FI122184B - Search appliance for the discovery of secure paths in an Internet Protocol-based communication network - Google Patents

Description

Detector for finding secure paths in an IP (Internet Protocol) based communication network This application is separated by subdividing the parent application EN-20085663, June 5, 2008

FIELD OF THE INVENTION The invention relates generally to e-mail and data security. In particular, the invention relates to solutions for ensuring that the contents of an email message 10 remain confidential when the content is transmitted from the sender to the recipient over the Internet. If the recipient of the e-mail replies to the message, that is, sends a reply message, the content of the reply message must also remain confidential.

Background Art 15 As known, the Internet transmits IP (Internet Protocol) packets. These IP packets are encapsulated in different ways for different types of communication needs. For example, encapsulation produces TCP / IP Transmission Control Protocol / (Internet Protocol) packets. The e-mail message consists of at least one Internet-based communication packet, such as an IP packet or 20 TCP / IP packets.

There are servers on the Internet that are considered secure and servers that are considered insecure. Generally speaking, the sender of an email does not know which servers are secure and which are unsafe. Even if the sender knows which servers are secure, the sender may not have 25 options to control the Internet so that his or her messages are passed through secure servers.

i £ The server that connects the LAN to the Internet is generally called i firewall. A firewall is connected to a local area network to terminals that have allo-x Internet addresses included in a specific address space. Emails addressed to the address space are routed through the firewall and LAN <m to the receiving terminals. In this application, the term "fire> wall" also refers to the so-called "fire". email firewall capable of individual

o

^ instead of telecommunication packages, handle email as a whole and perform quite complex checks and 35 conversions on email.

2 If the sent message passes through at least one insecure server, the confidentiality of the message is compromised. To resolve this issue, the message may be encrypted.

Following are some encryption-based e-mail solutions and related problems.

IPsec (IP security) is a set of protocols that secures IP connections. An IPsec solution can use the Encapsulating Security Payload (ESP) protocol, which encrypts each IP packet associated with a secure IP connection.

In an IPsec solution, traffic to certain terminals or to all terminals in a LAN is controlled through a single point, such as a firewall. The firewall encrypts outgoing traffic and decrypts incoming traffic. Alternatively, the terminals perform the outgoing traffic encryption and the incoming traffic decryption.

IPsec has been used to establish confidential communication channels between the communication parties. These parties can communicate through a Virtual Private Network (VPN), which contains confidential communication channels.

The problem with IPsec is that maintaining the communication channels is quite laborious because it requires the exchange of encryption keys between the communication parties. Thus, IPsec is poorly suited to typical open e-mail environments where organizations and the people they represent have a large number of external communication parties.

The S / MIME (Secure Multipurpose Internet Mail Extensions) solution Q requires the sender and the recipient to have encryption keys g and compatible encryption programs. S / MIME is based on the use of a public and private encryption key. While most email clients support ^ S / MIME, only a few users have encryption keys.

CC

[012] As with the IPsec solution, the problem with cm is the trouble of changing and maintaining the keys, g Another problem with the S / MIME solution relates to the prevention of harmful traffic. If the message sender's workstation has been compromised by the malicious program, the malicious program may send malicious messages encrypted with the recipient's public key to the recipient. Because messages are encrypted, malicious content inside them, such as spam or a virus, cannot be effectively identified by a typical e-mail gateway on the edge of the network. As a result, a malicious message can pass through multiple checks all the way to the recipient's desktop.

Although the prior art provides the ability to copy the private key of each of its senders / recipients to a counter server and decrypt it during content scanning, the procedure is complicated. Encrypting messages is therefore a negative measure to prevent harmful traffic.

In an IBE (Identity Based Encryption) solution, a master key is used to derive a set of keys for different identities. The preferred option for the solution requires that the sender and recipient of the message have compatible encryption software. If the sender does not have the recipient's public encryption key, the sender may use a method of speculatively encrypting the message 15. This method generates an encryption key based on the recipient's email address and encrypts the message with the encryption key generated.

I BE simplifies key management as compared to the S / MIME method, but it poses a new problem, that is, the recipient 20 identification problem. The prior art does not provide a user-friendly method of identifying a recipient in a situation where the recipient is not known for anything other than an email address.

As mentioned above, message encryption is a negative measure in the prevention of harmful traffic. Therefore, the top 25 alternatives to the IBE solution are considered problematic.

O In the alternative alternative relating to the IBE solution, r ^. WWW (World Wide Web) based o messaging is used instead of encryption programs.

x [019] The IBE-related WWW-based Messaging and the D3- * 30 server created by the applicant are some examples of so-called e-mail. ad hoc mediation.

The applicant's D3 server is compatible with existing o) e-mail systems. The D3 server enables email creation,

o

° Intermediate delivery between organizations without the hassle of managing distributed software and servers. Based on the contents of the e-mail message, the D3 server creates at least one file and then performs in part the same steps as the following method.

The method includes the steps of 1) encrypting the recipient file, 2) encrypting the file on a web server, 3) generating an e-mail message containing a link to the encrypted file hosted on the web server, and 4) sending the created email message to the recipient.

Upon receipt of the message, the recipient can read the file in a web browser via the link contained in the message. Clicking on the link establishes an HTTPS (Hypertext Transfer Protocol Secure) connection between the recipient's terminal 10 and the server contained in the file, whereby the contents of the file can be read in a confidential manner.

The first problem with the above method is that the recipient needs a web browser on their terminal, otherwise the file cannot be read.

Another problem with the method is that the email may end up in the wrong person. In this case, the wrong person will be able to read the file if the method does not use person authentication, such as a password. Thus, the confidentiality of the file is compromised without encryption when the message containing the link passes through an insecure server. 20 On the other hand, the method is considered to have the advantage of ensuring that e-mail is fairly confidential without the hassle of encryption key and the hassle of sending and maintaining an encryption key.

End-to-end secure data communications have become commonplace on the Internet. The TLS 25 (Transport Layer Security) protocol has been developed to meet the needs of confidential communication. TLS is a protocol that can o protect the transmission of Internet applications over the Internet. The most common use of TLS i4. the way is to protect the transmission of WWW pages using the HTTPS protocol 0 mentioned above. The TLS extension in connection with ESMTP (Extended Simple Mail £ 30 Transfer Protocol) can be used for the confidential transmission of emails. The encryption technology supported by the known server o can be checked by the SMTP session-opening authentication-

C \ J

S device.

σ> o The nodes of the telecommunication network form the paths through which the telecommunication packets contained in the e-mail message can be transmitted over the telecommunication network. Known methods for studying paths are discussed below.

Traceroute is an operating system command that uses the TCP / IP protocol to determine which path, i.e. packets, are sent to 5 specific nodes in a telecommunications network. For example, a node is a server or router. Moving one or more packets from one node to the next node is called a hop.

The Traceroute command increments the "To Time" value of packets it sends, which indicates the number of hops to be performed. Specifically, the first packet has a 'Time To Live' value of one, the second packet has a 'Time To Live' value of two, etc. Thus, the first packet returns after the first router, the second packet returns after the second router, etc. Based on the returned packets traceroute command creates a list of nodes in the communication network. List nodes form a path along which packets pass to a particular node in a telecommunications network.

The Traceroute command is derived from Unix operating systems. Most Linux operating systems use the "Matt's Traceroute" tool, which is called "mtr", instead of the same name or traceroute, and 20 "tracert" commands on Windows operating systems.

In the application, the term "Traceroute" or "Traceroute Tool" refers to the commands "" traceroute "," mtr "," "tracert" and other possible commands to determine the path of packets.

Although the use of the Traceroute tool is restricted for security reasons, __ 25 many Internet backbone routers accept its use. Thus, the Trace route route tool can sometimes determine which servers or countries through which an e-mail message travels over the Internet. It is assumed that the path traveled by the message is cleared by the Traceroute ^ tool and the list generated by the tool contains a number of servers. This list of £ 30 is compared to the list of secure servers or insecure servers available on the Internet. The comparison performed reveals whether all the servers in the path followed by the S message are secure or not. Because of traffic management, the firewall may be referred to as the Message Transfer Agent (MTA).

In addition to firewalls, other servers can also act as MTAs. In source routing, the sender of the communication packet 5 is able to direct the communication packet to the recipient along a specific route. Source routing can be applied to individual e-mail messages instead of individual communication packages. In this case, the addresses of the MTAs that are on a particular route are included in the recipient address of the message. When the MTA receives a message, it shortens the recipient address by deleting its own address from the recipient 10 address. The MTA then forwards the message according to the truncated recipient address.

With source routing, the sender can test different paths or order the message to be transmitted along a faster, cheaper, or more reliable path. However, for security reasons, the use of source routing is often prohibited.

15 The basic principle of the Internet is that the Internet routes routed communications packets from the sender node to the recipient node.

As mentioned above, the prior art provides: - limited access to the Traceroute tool, - the security of the servers running the path of the communication packets 20 can be determined from the list of secure servers or insecure servers - if source routing is allowed, e-mail can be routed to the secure path.

The first problem with the prior art is that __ 25 even if secure paths are available through the e-mail message, o the sender of the message is generally unaware of the existence of secure paths and the system used by the isL sender is unable to direct the message to the secure path. the problem is that the sender ^ has no chance of influencing the path along which the recipient of the £ 30 message sends his reply message relating to the message. Often, the reply message ^ contains the entire message to which the recipient of the message replied with S in his reply message.

CD

o o Even if the message is passed along a secure path to the recipient, the path passed by the reply message, i.e. the so-called. the return path presents a security risk 35 if the return path is unsafe. In particular, the security risk means that the sensitive information contained in the 7 reply messages will end up in the wrong person, who is attempting to misuse the information, due to an unsafe return path.

BRIEF SUMMARY OF THE INVENTION One object of the invention is to solve the above-mentioned prior art problems. The invention is characterized by what is stated in the appended claims.

An attempt is made to secure the confidentiality of e-mail by searching a secure path over the Internet using a search engine.

The search device according to the invention is particularly suitable for use in the method described in patent application FI-20085663, filed June 27, 2009. The present patent application is formed by dividing it from the aforementioned patent application.

The discovery apparatus for discovering secure paths in an IP (Internet Protocol) based communication network according to the invention includes a node finder, a domain determiner, a TPP finder, a inference unit and a memory.

The node searcher obtains as input either the message name information or the message sender information area name or the relay node address and returns a set of nodes comprising at least one node.

Based on the address of the node 20 contained in the node set, the domain determiner determines the terrestrial domain, the operator domain, the organization domain, and the server domain.

^ 25 The TPP lookup performs at least one of the following DNS queries: a first DNS query based on a server domain, revealing whether a secure x path server (TPP) has been defined in the server domain, ^ a second DNS query based on an organization domain ^ 30 revealing whether the organization domain , S a third DNS query based on the carrier domain o revealing whether the operator domain has a defined TPP, a fourth DNS query based on the carrier domain indicating whether the terrain domain has a specified TPP.

The inference unit concludes that the search was successful when the first, second, third, or fourth DNS queries reveal that the TPP has been defined, and the inference unit returns the address of the TPP.

The search device according to the invention is particularly suitable for use in the method described in patent application FI-20085663, which includes the steps to be performed in the control entity.

the control entity retrieves the secure path address (TPO) based on the message recipient information from the memory where the secure path contains at least one node.

10 In the absence of a TPO in the memory, the control entity searches for a secure path on the paging device, the paging device receives the message recipient information and outputs the TPO.

the control entity writes a message to the recipient's TPO address to forward the message over a secure path to the recipient node on the communication network.

the control entity retrieves, based on the message sender information, a secure return path address (TPPO) from the memory, wherein the secure return path includes at least one relay node between the message sender node and the recipient node.

20 In the absence of a TPPO in the memory, the control entity searches for a secure return path on the paging device, the paging device inputs the message sender information, and outputs the TPPO.

Finally, the control entity writes the message to the return address TPPO so that the response message associated with the message can be transmitted over the secure return path from the recipient node to the sender node in the communication network.

In the following, the invention will be described in more detail with reference to the following schematic diagrams, of which x Figure 1A shows nodes and entities associated with the invention, Figure 1B shows an example of control and relay entity o ™ Figure 2 illustrates a method FIG. 3 illustrates an optional additional step of the method, FIG. 4 illustrates a system for securely transmitting a message and a reply message, FIG. 9 illustrates a search device according to the invention for finding secure paths.

DETAILED DESCRIPTION OF THE INVENTION FIGS. 1A and 1B illustrate some terms related to the invention, and FIG. 3 illustrates a Use Example in which imaginary persons, Alice and Bob, send each other e-mails.

Figure 1A shows nodes and entities associated with the invention. The sending node 101, the relay node 102, and the receiving node 103 are nodes of an IP-10 based communications network such as the Internet. Nodes 101-103 are different nodes. Server, router, and terminal are some examples of communication network nodes. Generally, the sending node 101 is a terminal and the receiving node 103 is a terminal.

Both the control entity 104 and the forward entity 105 include at least one node. The control entity 104 may be the same entity as the forward entity 105, or the entities (104 and 105) may include at least one common node.

The sender node 101 transmits the message 106 to the recipient node 103. The control entity 104 receives the message 106. The control entity 104 may include the sender node 101, or the control entity 104 may be included in the sender node 101.

After the first address transformation of the message 106, the control entity 104 forwards the message 106 along the secure path 107 to the recipient node 103. The secure path includes at least one communication network node. The node contained in the secure path 107 may be the recipient node 103.

c3 In response to message 106, recipient node 103 transmits a reply message 108 along a secure return path 109. Forward entity 105 i LO receives a response message 108. Forward entity 105 may include x sender node 101, or forwarder entity 105 may be contained in sender node 101. o ™ Forward entity 105 forwards a reply message 108 after the second address change to sender node 101.

To maintain the confidentiality of the message 106, the message 106 is transmitted in a secure manner from the sender node 101 to the control entity 104 and the control 35 entity 104 along a secure path 107 to the recipient node 103.

To maintain the confidentiality of the reply message 108, the reply message 108 moves along the secure return path 109 to the forward entity 105 and the forward entity 105 in a secure manner to the sender node 101.

The aforementioned first address transformation 5 performed by control entity 104 is such that the control entity replaces the original return address (APO) contained in the return address of the message 106 with a secure return path address (TPPO).

The second address transformation, i.e. the address transformation performed by the forwarding entity 105, is such that the forwarding entity replaces the secure return path address (TPPO) contained in the recipient address of the reply message 108 with the original return address (APO).

A secure path server (TPP) is defined as a server that meets the following two requirements: 1) The TPP is able to receive e-mail messages in a confidential manner 15 using the TLS protocol, 2) The TPP is capable of relaying messages confidentially in the domain for which it is a TPP. defined network area of the holder or another trusted party body.

The secure path 107 includes at least the recipient node 103. 20 If the secure path contains only the recipient node 103, the recipient node 103 is a TPP. The first node of the secure path is the TPP that owns the TPO. The first node of the secure path is the node to which the control entity 104 forwards the message 106.

The secure return path 109 includes at least a forward entity 103. The forward entity 103 has a TPPO. More specifically, the relay entity 103 0 includes a node which is a TPP and has a TPPO ^ Figure 1B shows an example of a control and relay entity.

In this example, the sending node 101 and the receiving node 103 are terminal-x devices. The sender node 101 is connected by LAN 110 to the sender's firewall 113. Similarly, the receiver node is connected by LAN 112 ^ to the recipient firewall 113.

o) An e-mail sent from Sender Node 101 passes through Sender Firewall 111, Internet 114, and Recipient Firewall 113 to Receiver Node 103.

Similarly, the response message sent from the recipient node 103 relating to the e-mail message passes through the recipient firewall 113, the Internet 114, and the sender firewall 111 to the sender node 103.

Figure 1B illustrates the forwarding of an e-mail message and associated reply message with double-headed arrows.

With respect to Internet 114, it should be noted that Internet 114 is a network of networks. Fig. 1B illustrates, among the networks included in Internet 114, a sender operator network 115 and a receiver operator network 116.

The control entity 104 and the forward entity 105 are located on one or more devices in the LAN 110, the sender firewall 111, and / or the sender operator network 115. The control entity 104 and the forward entity 15105 can be deployed in a number of different ways. For example, both entities 104 and 105 may be located on the same mail server on the sender's carrier network 115.

In connection with Figure 1A, it was mentioned that the reply message 108 is transmitted from the forward entity 105 in a secure manner to the sender node 101. The secure way 20 means, for example, that messaging from the sender's operator network 115 to the sender node 101 is secure. An individual or organization is expected to have confidence in their broadband provider.

Correspondingly, it is assumed that message transmission is secure between the recipient node 103 and the recipient operator network 116.

Messaging security problems are related to traffic between my sender operator network 115 and the recipient operator network 116, g Typically, there are several alternative paths between networks 115 and 116. Only some of the alternative paths are secure paths. Figure 2 illustrates a method for protecting the confidentiality of message and reply message content 30 via email over an Internet Protocol (IP) based communication network.

g The method utilizes at least control entity. Generally, the control entity is one of the following entities: a telecommunications network terminal device, an email relay node in a telecommunication network, or an entity comprising at least one terminal device and at least one email relay 12 node. An e-mail server and a firewall are typical examples of an e-mail forwarding node.

The method includes the following steps to be performed in a control entity: 5 - Initially retrieving a secure path address (TPO) from the memory of the 201 message recipient information, wherein the secure path contains at least one node. TPO is the node's e-mail address that configures e-mail to pass through a secure path server (TPP). Node means a server, terminal, or other node in a telecommunications network.

The memory used by the method or system of the invention includes at least one memory device. The memory is available for at least one node. Memory is available locally or globally.

In the absence of the TPO in the 202 memory, the secure path is searched by the 203 discoverer. As shown above in Figure 1B, the sender operator network 115 and the recipient operator network 116 typically have a number of alternative paths, some of which are secure. The search engine tries to find at least one secure path, more specifically at least one TPP. The paging device receives the message recipient information as an input and outputs the TPP address. Based on the TPP address, the original recipient information 20 is converted to TPO. The conversion can be accomplished by adding the TPP address to the end of the original recipient address.

- then writing 204 to the TPO of the recipient of the message to forward the message over a secure path to the recipient node in the communication network.

25 - Next, a secure return path address (TPPO) is retrieved based on 205 message sender information from the memory, wherein the secure return path c3 includes at least one relay node located between the message sending node and the receiving node. The TPPO is the node's e-mail address that specifies i to the e-mail's possible response message to pass through a secure path service x 30 limp (TPP). An e-mail reply message refers to the so-called "e-mail" defined below. message to the return address.

^ - In the absence of the TPPO in the memory 206, a secure o) reverse path is searched by the paging device, the paging device inputs the sender information of the message o o and outputs the TPP address. Based on the TPP address 35, the original return address is converted to TPPO. The conversion may be performed by adding the TPP address to the end of the original sender address domain name.

It will be appreciated that the above transformations resulting in TPO or TPPO may be accomplished in any other manner obvious to one skilled in the art.

- finally, writing 208 the message return address TPPO so that the reply message associated with the message can be forwarded over the secure return path from the recipient node to the sender node in the communication network.

Descriptions 10 of the method and system of the invention include the terms sender node and recipient node. The sender node and the receiving node may use the same carrier network. However, the advantages of the invention are best exemplified in the situation of FIG. 1B, where the sender node and the recipient node use different operator networks. In the prior art, protecting the confidentiality of the content of a message and a reply message is known to be challenging when the sender node and the recipient node use different carrier networks.

The return address of the message is used under different names in different contexts. For example, the return address is one of the following addresses: The "From:" address in the Simple Mail Transfer Protocol (SMTP) envelope, the "Reply-To:" address in the Multipurpose 20 Internet Mail Extensions (MIME) header, or another MIME header ("Sender" or "Receiver" address).

The memory used by the control entity can be initialized so that at least one of the searches is performed: a secure path search or a secure return path search.

[080] The memory may be initialized once or repeatedly so that when retrieving the secure path address c \ i ^ (TPO) from the memory of the 201 message recipient information, no TPO is found. The method then performs a search for a safe path.

LO

In addition or alternatively, the memory may be initialized once or

X

a. 30 repeatedly such that when retrieving a secure reverse path address (TPPO) based on 205 message sender information from the memory, no TPPO is found. In this case, the c0 method performs a search for a safe return path.

CD

Thus, by initializing memory, the control entity may be forced to use a search device to find a secure path or a safe return path.

[083] Alternatively, the detector may be permanently or temporarily abandoned. The method then stores at least one of the TPO or TPPO addresses in the memory by the control entity. As long as the TPO is stored in memory, no secure path is searched. Similarly, as long as 5 TPPOs are stored in memory, no safe return path is searched.

Figure 3 illustrates optional further steps of the method. Steps 201 -208 shown in Figure 2 are illustrated in Figure 3 by dashed line 301.

Preferably, the following optional additional step is performed prior to steps 201-208.

The method provides 200 at least a message's original return address (APO) from a control entity to a relay entity containing at least a node having a TPPO. APO mediates from control entity to agency entity in several ways obvious to one skilled in the art. For example, the APO may be encoded into a TPPO and transmitted with the message.

In response to the message, in an embodiment of the invention, a response message sent by the recipient node is received in the forward entity. If necessary, different types of checks can be applied to the response message. Preferably, checks can also be made during the handshake phase of the SMTP session associated with the response message.

The method includes the following steps to be performed in the broker entity after any checks.

replacing 210 response message contained in the recipient address of the response message with a TPPO of the TPPO sent by the control entity to the relay entity and forwarding 211 response messages to the sender node.

[089] As mentioned above, the control entity replaces the APO contained in the return address of the message with a TPPO. TPPO can be formed in many different ways. The following is a simple way of forming a TPPO.

i "s." is inserted before the area name in the return address. In addition

CC

30 MX (Mail exchange) data must be modified so that the domain name assigns cm based on the customized MX information to a server that receives (j) e-mail messages only through an encrypted connection such as TLS-o.

Use example. Let's say Alice works for a company called Compatent-35 and a company called Bob Deltagon. Suppose that 15

Alice has written an email and sent it to Bob. In this case, the email sent by Alice's terminal is sent from alice@compatent.com and sent to bob@deltagon.com.

The original Return Address (APO) of the message is thus 5 alice@compatent.com

Modified Return Address, or Safe Return Path (TPPO), is alice@s.compatent.com [093] It is noted that the entry "s." In the TPPO is an example, which could be replaced by another entry indicating that 10 email addresses is TPPO.

For the above address conversion, a so-called. MX information could be edited as "normal email" compatent.com. MX mail.compatent.com.

15 "Safe Return Path Email" s.compatent.com. MX tppo.compatent.com, where the "tppo.compatent.com" server contains a forced TLS setting.

Due to the forced TLS setting, the server "tppo.compatent.com" 20 expects to receive the STARTTLS command immediately after the EHLO command.The forced TLS setting can be implemented, for example, by mail delivery software called Postfix or Sendmail.

Alice's e-mail is transmitted to Bob through the sender node and the recipient node.

^ 25 [097] Suppose Bob reads Alice's message, writes a related ° reply message, and sends a reply message to Alice. In this case, the recipient node £ 5, i.e. the Bob serving node, forwards the response message to the TPPO address m alice@s.compatent.com c [098] Due to the above MX information, Bob's response message must

CL

30 passes to the server '' tppo.compatent.com ', which accepts e-mails ^ only through an encrypted connection, i.e. a TLS connection. This server acts as a secure path server (TPP) for a specific domain.

If the server forwarding the response message does not yet have a TLS connection to the TPP, the handshake step involved in establishing the connection may look like, for example: 16

ehlo deltagon.com 250 OK

mail from: bob@deltagon.com 505 Secure path required. Please check https://secure.compatent.com/ 5 [0100] The first result of the handshake step above is that the response message is not forwarded because the return path is insecure. Thus, the confidentiality of the reply message remains. Another end result of the handshake phase is that the sender of the response message, i.e. Bob, is provided with an ad hoc mediation method to retransmit the response message. Specifically, Bob can use the Internet 10 browser to contact https://secure.compatent.com/ and send a response message to Alice in a confidential manner from the server with that address. As a result of the two above-mentioned findings, it is concluded that the handling of the reply message involves both the provision of a secure policy enforcement and the provision of a confidential ad hoc mediation mechanism.

Alternatively, the Policy service included in the Postfix software may maintain the confidentiality of the response message. The Policy service forces the Secure Path Server (TPP) to verify during the RCPT phase of the SMTP session that the connection between the TPP and the server transmitting the response message is encrypted when the recipient address indicated in the response message is the TPPO-20 address. For example, the RCPT phase of an SMTP session might look like this:

ehlo deltagon.com 250 OK

mail from: bob@deltagon.com 250 sender bob@deltagon.com OK 25 rcpt to: alice@s.compatent.com o 505 Secure path required. Please check https://secure.compatent.com/alice

CM

, sL When the recipient address is a TPPO address and the connection is not encrypted, the ^ TPP refuses to receive the response message. Specifically, the SMTP session does not execute the SMTP DATA command, so the SMTP session does not

X

£ 30 Forward reply message content over the Internet.

^ [0103] In the above example, the response message cannot be sent, S because a secure return path is not available. However, Bob may send o his reply message to Alice using a confidential ad hoc mediation method.

A significant advantage of the Postfix Software Policy service is that the same 35 servers can be used to receive both normal e-mail and secure return paths to e-mail. In this case, for example, Alice can receive normal email via her alice@compatent.com address and secure return path email via her alice@s.compatent.com address so that in both cases the same server as 5 mail.compatent.com forwards the email to Alice's terminal.

FIG. 4 shows a system 401 for protecting the confidentiality of the contents of the message 402 and the reply message 403 by e-mail during IP (Internet Protocol) based communication network 404.

System 401 includes control entity 405, forward entity 10 406, available memory 407 for both entities, and check policy 408 stored in memory 407, forward entity 406 including at least a node having a secure return path address (TPPO) 409. The node having a TPPO may be a transmit node. 410.

The control entity 405 receives the message 402 assigned by the sender node 410 to the recipient node 411 and stores in the memory 407 the original return address (APO) 412 contained in the message 402.

The control entity 405 writes the TPPO 409 to the return address 402 of the message 402 so that the reply message 403 associated with the message 402 can be transmitted over the secure return path of the message 402 from the recipient node 411 to the sender node 410, the secure return node 410, located in the relay node 413.

The control entity 405 forwards the message 402 to the recipient node 411 using the secure path address (TPO).

In accordance with the check policy 408, the forwarding entity 406 receives the reply message 403 sent by the recipient node 411 in response to the message 402. Further, according to the check policy 408, the forwarding message 403 replaces the TPPO contained in the recipient's X x a reply message 403 to the sender node £ 30,410.

The control policy 408 controlling the operation of the system 401 can be defined in a number of different ways. Preferably, system 401 includes a user interface 414 through which the authentication policy 408 can be modified by the author of system 401 to the called user. Further or alternatively, the contents of the memory 407 18 can be edited via the user interface 414. Preferably, the user interface 414 is web based.

For example, the following review policies are possible.

According to the check policy 408, the reply message 403 is forwarded to 5 sender nodes 411 without any checks. Alternatively, the response message 403 is transmitted to the sender node 411 only when at least one check has been performed and passed.

In the first optional check, the relay entity 406 verifies the confidential mediation mode of the reply message 403 in the communication network 404 when the recipient address of the reply message 403 contains a TPPO.

In another optional check, the forwarding entity 406 verifies the confidential transmission mode of the reply message 403 in the communication network 404 when the reply message is received over an encrypted connection.

In a third optional check, the relay entity 406 identifies the sender 402 of the sender of the reply message 403 as the recipient of the reply message 403 containing a specific identifier that was transmitted with the message 402 to the recipient node 411. The identifier is intended to counteract spam messages.

For example, '' Cecil '' could send Alice a spam message with the subject labeled 'RE:' in reply messages, even though Alice has not sent any 'Cecil' messages. In the third check above, the message sent by '' Cecil '' is revealed as a spam message because it does not contain a label.

The identifier can be formed in many different ways. The identifier can be ™ stored in the memory 407 together with the original return address (APO) 412 of the message 402. In this case, the identifier can be retrieved from the memory 407 i v? for the third review.

As mentioned above, the control entity 405 writes a TPPO to the return address of the message 402 ^ 30 and then forwards the message using the TPO to the recipient node 411. Thus, the control entity has access to the TPPO 409.

CD

g and the secure path address (TPO).

Preferably, TPPO 409 can be formed based on APO 412, for example, by adding 19 after the "s." @ In the Alice email address alice@compatent.com. Therefore, the TPPO need not be stored in memory 407.

If necessary, the TPO may be stored in memory 407. For example, the TPO may be stored in a list of e-mail address pairs.

5 The first member of the pair is a normal email address and the second member is a TPO. For example, the first member of the pair could be bob@deltagon.com and the second member bob@deltagon.com.very_secure_server.com.

10 "very_secure_server.com" in another pair is an example of a secure path server (TPP) address.

When Alice sends a message 402 to Bob, control entity 405 retrieves bob@deltagon.com.very_secure_server.com from the list 404 with the message 402 and then sends 402 15 to bob@deltagon.com.very_secure_server.com, i.e. TPO.

In addition to or instead of the list stored in memory 407, the control entity 405 may use a forwarding node providing ad hoc confidential transmission. Ad hoc mediation is described in the Technical Background section of the application.

For TPO and TPPO, one or a combination of the following three exchange conditions is available in system 401.

1) At least one of the addresses TPO, TPPO, can be read from memory 407.

2) The memory 407 can read the address of the relay node providing the ad hoc confidential transmission, at least one of the addresses TPO, TPPO being available from the relay node.

3) The control entity 405 of system 401 includes a search device 415 ^ to find at least one of the addresses TPO, TPPO.

Figure 5 shows a search device according to the invention for finding secure I-o paths in an IP-based communication network.

The discovery device 501 includes a node finder 502, a domain determiner 503, a TPP finder 504, a inference unit 505 and a memory 506.

o

Node finder 502 receives as input either message recipient information o or message sender information domain name or individual relay node address, o

™ If the input is a domain name, the node search will perform DNS based on the domain name

(Domain Name System) query, which returns a set of nodes consisting of at least one node 20. If the input is a proxy node address, the node finder produces a set of nodes using the Traceroute tool.

Based on the address of the node included in the set of nodes, the domain determiner 503 determines 5 terrestrial domains, an operator domain, an organization domain, and a server domain.

The TPP lookup 504 performs at least one of the following DNS queries: - a first DNS query based on the server domain, revealing whether a secure path server (TPP) has been defined in the server domain, - a second DNS query based on the organization domain, whether the TPP is defined in the organization domain, - the third DNS query based on the operator domain, revealing whether the operator domain is defined by TPP, - the fourth DNS query, based on the domain domain, revealing whether the TPP is defined in the land domain; and the inference unit 505 concludes that the search was successful when the first, second, third, or fourth DNS queries reveal that the TPP has been determined, wherein the inference unit 505 returns the address of the TPP.

If the paging device 501 received the message recipient information as an input, the TPP address returned by the inference unit 505 can be used to form - TPO.

Similarly, if the search device 501 received the sender information of the message as input, the TPPO from the TPP address returned by the decision unit 505 can be used to establish a TPPO.

X

£ 30 The node set returned by node finder 502 may contain multiple o nodes, which increases the likelihood that at least one node in the node S will be exposed in one of the four DNS queries TPP.

o> o The above order of execution of the first, second, third and fourth DNS queries can be reversed if necessary.

21

The following example describes the search for a safe path. Thus, the example relates to forwarding an e-mail from the sender node to the receiving subscriber Imu.

Assume that the recipient address is bob@deltaaon.com. Based on the area name of the address you click-5, the node finder returns a set of nodes. In the example, a set of nodes consists of one node. The IP address of this recipient node is 194.29.195.40.

Preferably, the secure path search is performed at the latest, during the handshake phase of the SMTP. This so-called. The RCPT step is performed before the SMTP 10 DATA commands. During the handshake phase of the SMTP session, the ESMTP command response can be checked to determine whether the response contains a STARTTLS word to indicate the recipient server as a TPP. However, a secure path can also be searched by the method of the invention even if a secure connection cannot be made directly to the recipient cell.

In a preferred embodiment of system 501, the network domain specifier 503 determines the network domains of the node set as follows: based on the first two parts of the subnet address, 20 based on the first three parts of the organizational network node and server 25. by.

[0138] The IP address is known to consist of four parts. The following simplified domain names can be used to find the secure path ^: x - the first part of the IP address defines the terrestrial domain ^ 30 - the first two parts of the IP address define the ^ operator domain - the first three parts of the IP address define σ> o the organizational domain - the IP address the first four sections define the server network domain.

22

It will be apparent to a person skilled in the art that the domain definitions described in the example can be made by more precise and complex methods. For example, geographic information can be obtained by querying an external geo-ip database based on the IP address. The identifier information associated with the domains may also be expressed in different ways. For example, country information can still be expressed by an ISO standard letter combination instead of a numeric value.

The search includes 1-4 steps. The search will be successful if a safe path is found. If no safe path is found in the last step, the search will be unsuccessful.

In the first step, the TPP is searched for by the server domain. The search is based on the following DNS query: 40.195.29.194. tls.s-domain.net

If a TPP is specified, the DNS query returns the TPP address. Otherwise, the second step of the search is performed, etc.

The second step of the search is based on the DNS query 195.29.194. tls.s-domain.net

The third step of the search is based on a DNS query: 29.194. tls.s-domain.net

The fourth step of the search is based on a DNS query: 20 194.tls.s-domain.net

In one embodiment of the invention using the ISO standard country code, a fourth query could be in the form fi.tls.s-domain.net ^ where F1 is an identifier of the geographical location of the address 194.29.195.40.

h- 9 If, for example, the fourth step of the search returns a positive ^ answer '' fi.mail.s-domain.net '', the address of that server is defined as a TPP.

g The TPO can then be formed by appending the TPP address to the

CL

to the end of the taker address: ^ 30 bob@deltagon.com.fi.mail.s-domain.net o In the example, tls.s-domain.net runs a database that can be used to query DNS. It will be obvious to a person skilled in the art that the query format described using the so-called DNS. A records, alternatively MX or TXT records may be used. Further, it is possible to recombine the DNS information 23, that is, based on the response returned by the DNS query, new DNS queries can be performed. In addition, the data can be processed by various algorithms.

The DNS special-5 database at tls.s-domain.net, for example, may be static, dynamic, or a combination thereof.

The static database contains records registered by different countries, operators, organizations, and individual server owners. A dynamic database contains information created by processing data printed by devices that establish SMTP connections. Devices can establish SMTP connections in batch mode or in real time.

In addition or alternatively, the dynamic database contains information obtained by processing the data printed by the Traceroute tool, or by processing a geographical so-called IP address. geo-IP information, domain information extracted from the RIPE database, telecommunications network routing information, or information from 15 other external sources. Algorithms, heuristics, neural networks and other methods can be used to process the data. processing of the data to take into account information about the asking party's IP address, or other party or related to the transmission of a message or a response message identifier.

[0151] The node finder included in the discovery device may be provided with a region name as input, and the node set is preferably formed by a DNS query. The node finder can also receive the address of the relay node as an input. The node finder can then advantageously form a set of nodes with the Traceroute tool. The tool produces an ordered set of nodes, wherein the first node 25 is the node closest to the paging device and the last node is the node furthest from the paging device.

C \ J

^ When creating a set of nodes with the Traceroute tool, the discoverer can advantageously request information about multiple nodes at a time from a special DNS database. The addresses of the nodes can be separated in the query with the desired identifier 30 known to those skilled in the art. The addresses of the nodes are indicated in this case preferably by an ordered set of nodes produced by the Traceroute tool.

CM

£ in order.

σ> § Further node addresses can be searched by so-called. The RIPE- ^ database, where the domains and routing information in the requested domain can be compared. Here, the node finder preferably returns the address of the node furthest from the search device (in terms of hops), which is in the same domain as the node closest to the search device (in terms of hops).

The discovery device may be used in connection with a system or method according to the invention to ensure the confidentiality of the content of the response message. The search device is then preferably associated with a relay entity, which provides the search device with a relay node address as an input. If the TPP address retrieved for the forwarding node address is the same as the forwarding entity address, the forwarding response message can be considered secure.

Additionally or alternatively, the paging device may be used in connection with a system or method according to the invention to ensure the confidentiality of the content of the message.

For security reasons, it is advisable to try to find a TPP serving the smallest possible domain. The messages may be assigned a security rating, for example on a scale of 1-4, according to which only a TPP of a particular security class can be used for message transmission.

The search device of the above invention may be implemented in a number of other ways which will be apparent to those skilled in the art, due to their skill and the advice given in this patent application.

δ

CVJ

o i

LO

X

CC

CL

o

CM

δ CT)

o

o

CM

Claims (8)

25 A patent was claimed by me A paging device for finding secure paths in an IP (Internet Protocol) based communication network, characterized in that the paging device comprises a node finder, a network 5 area descriptor, a TPP finder, an inference unit and a memory, wherein the node finder receives either message recipient information or message sender information. transmitting the address of the relay node and returning a set of nodes comprising at least one node; the domain determiner determines, based on the address of the node 10 contained in the node set, a terrestrial domain, an operator domain, an organization domain, and a server domain; 15 The TPP lookup performs at least one of the following DNS queries: a first DNS query based on a server domain revealing whether a secure path server (TPP) is defined in the server domain, a second DNS query based on an organization domain 20 revealing whether the organization domain has a TPP defined, a third DNS query operator revealing whether the operator domain has a defined TPP; a fourth DNS query based on the domain domain, revealing whether the domain is defined by TPP; and the inference unit concludes that the search was successful when the first, second, third, or fourth DNS queries reveal that the TPP has been defined, wherein the inference unit returns the address of the TPP. i A search appliance according to claim 1, characterized in that the domain determiner determines g 30 based on the first portion of the GNU node address, based on the first two o ™ portions of the operator domain node, g on the first three ° portion of the gateway domain node and 4 based on the first part. 26 Search device according to claim 1, characterized in that the order of execution of the first, second, third and fourth DNS queries is interchangeable. A search device according to claim 1, characterized in that the node finder generates a set of nodes using the Traceroute tool, A search appliance according to claim 1, characterized in that the node searcher performs a DNS (Domain Name System) query based on the domain name, which produces a set of nodes. A search appliance according to claim 5, characterized in that the special DNS database includes a static database and a dynamic database, whereby when the DNS query generates a negative response from the static database, the DNS query is re-directed to the dynamic database. A search appliance according to claims 4 and 6, characterized in that information on at least two nodes is requested at a time from a special DNS database, the order of the nodes corresponding to the order of the ordered node obtained by the Traceroute tool. A search appliance according to claim 7, characterized in that the address of at least one node of the node set is searched in a RIPE-20 database for comparing network domains and routing information in the requested domain and returning the address of the node furthest from the search appliance in the same domain as the node. δ {M i h- · o tn X en CL O {M δ σ> o o {M 27