FI123250B - Procedure for protecting the confidentiality of the content of a message and a reply - Google Patents

Description

A method of protecting the confidentiality of the content of a message and a reply message

FIELD OF THE INVENTION The invention relates generally to e-mail and data security. In particular, the invention relates to solutions for ensuring that the content of an e-mail message remains confidential when the content is transmitted from the sender to the recipient over the Internet. If the recipient of the e-mail replies to the message, that is, sends a reply message, the content of the reply message must also remain confidential.

Background of the Invention It is known that the Internet transmits IP (Internet Protocol) packets. These IP packets are encapsulated in different ways for different types of communication needs. For example, encapsulation produces TCP / IP Transmission Control 15 Protocol / (Internet Protocol) packets. The e-mail message consists of at least one Internet-based communication packet, such as an IP packet or a TCP / IP packet.

[03] There are servers on the Internet that are considered secure and servers that are considered insecure. Generally speaking, the sender of an email does not know which servers are secure and which are unsafe. Even if the sender knows which servers are secure, it may not be possible for the sender to control the Internet so that his or her message passes through the secure servers.

CVJ [04] A server that connects a LAN to the Internet is commonly referred to as a £ 3 25 firewall. A firewall is connected to a local area network to terminals that have ό allocated Internet addresses within a specific address space. E-mail messages addressed to the address space are routed through the firewall and LAN to the recipient's terminals. In this application, the term '' firewall 'also refers to the so-called firewall. an e-mail firewall capable of handling e-mail messages as a whole, rather than individual communication packets;

CD

g very complex checks and conversions for e-mails, o ° [05] If the sent message passes through at least one unsafe server, the confidentiality of the message is compromised. To resolve this issue, the message may be encrypted.

2 [06] The following are some of the encryption-based e-mail solutions and related problems.

[07] IPsec (IP security) is a set of protocols that secures IP connections. The IPsec solution can use the ESP (Encapsulating Security 5 Payload) protocol, whereby each IP packet associated with a secure IP connection is encrypted.

[08] In an IPsec solution, traffic on certain terminals or all terminals on a LAN is routed through a single point, such as a firewall. The firewall encrypts the outgoing traffic and decrypts the incoming traffic 10. Alternatively, the terminals perform the outgoing traffic encryption and the incoming traffic decryption.

[09] IPsec has been used to establish confidential communication channels between communication parties. These parties can communicate via a Virtual Private Network (VPN), which contains 15 confidential communication channels.

The problem with IPsec is that maintaining communication channels is quite laborious as it requires the exchange of encryption keys between the communication parties. As such, IPsec is poorly suited to typical open e-mail environments where organizations and their representatives have 20 non-organizational communication parties.

The S / MIME (Secure Multipurpose Internet Mail Extensions) solution requires the sender and the recipient to have encryption keys and compatible encryption software. S / MIME is based on the use of a public and private encryption key. While most email clients support 5 25 S / MIME, only a few users have encryption keys.

CVJ

o As with the IPsec solution, the problem with the S / MIME solution is ό the hassle of changing and maintaining the keys.

g Another problem with the S / MIME solution relates to the prevention of harmful traffic.

If the sender's workstation has been compromised, the maliciousoh-co g 30 jelma can send malicious messages encrypted with the recipient's public key

LO

g to the recipient. Because messages are encrypted, harmful content inside them, such as spam or a virus, cannot be effectively identified by a typical network-based email gateway. Thus, 3 malicious messages can pass through multiple checks all the way to the recipient's desktop.

Although the prior art provides the ability to copy the private key of each sender / receiver to the protection server and decrypt it during content scanning, the procedure is complicated.

Encrypting messages is therefore a negative measure to prevent harmful traffic.

In the IBE (Identity Based Encryption) solution, a set of keys is derived for different identities based on a master key. The first 10 options associated with the solution require that the sender and recipient of the message have compatible encryption software. If the sender does not have the recipient's public encryption key, the sender may use a method to speculatively encrypt the message. This method generates an encryption key based on the recipient's email address and encrypts the message with the encryption key generated.

IBE simplifies key management over the S / MIME method, but it causes a new problem, the recipient identification problem. The prior art does not provide a user-friendly method of identifying a recipient in a situation where the recipient is not known for anything other than 20 email addresses.

As mentioned above, message encryption is a negative measure in the prevention of harmful traffic. Therefore, the preferred alternative to the IBE solution is considered problematic.

[018] The alternative alternative to the IBE solution uses WWW (World Wide Web) based messaging instead of encryption software, while the IBE-related WWW based messaging and the D3 server created by the applicant are some examples of so-called email messages ad hoc mediation.

x [020] The applicant's D3 server is compatible with existing e-mail systems. The D3 server enables reliable e-mail communication between organizations without the hassle of managing distributed software and servers. Based on the contents of the e-mail message, the D3 server creates at least one file S and then performs the same steps as the following method.

The method comprises the steps of: 1) encrypting a file for a recipient, 2) placing the encrypted file on a web server, 3) creating an e-mail message containing a link to an encrypted file placed on a web server, and 4) sending the created e-mail message to the recipient.

Upon receipt of the message, the recipient can read the file via a web browser via the link contained in the message. Clicking on the link establishes an HTTPS (Hypertext Transfer Protocol Secure) connection between the recipient's terminal and the server on which the file is located, allowing the contents of the file to be read in a confidential manner.

[023] The first problem with the above method is that the recipient needs a web browser on their terminal, otherwise the file cannot be read.

Another problem with the method is that the email may end up in the wrong person. In this case, the wrong person will be able to read 15 files if the method does not use person authentication, such as a password. Thus, the confidentiality of the file is compromised without encryption when the message containing the link passes through an insecure server. On the other hand, the method is considered to have the advantage of ensuring that e-mail confidentiality is fairly well protected, without the hassle of sending and maintaining an encryption key.

End-to-end secure data communications have become commonplace on the Internet. A Transport Layer Security (TLS) protocol has been developed to meet the needs of confidential communication. TLS is a protocol that protects the transmission of Internet applications over the Internet. The most common use of TLS 25 is to protect the transmission of VWWV pages when using the HTTPS protocol mentioned above. You can use the TLS plug-in for ESMTP (Extended Simple) for confidential email forwarding

Mail Transfer Protocol). It is known that the encryption technology supported by the receiving server g can be checked by an SMTP session opening check device, co g. The nodes of the telecommunication network form the paths through which the telecommunication packets contained in the electronic mail message can be transmitted over the telecommunication network. Known methods for studying paths are discussed below.

Traceroute is an operating system command using the TCP / IP protocol, which determines which path, i.e. packets, are transmitted to a particular node in the telecommunications network. For example, a node is a server or router. Moving one or more packets from one node to the next node is called 5 hops.

The Traceroute command increments the "To Time" value of packets it transmits, indicating the number of hops to be performed. Specifically, the first packet has a "Time To Live" value of one, the second packet has a "Time To Live" value of two, etc. Thus, the first packet returns after the first 10 routers, the second packet returns after the second router, etc. based on this, the traceroute command generates a list of nodes in the communication network. List nodes form a path along which packets travel to a particular node in a telecommunications network.

The Traceroute command is derived from Unix operating systems. Most 15 Linux operating systems include the "Matt's Traceroute" tool used with the "mtr" command instead of the same command or traceroute. Similarly, Vindovvs operating systems use the '' tracert 'command.

In the application, the term "Traceroute" or "Traceroute Tool" refers to commands "" traceroute "," mtr "," "tracert" and other possible commands that can be used to determine the path of packets.

Although the use of the Traceroute tool is restricted for security reasons, many Internet backbone routers accept its use. As a result, Traceroute can sometimes find out which servers or countries ^ 25 the e-mail sends to on the Internet,

CVJ

Assume that the path traversed by the message is cleared by the Traceroute tool and the list generated by the tool contains a number of servers. This is a list

O

is compared to a list of secure servers available on the Internet, or list of insecure servers. The comparison made reveals whether all the servers in the path passed by the co 30 message are secure or not.

CD

CD

g [033] It is known that e-mails transmitted by the Internet are routed o through the firewall and the LAN to the terminals of the recipients, and e-mails sent from the terminals to the outside of the LAN are routed through the firewall to the Internet. Because of traffic management, the firewall may be referred to as the Message Transfer Agent (MTA).

In addition to firewalls, other servers can also act as MTAs. In source routing, the sender of the communication packet 5 is able to direct the communication packet to the recipient along a specific route. Source routing can be applied to individual e-mail messages instead of individual communication packages. In this case, the addresses of the MTAs that are on a particular route are included in the recipient address of the message. When the MTA receives a message, it shortens the recipient address by deleting its own address from the recipient address. The MTA then forwards the message according to the truncated recipient address.

With source routing, the sender can test different paths or order the message to be transmitted along a faster, cheaper, or more reliable path. However, for security reasons, the use of source routing is often prohibited.

[036] The basic principle of the Internet is that the Internet routes the transmitted communication packets from the sender node to the recipient node.

As mentioned above, the prior art provides: - limited access to the Traceroute tool, - the security of the server running the path of the communication packets 20 can be determined by the list of secure servers or the list of insecure servers - if source routing is allowed.

The first problem with the prior art is that even if secure paths are available through the e-mail message, the sender of the message is generally unaware of the existence of secure paths and the system used by the sender T is unable to direct the message to the secure path, ox. the problem with the prior art is that the sender has * no opportunity to influence the path along which the recipient of the message 2 30 sends its reply message associated with the message. Frequently reply message

CD

g contains the entire message to which the recipient of the message replied o in his reply message.

CM

Even if the message is passed along a secure path to the recipient, the path passed by the reply message, i.e. the so-called. the return path presents a security risk 7 if the return path is unsafe. In particular, a security risk means that sensitive information contained in a reply message will end up in the wrong person trying to misuse the information due to an unsafe return path.

BRIEF SUMMARY OF THE INVENTION One object of the invention is to solve the above-mentioned prior art problems. The invention is characterized by what is stated in the appended claims.

An attempt is made to ensure the confidentiality of e-mail by using a secure path over the Internet.

The method of the invention includes the following steps to be performed in the control entity.

Based on the message recipient information, the control entity retrieves the secure path address (TPO) from the memory, where the secure path contains at least one node.

15 In the absence of a TPO in memory, the control entity searches for a secure path on the discovery device, the searcher receives the message recipient information as input, and outputs the TPO.

The control entity writes a message to the recipient's TPO address to forward the message over a secure path to the recipient node in the communication network.

Based on the message sender information, the control entity retrieves the Secure Return Path Address (TPPO) from the memory, wherein the secure return path includes at least one relay node between the message sending node and the receiving node.

cvj 25 In the absence of a TPPO, the control entity searches for a secure £ 3 return path on the paging device, the paging device inputs the message sender information and outputs the TPPO.

o Finally, the control entity writes the message to the return address TPPO so that the response message associated with the message can be forwarded over the communication network to secure a 30 return path from the recipient node to the sender node.

co g The invention is defined in the appended claims, m

C/O

o o

CVJ

8

BRIEF DESCRIPTION OF THE FIGURES The invention will now be described in more detail with reference to the following schematic diagrams, of which Figure 1A illustrates nodes and entities associated with the invention, Figure 1B illustrates an example of control and relay entity, and Figure 4 illustrates the system for safely transmitting a message and a reply message via email.

DETAILED DESCRIPTION OF THE INVENTION Figures 1A and 1B illustrate some of the terms related to the invention, and Fig. 3 illustrates an Application Example of the invention in which the imaginary persons, Alice and Bob, send each other e-mails.

Figure 1A shows nodes and entities associated with the invention. The sender node 101, the relay node 102, and the recipient node 103 are nodes of an IP based communication network such as the Internet. Nodes 101-103 are different nodes.

20 Server, router, and terminal are some examples of communication network nodes. Generally, the sending node 101 is a terminal and the receiving node 103 is a terminal.

Both control entity 104 and forward entity 105 include at least one node. The control entity 104 may be the same entity as the transmission entity 105 of the forwarding entity, or the entities (104 and 105) may include at least one common node.

° Sender node 101 transmits message 106 to recipient node 103.

The control entity 104 receives the message 106. The control entity 104 may g include the sender node 101, or the control entity 104 may be included in the sender node 101.

C/O

CD

g After the first address change of the message 106, the control entity 104 forwards the message 106 along the secure path 107 to the recipient node 103.

00 The secure path contains at least one node in the telecommunications network. The node contained in the secure path 107 may be the recipient node 103.

In response to message 106, recipient node 103 transmits response message 108 along a secure reverse path 109. The forward entity 105 receives the response message 108. The forward entity 105 may include the sender node 101, or the forward entity 105 may be included in the sender node 101.

The forwarding entity 105 forwards the reply message 108 after the second address change to the sender node 101.

To maintain the confidentiality of the message 106, the message 106 is securely transmitted from the sender node 101 to the control entity 104 and the control entity 104 along a secure path 107 to the recipient node 103.

To maintain the confidentiality of the reply message 108, the reply message 108 moves along the secure reverse path 109 to the forward entity 105 and the forward entity 105 in a secure manner to the sender node 101.

The aforementioned first address conversion performed by control entity 104 is such that the control entity replaces the original return address (APO) contained in the return address 15 of the message 106 with a secure return path address (TPPO).

The second address transformation, i.e. the address transformation performed by the forward entity 105, is such that the forward entity replaces the secure reverse path address (TPPO) 20 of the recipient address of the reply message 108 with the original return address (APO).

A secure path server (TPP) is defined as a server that meets the following two requirements: 1) TPP is able to receive e-mail messages in a trusted manner, such as using the TLS protocol, ^ 2) TPP is capable of relaying messages in a confidential manner tavalla TPP: KSI defined verkoa- ό holder lueen or other trusted party body.

The secure path 107 includes at least the recipient node 103. If the secure path contains only the recipient node 103, the recipient node 103 is a TPP. The first node of the secure path is TPP, which has g TPO. The first node of the secure path is the node to which the control entity 104 forwards the message 106.

The secure return path 109 includes at least a forward entity 103. The forward entity 103 has a TPPO. More specifically, the relay entity 103 includes a node which is a TPP and has a TPPO. Figure 1B shows an example of a control and relay entity. In this example, the sending node 101 and the receiving node 103 are terminals. The sender node 101 is connected by LAN 110 to the sender firewall 111. Similarly, the receiver node is connected by LAN 112 to the recipient firewall 113.

An email message sent from the sender node 101 passes through the sender 10 firewall 111, the Internet 114, and the recipient firewall 113 to the recipient node 103.

Similarly, the response message sent from the recipient node 103 in connection with the e-mail message passes through the recipient firewall 113, the Internet 114, and the sender firewall 111 to the sender node 103.

Figure 1B illustrates the forwarding of an e-mail message and a related reply message with double-headed arrows.

With respect to Internet 114, it should be noted that Internet 114 is a network of networks. Fig. 1B illustrates, from the networks included in the Internet 114, the sender operator network 115 and the receiver operator network 116. The sender 20 operator network 115 provides broadband connections to the sender node 101 and the receiver operator network 116 to the recipient node 103 respectively.

The control entity 104 and the forward entity 105 are located on one or more devices in the LAN 110, the sender firewall 111, and / or ^ 25 the sender operator network 115. The control entity 104 and the forward entity ό 105 can be deployed in several different ways. For example, both entities ό 104 and 105 can be located on the same e-mail server on the sender's operator network 115 x.

CC

□ _ With reference to Fig. 1A, it was mentioned that the reply message 108 goes to the relay

C/O

g 30 from entity 105 in a secure way to sender node 101. A secure way

LO

g means, for example, that messaging from the sender's operator network ° 115 to the sender node 101 is secure. An individual or organization is expected to have confidence in their broadband provider.

Correspondingly, it is assumed that message transmission is secure between the recipient node 103 and the recipient operator network 116.

Messaging security problems are related to traffic between the sender operator network 115 and the recipient operator network 116.

5 There are typically several alternative paths between networks 115 and 116. Only some of the alternative paths are safe paths.

FIG. 2 illustrates a method for protecting the confidentiality of message and reply message content by e-mail over an IP (Internet Protocol) based communication network.

[070] The method utilizes at least control entity. Generally, the control entity is one of the following entities: a telecommunications network terminal, an email relay node in a telecommunications network, or an entity comprising at least one terminal and at least one email relay node. An e-mail server and a firewall are typical examples of an e-15 mail forwarding node.

The method includes the following steps to be performed in a control entity: first, retrieving a secure path address (TPO) from the memory of the 201 message recipient information, wherein the secure path contains at least 20 one node. TPO is the node's e-mail address that configures e-mail to pass through a secure path server (TPP). Node means a server, terminal, or other node in a telecommunications network.

The memory used by the method or system of the invention includes at least one memory device. The memory is available for at least one node. Memory is available locally or globally, o ^ - In the absence of TPO 202, a safe path is searched 203? exploration device. As shown above in Figure 1B, the sender operator network 115 and the recipient operator network 116 typically have a plurality of g paths, some of which are secure. The search device 30 attempts to find at least one secure path, more specifically at least one co g TPP. The discovery device receives the message recipient information as an input and prints it

LO

g TPP address. Based on the TPP address, the original recipient information is converted to TPO. The conversion can be accomplished by adding the TPP address to the end of the original recipient address.

12 - then writing 204 to the TPO of the recipient of the message to forward the message over a secure path to the recipient node in the communication network.

- Next, retrieving based on 205 message sender information 5 secure return path address (TPPO) from the memory, wherein the secure return path includes at least one relay node located between the message sending node and the receiving node. A TPPO is a node email address that specifies a possible reply message for an email to pass through a secure path server (TPP). An e-mail reply message refers to a so-called "spam" as defined below. message to the return address.

In the absence of the TPPO in the memory 206, a secure return path 207 is searched by the paging device, the paging device receives the message sender information as input, and outputs the TPP address. Based on the TPP address, the original return address is converted to TPPO. The conversion can be performed by adding the TPP address to the end of the original sender address domain name.

It will be appreciated that the above transformations resulting in TPO or TPPO may be accomplished in any other manner obvious to one skilled in the art.

- lastly, writing 208 messages to the return address TPPO so that the response message associated with the 20 messages can be forwarded over the secure return path from the recipient node to the sender node in the communication network.

Descriptions of the method and system of the invention include the terms sender node and recipient node. The sender node and the receiving node may use the same carrier network. However, the advantages of the invention are best exemplified in the situation of FIG. 1B, where my sender node and receiver node use different operator networks. In the prior art, protecting the confidentiality of message and reply message contents is known to be challenging when the sender node and the recipient node use different carrier networks.

1 30 [073] The return address of a message is used in different contexts, co The return address is, for example, one of the following addresses: SMTP (Simple Mail

CD

g The "From:" address in the Transfer Protocol envelope, the "Reply-To:" address in the Multipurpose o Internet Mail Extensions (MIME) header, or another address in the ^ MIME header ('' Sender ' - or '' Receiver '').

The memory used by the control entity can be initialized so that at least one of the searches is performed: searching for a safe path or searching for a safe return path.

The memory may be initialized once or repeatedly so that, when retrieving the Secure Path Address (TPO) from the 201 message recipient information, no TPO is found. The method then performs a secure path search.

Further, or alternatively, the memory may be initialized once or repeatedly so that when retrieving a secure reverse path address (TPPO) from a message based on 205 message sender information, no TPPO is found. The method then performs a search for a safe return path.

Thus, by initializing memory, the control entity may be forced to use a search device to find a secure path or a secure return path.

Alternatively, the use of the search device may be dispensed with completely or for a period of time. The method then stores at least one of the TPO or TPPO addresses in the memory by the control entity. As long as the TPO is stored in memory, no secure path is searched. Similarly, as long as the TPPO is stored in memory, no safe return path is searched.

Figure 3 illustrates optional further steps of the method. Steps 201 -208 shown in Figure 20 are illustrated in Figure 3 by dashed line 301.

Preferably, the following optional additional step is performed before steps 201-208.

The method provides 200 at least a message's original return address (APO) from a control entity to a relay entity containing at least a node having a TPPO. APO is caring about the control entity? was done in several ways obvious to a person skilled in the art. For example, the APO may be encoded into a TPPO and transmitted with the message.

| In response to the message, in an embodiment c0 of the invention, the transmitting entity receives a response message having the recipient node

CD

g 30 posted by. If necessary, different types of checks may be applied to the response message. Preferably, adjustments may also be made during the handshake phase of the 00 SMTP session associated with the response message.

The method includes the following steps to be performed in the broker entity after any checks.

replacing the TPPO APO of the 210 response message recipient address sent by the control entity to the relay entity, and forwarding 5 211 response messages to the sender node.

As mentioned above, the control entity replaces the APO contained in the return address of the message with a TPPO. TPPO can be formed in many different ways. The following is a simple way of forming a TPPO.

[085] "s." Is added before the area name in the return address. In addition, the MX 10 (Mail exchange) information must be modified so that the domain name, based on the custom MX information, points to a server that receives e-mail messages only through an encrypted connection such as a TLS connection.

Use example. Let's say Alice works for a company called Compatent 15 and Bob Deltagon. Let's assume that

Alice has written an email and sent it to Bob. In this case, the email sent by Alice's terminal is sent from alice@compatent.com and sent to bob@deltagon.com.

The original Return Address (APO) of the message is thus 20 alice@compatent.com

Modified Return Address, or Safe Return Path (TPPO), is alice@s.compatent.com It is noted that the entry "s." In the TPPO is an example, that could be replaced by another entry indicating that 25 email addresses is TPPO. o C \ l ^ [089] For the above address conversion, a so-called. MX information could be edited as follows: o "normal email" | compatent.com. MX mail.compatent.com.

co 30 "Safe Return Path Email"

CD

g s.compatentcom. MX tppo.compatent.com, where the '' tppo.compatent.com 'server contains a forced TLS configuration.

[090] Due to the forced TLS setting, the server '' tppo.compatent.com 'expects to receive the STARTTLS command immediately after the EHLO command. The forced TLS setting can be implemented, for example, by mail delivery software called Postfix or Sendmail.

5 [091] Alice's e-mail is transmitted through the sender node and the receiver node to Bob.

Suppose Bob reads Alice's message, writes a related reply message, and sends a reply message to Alice. The recipient node, i.e. the Bob serving node, then forwards the response message to the TPPO address 10 ai ice @ s. compatent.com [093] Due to the above MX information, Bob's response message must be forwarded to the server '' tppo.compatent.com ', which accepts e-mails only through an encrypted connection, i.e. a TLS connection. This server acts as a secure path server (TPP) for a specific domain.

15 [094] If the response message forwarding server does not yet have a TLS connection to the TPP, the handshake phase associated with the connection may look like, for example:

ehlo deltagon.com 250 OK

20 mail from: bob@deltagon.com 505 Secure path required. Please check https://secure.compatent.com/ [095] The first result of the handshake phase above is that the response message is not forwarded because the return path is insecure. Therefore, the confidentiality of the reply message remains. Another end result of the handshake step is that the sender of the reply message ^ 25, i.e. Bob, is provided with an ad hoc mediation mode to retransmit the reply message. Specifically, Bob can use his Internet browser to contact o at https://secure.compatent.com/ and send a response message to Alice in a confidential manner from a server with said address x.

As a result of the two above-mentioned results, it is noted that the processing of the reply message 230 includes both the provision of a secure policy enfor ce cement and the provision of a confidential ad hoc mediation mechanism. Alternatively, the Policy service included in the Postfix software can maintain the confidentiality of the reply message. The Policy service forces the Secure Path Server (TPP) to verify at the RCPT step of the SMTP session that the connection between the TPP and the server transmitting the response message is encrypted when the recipient address indicated in the response message is a TPPO address. For example, the RCPT phase of an SMTP session might look like this:

ehlo deltagon.com 5,250 OK

mail from: bob@deltagon.com 250 sender bob@deltagon.com OK rcpt to: aiice @ s. compatent.com 505 Secure path required. Please check https://secure.compatent.com/alice 10 [097] When the recipient address is a TPPO address and the connection is not encrypted, the TPP refuses to receive a response message. More specifically, the SMTP session does not execute the SMTP DATA command, so the content of the reply message is not transmitted over the Internet in the SMTP session.

In the previous example, sending a reply message fails because a secure return path is not available. However, Bob may send his reply message to Alice using a confidential ad hoc transmission method.

A significant advantage of the Postfix Software Policy service is that the same server can be used to receive both standard e-mail and secure return path to e-mail. In this case, for example, Alice can receive normal email through her alice@compatent.com address and secure return path email via her alice@s.compatent.com address, so that in both cases the same server as mail.compa-tent.com forwards the email to Alice. to the terminal.

Fig. 4 shows the content of the message 402 of the system 401 and the reply message 403 o 25 to protect the confidentiality of the e-mail (Internet)

CM

^ Protocol) -based communication network 404.

System 401 includes a control entity 405, a forward entity 406, a memory 407 available to both entities, and a check policy 408 stored in the memory 407 *, the broker entity 406 including at least 2,30 nodes having a Secure Return Path Address (TPPO) 409. The TPPO

CD

The node having g may be the sender node 410.

c3 The control entity 405 receives the message 402 addressed by the sender node 410 to the recipient node 411 and stores in the memory 407 the original return address (APO) 412 contained in the message 402.

17

The control entity 405 writes a TPPO 409 to the return address 402 of the message 402 so that the reply message 403 associated with the message 402 can be transmitted along the secure return path of the message node 411 to the sender node 410, the secure return node 413.

The control entity 405 forwards the message 402 to the recipient node 411 using the secure path address (TPO).

According to the check policy 408, the forwarding entity 406 receives the 10 response message 403 sent by the receiving node 411 in response to the message 402. Further, according to the check policy 408, the forwarding entity 406 replaces the response message 403 with the APO transmitted 412 to node 410.

The control policy 408 controlling the operation of system 401 can be defined in a number of ways. Preferably, system 401 includes a user interface 414 through which the scan policy 408 can be modified by an authorized user of system 401. Further or alternatively, the contents of the memory 407 can be edited via the user interface 414. The user interface 414 is preferably VWWV based.

For example, the following review policies are possible.

According to the check policy 408, the reply message 403 is forwarded to the sender node 411 without any checks. Alternatively, the response message 403 is transmitted to the sender node 411 only when at least one check has been completed and passed.

CM

In the first optional check, the forwarding entity 406 ό verifies the confidential transmission mode of the reply message 403 in the communication network 404 when the recipient address of the reply message 403 contains a TPPO.

cc

In another optional check, the transmission entity 406 is confirmed

C/O

In a third optional check, the transmitting entity 406 identifies the sender 402 of the reply message 403 as the recipient of the message 402 containing the particular identifier 402. to the recipient node 411. The purpose of the tag is to prevent spam messages that appear to be response messages, even if they are not actually.

For example, '' Cecil '' could send Alice a spam message with the subject labeled 'RE:' in reply messages, even though Alice has not sent any 'Cecil' messages. In the third check above, the message sent by '' Cecil '' is revealed as a spam message because it does not contain a label.

The identifier can be formed in many different ways. The identifier may be stored in the memory 407 together with the original return address (APO) 412 contained in the message 402. The identifier can then be retrieved from memory 407 for a third check.

As mentioned above, the control entity 405 writes a TPPO to the return address of the message 402 and then forwards the message to the recipient node 411 using the TPO. Thus, the control entity has access to the TPPO 409 and a secure path address (TPO).

Preferably, the TPPO 409 can be formed on the basis of APO 412, for example, by adding 20 after the "s." @ To the Alice email address alice@compatent.com. Therefore, the TPPO need not be stored in memory 407.

If necessary, the TPO may be stored in memory 407. For example, the TPO may be stored in a list of e-mail address pairs. The first member of the pair is a normal email address and the second member is the TPO.

o 25 The first member of a couple could be, for example

CVJ

ό bob@deltagon.com ό and another member bob@deltagon.com.very_secure_server.com.

^ Another member of the pair, "very_secure_server.com", is an example of a g 30 secure path server (TPP) address.

CD

g [0117] When Alice sends a message 402 to Bob, the control entity 405 retrieves the address bob@deltagon.com.very_secure_server.com from the address 402 contained in the message 402 and then sends the message 402 to bob@deltagon.com.very_secure_server.com or TPO.

19

In addition to or instead of the list stored in the memory 407, the control entity 405 may use a forwarding node providing ad hoc confidential transmission. Ad hoc mediation is described in the Technical Background section of the application.

With respect to TPO and TPPO, one or a combination of the following three alternatives is available in system 401.

1) At least one of the addresses TPO, TPPO, can be read from memory 407.

2) The memory 407 can read the address of the relay node providing the ad hoc confidential transmission, at least one of the addresses TPO, TPPO being available from the relay node.

3) The control entity 405 of system 401 includes a search device 415 for detecting at least one of the addresses TPO, TPPO.

In addition to the above embodiments, descriptions and examples of the invention, the method and system of the invention may be implemented in a number of other ways which will be apparent to those skilled in the art by virtue of their skill and guidance in this application.

CVJ

δ

CVJ

ό o

X

X

Q.

C/O

CD

CD

LO

C/O

O

O

CVJ

Claims (8)

20 A method for protecting the confidentiality of the contents of a message to be transmitted and of a reply message via e-mail over an IP (Internet Protocol) based communication network, characterized in that the method comprises steps in a control entity: retrieving (201) a secure path address (TPO) the secure path defines a secure path for the message to be transmitted from the sender node to the recipient node 10 and includes at least one node receiving and forwarding messages over a secure connection, in the absence of the secure path address (TPO) (202) searching the memory for a secure path for the message recipient information, searches at least one secure path in the sender's 15 operator network and the recipient operator network and outputs a secure path address (TPO) , writing (204) to the recipient address of the message to be transmitted a secure path address (TPO) to forward the message along a secure path to the recipient node in the network 20, retrieving (205) based on the sender information of node and includes at least one relay node between the sender node of the message to be transmitted and the recipient node 25, which forwards the messages via a cvj secure connection, in the absence of a secure return path address (TPPO) (206) for the message sender information entered, the sender 30 searches the at least one secure return path (TPP) from the operator's network and the recipient's operator network and outputs 2 a secure return path address (TPPO), and CD g writing (208) a secure return path address (TPPO) to the message to be transmitted so that the 35 response messages associated with the message to be transmitted are transmitted over the secure return path from the recipient node to the sender node. 21 A method according to claim 1, characterized in that the method provides (200) at least the original return address (APO) of the message to be transmitted from the control entity to the transmission entity containing at least a node having a secure reverse path address (TPPO). A method according to claim 2, characterized in that the method receives (209) a response message addressed to a secure return path address (TPPO) in a forward entity sent by the recipient node in response to the message. A method according to claim 3, characterized in that the method includes the steps to be performed in the relay entity: replacing (210) the secure return path address (TPPO) contained in the response message recipient address with the original return address (APO) transmitted by the control entity to the relay entity. A method according to claim 1, characterized in that at least one of the addresses 20 is stored in the memory by the control entity: secure path address (TPO), secure return path address (TPPO). A method according to claim 1, characterized in that the memory can be initialized so that at least one of the searches is performed: searching for a safe path, searching for a safe return path. A method according to claim 1, characterized in that the CM0 25 control entity is one of the following entities: a communication network terminal CM1 device, an email relay node in a telecommunication network, or an entity comprising at least one terminal device and at least one email relaying CO 0 node. X A method according to claim 1, characterized in that the return address 2 30 is one of the following addresses: The "From:" address contained in the Simple Mail Transfer CD g Protocol (SMTP) envelope, in the MIME (Multipurpose Internet o Mail Extensions) header section "Reply-To:" address or any other address contained in the MIME header. 22