WO2002071719A1 - Procede et systeme pour le chiffrement de messages numeriques - Google Patents

Procede et systeme pour le chiffrement de messages numeriques Download PDF

Info

Publication number
WO2002071719A1
WO2002071719A1 PCT/CA2002/000288 CA0200288W WO02071719A1 WO 2002071719 A1 WO2002071719 A1 WO 2002071719A1 CA 0200288 W CA0200288 W CA 0200288W WO 02071719 A1 WO02071719 A1 WO 02071719A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital
recipient
message
sender
server
Prior art date
Application number
PCT/CA2002/000288
Other languages
English (en)
Inventor
David Paul Wiebe
Whitney Williams
Original Assignee
David Paul Wiebe
Whitney Williams
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by David Paul Wiebe, Whitney Williams filed Critical David Paul Wiebe
Publication of WO2002071719A1 publication Critical patent/WO2002071719A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Definitions

  • the invention relates to the field of data processing systems. More specifically, the invention relates to message encryption and transmission. BACKGROUND OF THE INVENTION
  • X.509 v3 Public Key Certificates under RFC 2459 is built into many of today's most popular email programs including Microsoft's Outlook and Outlook Express, Netscape's Messenger, and Lotus's cc:Mail. Encryption is not used to the extent that it could be because current email programs require the sender to obtain the recipient's public key or "Digital ID", as Microsoft refers to it. Very few email users today have such a Digital ID. In fact, the current process of obtaining a Digital ID has been an impediment to widespread adoption of email encryption.
  • a Public Key Infrastructure (PKI), which forms the basis of present Internet encryption standards, is a system for allowing users to exchange information over an unsecure public network through the use of private and public key pairs in an asymmetric encryption system.
  • PKI Public Key Infrastructure
  • the key pairs are obtained and shared through a trusted authority (i.e. Certificate Authority or CA).
  • a trusted authority i.e. Certificate Authority or CA.
  • public key encryption it is the recipient's public key that determines the encryption algorithm and strength (e.g. key length).
  • encryption algorithm and strength e.g. key length
  • PKI Public Key Integrity
  • Currently available email encryption systems have several drawbacks. First, they often use a proprietary encryption method which requires both the sender and receiver to have special software for encryption and decryption. This special software is often not interoperable with the SMIME email encryption standard. Second, these systems often require a separate mail client (i.e.
  • the email message (including attachments) is not effectively encrypted in several of these systems. That is, while the email transmission may be encrypted, the email content itself is not. The result is that the email message may remain in an unencrypted form in both the sender's and recipient's computer systems.
  • encrypted messages are often forwarded to, stored on, and retrieved from a server located on the Internet, as opposed to going directly from the sender to the recipient.
  • encryption is often password based (i.e. symmetric, private key) rather than public key based (i.e. asymmetric). Again, asymmetric encryption is the defacto PKI standard which includes the use of secure and reliable digital
  • a method and system that will allow an email sender (i.e. Registration Authority in the PKI model) to obtain (i.e. from a Certificate Authority) a Digital ID on behalf of the email recipient.
  • an email sender i.e. Registration Authority in the PKI model
  • obtain i.e. from a Certificate Authority
  • a Digital ID on behalf of the email recipient.
  • the invention provides a method and system for sending encrypted email. According to one aspect of the invention, a method is described that allows a sender to transmit encrypted email over the Internet following PKI standards but without prior knowledge of the recipient's public key.
  • the method comprising the steps of requesting a Digital ID on behalf of a recipient from a server by a sender, creating a Digital ID by the server, transmitting the Digital ID to the sender from the server, transmitting a first message to the recipient from the server informing the recipient that the sender has initiated the creation of a Digital ID for the recipient thereby enabling the sender and said recipient to exchange encrypted messages, transmitting the Digital ID to the recipient from the server, encrypting a second message by the sender using the recipient's Digital ID and sending the encrypted second message directly to the recipient, receiving the encrypted second message from the sender by the recipient and decrypting the encrypted second message by the recipient using the Digital ID.
  • a data processing system has stored therein data representing sequences of instructions which when executed cause the above described method to be performed.
  • the data processing system generally has a Digital ID Server, a sender client, a recipient client, Internet access, databases, and Digital ID Manager software.
  • the method and system may facilitate other forms of electronic or digital messaging including voice, peer-to-peer, and instant messaging.
  • FIG. 1 is a screen capture illustrating the first step used by Microsoft's Outlook Express for encrypting an email
  • FIG. 2 is a screen capture illustrating an error message received by an email sender using Microsoft's Outlook Express when there is no digital ID for the intended encrypted email recipient;
  • FIG. 3 is a block diagram of the digital ID server and manager system and method in. accordance with the preferred embodiment
  • FIG. 4 is a screen capture illustrating the first step in creating a digital ID using a digital ID manager in accordance with the preferred embodiment
  • FIG. 5 is a screen capture illustrating the results of a successful digital ID request using a digital ID manager in accordance with the preferred embodiment
  • FIG. 6 is a screen capture illustrating the addition of a recipient's digital ID to a sender's email address book in accordance with the preferred embodiment
  • FIG. 7 is a screen capture illustrating the results of a successful addition to a sender's email address book of a recipient's digital ID in accordance with the preferred embodiment
  • FIG. 8 is a screen capture illustrating a recipient's digital ID icon in a sender's email address book in accordance with the preferred embodiment
  • FIG. 9 is a screen capture illustrating an email log indicating that an encrypted email was sent in accordance with the preferred embodiment. ' '
  • the term data processing system is used herein to refer to any machine for processing data, including the computer systems and network arrangements described herein.
  • Digital ID is used herein to refer to public key or to a public and private key pair.
  • the method and system described herein is applicable to the encryption of electronic or digital messages in general including email, voice, peer-to-peer, and instant messaging. According to one aspect of the invention, a method is described that allows a sender to transmit encrypted email over the Internet following PKI standards but without prior knowledge of the recipient's public key.
  • FIG. 1 is a screen capture 100 illustrating the first step used by Microsoft's Outlook Express for encrypting an email.
  • Microsoft's Outlook Express for example, if a user wants to send an encrypted email to a receiver named "Rick" 110, then the after entering the email message 120, the user would click the "Encrypt” button 130. To successfully encrypt this message, the receiver "Rick” must have a public key, or a Digital ID as Microsoft calls it, and the sender must have a copy of this Digital Id in the sender's email address book.
  • FIG. 2 is a screen capture 200 illustrating the error message 210 the user receives from Outlook Express if there is no digital ID for the intended recipient "Rick” 110 in the user's email address book.
  • the user would have to find out if "Rick” has a Digital ID. If “Rick” does have a Digital ID, then the user would have to obtain a copy of it from “Rick” and place this copy in the user's email address book. If “Rick” does not have a Digital ID, which is very often the case at present, the user would have to ask “Rick” to obtain one from a public key provider (i.e. Certificate Authority) and then forward a copy of Digital ID received to the user.
  • a public key provider i.e. Certificate Authority
  • One solution to this problem as contemplated by the present invention is to enable a sender to generate a Digital ID on behalf of the recipient and to place this Digital ID in the sender's email address book.
  • This solution is accomplished in a data processing system using a Digital ID Server and Digital ID Manager software according to one embodiment of the invention.
  • the Digital ID Server upon creation of the Digital ID, notifies the recipient, via email, that the sender has created a Digital ID for the recipient.
  • the recipient downloads the Digital ID from the Digital ID Server by simply clicking a secure link (i.e. SSL -secure socket layer) embedded in the email message provided by the Digital ID Server.
  • SSL -secure socket layer embedded in the email message provided by the Digital ID Server.
  • password authentication may be provided for this email message.
  • the Digital ID is downloaded from the Digital ID Server only once for a recipient rather than for each of the sender's subsequent emails.
  • the Digital ID. Manager software enables the sender to create Digital IDs for recipients and place them 'in the sender's email address book.
  • the Digital ID Server issues Digital IDs to recipients and provides the sender with copies of these Digital IDs.
  • the Digital ID Server facilitates the issuing of Digital IDs while the sender client's SMIME compliant email software performs email encryption using the issued Digital ID.
  • the sender acts as the Registration Authority and the Digital ID Server acts as the Certificate Authority in accordance with PKI terminology and standards. Now, referring to FIG.
  • the data processing system 300 includes a sender 310, a recipient 320, a "Digital ID Server” 330, the Internet 340, and databases 350.
  • the sender client 310, recipient client 320, and digital ID server 330 have stored therein data representing sequences of instructions which when executed cause the method described herein to be performed. In the following description, these software instructions will be referred to by the term "Digital ID Manager" 360.
  • the data processing system 300, the sender 310, recipient 320, and Digital ID Server 330 may contain additional software and hardware a description of which is not necessary for understanding the invention.
  • the sender 310 initiates a secure session with the Digital ID Server 330 and requests a Digital ID (i.e. a X.509 digital certificate) on behalf of the recipient 320 using Digital ID Manager software 360.
  • a Digital ID i.e. a X.509 digital certificate
  • An exemplary screen 400 presented to the sender 310 by the Digital ID Manager 360 illustrating this step is shown in FIG. 4.
  • the recipient's 320 common name 410 is "Rick" 420.
  • the sender 310 requests a Digital ID by clicking on the "Generate Certificate” button 430.
  • the sender 310 may also request a Digital ID from the Digital ID Server 330 if the sender 310 does not already have its own Digital ID.
  • the Digital ID Server 330 processes the sender's 320 Digital ID request. This processing includes validation of the sender 320 which may include a check that the sender 310 has paid any required Digital ID Server annual service fees. Typically, as part of a sender's 310 annual service fee the sender 310 will receive a Digital ID allowing the sender 310 to apply digital signatures to email and to receive and open encrypted email sent by any email user using an X.509 and SMIME compliant email program.
  • the Digital ID Server also performs a database 350 lookup to check if a Digital ID has already been created for the recipient 320. This lookup may include accessing third party digital certificate registries such as that maintained by Verisign, for example.
  • the Digital ID Server 330 creates a Digital ID (i.e. X.509 digital certificate) for the recipient 320. If the recipient 320 already has a Digital ID, then the Digital ID Server 330 will create a link to this Digital ID.
  • a Digital ID i.e. X.509 digital certificate
  • FIG. 5 shows an exemplary screen 500 presented to the sender 310 by the Digital ID Manager 360 illustrating a successful Digital ID request message 510.
  • the Digital ID Manager 360 may provide the sender with instructions for installing the recipient's 320 Digital ID in the sender's 310 email address book.
  • FIG. 6 shows an exemplary screen 600 presented to the sender 310 illustrating a Digital ID download instruction. It is a unique feature and advantage of the exemplary embodiment that the instructions provided by the Digital ID Manager 360 are easy to understand and follow by users.
  • FIG. 5 shows an exemplary screen 500 presented to the sender 310 by the Digital ID Manager 360 illustrating a successful Digital ID request message 510.
  • the Digital ID Manager 360 may provide the sender with instructions for installing the recipient's 320 Digital ID in the sender's 310 email address book.
  • FIG. 6 shows an exemplary screen 600 presented to the sender 310 illustrating a Digital ID download instruction. It is a unique feature and advantage of the exemplary embodiment that the instructions provided by the Digital ID Manager 360 are easy to
  • FIG. 7 shows an exemplary screen 700 presented to the sender 310 illustrating the results of a successful addition to the sender's email address book of the Digital ID for the recipient 320 "Rick" 710.
  • FIG. 8 shows an exemplary screen 800 presented to the sender 310 illustrating the Digital ID icon for the recipient 310 "Rick" 810 in the sender's 310 email address book.
  • the Digital ID Server 330 sends an email to the recipient 320 informing the recipient 320 that the sender has created a Digital ID for the recipient 320 thereby enabling the sender 310 and the recipient 320 to exchange encrypted emails.
  • the sender 310 provides the recipient 320 with a password that has been assigned to the recipient 320 by the Digital ID Manager 360 at the sender's 310 end.
  • the sender 310 provides this password to the recipient 320 by verbal communications using the telephone.
  • the password is provided as a measure of security to ensure that only the intended recipient receives the Digital ID, which typically includes the recipient's 320 private key, from the Digital ID Server 330.
  • the password may consist of information known to and verifiable by the Digital ID Server 330.
  • the recipient 320 provides the password obtained from the sender in step 5 to the Digital ID Server 300. If the password is accepted by the Digital ID Server 330, then the recipient 320 downloads the recipient's 320 new Digital ID from the Digital ID Server 330 by clicking on a secure link (i.e. SSL) in the email received from the Digital ID Server 330 in step 4. Assuming the recipient 320 provides the correct password, the Digital ID Server 330 provides the recipient 320 with instructions for installing the new Digital ID (including a private key).
  • This Digital ID is a fully functional X.509 digital certificate (i.e.
  • FIG. 9 shows an exemplary screen 900 presented to the sender 310 by the Digital ID Manager 360 illustrating an email log message indicating that an encrypted email was sent to the recipient 320 "Rick" 910.
  • the system and method of the exemplary embodiment of the invention described has the following unique features and advantages: empowers a user to send an encrypted email, following PKI standards, to a recipient without the recipient's prior possession of a Digital ID; allows a user to request a Digital ID from a Digital ID Server rather than from the recipient; allows both the sender and recipient to use their normal (i.e.
  • SMIME compliant email programs leverage off of the encryption capabilities already built into such programs rather than having to install additional applications to facilitate encrypted email communications; neither the sender nor receiver have to learn a new email program; messages sent appear in the sender and recipient's "normal" message store, that is, there is only one set or instance of send and receive logs; Digital IDs issued by the Digital ID Server are interoperable with other X.509 compliant digital certificates; simplifies the process of obtaining, distributing, and installing Digital IDs (i.e. digital certificates); provides users with instructions for installing Digital IDs that are easy to understand and follow; shifts the focus off the Digital ID issue and onto the more important issue of email security through encryption; and, encourages the use of encrypted email and the security it provides.
  • the method and system may facilitate other forms of electronic or digital messaging including voice, peer-to-peer, and instant messaging.
  • a method of message encryption and transmission comprising the steps of: a) requesting a Digital ID on behalf of a recipient from a server by a sender; b) creating said Digital ID by said server; c) transmitting said Digital ID to said sender from said server; d) transmitting a first message to said recipient from said server informing said recipient that said sender has initiated the creation of said Digital ID for said recipient thereby enabling said sender and said recipient to exchange encrypted messages; e) transmitting said Digital ID to said recipient from said server; f) encrypting a second message by said sender using said recipient's said Digital ID and sending said encrypted second message directly to said recipient; g) receiving said encrypted second message from said sender by said recipient and decrypting said encrypted second message by said recipient using said Digital ID.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

L'invention concerne un système de traitement de données qui exécute un programme d'instructions et englobe un client expéditeur, un client destinataire, un serveur, une pluralité de bases de données, une pluralité d'interconnexions, ainsi qu'un procédé de chiffrement et de transmission de message selon les étapes suivantes: demande d'identificateur (ID) numérique au nom d'un destinataire par un expéditeur auprès d'un serveur, création d'ID numérique par le serveur, transmission de l'ID numérique à l'expéditeur par le serveur, transmission d'un premier message au destinataire par le serveur afin d'informer le destinataire que l'expéditeur a engagé la création d'un ID numérique pour le destinataire, ce qui permet à l'expéditeur et au destinataire d'échanger des messages chiffrés, transmission de l'ID numérique au destinataire par le serveur, chiffrement d'un second message par l'expéditeur sur la base de l'ID numérique du destinataire et transmission du second message chiffré directement au destinataire, réception du second message chiffré envoyé par l'expéditeur au destinataire et déchiffrement dudit message sur la base de l'ID numérique.
PCT/CA2002/000288 2001-03-05 2002-03-05 Procede et systeme pour le chiffrement de messages numeriques WO2002071719A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CA002339564A CA2339564A1 (fr) 2001-03-05 2001-03-05 Methode et systeme de chiffrement des messages numeriques
CA2,339,564 2001-03-05

Publications (1)

Publication Number Publication Date
WO2002071719A1 true WO2002071719A1 (fr) 2002-09-12

Family

ID=4168512

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2002/000288 WO2002071719A1 (fr) 2001-03-05 2002-03-05 Procede et systeme pour le chiffrement de messages numeriques

Country Status (2)

Country Link
CA (1) CA2339564A1 (fr)
WO (1) WO2002071719A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007073943A1 (fr) * 2005-12-29 2007-07-05 Regify Ag Systeme de communication permettant la distribution d'un message de courrier electronique

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998017042A2 (fr) * 1996-10-15 1998-04-23 Mordhai Barkan Procede relatif au courrier electronique
WO1998056179A1 (fr) * 1997-06-06 1998-12-10 Thomson Consumer Electronics, Inc. Systeme d'acces conditionnel pour boitiers de raccordement
WO2000046952A1 (fr) * 1999-02-05 2000-08-10 Fundsxpress, Inc. Procede permettant d'envoyer un courrier electronique, de maniere sure, via un explorateur

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998017042A2 (fr) * 1996-10-15 1998-04-23 Mordhai Barkan Procede relatif au courrier electronique
WO1998056179A1 (fr) * 1997-06-06 1998-12-10 Thomson Consumer Electronics, Inc. Systeme d'acces conditionnel pour boitiers de raccordement
WO2000046952A1 (fr) * 1999-02-05 2000-08-10 Fundsxpress, Inc. Procede permettant d'envoyer un courrier electronique, de maniere sure, via un explorateur

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007073943A1 (fr) * 2005-12-29 2007-07-05 Regify Ag Systeme de communication permettant la distribution d'un message de courrier electronique
EA012795B1 (ru) * 2005-12-29 2009-12-30 Регифи Аг Система связи, обеспечивающая доставку сообщения электронной почты
US8949601B2 (en) 2005-12-29 2015-02-03 Regify Ag Communication system for providing the delivery of e-mail message
US9537813B2 (en) 2005-12-29 2017-01-03 Regify S.A. Communication system for providing the delivery of an e-mail message

Also Published As

Publication number Publication date
CA2339564A1 (fr) 2002-09-05

Similar Documents

Publication Publication Date Title
US8370444B2 (en) Generating PKI email accounts on a web-based email system
US7360079B2 (en) System and method for processing digital documents utilizing secure communications over a network
US9509681B2 (en) Secure instant messaging system
US8489877B2 (en) System, method and computer product for sending encrypted messages to recipients where the sender does not possess the credentials of the recipient
US8145707B2 (en) Sending digitally signed emails via a web-based email system
US7146009B2 (en) Secure electronic messaging system requiring key retrieval for deriving decryption keys
US7644268B2 (en) Automated electronic messaging encryption system
US8166299B2 (en) Secure messaging
US8060746B2 (en) E-mail transfer method and device
US8117438B1 (en) Method and apparatus for providing secure messaging service certificate registration
US20030115448A1 (en) Methods and apparatus for securely communicating a message
JP2006520112A (ja) セキュリティ用キーサーバ、否認防止と監査を備えたプロセスの実現
US8352742B2 (en) Receiving encrypted emails via a web-based email system
US20070288746A1 (en) Method of providing key containers
EP1387239B1 (fr) Messagerie sécurisée
WO2002071719A1 (fr) Procede et systeme pour le chiffrement de messages numeriques
Razali et al. A Framework for Electronic Bill Presentment and Off-Line Message Viewing
AU2005220240B1 (en) Method of providing key containers
WO2002033891A2 (fr) Distribution sure et fiable de documents a l'aide de listes d'acheminement

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP