Which cryptosystem do you plan on using?

Will it be based on digital signitures, ala PKCS #11, *.pfx?

Do you have a modular bit range in mind?

Will it be synchronous or asynchronous authentication?

Would/have you considered smart cards for escrowing member's keys to?

Will the master and session key be certified by a third party, eg. insurance agnecy?

Other than SSL sockets, will it utilize tunneling?

Will dynamic passwords be an option for members?

But if I had to pick, it would be Hush. I know some of the founders of Hush and understand what they were trying to do.

I have a solid background in secure computing, and I like to know as much as I can about a system before using it. Thus my questions for George or any of his staff who'd be able to answer.

We have licensed the hush encryption engine, so our system is identical to theirs. In fact, hush users will be able to communicate securely with Elite Fitness mail users.

The system uses the "Blowfish Algorithm" which is simply a name for a type of 128-bit encryption method. The more technical definition of a Blowfish Algorithm adds that this particular algorithm is a symmetric block cipher with a 128-bit key. When combined mathematically with a user's Elite Fitness passphrase, the Blowfish algorithm encrypts the user's private key. This occurs before the key is stored on the secure key server. The only thing that can decrypt the private key is a user's passphrase combined with the Blowfish algorithm.

Encryption is a mechanism designed to protect sensitive information. Encryption that protects digital information works by scrambling and encoding information so that the proper recipient is the only party who reads an email message.

1,024 refers to the length in bits of the user's private key in the Elite Fitness public/private key cryptosystem. This private key is created from the random numbers generated with a user's mouse during address creation. The longer the private key is, the harder it is to guess, and so, the more secure the message. In public/private key encryption, 1,024-bit keys are considered unbreakable with current technology.

The system uses a Java applet which is a mini-program that exists inside a Web browser, like Netscape � or Internet Explorer �. The Java applet that Elite will use allows email messages to be decrypted and encrypted before being sent to the Internet.

Public/private key encryption is an encryption system in which a public key is used to encrypt data and a private key is required to decrypt the data. In public/private key encryption, keys must be long to protect against mathematical attacks. So, 1,024-bit keys protect Elite Fitness users.

The public and private keys of our users are both stored on our servers. However, before the private key is stored on the servers, the private key is first encrypted on the individual user's machine by his or her passphrase, so even Elite Fitness employees cannot access user passphrases. So, do not forget your passphrase! Additionally, the mail servers are not located in the United States.

Remember, you do not need to understand this to use it! For all intent and purpose, your elitefitness.com email account will work just like any web based email account such as hotmail.com, yahoo.com, or hushmail.com. You will not need to know anything about �keys� to use the system. But unlike hotmail and yahoo mail, your messages will be secure. And, you get a cool email address like [email protected] or [email protected]

------------------
Yours in sport,

George

George Spellwin
Research Director

Tell your friends about elitefitness.com!
Click here to Give them a free subscription to Elite Fitness News.

Is there a plan in the future to move to something that allows key manipulation? In other words using a passphrase as a key is great but the fact that both keys are stored on Hush's servers should be frightening for anyone concerned about having their keys escrowed to another person.

So a better, yet not exactly cost effective way to ensure the safety of your own key is to remove them from the host machine and allow the user to store them; on a smart card protected by PIN or biometric for example.

I happen to be able to get cards, readers and biometric storage hardware/software at a really good deal.

The goal is to make web based email encryption available to the masses and that means making it easy to use. The reson so many people do not use PGP, myself included, is because it is hard.

Hush has many new features planned and the will be available to us as soon as they are launched. Thanks for your interest. I will keep everyone posted.

------------------
Yours in sport,

George

George Spellwin
Research Director

Tell your friends about elitefitness.com!
Click here to Give them a free subscription to Elite Fitness News.