AGENT-BASED SECURE HANDLING OF E-MAIL HEADER INFORMATION
BACKGROUND OF THE INVENTION Technical Field of the Invention
The invention generally relates to e-mail communications and, more particularly, to methods for improved security in the transmission of e-mail communications, and devices therefor.
Description of Related Art and Background E-mail is now one of the most widely used forms of asynchronous communication. Given the number of mobile terminals and smart phones currently available, solutions that make e-mail available at the mobile terminals have become much more in demand. Naturally, people want this kind of availability to be both secure (e.g., secure against eavesdropping or traffic analysis based on header information) and convenient for archival, retrieval, sorting and searching.
There are several solutions for secure access to corporate e-mail on the Internet. Pretty Good Privacy (PGP) and S/MIME are the most popular ones, but they only allow secure e-mail for point-to-point communication when all parties have a certificate or public key pair. For domain-to-point mail, e.g., mail from a company (corporate domain) to a receiver in a public domain, gateway-based solutions have been proposed, as exemplified by Applicants' Assignee's co-pending U.S. Patent Application Serial No. 09/198,822, entitled "Method and System for Security Data Objects", filed on February 24, 1998, in which plaintext e-mail from within a domain is automatically secured by a gateway before leaving a domain. An IETF proposed protocol describes a secure e-mail method for domain-to-domain security, also based on gateways.
In domain-to-point or domain-to-domain secure e-mail, gateways perform partial or full e-mail protection. With partial protection, gateways protect or secure (e.g., by encryption) part of an e-mail message, usually the body, but leave the headers in plaintext. With full protection, the whole e-mail, i.e., body plus headers, is
protected (e.g., encrypted), and minimal header information needed for delivery of the message (commonly the receiver's address) is also left unprotected. The reason behind this is that headers can reveal potential confidential information. The entire header is provided along with the body in the protected body portion of a full- protection e-mail, and the receiver's address is also provided, unprotected, in the header portion of a full-protection e-mail.
On the client side, when using full-protection e-mail, it is difficult for standard e-mail clients to show the headers, such as the "Subject:", in the message summary.
Furthermore, the e-mail client cannot perform more advanced tasks such as threading, sorting or searching, because the necessary headers for this are within the protected body portion of the full-protection e-mail. As a result, users do not get a convenient overview of the messages.
Several methods exist to solve these problems: special protocols, changes to existing e-mail clients and entirely custom e-mail clients can present the message in a convenient way to the user. Unfortunately, these methods are typically cumbersome for the average user to handle. In addition to handling passwords, hardware or software key-generators, certificates, etc., users typically must also learn to use special e-mail clients or modify to a great extent their behavior when using normal e-mail clients. It is, therefore, desirable to provide services such as e-mail message summaries and more advanced tasks, such as mentioned above, while maintaining desired e-mail security, and without complicating the user interface.
SUMMARY OF THE INVENTION The invention produces a result e-mail from a received secure e-mail that was in turn produced from an original e-mail. Information contained in a body portion of the received secure e-mail is decrypted, and a portion of the decrypted information from the body portion is provided in a header portion of the received e-mail, thereby producing a header portion of the result e-mail. In another embodiment of the present invention, the decrypted information includes non-header, body portion information, which is re-encrypted or reconstructed, thereby producing a body portion of the result
e-mail. The result e-mail in either embodiment can then be provided for use by an e- mail client, which can advantageously use the decrypted information in the header portion to perform standard tasks, such as summarizing, threading, sorting or searching, while the information in the body portion of the result e-mail is advantageously still encrypted.
Also according to the invention, encrypted header information can be provided in the header portion of a secure e-mail, and this header portion can be transmitted, without its corresponding body portion, to a destination via an air interface. At the destination, the encrypted header information can be decrypted, and advantageously used to determine whether or not the body portion should be transmitted to the destination over the air interface pursuant to a variety of parameters. In any event, the decrypted header information can be advantageously used by an e-mail client at the destination to perform standard procedures such as summarizing, threading, sorting and searching.
BRIEF DESCRIPTION OF THE DRAWINGS
For a more complete understanding of the present invention, reference is now made to the following detailed description taken in conjunction with the accompanying Drawings where: FIGURE 1 diagrammatically illustrates an exemplary e-mail communication system utilized in connection with the implementation of the subject matter of the present invention;
FIGURE 2 diagrammatically illustrates a first exemplary embodiment of an agent, as described in connection with FIGURE 1 ; FIGURE 3 diagrammatically illustrates exemplary operations performed by the agent of FIGURE 2;
FIGURE 4 diagrammatically illustrated a currently preferred exemplary embodiment of an agent, as described in connection with FIGURE 1 ;
FIGURE 5 diagrammatically illustrates exemplary operations performed by the agent of FIGURE 4;
FIGURE 6 diagrammatically illustrates another exemplary e-mail communication system according to the invention;
FIGURE 7 diagrammatically illustrates an exemplary embodiment of a mobile terminal used in connection with the system shown in FIGURE 6; and FIGURE 8 diagrammatically illustrates exemplary operations which can be performed by the system of FIGURE 6.
DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EXEMPLARY EMBODIMENTS The numerous innovative teachings of the present application will be described with particular reference to the presently preferred exemplary embodiments. However, it should be understood that this class of embodiments provides only a few examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily delimit any of the various claimed inventions. Moreover, some statements may apply to some inventive features but not to others.
With reference now to FIGURE 1 of the Drawings, there is diagrammatically illustrated pertinent portions of an exemplary e-mail communication system for domain-to-point mail, that is, mail sent from one domain, for example, a corporate or company domain, to a receiver's communication station, for example, a desktop computer, a laptop or other mobile computer, or a mobile telephone, in a public domain. In FIGURE 1, an original e-mail 10 includes a header portion (Uυ) 7 and a body portion (Bυ) 9. The header portion 7 includes the unencrypted header H-j of the e-mail 10, and the body portion 9 includes the unencrypted body Bυ (i.e., all information other than the information in the header Hυ).
The original e-mail 10 is input to an encryptor 11 provided, for example, in a security mail gateway which handles security for a corporate domain. In response to the original e-mail 10, the encryptor 11 outputs a protected e-mail, generally designated by the reference identifier e, including a header portion 16 and a body portion 18. The body portion 18 includes an encrypted version HE of the unencrypted header H,j of the original e-mail 10, and an encrypted version BE of the unencrypted
body B-j of the original e-mail 10. The header portion 16 of e-mail e includes unencrypted header information H'-j which typically includes a portion of the unencrypted header Hυ of the original e-mail 10, for example the receiver's address, or both the receiver's address and the sender's address. However, the unencrypted header information H'-j in the header portion 16 advantageously does not include information that describes the substantive content of the original e-mail message (e.g., the "Subject:"), and also advantageously does not include information which would permit unwanted traffic or network analysis of e-mail communications. This type of information is provided only in the encrypted header HE in the body portion 18 of e- mail e.
The e-mail e can be transmitted from the corporate domain through an e-mail communication path, generally designated by the reference numeral 13, to a conventional mail server 12, which can in turn forward the e-mail e to the receiver in the public domain via an e-mail communication path 15. The e-mail communication path 15 can include, for example, a data network, a radio air interface, or both. Thus, through the communication channel represented at 13, 12 and 15, the e-mail e is provided to the receiver's e-mail communication station, generally designated in FIGURE 1 by the reference numeral 5.
An agent 14 in the receiver's e-mail communication station 10 receives as input the e-mail e, and produces in response thereto a modified e-mail, generally designated by the reference identifier e'. The body portion 18 of the modified e-mail e' is, in this example, identical to the body portion 18 of the e-mail e, including the encrypted version HE of the original header H-j and the encrypted version BE of the original body Bυ. However, the e-mail e' differs from the e-mail e in that the header portion 16 of the e-mail e' includes the unencrypted (e.g., plaintext) header Hυ of the original e-mail 10.
The e-mail e' is provided as input to an e-mail client, which can use the unencrypted header Hυ along with standard conventional e-mail processing techniques to further process the e-mail e'. Examples of conventional components that perform these standard techniques are illustrated in FIGURE 1. For example, a summarizer
17A can use conventional techniques with respect to the unencrypted header H-_- to
provide a message summary to the user. Similarly, a threader 17B, a sorter 17C and a searcher 17D can, respectively, perform conventional threading, sorting and searching operations with respect to the e-mail e'. Also, a decryptor 17E of the e-mail client can perform a conventional decryption operation on the encrypted body BE in the body portion 18 of e-mail e', so that the user can read the information in the original unencrypted body Bυ.
It can, therefore, be seen that the agent 14 of FIGURE 1 permits the e-mail client to perform conventional operations, such as summarizing, threading, sorting, searching, etc., by use of the unencrypted header H-j, while the information from the body of the original e-mail 10 is retained in encrypted form as BE in the body portion
18 of the e-mail e'.
With reference now to FIGURE 2, there is diagrammatically illustrated a first exemplary embodiment of the various actions performed by the agent 14 of FIGURE 1. In the embodiment shown in FIGURE 2, the e-mail e, as received at the agent 14 in FIGURE 1, is input to a decryptor 21, which can use conventional decryption techniques to decrypt the encrypted header HE and the encrypted body BE in the body portion 18 of e-mail e. Thus, decryptor 21 outputs a transitional e-mail el whose header portion 16 is identical to that of the input e-mail e, i.e., an abbreviated form of the original header portion 7, but whose body portion includes the unencrypted header H-j and the unencrypted body Bυ of the original e-mail 10, as illustrated and described in connection with FIGURE 1.
With reference again to FIGURE 2, the transitional e-mail el is input to an information handler 23, which manipulates information in the transitional e-mail el to produce a further transitional e-mail e2. As shown in FIGURE 2, the header portion 16 of the transitional e-mail e2 produced by the information handler 23 includes the unencrypted header Hυ of the original e-mail 10. The body portion 18 of the transitional e-mail e2, however, is identical to the body portion 18 of the transitional e-mail el. In the embodiment of FIGURE 2, the information handler 23 copies the unencrypted (e.g., plaintext) header Hu from the body portion 18 of the transitional e- mail el into the header portion 16 thereof to produce the transitional e-mail e2 with the full header portion Hy. The unencrypted header information Wυ can therefore be
discarded by the information handler 23 in this embodiment, because all of the information in H'-j is included in the unencrypted header Hυ.
Finally, the transitional e-mail e2 output from the information handler 23 is input to an encryptor 25, which can use conventional techniques to encrypt the header H-j and the body Bυ provided in the body portion 18 of the transitional e-mail e2, thereby producing the e-mail e', as described above with respect to FIGURE 1.
FIGURE 3 illustrates exemplary operations performed by the agent of FIGURE 2. For example, at step 31, the body portion of the received e-mail e is decrypted to produce the transitional e-mail el. Thereafter at step 33, the decrypted header information from the body portion of transitional e-mail el is copied to the header portion of transitional e-mail e2, as described above in connection with FIGURE 2. Thereafter at step 35, the information in the body portion of the transitional e-mail e2 is encrypted to produce the desired e-mail e'. At step 37, the aforementioned conventional e-mail client operations can be performed on e-mail e' based on the unencrypted header Hy.
With reference now to FIGURE 4 of the Drawings, there is diagrammatically illustrated a currently preferred embodiment of the present invention, which avoids many computations by a client having limited resources, e.g., the re-encrypting of the message by the encryptor 25 to create transitional e-mail e2 (step 35), as illustrated and described in connection with FIGURES 2 and 3.
In the presently preferred embodiment shown in FIGURE 4, the e-mail e, as received at the agent 14 in FIGURE 1, is input to a decryptor 41, which starts decrypting the body part of e-mail e, as described in connection with FIGURE 2. However, in this preferred embodiment, when the decryptor 41 discovers information indicative of a separation between the respective header Uυ and body Bυ portions, e.g., by detection of a header terminator flag 42 or other demarcation indicator marking the separator between the encrypted header and body portions within the body portion of e-mail e, the decryptor 41 stops after decrypting the header portion without undertaking the computationally heavy decryption of the more voluminous body portion Bυ of the original message 10. In other words, after decryptor 41 detects the
flag or indicator 42, the decryptor 41 has completed decryption of the entire header portion, leaving the contents of the body portion untouched.
As shown in FIGURE 4, the decrypted header Hυ is preferably temporarily stored at a memory 43. An information handler 45 replaces the header part 16 of the e-mail e with the extracted full header Hυ stored in memory 43 to form e-mail e'.
Since only the pertinent header H-j information has been decrypted for client usage, no re-encryption, e.g., by the encryptor 25 of FIGURE 2, is necessary, thereby avoiding step 35 of FIGURE 3.
With reference now to FIGURE 5, exemplary operations performed by the agent of FIGURE 4 are illustrated. For example, at step 51 , only the encrypted header portion HE of received e-mail e is decrypted and the decrypted header Kυ temporarily stored. As the decryption of the header portion transpires, a check is periodically made (step 53) whether the header decryption is complete, e.g., whether the aforementioned header terminator flag 42 (or other indicator) has been detected. If not, then decryption continues at step 51. Otherwise, the decrypted header portion Hυ is temporarily stored within memory 43 (step 55). The information handler 45, at step 55, copies the still encrypted body portion 18 of e-mail e to e-mail e' (step 57), and at step 58, copies the stored header υ from intermediate memory 43 to the header portion 16 of e-mail e'. Finally, at step 59, the aforementioned conventional e-mail client operations can be performed based on the unencrypted header Hυ.
In domain-to-point e-mail communications where the receiver's communication station, e.g., the communication station 5 in FIGURE 1, is a mobile terminal, such as a mobile telephone, a user of the mobile terminal may prefer to postpone reading of very large e-mail messages until another communication station is available, for example, a desktop computer. However, the user of a mobile terminal cannot determine the size of an e-mail message until it has been completely transferred to the mobile terminal over the associated air interface. Similarly, other considerations may warrant non-transference of the body portion of the e-mail for a variety of other reasons, e.g., priority, privacy, etc. In other words, the information stored in H'-j alone may not suffice to make this determination since the unencrypted header H',j contains minimal information. The problem then is to transfer the full H-j without the whole
body part, thereby giving the receiver full header information and an enhanced ability to handle the e-mail. The exemplary e-mail communication system shown in FIGURE 6 provides a preferred solution to this problem.
In the exemplary system of FIGURE 6, the security mail gateway of a corporate domain includes, in addition to the encryptor 11 of FIGURE 1 , an information handler
61. The encryptor 11 outputs separately the encrypted header HE and an encrypted entity resulting from the combined encryption of H-j and Bυ, i.e., the two parts cannot be separately identified in the encrypted entity. A dashed line 11 A separating the two parts HE and BE in body portion 18 indicates that the encrypted header and body portions are not normally separately distinguishable. If, in an alternate embodiment of the present invention, the encrypted header and body portions could be distinguished, a demarcation flag may be employed to mark the boundary.
The output from the encryptor 11 and the header Hυ from the original unsecure e-mail 10 are then input to the aforementioned information handler 61, which as illustrated in FIGURE 6, processes the input to produce e-mail e3. As shown in the figure, the header portion of e-mail e3 includes a header portion H'-j, typically a portion of the original header Hυ, and the encrypted header HE. The body portion 18 of e-mail e3 is identical to the body portion 18 of the protected e-mail e3, including both the encrypted header HE and the encrypted body BE. A full line 16A separating the H'y and HE in 16 indicates that the two parts can be separately identified, whereas a dashed line 18 A, as with line 11A, indicates an indistinguishable divide.
The information handler 61 in this embodiment of the present invention utilizes a permitted feature of Internet Standard RFC822, according to which standard the protected e-mail can, in some instances, be produced. In particular, the RFC822 standard permits the header portion 16 to contain additional extended header fields of arbitrary length. Accordingly, in some embodiments, the information handler 61 copies the encrypted header HE, separately input to the information handler, into an extended field of the header portion 16 of e-mail e3. Alternatively, the separately output HE from the encryptor 11, identical to HE in the header portion 16, should at least be indicative of the contents of the message instead of the entire encrypted header
HE. E-mail e3 is, thereafter, loaded into, for example, a conventional mail server 67,
which separates the header portion 16 from the body portion 18 thereof, e.g., using flags or other indicators such as flag 42 discussed in more detail hereinabove in connection with FIGURE 4. Upon request, the header portion 16 is further transmitted, through a mobile (e.g., cellular) network 68, to a receiving client at a mobile terminal 69. The receiving client decides, by analyzing the decryption of header HE at least indicative of the contents of the message, if the full body portion 18 should be requested from the mail server 67.
FIGURE 7 diagrammatically illustrates pertinent portions of an exemplary embodiment of the mobile terminal 69 illustrated and described in connection with FIGURE 6. A decryptor 72 in the mobile terminal 69 receives the separated header portion (containing the unencrypted and encrypted versions of the header portions as shown in FIGURE 6) from the air interface, and uses conventional techniques to decrypt the encrypted header portion HE thereof, thereby producing the unencrypted header Hυ of the original e-mail message 10, as shown in FIGURE 1. This unencrypted header H-j is then applied to a decision logic 74, which determines, for example, from information in the header Hυ indicative of various parameters concerning the e-mail message how to proceed. The parameters may pertain to any operational aspects of the transmission, e.g., the identity of the sending party, priority, the size of the e-mail message, and whether or not to communicate back through the air interface a request for the security mail gateway to provide from the storage section
65 the separated body portion 18 (see FIGURE 6) or at least the encrypted body BE.
The unencrypted header H-j can also be provided to an e-mail client in the mobile terminal 69, and the e-mail client can use this header to perform the conventional e-mail client operations described above with respect to FIGURE 1. FIGURE 8 illustrates exemplary operations which can be performed by the exemplary system of FIGURE 6. For example, at step 81, the encrypted header information from the body portion of the protected e-mail e is copied to the header portion thereof to produce the transitional e-mail e3. Thereafter, at step 83, the header portion of e-mail e3 is transmitted over the air interface, and, at step 85, the received encrypted header information is decrypted by the mobile terminal to obtain the unencrypted header Hυ. At step 87, it is decided from the header H-j whether to
request transmission of the stored body portion of e-mail e3 over the air interface. It should be understood that if it is decided that the body portion is too long to send over the air interface to the mobile terminal, then the user of the mobile terminal can request transmission of the stored body portion later when another communication station, such as a desktop or other computer, is available. At step 89, the aforementioned conventional e-mail client operations can be performed based on the unencrypted header Hυ.
It will be evident to workers in the art that an agent according to the invention can be implemented, for example, by a suitably programmed data processor provided in an e-mail communication station, such as a mobile computer or a mobile telephone, as generally referred by reference numeral 5 in FIGURE 1. As another example, an agent according to the invention can also be implemented by such suitably programmed data processor in combination with other external components. It will also be evident that a security mail gateway according to the invention can be readily implemented, for example, by suitable modifications in software, hardware or both in a conventional security mail gateway.
Although exemplary embodiments of the present invention have been described above in detail, this does not limit the scope of the invention, which can be practiced in a variety of embodiments.