When SecretAgent 5 key recovery has been enabled, this Windows
application permits authorized key recovery agents (KRAs)
to decrypt SA5 archives (regardless of originating platform), and
thereby recover the plaintext they contain. At no time are user
private keys compromised and a key escrow system is not required.
Key recovery agents are configured in the security policy. The
PolicyAgent application is required
to generate a policy that includes key recovery.
How It Works
When SA5 key recovery is enabled (either voluntarily by the user or as enforced by security policy settings), KRAs are included as virtual recipients for every encrypted archive. This means that the
random session key used to encrypt a given archive is wrapped with
the public keys of the (individual or group) KRAs just as it is
for all normal recipients of that archive.
When key recovery is required, say in case of employee dismissal
or unexpected absence, the KRA-wrapped session keys can be extracted
from the archive header by the KRU and handed off to the various
KRAs for processing. Each KRA enters the password for his private
key and the session key is partially unwrapped. Once all KRAs have
processed their messages, the raw session key is available and can
be used to decrypt the original SA5 archive.
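The flow above as an added sketch, not ISC's code or the SA5 archive format: one session key is wrapped for a normal recipient, for an individual KRA, and for a KRA group in which every member must contribute. The page does not say how SA5 implements partial unwrapping, so the n-of-n XOR split, the demo-size Diffie-Hellman group, and all function and field names here are assumptions.

```python
import hashlib, hmac, secrets
from functools import reduce
# Demo-only DH group (assumption): 255 bits is far too small for real use;
# it keeps the example short and standard-library only.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _pad_and_mac(shared):
    seed = shared.to_bytes(32, "big")
    return hashlib.sha256(b"pad" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def wrap(pub, secret):
    """Wrap a 32-byte secret to one public key: ephemeral DH, XOR pad, HMAC tag."""
    eph_priv, eph_pub = keypair()
    pad, mac_key = _pad_and_mac(pow(pub, eph_priv, P))
    ct = xor(secret, pad)
    return eph_pub, ct, hmac.new(mac_key, ct, "sha256").digest()

def unwrap(priv, blob):
    eph_pub, ct, tag = blob
    pad, mac_key = _pad_and_mac(pow(eph_pub, priv, P))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        raise ValueError("wrapped key failed integrity check (wrong private key?)")
    return xor(ct, pad)

def split_all_required(secret, n):
    """n-of-n XOR split: all shares are needed; any n-1 of them reveal nothing."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return shares + [reduce(xor, shares, secret)]

def build_header(session_key, recipient_pubs, kra_pubs, kra_group_pubs):
    """Header holds the session key wrapped for users and, as virtual recipients, KRAs."""
    shares = split_all_required(session_key, len(kra_group_pubs))
    return {
        "recipients": [wrap(p, session_key) for p in recipient_pubs],
        "kra": [wrap(p, session_key) for p in kra_pubs],
        "kra_group": [wrap(p, s) for p, s in zip(kra_group_pubs, shares)],
    }

def recover_via_group(header, group_privs):
    """Each group KRA unwraps only its own share; XOR of all shares is the session key."""
    partials = [unwrap(k, b) for k, b in zip(group_privs, header["kra_group"])]
    return reduce(xor, partials)
```

In this sketch no user private key is involved in recovery: the KRAs only ever use their own private keys on blobs taken from the header.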

Technical Notes
Normal .sa5 archives as well as self-decrypting Windows executables
can be protected with the key recovery feature. Any number of individual
KRAs with RSA, DSA/DH, or ECDH keys can be specified. The current
PolicyAgent application allows you to create up to two "shared
secret" groups of KRAs, but the members of each group must all
have DSA/DH or ECDH keys of the same type and size. (An unlimited number
of such KRA groups can be specified for SA5/UNIX.)
Contact ISC for more information