Key FeaturesZSentry includes sophisticated features, previously not available even on expensive high-end IT systems. Easy to use, requires no extra hardware, plugins or downloads.
IntroductionZSentry uses well-tested and standard commercial cryptographic tools, including SSL HTTP (HTTPS) and SSL SMTP (SMTPS), with 128-bit grade or higher encryption. Different encryption grades and authentication models, including ZSentry, PKI, and PGP may be used as needed.
The ZSentry Sans Target technology fully protects personal and other sensitive information against inappropriate and unauthorized use and disclosure, whether due to external or internal attacks. Your login credentials and your keys are not stored anywhere, so that there is no password list, credential list, or user keys, even encrypted, that could be attacked online. Without a key anywhere to be found, all your files, which are encrypted, are just gibberish if captured by an attacker. As another example, if you use the default ZSentry Automatic Skin, a part of your encrypted message may be stored online but the stored part is Sans Target and does not by itself allow the message to be decrypted.
ZSentry does not use pre-arranged passwords or keys, does not impose a trusted Certificate Authority or a web-of-trust, and does not require users to purchase a digital certificate or have previous contact.
Uniquely available features also include both SSL SMTP and HTTPS access, third-party verified US NIST timestamp, processable forms for user data entry, adding multiple attachments, third- party verifiable message fingerprint showing that the message did not change after it was sent, automatic server and anti-spam strategies to improve deliverability, verified delivery with full tracking of "Who-Where-When-What-How" information, release time, expiration (self-destruct), legally conforming digital signature (as regulated in the US and most countries), several read/reply control options, full reporting, and secure archiving.
ZSentry, ZSentry Mail, Zmail and Sans Target are NMA trademarks since 2001. Zmail is the secure Mail module of ZSentry.
NMA ZSentry offers users online access to on-demand Services, providing for secure reception and transmission of messages electronically. Each of these Services may be web-, desktop-, server-, or mobile-based. Each Service utilizes an Interface, accessed through compatible and allowed means, such as a web-browser, an email client, or a server.
ZSentry includes three distinct ways to communicate securely, your way:
ZSentry App: the web-based way to send, read and store secure email & files with your own choice of email provider, whether or not web-based. No installation or plugin. Works in Windows, Mac, and Linux, for desktop, cloud, and phone. No setup. Also provides self-management functions, including service personalization and password reset 24/7.
ZSentry Client: if you’re not using ZSentry with a mail or cloud client you’re missing the full picture! ZSentry Client is the app-less way to send, read and store secure email & files with your own choice of mail / cloud clients. No installation or plugin. Works in Windows, Mac, and Linux, for desktop, cloud, and phone. Flexible setup options, mashing mail and cloud clients for worry-free regulatory compliance according to your environment needs. No need to login after setup.
ZSentry API: you can easily access the ZSentry “bare metal” for maximum flexibility & performance. ZSentry API is the server-side way to send, read and store secure email & files with your own choice of email server. Also works client-side. No installation or plugin. Works in Windows, Mac, and Linux, with .NET, C#, Java, PHP, PowerBuilder, and more. Works with Exchange Server and Postfix.Sender and recipients can use one or all three ways, in any location or device (Anywhere, Anyway). ZSentry automatically creates a matched secure connection path, according to choices of both sender and recipients. ZSentry is always current, with the latest updates in compliance, mobility, functionality and usability. No cost of deployment or update, and no technical support required on your site. HIPAA compliance requires the ZSentry Premium service.
ZSentry Premium offers Services for centralized administration of users by an organization, while protecting user privacy.
Two Factor Authentication
This Service employs the ZSentry technology for two factor authentication
of users. Upon registration to the Service, the
Service authenticates the user's mailbox by cryptographic
challenge-response and issues directly to the user a
digital certificate (the DTC™, or Digital Transaction Certificate). The
mnemonic and can be typed by the user for access authorization to use
Service, as if it is a username
or Usercode. The Usercode
(DTC) value is
unpredictable and its use is protected by a user-defined
Password. Combined, the Usercode and the Password values are
unpredictable to prevent dictionary or brute-force attacks within the
operational parameters. The Service does not have or maintain copies of
the Usercodes or Passwords. Both the user's Name and Email
address are authenticated, in a manner similar to PKIX/X.509 authentication.
Mutual authentication is provided first, whereby registered users
start by authenticating the server in a two-phase process for SSL web access and also for SSL/SMTP access.
In the first authentication phase for SSL web access, the user submits the Usercode (the DTC). Afterwards, but before the user inputs the Password, the server using the ZSentry technology provides a Return Code (RC) for visual authentication by the user. The RC is previously known to the user but was not provided to or exists in the server. This is the second phase of the ZSentry authentication process and provides protection against server phishing and spoofing, as the ZSentry server must have the correct key to calculate the correct Return Code. If the RC displayed matches the RC known to the user, the user inputs the user-defined Password. If the Password is validated using the user's previously submitted Usercode (DTC) and a Service-supplied key (the Service-supplied key does not depend on the user), then mutual authentication is completed to grant user access and the user access keys are calculated by ZSentry.
For SSL/SMTP access, there is no spoofing concern for the user entering data at a false site. The first authentication phase is provided by verifying the user's email address, followed by Usercode/Password authentication.
The ZSentry user authentication process is done under trusted
server-authenticated SSL access, preventing man-in-the-middle attacks.
Even though SSL cannot prevent spoofing, phishing and pharming attacks,
the combination of SSL and ZSentry user authentication can.
With ZSentry technology, online message security has to do more with server availability assurance (which the Service can mitigate by server replication according to the required service level for each use) rather than assurances on data confidentiality and data integrity at the server or the user's machine.
That the Service is actually usable by users, with no prior training required, is a very important factor to assure compliance to security requirements by all personnel involved.
User authentication by ZSentry uses a two-factor strong authentication process with a Usercode / Password digital certificate. This process is a direct replacement for, and resembles, the familiar but deeply flawed username / password user authentication, which largely avoids user education and directly supports usability. ZSentry login is designed to prevent phishing, dictionary attacks (even if a user chooses a weak password), and other vulnerabilities, with no password or username lists stored anywhere, not even encrypted.
This Service uses the ZSentry Sans Target technology to protect personal and other sensitive information against inappropriate and unauthorized use and disclosure. Usercodes, Passwords and user access keys are provided by the ZSentry technology and are not stored. Audit trails, which are implemented for all Interface operations, and personal data storage, including email address book, are maintained with encrypted, de-identified numbers, which access keys are provided and secured by the ZSentry technology. Therefore, if security is breached, no user access data or personal data can be recognized or accessed.
ZSentry technology is also used to provide a proven anti-phishing solution and two-factor authentication to protect user Passwords from someone trying to guess them, in dictionary or brute-force attacks, which protection works together with the additional user access protection methods described below.
In regard to additional technology used, ZSentry's networks are protected by up-to-date firewall technology and utilizes trusted third-party certified server-authenticated SSL (Secure Sockets Layer technology) with the highest commercially available data encryption level (256 bit or at least 128 bit, as enabled) technology for transmission of all TLS/SSL transactions, including SSL SMTP and HTTPS. Servers employ power-on and user passwords, virus protection, and battery backup systems. Authorized users have restricted access to files. Operating System and security patches are current. Servers are constantly monitored for break-in attempts or other illegal activity.
Server-authenticated SSL connections are required. Users trying to connect or access without using SSL will be redirected to an SSL access page. If the SSL connection fails, the user is denied access.
For a given Usercode, brute-force attacks may be used to try and gain unauthorized access by trying to guess the ZSentry Password. To prevent such attack, the offending account will be automatically disabled after a defined number of invalid login attempts (see below for reset). Because the ZSentry Usercode must be guessed together with the ZSentry Password, and the Usercode presents an unpredictable very large number of possibilities, this protection is sufficient even if a user chooses a weak password.
Users' access can also be blocked after excessive invalid login attempts even if the Usercode is changed for every attempt.
Denial-of-Service (DoS) and brute-force attacks, which may be used to try and slow down the server or gain unauthorized access to ZSentry accounts, are also prevented. In addition to firewall rules that detect and deflect DoS before the servers, the Service uses redundant servers, spare IP numbers, and DNS fast-switching capability to detect and deflect attacks also at the server level.
DoS attacks, excessive invalid login attempts, or any other misuse attempts also trigger a defense at the user IP level, whereby users' Internet Protocol (IP) numbers are blocked after a number of attempts (which depends on the severity of the attempt). Offending user IP numbers will be automatically added to the IP access list of blocked addresses after that defined number of attempts.
In case of a defense block (as above), a security audit is triggered immediately and the block shall remain in effect until reset. The user may request the access to be reinstated, or simply wait for the Service to verify, take corrective action if needed, and restore access.
User access is disabled after excessive number of messages sent. Spam attacks may be tried to send to a large number of recipients a malevolent virus, a phishing request, or just an excessive number of messages using a ZSentry account. To prevent such access the offending account will be automatically disabled after a defined number of sent messages and shall remain in that state until the next day. Premium account users have a larger quota per day and may request access to be granted for an additional quota per day.
User access is denied for excessively large messages or attachments. Email-bomb attacks may be tried in a Denial-of-Service attempt to overflow a mailbox, to send a malevolent virus, to send a phishing request, or just to send excessively large messages or attachments using a ZSentry account. To prevent such access the offending account will be automatically blocked for that message. Premium account users have a larger size limit.
Auto logoff is enforced, with less time for more critical tasks such as user login. After user login, in case the access is left idle for a defined number of minutes, the user is logged off automatically.
ZSentry messages are time-stamped using a time reference synchronized
to atomic clocks certified by the National Institute
of Standards and Technology (NIST) and US Naval
Observatory (USNO). The time-stamp is visible in plaintext and is also
tamper-proof, being digitally signed and encrypted with the message
itself. The combination of the time-stamp evidence provided by ZSentry
acting as a trusted third-party with the ZSentry two factor
authentication technology provide for non-repudiation, which purpose is to
prevent a party from falsely denying an act.
Messages sent by ZSentry are encrypted end-to-end using the highest commercially available data encryption level (256 bit or at least 128 bit, as enabled) technology. Messages can only be read by the authenticated sender and recipients, who are authenticated according to pre-set online identity policies that can be easily chosen by the sender, within the message's validity period.
Messages are not stored locally (in the user's computer) unless the
user specifically commands the Interface to do so, either when read
using the decryption Services, or as a draft being edited, or to be
sent using the encryption Services. Messages can be stored locally in
plaintext or encrypted.
The mailbox of message recipients and message senders are authenticated by cryptographic challenge-response prior to the communication, allowing the online identity of the communicating parties to be positively verified.
If your organization is a
HIPAA Covered Entity, HIPAA compliance requires the ZSentry Premium service with at least one-year license.
The Basic service does not include all the
functions of the Premium service (some of them required for regulatory compliance by organizations).
Users can easily personalize many choices through the Dashboard control, which is protected by mandatory ZSentry two-factor authentication for access and works within controlled, safe parameters. To access, login using ZSentry App and look for the Dashboard controls at the bottom. Choices in the To/Cc bar can also be personalized. When done, users click "Dashboard > Personalize > Save" to make their choices active for the ZSentry Client and the new default for ZSentry App.
As defined through the Dashboard control:
To preserve user privacy, the Services do not store cookies in the
user's computer, except for session-only encrypted cookies that exist in computer
memory for a
defined time and only during that web-browser session. After the
web-browser is shut down and restarted, or if the web-browser session
is used past the time defined by each Service, there are no
present. All Service session cookies are encrypted and/or present only
ZSentry is a zero-footprint application. The Services do not install software, plugins, ActiveX plugins, Java, drivers, or store data in the user's computer. The Interface works using technologies already built into the web-browser, email software or other compatible means.
Read more: ZSentry Desktop and Cloud
|Main Technical Notes|