Three-Layer Encryption Method Awarded Patent

'Tricryption' scheme encrypts data in file systems, databases, storage -- and their keys

Eruces Data Security has secured a patent for its three-step encryption and key management scheme, which is designed to lock down data through its lifecycle.

The security firm’s so-called Tricryption technology first encrypts the data itself with symmetric keys, and then encrypts the keys and stores them in a central key repository. It also encrypts the links between the data and the keys.

“It stores the keys separately from the data items and encrypts the links between them,” says Oggy Vasic, senior vice president of software development for Eruces.

Vasic says Tricryption is different in that it centralizes key management for different types of encrypted data, including file, database, and storage, and it applies individual access control lists for each key to determine how a key is used, who can use it, when they can use it, and how often, for example. So when a client requests a key, it’s then authenticated using LDAP, PKI, Active Directory, or other authentication methods, as well as authorized based on its access rights, he says.

The authentication and authorization part of the key process is aimed at protecting data from outside attacks as well as for preventing insider attacks, such as a malicious employee snooping into the database or siphoning information off of a storage device, he says.

Other encryption vendors offer key servers, of course, but Vasic says the main difference with Tricryption is that it’s based on symmetric cryptography, with a unique key for each data item. “Hence the Tricryption key server manages session keys -- stored away from data,” he says. It runs on Windows, Linux, Solaris, AIX, and HPUX.

Jon Oltsik, senior analyst for information security at the Enterprise Strategy Group, says the Tricryption technology approach could provide a more cohesive way to manage encrypted data replication. “The value I see is the potential for a single encryption service for multiple applications like encrypting storage, file systems, databases, and applications,” Oltsik says.

But Eruces has a bit of an uphill battle, with heavy-hitters such as EMC, HP, and IBM also targeting this space, he says. “Also, firms like Ingrian Networks (now SafeNet) and PGP already can aggregate encryption and key management functions in a single suite. Technology alone won't win this battle, it will take security standards, partnerships, and enterprise sales, and marketing,” he says.

Encryption expert Nate Lawson, principal with Root Labs, says Eruces’s approach in part is based on its central key server handling all keys. “They're saying [they] only hand out a few keys at a time, so therefore it’s hard to get access to [their] keys,” he says.

But Root Labs’s Lawson says overall, Eruces’s technology isn’t really new. “The overall approach is reasonable... to manage keys carefully” and the layers of encryption, Lawson says. “But this is not a panacea. It’s not new.”

Eruces, meanwhile, plans to expand its OEM strategy -- Crossroads Systems, for example, OEMs Tricryption for its TapeSentry and SecureVTS storage products. The Tricryption server can support encryption for various types of applications, Vasic says. “All [data encryption] works with one encryption key server... and you can add and expand from that server,” he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Eruces Inc.
  • Enterprise Strategy Group (ESG)
  • Crossroads Systems Inc. (Nasdaq: CRDS)
  • Recommended Reading:
    Editors' Choice
    Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
    Joshua Goldfarb, Director of Product Management at F5