WO2001037496A1 - A secure email delivery system - Google Patents

A secure email delivery system Download PDF

Info

Publication number
WO2001037496A1
WO2001037496A1 PCT/IE2000/000140 IE0000140W WO0137496A1 WO 2001037496 A1 WO2001037496 A1 WO 2001037496A1 IE 0000140 W IE0000140 W IE 0000140W WO 0137496 A1 WO0137496 A1 WO 0137496A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy
database
function
key
manager
Prior art date
Application number
PCT/IE2000/000140
Other languages
French (fr)
Inventor
Adly Lakhdar
Maurice Mcmullin
Original Assignee
Orad Software Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Orad Software Limited filed Critical Orad Software Limited
Priority to AU12962/01A priority Critical patent/AU1296201A/en
Publication of WO2001037496A1 publication Critical patent/WO2001037496A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the invention relates to delivery of secure email messages
  • the invention addresses this problem
  • a secure email delivery system comprising
  • a client-side interface comprising means for receiving outgoing messages from client devices operated by registered subscribers and for transmitting incoming messages to said client devices,
  • a policy database storing a security policy for each of a plurality of registered subscribers
  • a policy manager comprising means for accessing the policy database to determine a registered subscriber policy in real time and for delivering policy data to a requesting function m real time
  • a secure key database securely storing keys of registered subscribers and their addressees
  • a secure certificate database securely storing certificates of registered subscribers and their addressees
  • a signing function comprising means for receiving policy data from the policy manager and a registered subscriber private key from the key database and for dynamically signing an outgoing message received at the client-side interface
  • an encryption function comp ⁇ smg means for receiving policy data from the policy manager and for dynamically encrypting an outgomg message m real time usmg an addressee public key retrieved from the certificate database,
  • a decryption function comp ⁇ smg means for automatically decrypting an incoming message in real time using the private key of the addressee registered subscriber retrieved from the key database
  • a server-side interface comprising means for transmitting outgoing messages to a mail server after being processed, and for receiving incoming messages
  • the policy database stores a policy for non-registered users who are addressees of mail from registered users
  • the policy manager comprises means for determining policv data according to both a sender and a recipient of a message
  • the signing function comprises means for automatically signing an outgoing message in the absence of policy data for an addressee
  • the client-side interface comprises an API for linking with hooks on a server
  • the API comprises means for linking with hooks on an external mail server for generating Web mail under client instructions
  • the policy manager is linked with the signing function, the encryption function, and with the decryption function by a cryptography API providing a real time bi-directional link and allowing modularity of the functions of
  • the signing function, the encryption function, and the decryption function comprise means for operating with use of a cryptography library of low-level cryptography processes.
  • system further comprises a certificate manager and a key manager residing on the same side of the cryptography API as the signing, encryption and decryption functions
  • the signing function, the encryption function, the decryption function, the certificate manager, and the key manager provide a programmed wrapper around the cryptography library
  • the key database stores a policy as an instance of a plurality of datatype classes
  • the datatype classes include signing algorithm, encryption algorithm, signing policy, and decryption policy classes
  • the key database stores a key pool m a directory having a configurable size with a threshold, and the database comprises means for replenishing keys when the level falls below the threshold
  • a management console comprises means for editing data in the policy database
  • the management console comprises means for retrieving a policy from the policy database as a model and for ret ⁇ evmg a certificate from the key database as a model
  • the management console comprises a controller compnsmg means for treating each business operation as an object-orientated class mstance
  • the controller comprises means for receivmg a command string, parsing the string into a hash table, instantiating a class instance and setting properties and a name for the mstance, and initialising the instance
  • the policy database stores group policies, each associated with a group of registered subscribers
  • the policy database stores default policies
  • the certificate manager comprises means for automatically stripping certificates from incoming messages and storing them in the certificate database for subsequent use
  • the mvention provides a secure email delivery system comprising
  • a client-side interface comprising means for receiving outgoing messages from client devices operated by registered subscribers and for transmitting incoming messages to said client devices,
  • a policy database storing a security policy for each of a plurality of registered subscribers
  • a policy manager comprising means for accessmg the policy database to determine a subscriber policy in real time and for delivering policy data to a requesting function in real time,
  • a secure key database securely storing keys of registered subscribers and their addressees
  • a secure certificate database securely storing certificates of registered subscribers and their addressees
  • a signing function comprising means for receiving policy data from the policy manager and a subscriber private key from the key database and for dynamically signing an outgoing message received at the client-side interface
  • an encryption function compnsmg means for receiving policy data from the policy manager and for dynamically encrypting an outgoing message in real time usmg an addressee public key retrieved from the certificate database
  • a decryption function comprising means for automatically decrypting an incoming message in real time using the private key of the addressee retrieved from the key database, and a server-side interface compnsmg means for transmitting outgoing messages to a mail server after being processed, and for receivmg incoming messages, and wherem
  • the policy manager is linked with the signing function, the encryption function, and with the decryption function by a cryptography API providing a real time bi-directional link and allowing modularity of the functions on each
  • the signing function, the encryption function, and the decryption function comprises means for operating with use of a cryptography library of low-level cryptography processes
  • system further comprises a key manager and a certificate manager residing on the same side of the API as said signing, encryption, and decryption functions, and said functions, the key manger, and the certificate manager together provide a wrapper around said cryptography library
  • Fig 1 is a high level diagram showing interaction of a security relay of the invention with a client computer and with a mail server
  • Fig. 2 is a diagram showing mteraction between the client computer and the security relay m more detail
  • Fig. 3 is a diagram showing the security relay in more detail
  • Figs. 4 and 5 are diagrams showing parts of the relay m more detail
  • Fig. 6 is a flow diagram illustrating operation of the relay in more detail.
  • a secure email delivery system 1 interfaces with a client computer 2 over a secure HTTP socket layer (SSL) connection 3. It also interfaces with a local mail server 4 via APIs using a HTTP SSL lmk 5. The mail server 4 sends and receives messages over the Internet 6. Because the system 1 effectively operates as a relay between the client and server, it is henceforth called a" security relay" or "relay".
  • SSL secure HTTP socket layer
  • the client computer 2 is conventional insofar as it only needs to have a messaging application or browser which supports a portable code environment such as a Java Virtual MachineTM environment.
  • the computer 2 is operated by a registered subscriber, also referred to as a "user"
  • the mail server is a conventional mail server for an ISP
  • the relay 1 resides on the same platform as the mail server 4
  • the client computer 2 interfaces with a Web server 10 hosting the mail server 4 and the relay 1.
  • the client computer 2 runs a browser 11 having a portable code interpreter which allows execution of plug-ms 12.
  • the Web server 10 allows the client computer 2 to communicate with the mail server 4 to create "Web mail" messages while on-lme.
  • the server 4 then sends the messages to the recipients and receives the incoming messages m a mailbox for the user The user then subsequently retrieves the messages
  • the security relay transparently to the user performs a set of desired security operations for both incoming and outgoing messages and so it may be regarded as conceptually residing between the client computer 2 and the mail server 4 However, the physical interconnection is via APIs between the mail server 4 and the relay 1 , this channel transmittmg
  • a key feature is that the relay 1 handles all cryptography and digital signature operations for the client 2 These operations are carried out transparently to the user and require no input from him or her Thus a user only needs to subscribe to the security service provided by an organisation hosting the relay 1 Such an organisation may be any ISP or ASP, as the Internet is of course the major insecure network m use Thus the (real or perceived) problem of setting up encryption /decryption functionality is taken from the user He or she only needs to send and receive email messages in the usual manner The following is a typical message sequence
  • User X (of computer 2) sends a message to a remote user Y This is created over the secure socket 3 by the client computer 2 and the mail server 4
  • the message is routed to Y via the relay 1 This is not encrypted, but is signed automatically by the relay 1 on behalf of X If Y responds, the relay 1 captures Y's certificate on the return path From then on the relay 1 will automatically encrypt and sign all outgoing messages to Y, and also decrypt all incoming messages
  • the user X has a secure bi-directional link with Y without the need to bother with any cryptography operations.
  • relay 1 interfaces with an existing mail server 4, it is particularly convenient for the ISP or ASP hosting it
  • the relay 1 can be added in a modular manner
  • the relay 1 interfaces on the server side with (a) an SMTP delivery module 20 and an SMTP server 21 for sending messages, and (b) with an IMAP/POP3 mail server 22 and an IMAP/POP3 retriever 23 for receiving messages.
  • This interfacing is via APIs executing on the platform which hosts the relay 1 and the mail server 4 as applications.
  • a security policy database 30 allows the relay 1 to provide the security required by users according to policies set by a system administrator This database is managed by a management console function 31.
  • a user authentication module 35 uses the database 30 to dynamically perform authentication of subscribed users
  • a client side interface API function block 41 receives messages via the client plug-ms 12
  • the messages are passed to encryption functions 37 which perform encryption and digital signing according to the policies for the users and addressees retrieved from the database 30. As described above, if the addressee is being addressed for the first time there is digital signmg by default, however the outgoing message can not be encrypted However, once a reply is received from the addressee his or her certificate is stored m the database 30 and there will be encryption /decryption from then on
  • Messages are retrieved from the retriever 23 and are decrypted where applicable and the signature is authenticated by functions 38 using the database 30
  • the headei (sender, subject, date) is passed to the client computer 2 for display (after decryption) if it is selected by the user
  • the policy database 30 and the management console 31 are illustrated They may be together referred to as an administrative framework
  • the framework follows the MVC (Model-View-Controller) design pattern, allowing the management presentation interface to be completely decoupled from the logic
  • Each retrieved policy is represented as a JavaBean model 53 and each retrieved certificate is represented as a model 54
  • a certificate interface 56 is lmked with a certificate /key database 90, shown in Fig 5
  • a view interface 50 uses HTML with embedded JSP tags 51
  • Post/get control is implemented by a set of Java servlets 52
  • a Java cryptography API 75 is linked with a policy manager 74 and it has a HTTP client 76 linked with
  • CGI Common Gateway Interface
  • the interface 41 comprises an API 71, a HTTP client 72 programmed m native Java, and an API servlet 73, and
  • the management console 31 provides graphical user interfaces foi input and display of user information, security policies, and certification management
  • the view interface 50 is the console front end and the screens are displayed using HTML and JSP
  • the JSP tags 51 are used to interface between the screens and Java ode for the purposes of displaying derived data that is calculated or changes during the lifetime of the relay 1
  • the controller servlets provide the derived data to the JSP tags
  • the security policy model 53 is a Javabean which drives the data for the security policy screens
  • the certificate model 54 is a Java bean which drives data for certificate management screens
  • the function 55 provides access to the database 30 for persistent data on policies using the Java standard JDBC
  • the certificate interface interacts with the key database 90 to retrieve certificate data for the management console 31 Access to the database 90 is via the cryptography library 81 , described in more detail below
  • the mail server 4 shown m Fig 1 includes a client 70 which accesses the relay 1 via the client interface 10
  • the client of the server 4 is written in Perl/PHP
  • the client of the server calls the API 71 of the block 41 and the HTTP client 72 provides a mechanism for the client hooks 70 to communicate with the relay 1
  • This mechanism involves use of the API servlet 73 for server-side processing
  • the policy manager 74 determines what security policies should be applied to an email being received or sent It does this by communicating with the function 55 which extracts information from the database 30
  • the cryptography API 75 is an mterface which provides a real time bi-directional link and allows Java code to call C++ cryptography code
  • the cryptography API client 76 allows the cryptography library 81 to be distributed on a different hardware platform for fault tolerance versatility, and performance
  • the Fast CGI server 77 is the server side of the cryptography API 75
  • the component 78 provides S/MIME cryptography functionality for signing, encryption, and decryption
  • the component 79 provides certificate management functionality
  • the component 80 provides key pool management functionality
  • These components interact with the key database 90, and use cryptography processes of the library 81
  • the library 81 implements low-level cryptography algorithms and key generation routines
  • the components 78, 79, and 80 provide a C++ wrapper around the low-level C library 81
  • the controller 52 manages the flow of control for its operations by receiving a CGI command for instantiating business logic, and each business logic instance is a Java bean class instance
  • the control flow is as follows
  • the policy database 30 stores policies m which a policy consists of one instance of each of the following data type classes
  • the relay 1 automatically captures security data for non-registered users when they reply to an outgoing message from a registered user This is achieved by the certificate cryptography function 78 stripping off the certificate from a signed message and storing the certificates in the database 90
  • the key pool database 90 is structured to have minimal impact on performance of the relay 1 as generation of key pairs is processor-intensive
  • the key pool directory size is configurable by the user, and a threshold is set for the directory and when the number of keys falls below that level they are replenished
  • the key pool is replenished with anonymous key pairs, but these are still fully usable keys sets
  • the key sets are made usable by the generation of certificates and this happens on demand
  • a daemon is used to monitor key pool threshold levels, and message queues are used to communicate between the controller and the key pool code
  • the client computer 2 generates an email using Web server functions 10 and this is processed by the module 37
  • the plug-ins 12 allow the client computer 2 to route the email to the relay 1 via the mail server Web mail functionality This is a very effective mechanism for integration of the relay 1 with a mail server 4 in a modular manner With an open API any subscriber or administrative user can interface with the relay 1 by implementing a plug-m 12 so that its code interacts with the API 41
  • the security policy is determined based on the "from" and "to' addresses m the message
  • the security policy consists of Digital Signature Policy Clear-sign Opaque sign
  • the policy manager 74 accesses the policy database 30 to get policies for the senders and receivers of messages Each policy contains a "from” and a "to" field Some policies contain wildcards to allow setting of policies for groups The relay 1 has default policies, and these can be changed by the system administrator The policies contain the signing and encryption polices and algorithms
  • the key manager 80 then obtains access to the sender's private key from the database 90 This is secure because the keys are stored m the pkc #15 secure storage format
  • the S/MIME component 78 then constructs an S/MIME signed message including the digital certificate chain associated with the signing key m the message Encryption is of course by-passed if the policy does not indicate a requirement for encryption
  • the certificate manager 79 retrieves the recipient certificate from the certificate database
  • the S/MIME component 78 constructs an S/MIME encrypted message
  • the message is encrypted usmg a randomly- generated symmetric session key, and the session key is encrypted using the recipient's public key
  • the S/MIME message is then transmitted
  • An incoming message is received by the functions 71, 72, 75, 76, 77, and 78 There is no involvement of policies for incoming messages and the messages are decrypted by the S/MIME component 78 and the library 81
  • the invention provides for very effective security processing of messages m a manner which is modular on the Web server hosted by the ISP or ASP and is transparent to the subscriber.
  • the policy database allows excellent versatility in choice of options by subscribers
  • the structure of the functions allows excellent versatility for deployment of resources such as the low-level cryptography algorithms
  • the administrative framework comprising the management console 31 and the policy database 31 allows simple and effective real time configuration by administrative personnel of the host organisation

Abstract

A secure email delivery system (1) acts as a relay between a client computer (2) using Web mail services on a mail server (4) and with the mail server (4). It thus handles incoming and outgoing messages. A policy manager (74) determines a security policy from a policy database (30) when an outgoing message is received. According to this policy, the message may be signed and encrypted transparently to the user. All registered users have a policy and the system captures security data for communication with non-registered users when they reply to outgoing messages from registered users.

Description

"A secure email delivery system'
INTRODUCTION
Field of the Invention
The invention relates to delivery of secure email messages
Prior Art Discussion
It is well known that a major barrier to use of email for delivery of business and legal documents is the problem of ensuring security of messages and attached documents This problem remains despite the fact that major advances m cryptography have been made m recent years It appears that many people have not used the available key pair and digital signature systems because there is a perception that they require excessive processor time and are difficult to use
The invention addresses this problem
SUMMARY OF THE INVENTION
According to the invention, there is provided a secure email delivery system comprising
a client-side interface comprising means for receiving outgoing messages from client devices operated by registered subscribers and for transmitting incoming messages to said client devices,
a policy database storing a security policy for each of a plurality of registered subscribers, a policy manager comprising means for accessing the policy database to determine a registered subscriber policy in real time and for delivering policy data to a requesting function m real time,
a secure key database securely storing keys of registered subscribers and their addressees and a secure certificate database securely storing certificates of registered subscribers and their addressees,
a signing function comprising means for receiving policy data from the policy manager and a registered subscriber private key from the key database and for dynamically signing an outgoing message received at the client-side interface,
an encryption function compπsmg means for receiving policy data from the policy manager and for dynamically encrypting an outgomg message m real time usmg an addressee public key retrieved from the certificate database,
a decryption function compπsmg means for automatically decrypting an incoming message in real time using the private key of the addressee registered subscriber retrieved from the key database, and
a server-side interface comprising means for transmitting outgoing messages to a mail server after being processed, and for receiving incoming messages
In one embodiment, the policy database stores a policy for non-registered users who are addressees of mail from registered users, and the policy manager comprises means for determining policv data according to both a sender and a recipient of a message In one embodiment, the signing function comprises means for automatically signing an outgoing message in the absence of policy data for an addressee
In one embodiment, the client-side interface comprises an API for linking with hooks on a server
In one embodiment, the API comprises means for linking with hooks on an external mail server for generating Web mail under client instructions
In one embodiment, the policy manager is linked with the signing function, the encryption function, and with the decryption function by a cryptography API providing a real time bi-directional link and allowing modularity of the functions of
Figure imgf000004_0001
In another embodiment, the signing function, the encryption function, and the decryption function comprise means for operating with use of a cryptography library of low-level cryptography processes.
In one embodiment, the system further comprises a certificate manager and a key manager residing on the same side of the cryptography API as the signing, encryption and decryption functions
In another embodiment, the signing function, the encryption function, the decryption function, the certificate manager, and the key manager provide a programmed wrapper around the cryptography library
In one embodiment, the key database stores a policy as an instance of a plurality of datatype classes In one embodiment, the datatype classes include signing algorithm, encryption algorithm, signing policy, and decryption policy classes
In one embodiment, the key database stores a key pool m a directory having a configurable size with a threshold, and the database comprises means for replenishing keys when the level falls below the threshold
In another embodiment, a management console comprises means for editing data in the policy database
In one embodiment, the management console comprises means for retrieving a policy from the policy database as a model and for retπevmg a certificate from the key database as a model
In one embodiment, the management console comprises a controller compnsmg means for treating each business operation as an object-orientated class mstance
In another embodiment, the controller comprises means for receivmg a command string, parsing the string into a hash table, instantiating a class instance and setting properties and a name for the mstance, and initialising the instance
In one embodiment, the policy database stores group policies, each associated with a group of registered subscribers
In another embodiment, the policy database stores default policies
In one embodiment, the certificate manager comprises means for automatically stripping certificates from incoming messages and storing them in the certificate database for subsequent use According to another aspect, the mvention provides a secure email delivery system comprising
a client-side interface comprising means for receiving outgoing messages from client devices operated by registered subscribers and for transmitting incoming messages to said client devices,
a policy database storing a security policy for each of a plurality of registered subscribers,
a policy manager comprising means for accessmg the policy database to determine a subscriber policy in real time and for delivering policy data to a requesting function in real time,
a secure key database securely storing keys of registered subscribers and their addressees and a secure certificate database securely storing certificates of registered subscribers and their addressees,
a signing function comprising means for receiving policy data from the policy manager and a subscriber private key from the key database and for dynamically signing an outgoing message received at the client-side interface,
an encryption function compnsmg means for receiving policy data from the policy manager and for dynamically encrypting an outgoing message in real time usmg an addressee public key retrieved from the certificate database,
a decryption function comprising means for automatically decrypting an incoming message in real time using the private key of the addressee retrieved from the key database, and a server-side interface compnsmg means for transmitting outgoing messages to a mail server after being processed, and for receivmg incoming messages, and wherem
the policy manager is linked with the signing function, the encryption function, and with the decryption function by a cryptography API providing a real time bi-directional link and allowing modularity of the functions on each
Figure imgf000007_0001
the signing function, the encryption function, and the decryption function comprises means for operating with use of a cryptography library of low-level cryptography processes, and
the system further comprises a key manager and a certificate manager residing on the same side of the API as said signing, encryption, and decryption functions, and said functions, the key manger, and the certificate manager together provide a wrapper around said cryptography library
DETAILED DESCRIPTION OF THE INVENTION
Brief Description of the Drawings
The mvention will be more clearly understood from the following description of some embodiments thereof given by way of example only with reference to the accompanying drawings, in which
Fig 1 is a high level diagram showing interaction of a security relay of the invention with a client computer and with a mail server, Fig. 2 is a diagram showing mteraction between the client computer and the security relay m more detail;
Fig. 3 is a diagram showing the security relay in more detail,
Figs. 4 and 5 are diagrams showing parts of the relay m more detail, and
Fig. 6 is a flow diagram illustrating operation of the relay in more detail.
Description of the Embodiments
Referring to Fig. 1 , a secure email delivery system 1 interfaces with a client computer 2 over a secure HTTP socket layer (SSL) connection 3. It also interfaces with a local mail server 4 via APIs using a HTTP SSL lmk 5. The mail server 4 sends and receives messages over the Internet 6. Because the system 1 effectively operates as a relay between the client and server, it is henceforth called a" security relay" or "relay".
The client computer 2 is conventional insofar as it only needs to have a messaging application or browser which supports a portable code environment such as a Java Virtual Machine™ environment. The computer 2 is operated by a registered subscriber, also referred to as a "user" The mail server is a conventional mail server for an ISP In this embodiment, the relay 1 resides on the same platform as the mail server 4
Referring to Fig. 2, the client computer 2 interfaces with a Web server 10 hosting the mail server 4 and the relay 1. The client computer 2 runs a browser 11 having a portable code interpreter which allows execution of plug-ms 12. The Web server 10 allows the client computer 2 to communicate with the mail server 4 to create "Web mail" messages while on-lme. The server 4 then sends the messages to the recipients and receives the incoming messages m a mailbox for the user The user then subsequently retrieves the messages The security relay transparently to the user performs a set of desired security operations for both incoming and outgoing messages and so it may be regarded as conceptually residing between the client computer 2 and the mail server 4 However, the physical interconnection is via APIs between the mail server 4 and the relay 1 , this channel transmittmg
(a) outgoing messages from the mail server 4 to the relay 1 and security- processed outgoing messages back to the mail server 4 for onward transmission to the recipient, and
(b) incoming messages from the mail server 4 and security-processed incoming messages back to the mail server 4 for onward transmission to the client computer 2
A key feature is that the relay 1 handles all cryptography and digital signature operations for the client 2 These operations are carried out transparently to the user and require no input from him or her Thus a user only needs to subscribe to the security service provided by an organisation hosting the relay 1 Such an organisation may be any ISP or ASP, as the Internet is of course the major insecure network m use Thus the (real or perceived) problem of setting up encryption /decryption functionality is taken from the user He or she only needs to send and receive email messages in the usual manner The following is a typical message sequence
User X (of computer 2) sends a message to a remote user Y This is created over the secure socket 3 by the client computer 2 and the mail server 4
The message is routed to Y via the relay 1 This is not encrypted, but is signed automatically by the relay 1 on behalf of X If Y responds, the relay 1 captures Y's certificate on the return path From then on the relay 1 will automatically encrypt and sign all outgoing messages to Y, and also decrypt all incoming messages
Thus, the user X has a secure bi-directional link with Y without the need to bother with any cryptography operations.
Because the relay 1 interfaces with an existing mail server 4, it is particularly convenient for the ISP or ASP hosting it The relay 1 can be added in a modular manner
Referring now to Fig 3 the relay 1 is shown m more detail It interfaces on the server side with (a) an SMTP delivery module 20 and an SMTP server 21 for sending messages, and (b) with an IMAP/POP3 mail server 22 and an IMAP/POP3 retriever 23 for receiving messages. This interfacing is via APIs executing on the platform which hosts the relay 1 and the mail server 4 as applications.
A security policy database 30 allows the relay 1 to provide the security required by users according to policies set by a system administrator This database is managed by a management console function 31.
A user authentication module 35 uses the database 30 to dynamically perform authentication of subscribed users A client side interface API function block 41 receives messages via the client plug-ms 12
The messages are passed to encryption functions 37 which perform encryption and digital signing according to the policies for the users and addressees retrieved from the database 30. As described above, if the addressee is being addressed for the first time there is digital signmg by default, however the outgoing message can not be encrypted However, once a reply is received from the addressee his or her certificate is stored m the database 30 and there will be encryption /decryption from then on
Messages are retrieved from the retriever 23 and are decrypted where applicable and the signature is authenticated by functions 38 using the database 30 The headei (sender, subject, date) is passed to the client computer 2 for display (after decryption) if it is selected by the user
In more detail, referring to Fig 4 the policy database 30 and the management console 31 are illustrated They may be together referred to as an administrative framework The framework follows the MVC (Model-View-Controller) design pattern, allowing the management presentation interface to be completely decoupled from the logic Each retrieved policy is represented as a JavaBean model 53 and each retrieved certificate is represented as a model 54 A certificate interface 56 is lmked with a certificate /key database 90, shown in Fig 5 A view interface 50 uses HTML with embedded JSP tags 51 Post/get control is implemented by a set of Java servlets 52
Referring to Fig 5, the functions 37 and 38 are illustrated in detail A Java cryptography API 75 is linked with a policy manager 74 and it has a HTTP client 76 linked with
a fast Common Gateway Interface (CGI) cryptography server 77 programmed in C++ a S/MIME C++ cryptography function 78 a certificate manager 79 programmed ln C-f — , a key manager 80 programmed m C++, and a cryptography library 81 having access to a certificate /key database 90
The interface 41 comprises an API 71, a HTTP client 72 programmed m native Java, and an API servlet 73, and
In more detail, the management console 31 provides graphical user interfaces foi input and display of user information, security policies, and certification management The view interface 50 is the console front end and the screens are displayed using HTML and JSP The JSP tags 51 are used to interface between the screens and Java ode for the purposes of displaying derived data that is calculated or changes during the lifetime of the relay 1 The controller servlets provide the derived data to the JSP tags The security policy model 53 is a Javabean which drives the data for the security policy screens Likewise, the certificate model 54 is a Java bean which drives data for certificate management screens The function 55 provides access to the database 30 for persistent data on policies using the Java standard JDBC The certificate interface interacts with the key database 90 to retrieve certificate data for the management console 31 Access to the database 90 is via the cryptography library 81 , described in more detail below
Referring again to Fig 5, the functions which perform the core cryptography operations are now described in detail The mail server 4 shown m Fig 1 includes a client 70 which accesses the relay 1 via the client interface 10 In this example the client of the server 4 is written in Perl/PHP The client of the server calls the API 71 of the block 41 and the HTTP client 72 provides a mechanism for the client hooks 70 to communicate with the relay 1 This mechanism involves use of the API servlet 73 for server-side processing
The policy manager 74 determines what security policies should be applied to an email being received or sent It does this by communicating with the function 55 which extracts information from the database 30 The cryptography API 75 is an mterface which provides a real time bi-directional link and allows Java code to call C++ cryptography code The cryptography API client 76 allows the cryptography library 81 to be distributed on a different hardware platform for fault tolerance versatility, and performance The Fast CGI server 77 is the server side of the cryptography API 75
The component 78 provides S/MIME cryptography functionality for signing, encryption, and decryption The component 79 provides certificate management functionality, and the component 80 provides key pool management functionality These components interact with the key database 90, and use cryptography processes of the library 81 The library 81 implements low-level cryptography algorithms and key generation routines The components 78, 79, and 80 provide a C++ wrapper around the low-level C library 81
In the architecture illustrated m Fig 4, the controller 52 manages the flow of control for its operations by receiving a CGI command for instantiating business logic, and each business logic instance is a Java bean class instance The control flow is as follows
Taking the command string from the CGI variables,
Parsing the string into a hash table,
Instantiating a bean using introspection and the command string,
Setting the bean properties from the name, value pairs m the hash table,
Calling inttQ on the bean, and Pushing the data mto the view for display
The policy database 30 stores policies m which a policy consists of one instance of each of the following data type classes
Security policy scope, Signmg algorithm, Encryption algorithm, Signing policy, Encryption policy
The relay 1 automatically captures security data for non-registered users when they reply to an outgoing message from a registered user This is achieved by the certificate cryptography function 78 stripping off the certificate from a signed message and storing the certificates in the database 90
The key pool database 90 is structured to have minimal impact on performance of the relay 1 as generation of key pairs is processor-intensive The key pool directory size is configurable by the user, and a threshold is set for the directory and when the number of keys falls below that level they are replenished The key pool is replenished with anonymous key pairs, but these are still fully usable keys sets The key sets are made usable by the generation of certificates and this happens on demand A daemon is used to monitor key pool threshold levels, and message queues are used to communicate between the controller and the key pool code
Referring now to Fig 6 operation of the relay 1 is described The client computer 2 generates an email using Web server functions 10 and this is processed by the module 37 The plug-ins 12 allow the client computer 2 to route the email to the relay 1 via the mail server Web mail functionality This is a very effective mechanism for integration of the relay 1 with a mail server 4 in a modular manner With an open API any subscriber or administrative user can interface with the relay 1 by implementing a plug-m 12 so that its code interacts with the API 41
In the module 37, the security policy is determined based on the "from" and "to' addresses m the message The security policy consists of Digital Signature Policy
Figure imgf000015_0001
Clear-sign Opaque sign
Digest Algorithm
Encryption policy
Do not encrypt Encrypt
(Symmetric) encryption algorithm
The policy manager 74 accesses the policy database 30 to get policies for the senders and receivers of messages Each policy contains a "from" and a "to" field Some policies contain wildcards to allow setting of policies for groups The relay 1 has default policies, and these can be changed by the system administrator The policies contain the signing and encryption polices and algorithms
The key manager 80 then obtains access to the sender's private key from the database 90 This is secure because the keys are stored m the pkc #15 secure storage format
The S/MIME component 78 then constructs an S/MIME signed message including the digital certificate chain associated with the signing key m the message Encryption is of course by-passed if the policy does not indicate a requirement for encryption
If the policy requires encryption, the certificate manager 79 retrieves the recipient certificate from the certificate database The S/MIME component 78 then constructs an S/MIME encrypted message The message is encrypted usmg a randomly- generated symmetric session key, and the session key is encrypted using the recipient's public key These cryptography operations are performed by an algorithm selected from the library 81 The structure of the library is as follows -
key and certificate generation key and certificate management, and
S/MIME capabilities
The S/MIME message is then transmitted
An incoming message is received by the functions 71, 72, 75, 76, 77, and 78 There is no involvement of policies for incoming messages and the messages are decrypted by the S/MIME component 78 and the library 81
It will be appreciated that the invention provides for very effective security processing of messages m a manner which is modular on the Web server hosted by the ISP or ASP and is transparent to the subscriber. Also, the policy database allows excellent versatility in choice of options by subscribers The structure of the functions allows excellent versatility for deployment of resources such as the low-level cryptography algorithms Also, the administrative framework comprising the management console 31 and the policy database 31 allows simple and effective real time configuration by administrative personnel of the host organisation
The invention is not limited to the embodiments described but may be varied in construction and detail

Claims

Claims
1 A secure email delivery system (1) comprising
a client-side interface (41) comprising means for receiving outgoing messages from client devices operated by registered subscriber and for transmitting incoming messages to said client devices,
a policy database (30) storing a security policy for each of a plurality of registered subscribers,
a policy manager (74) comprising means for accessing the policy database (30) to determine a registered subscriber policy m real time and for delivering policy data to a requesting function m real time,
a secure key database (90) securely storing keys of registered subscribers and their addressees and a secure certificate database (90) securely storing certificates of registered subscribers and their addressees,
a signing function (78) compnsmg means for receiving policy data from the policy manager (74) and a registered subscriber private key from the key database (90) and for dynamically signing an outgomg message received at the client-side interface,
an encryption function (78) comprising means for receivmg policy data from the policy manager (74) and for dynamically encrypting an outgomg message in real time using an addressee public key retrieved from the certificate database, a decryption function (78) compnsmg means for automatically decrypting an incoming message m real time using the private key of the addressee registered subscriber retrieved from the key database (90), and
a server-side interface (71-73) comprising means for transmitting outgoing messages to a mail server after being processed, and for receiving incoming messages
A system as claimed m claim 1, wherein the policy database (30) stores a policy for non-registered users who are addressees of mail from registered users, and the policy manager (74) comprises means for determining policy data according to both a sender and a recipient of a message
A system as claimed in claim 2, wherem the signing function (78) comprises means for automatically signing an outgoing message in the absence of policy data for an addressee
A system as claimed m any preceding claim, wherem the client-side interface comprises an API (71-73) for linking with hooks on a server
A system as claimed in claim 4, wherein the API (71-73) comprises means for linking with hooks on an external mail server for generating Web mail under client instructions
A system as claimed in any preceding claim, wherem the policy managei (74) is linked with the signing function (78), the encryption function (78), and with the decryption function (78) by a cryptography API providing a real time bidirectional link and allowing modularity of the functions of each side of said API
7. A system as claimed m any preceding claim, wherem the signing function (78), the encryption function (78), and the decryption function (78) comprise means for operating with use of a cryptography library (81) of low-level cryptography processes
8. A system as claimed in claim 6 or 7, wherein the system further comprises a certificate manager and a key manager residing on the same side of the cryptography API as the signing, encryption and decryption functions
9 A system as claimed in claim 8, where the signing function, the encryption function, the decryption function, the certificate manager, and the key manager provide a programmed wrapper around the cryptography library
10 A system as claimed in any preceding claim, wherem the key database (90) stores a policy as an instance of a plurality of datatype classes
11. A system as claimed in claim 10, wherem the datatype classes include signmg algorithm, encryption algorithm, signmg policy, and decryption policy classes
12 A system as claimed in claim 11, wherein the key database (30) stores a key pool in a directory having a configurable size with a threshold, and the database comprises means for replenishing keys when the level falls below the threshold
13 A system as claimed in any preceding claim, further comprising a management console (31) comprising means for editing data m the policy database
A system as claimed in claim 13, wherein the management console (31) comprises means for retrieving a policy from the policy database as a model and for retrieving a certificate from the key database as a model
A system as claimed m claim 14 wherein the management console (31) comprises a controller (52) comprising means for treating each business operation as an object-orientated class instance
A system as claimed in claim 15, wherem the controller (52) comprises means for receiving a command string, parsing the string into a hash table, instantiating a class instance and setting properties and a name for the instance, and initialising the instance
A system as claimed in any preceding claim, wherein the policy database (30) stores group policies, each associated with a group of registered subscribers
A system as claimed m any preceding claim, wherem the policy database stores default policies
A system as claimed in any of claims 8 to 18, wherem the certificate manager comprises means for automatically stripping certificates from incoming messages and storing them m the certificate database for subsequent use
A secure email delivery system (1) comprising
a client-side interface (41) comprising means for receiving outgoing messages from client devices operated by registered subscribers and for transmitting incoming messages to said client devices a policy database (30) storing a security policy for each of a plurality of registered subscribers,
a policy manager (74) comprising means for accessing the policy database (30) to determine a subscriber policy in real time and for delivering policy data to a requesting function in real time,
a secure key database (90) securely storing keys of registered subscribers and their addressees and a secure certificate database (90) securely storing certificates of registered subscribers and their addressees,
a signing function (78) comprising means for receiving policy data from the policy manager (74) and a subscriber private key from the key database (90) and for dynamically signing an outgomg message received at the client-side interface,
an encryption function (78) compnsmg means for receivmg policy data from the policy manager (74) and for dynamically encrypting an outgoing message m real time using an addressee public key retrieved from the certificate database,
a decryption function (78) comprising means for automatically decrypting an incoming message in real time using the private key of the addressee retrieved from the key database (90), and
a server-side interface (71-73) comprising means for transmitting outgoing messages to a mail server after being processed, and for receivmg incoming messages, and wherem, the policy manager (74) is linked with the signing function (78), the encryption function (78), and with the decryption function (78) by a cryptography API providing a real time bi-directional link and allowing modularity of the functions on each side of said API,
the signing function (78), the encryption function (78), and the decryption function (78) comprises means for operating with use of a cryptography library (81) of low-level cryptography processes, and
the system further comprises a key manager (80) and a certificate manager
(79) residing on the same side of the API as said signing, encryption, and decryption functions, and said functions, the key manger, and the certificate manager together provide a wrapper around said cryptography library.
21. A computer program product comprising software code portions for completing a secure email delivery system as claimed in claim 1 when executing on a digital computer.
PCT/IE2000/000140 1999-11-16 2000-11-16 A secure email delivery system WO2001037496A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU12962/01A AU1296201A (en) 1999-11-16 2000-11-16 A secure email delivery system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IE990956 1999-11-16
IE990956 1999-11-16

Publications (1)

Publication Number Publication Date
WO2001037496A1 true WO2001037496A1 (en) 2001-05-25

Family

ID=11042165

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IE2000/000140 WO2001037496A1 (en) 1999-11-16 2000-11-16 A secure email delivery system

Country Status (2)

Country Link
AU (1) AU1296201A (en)
WO (1) WO2001037496A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20020064629A (en) * 2001-06-05 2002-08-09 주식회사 모비젠 E-mail encrypt/decrypt method
KR100462103B1 (en) * 2001-12-27 2004-12-17 후지제롯쿠스 가부시끼가이샤 Mail server, electronic mail transmission control method for the mail server and electronic mail system
GB2405293A (en) * 2003-08-18 2005-02-23 Clearswift Ltd Email policy manager
EP1701282A1 (en) * 2005-03-09 2006-09-13 BUNDESDRUCKEREI GmbH Computer system and method for signing, signature verification and/or archiving
WO2007014448A1 (en) * 2005-08-04 2007-02-08 Echoworx Corporation Method and system for managing electronic communication
US8520840B2 (en) 2001-06-13 2013-08-27 Echoworx Corporation System, method and computer product for PKI (public key infrastructure) enabled data transactions in wireless devices connected to the internet
WO2015033206A1 (en) * 2013-09-06 2015-03-12 Orange Secure toll-free application data access
US9967242B2 (en) 2014-01-30 2018-05-08 Microsoft Technology Licensing, Llc Rich content scanning for non-service accounts for email delivery

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5473143A (en) * 1991-09-23 1995-12-05 Atm Communications International, Inc. ATM/POS based electronic mail system
US5982856A (en) * 1994-09-16 1999-11-09 Octel Communications Corporation Network-based multimedia communications and directory system and method of operation

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5473143A (en) * 1991-09-23 1995-12-05 Atm Communications International, Inc. ATM/POS based electronic mail system
US5982856A (en) * 1994-09-16 1999-11-09 Octel Communications Corporation Network-based multimedia communications and directory system and method of operation

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
AUYONG K ET AL: "AUTHENTICATION SERVICES FOR COMPUTER NETWORKS AND ELECTRONIC MESSAGING SYSTEMS", OPERATING SYSTEMS REVIEW (SIGOPS),ACM HEADQUARTER. NEW YORK,US, vol. 31, no. 3, 1 July 1997 (1997-07-01), pages 3 - 15, XP000739146 *
KENT S: "Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management (URL)", NETWORK WORKING GROUP, 1 February 1993 (1993-02-01), XP002058728 *
SUCHUN WU: "MHS SECURITY-A CONCISE SURVEY", COMPUTER NETWORKS AND ISDN SYSTEMS,NL,NORTH HOLLAND PUBLISHING. AMSTERDAM, vol. 25, no. 4 / 05, 1 November 1992 (1992-11-01), pages 490 - 495, XP000306615, ISSN: 0169-7552 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20020064629A (en) * 2001-06-05 2002-08-09 주식회사 모비젠 E-mail encrypt/decrypt method
US8520840B2 (en) 2001-06-13 2013-08-27 Echoworx Corporation System, method and computer product for PKI (public key infrastructure) enabled data transactions in wireless devices connected to the internet
KR100462103B1 (en) * 2001-12-27 2004-12-17 후지제롯쿠스 가부시끼가이샤 Mail server, electronic mail transmission control method for the mail server and electronic mail system
GB2405293A (en) * 2003-08-18 2005-02-23 Clearswift Ltd Email policy manager
GB2405293B (en) * 2003-08-18 2007-04-25 Clearswift Ltd Email policy manager
US8209538B2 (en) 2003-08-18 2012-06-26 Clearswift Limited Email policy manager
EP1701282A1 (en) * 2005-03-09 2006-09-13 BUNDESDRUCKEREI GmbH Computer system and method for signing, signature verification and/or archiving
WO2007014448A1 (en) * 2005-08-04 2007-02-08 Echoworx Corporation Method and system for managing electronic communication
WO2015033206A1 (en) * 2013-09-06 2015-03-12 Orange Secure toll-free application data access
US9992814B2 (en) 2013-09-06 2018-06-05 Orange Secure toll-free application data access
US9967242B2 (en) 2014-01-30 2018-05-08 Microsoft Technology Licensing, Llc Rich content scanning for non-service accounts for email delivery

Also Published As

Publication number Publication date
AU1296201A (en) 2001-05-30

Similar Documents

Publication Publication Date Title
US6904521B1 (en) Non-repudiation of e-mail messages
US6442686B1 (en) System and methodology for messaging server-based management and enforcement of crypto policies
US6415318B1 (en) Inter-enterprise messaging system using bridgehead servers
US9917828B2 (en) Secure message delivery using a trust broker
AU717065B2 (en) Secure network protocol system and method
US8230517B2 (en) Opaque message archives
EP1532783B1 (en) System for secure document delivery
US8166299B2 (en) Secure messaging
KR100756308B1 (en) Secure Peer-to-peer messaging invitation architecture
US7469340B2 (en) Selective encryption of electronic messages and data
US20030115448A1 (en) Methods and apparatus for securely communicating a message
WO2000031931A1 (en) Method and system for securing data objects
Brown et al. A proxy approach to e‐mail security
EP1151573A1 (en) Secure messaging system and method
GB2368756A (en) Email encryption system in which messages are sent via an encryption server which stores the public keys of intended recipients
US20020099941A1 (en) Email processing method, email processing apparatus and recording medium
WO2001037496A1 (en) A secure email delivery system
CA2494972A1 (en) Method and apparatus for interactive electronic messages
EP1387239A2 (en) Secure messaging
Turner Secure/multipurpose internet mail extensions
IE20000927A1 (en) A secure email delivery system
IES20000926A2 (en) A secure email delivery system
CA2328548A1 (en) Privacy system
JP2001094600A (en) Message transfer node and network
Myint SMS security for Andriod platform by using RSA

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DE DK DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 69(1) EPC DATED 20-01-2003

122 Ep: pct application non-entry in european phase