 and SQL Server 2000. The client is Java-based for platform independence," he says. "We've used the ATL to build services. You just modify the database to add services. For example, when we wanted to log every time a file was transferred, we just wrote a procedure that stores the time in a table."

Building secure data transfer around a database and server makes data centers more secure, Stein says. "With FTP, you've got an FTP server on every Web server. One of the benefits of running CryptCOM is the centralization of infrastructure. Everything gets done on the database and mapped out to the servers. This gives you built-in virtual server capabilities, and it makes your Web servers more secure. Our database has the highest level of security currently available."

For the future, Stein is working on porting his product to Solaris (for Q2 of 2003). He's also fascinated by the flexibility of the ATL service. "We built the CryptCOM system to pass data back and forth securely. Now we're looking at the database and database relationships. The ATL service runs all the time. You can add logic simply by adding a procedure. That's where our development effort is right now," he says.

—End

Related articles:
  [June 7, 2002] MOVEit DMZ Promises Secure FTP
  [Oct. 5, 2000] Budget-Priced Network Management Systems: Series Wrap-Up
  [May 16, 2000] SSH: From Secure Administration to VPN

Online resources:
  Code libraries used by CryptCOM
  RSA FAQ: What is a digital envelope?
