WO2009156597A2 - Method and system for protecting confidentiality of messages and search device - Google Patents


Info

Publication number
WO2009156597A2
Authority
WO
WIPO (PCT)
Prior art keywords
node
message
address
recipient
secure
Prior art date
Application number
PCT/FI2009/050580
Other languages
French (fr)
Other versions
WO2009156597A3 (en)
Inventor
Pasi Koistinen
Original Assignee
Deltagon Group Oy
Application filed by Deltagon Group Oy
Priority to EP09769440A (published as EP2297906A2)
Publication of WO2009156597A2
Publication of WO2009156597A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/54 Store-and-forward switching systems
    • H04L12/56 Packet switching systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2596 Translation of addresses of the same type other than IP, e.g. translation from MAC to MAC addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Definitions

  • the invention generally relates to e-mail and data security.
  • the invention relates to solutions which aim to ensure that the content of an email remains confidential when the content is transmitted through the Internet, from a sender, to a recipient. If the e-mail recipient answers the message, i.e. sends a reply message, also the content of the reply message must remain confidential.
  • IP Internet Protocol
  • IP packets are encapsulated, in different ways, for different types of communication needs.
  • the encapsulation results in, for example, TCP/IP (Transmission Control Protocol / Internet Protocol) packets.
  • TCP/IP Transmission Control Protocol / Internet Protocol
  • the e-mail message consists of at least one packet transmitted by the Internet, such as an IP packet or a TCP/IP packet.
  • the Internet includes servers, some of which are considered to be secure and some of which are considered to be insecure. In general, the e-mail sender does not know which servers are secure and which are insecure. Even if the sender knew which of the servers are secure, the sender does not necessarily have a possibility to control the Internet so that his/her message would only travel through the secure servers.
  • the server which connects a LAN (Local area network) with the Internet is usually termed a firewall. The firewall is connected, through the LAN, to a number of terminals whose addresses are included in a specific address space. E-mails which are addressed to that address space are directed through the firewall and the LAN to the terminals of the recipients.
  • LAN Local area network
  • firewall refers in this application also to a so-called e-mail firewall, which, instead of individual data communication packets, is capable of processing e-mail messages as entities and capable of making very complex analyses and modifications of the messages.
  • IPsec IP security
  • ESP Encapsulating Security Payload
  • In an IPsec solution, the traffic of certain terminals, or the traffic of all terminals of the local network, is directed through a single point such as the firewall. The firewall encrypts the outbound traffic and decrypts the inbound traffic. Alternatively, the terminals perform the encryption of the outbound traffic and the decryption of the inbound traffic.
  • Confidential communication channels between the communication parties have been carried out by means of IPsec. These parties can communicate in a VPN (Virtual Private Network) which contains the confidential communication channels.
  • VPN Virtual Private Network
  • IPsec IP Security
  • S/MIME Secure Multipurpose Internet Mail Extensions
  • the second problem of the S/MIME solution is related to protection against malicious traffic. If a malicious program has intruded into a workstation of the sender of the message, the malicious program can send malicious messages encrypted with a recipient's public key to the recipient. Because the messages have been encrypted, harmful content inside them, for example spam or a virus, cannot be effectively identified by a typical e-mail gateway which functions at the edge of the network. Thus, the malicious message may pass through a number of checks, as far as to the recipient's desk. Even though the prior art provides a possibility to copy a private key of each sender/recipient to a protection server and decrypt the encryption in connection with the content checking, the procedure is complex.
  • the encryption of messages is a negative action from the point of view of the filtering of the malicious traffic.
  • IBE Identity Based Encryption
  • a set of keys is deduced for different identities on the basis of a master key.
  • a primary option of the solution requires that a sender and a recipient of the message have compatible encryption programs in use. If the sender does not have the recipient's public encryption key, the sender can use a method with which the message is speculatively encrypted. This method creates an encryption key on the basis of the recipient's e-mail address and encrypts the message with the created encryption key.
  • IBE simplifies the control of keys compared to the S/MIME method but it causes a new problem, i.e. the problem of authenticating a recipient.
  • the prior art does not provide a user-friendly method for authenticating the recipient in a situation in which nothing else but an e-mail address of the recipient is known.
  • WWW World Wide Web
  • the WWW based message handling related to IBE and a D3 server created by the applicant are some examples of a so-called ad hoc transmission of confidential e-mail.
  • the applicant's D3 server is compatible with the existing e-mail systems.
  • the D3 server enables a reliable e-mail transmission between organisations without control problems of decentralised software and servers.
  • the D3 server creates at least one file on the basis of the content of an e-mail message and after that it performs partly the same steps as the following method.
  • the method comprises the steps of: 1) encrypting a file intended for a recipient, 2) placing the encrypted file into a WWW server, 3) creating an e-mail message which contains a link to the encrypted file placed into the WWW server, and 4) sending the created e-mail message to the recipient.
  • After receiving the e-mail message the recipient is able to read the file with the WWW browser through the link contained in the message. Clicking the link creates an HTTPS (Hypertext Transfer Protocol Secure) connection between the recipient's terminal and the server containing the file, at which time the content of the file is readable in a confidential way.
  • HTTPS Hypertext Transfer Protocol Secure
  • TLS Transport Layer Security
  • ESMTP Extended Simple Mail Transfer Protocol
  • the cryptography supported by a receiving server can be checked with a check device which opens the SMTP session.
  • Nodes of a communications network form paths along which the IP packets contained in an e-mail message can be transferred over the communications network. In the following, known methods for examining the paths are discussed.
  • Traceroute is an operating system command which uses the TCP/IP protocol and determines along which path, i.e. along which route, the sent packets will move to a certain node of the communications network.
  • the node is, for example, a server or a router.
  • the transition of one or more packets from one node to a following node is termed a hop.
  • the traceroute command increases the "Time To Live" (TTL) value of each packet it sends, the TTL indicating the number of hops to be performed.
  • TTL Time To Live
  • the "Time To Live” value of the first packet is one
  • the “Time To Live” value of the second packet is two, etc.
  • the traceroute command forms a list of the nodes of communications network on the basis of the packets which have come back. The nodes of the list form the path along which the packets moved to the certain node of the communications network.
  • the traceroute command is from the Unix operating system.
  • Traceroute or “Traceroute tool” refers to the commands “traceroute”, “mtr”, “tracert” and to other possible commands which can be used to determine the path travelled by the packets.
  • Even though the use of the Traceroute tool has been restricted for security reasons, many main routers of the Internet accept its use. Thus, sometimes it can be determined with the Traceroute tool through which servers or through which countries the e-mail message travels in the Internet.
  • e-mail messages transmitted by the Internet are directed through a firewall and a local area network to terminals of recipients, and e-mail messages, which have been sent from the terminals and are addressed outside of the local area network, are routed through the firewall to the Internet. Due to the nature of the firewall as a control mean of the
  • In addition to firewalls, other servers can also serve as MTAs.
  • In source routing, a sender of a packet is able to direct the packet along a certain route to the recipient. Instead of an individual packet, the source routing can be applied to an e-mail message. Then the addresses of those MTAs which are located on a certain route are included in the recipient address of the message.
  • When an MTA obtains the message, it shortens the recipient address by removing its own address from the recipient address.
  • the MTA transmits the message in accordance with the shortened recipient address.
  • the sender can test with the source routing different routes, or the sender can order the message to be transmitted along the route which is quicker, cheaper, or more reliable.
  • the use of the source routing is often forbidden.
  • a basic principle of the Internet is that the Internet routes the sent packet from a sender node to a recipient node.
  • the security of the servers on the path travelled by a packet can be determined on the basis of the list of the secure servers, or on the basis of the list of the insecure servers.
  • the e-mail message can be routed with the source routing to a secure path.
  • a first problem related to the prior art is that even if secure paths would be available for a transmission of an e-mail message, a sender of the message does not usually know the existence of the secure paths, and the system used by the sender is not able to route the message to a secure path.
  • Another problem related to the prior art is that the sender has very small chances to affect along what kind of path the recipient of the message sends his/her reply message associated with the message. The reply message often contains the whole message to which the recipient replied with his/her reply message.
  • a transmission path of the reply message, i.e. a so-called return path, causes an information security risk if the return path is insecure.
  • the information security risk especially means that, due to the insecure return path, the sensitive information contained in the reply message ends up with a wrong person who aims to abuse the information.
  • An objective of the invention is to solve the above-mentioned problems of the prior art.
  • One aim is to ensure confidentiality of e-mail by using a secure path over the Internet.
  • the method of the invention comprises the following steps to be performed at a control entity.
  • the control entity searches, on the basis of recipient information of a message, a memory for an address of a secure path (ASP), where the secure path includes at least one node.
  • ASP address of the secure path
  • the control entity searches for the secure path by a search device which obtains the recipient information of the message as an input and outputs the ASP.
  • the control entity writes the ASP in a recipient address of the message to transmit the message in the communications network along the secure path to the recipient node.
  • the control entity searches, on the basis of sender information of the message, the memory for an address of a secure return path (ASRP), where the secure return path includes at least one transmission node located between a recipient node and a sender node of the message.
  • ASRP address of the secure return path
  • the control entity searches for the secure return path by the search device which obtains the sender information of the message as an input and outputs the ASRP. Finally, the control entity writes the ASRP in the return address of the message so that a reply message related to the message can be transmitted in the communications network from the recipient node along the secure return path to the sender node.
  • the invention comprises a system for sending the reply message securely by e-mail and the search device for finding the secure path.
  • Figure 1A shows nodes and entities which are related to the invention
  • Figure 1B shows an example of the control entity and the transmission entity
  • Figure 2 shows the method for transmitting a message and a reply message securely by e-mail
  • Figure 3 shows optional additional steps of the method
  • Figure 4 shows the system for transmitting a message and a reply message securely by e-mail
  • Figure 5 shows the search device to find secure paths.
  • FIG. 1A shows the nodes and the entities related to the invention.
  • a sender node 101, a transmission node 102, and a recipient node 103 are nodes of the IP based communications network such as the Internet.
  • the nodes 101-103 are different nodes.
  • a server, a router and a terminal are some examples of the nodes of the communications network.
  • the sender node 101 is a terminal and the recipient node 103 is a terminal.
  • Both a control entity 104 and a transmission entity 105 include at least one node.
  • the control entity 104 may be the same entity as the transmission entity 105 or the entities (104 and 105) may include at least one common node.
  • the sender node 101 sends a message 106 to the recipient node 103.
  • the control entity 104 receives the message 106.
  • the control entity 104 may include the sender node 101, or the sender node 101 may include the control entity 104.
  • the control entity 104 transmits the message 106 along a secure path
  • the secure path includes at least one node of a communications network.
  • the node included in the secure path 107 may be the recipient node 103.
  • the recipient node 103 sends a reply message 108 in response to the message 106 along the secure return path 109.
  • the transmission entity 105 receives the reply message 108.
  • the transmission entity 105 may include the sender node 101, or the sender node 101 may include the transmission entity
  • the transmission entity 105 transmits the reply message 108 to the sender node 101 after a second address conversion.
  • the message 106 is transmitted from the sender node 101 to control entity 104 in a secure way, and from the control entity 104 to recipient node
  • the reply message 108 is transmitted to the transmission entity 105 along a secure return path 109, and from the transmission entity 105 to sender node 101 in a secure way to retain the confidentiality of the reply message 108.
  • the above-mentioned first address conversion performed by the control entity means that the control entity 104 replaces an original return address (ORA) included in the message 106 with the address of the secure return path (ASRP).
  • ORA original return address
  • ASRP address of the secure return path
  • the second address conversion i.e. the address conversion performed by the transmission entity, means that the transmission entity 105 replaces the address of the secure return path (ASRP) included in the reply message 108 with the original return address (ORA).
  • ASRP address of the secure return path
  • ORA original return address
  • a server which is termed a "server of the secure path" (SSP) meets the following two demands:
  • 1) the SSP is able to receive e-mail messages in the confidential way, such as using the TLS protocol; 2) the SSP is able to transmit messages in the confidential way within a domain/subnet for which it has been defined as the SSP by a holder of the domain/subnet or by another trusted party.
  • the secure path 107 includes at least the recipient node 103. If the secure path includes only the recipient node 103, the recipient node 103 will be the SSP. The first node of the secure path is the SSP which has the ASP.
  • the first node of the secure path is the node to which the control entity 104 transmits the message 106.
  • the secure return path 109 includes at least the transmission entity 103.
  • the transmission entity 103 has the ASRP.
  • the transmission entity 103 includes the node which is the SSP and has the
  • FIG. 1B shows an example of the control entity and the transmission entity.
  • the sender node 101 as well as the recipient node 103 are terminals.
  • the sender node 101 has been connected with a local area network 110 to a firewall 111 of the sender.
  • the recipient node has been connected with a local area network 112 to a firewall 113 of the recipient.
  • the sent e-mail message moves from the sender node 101 to the recipient node 103 through the firewall 111 of the sender, through the
  • the reply message which is related to the e-mail message 106 and which has been sent from the recipient node 103, moves through the firewall 113 of the recipient, through the Internet 114, and through the firewall 111 of the sender to the sender node 103.
  • FIG. 1B illustrates with bi-directional arrows the transmission of the e-mail message and the related reply message.
  • the Internet 114 is the network of networks.
  • figure 1B shows, of the networks included in the Internet 114, an operator network 115 of the sender and an operator network 116 of the recipient.
  • the operator network 115 of the sender provides broadband connections for the sender node 101 and correspondingly the operator network 116 of the recipient provides broadband connections for the recipient node 103.
  • the control entity 104 and the transmission entity 105 are located in one or more devices in the local area network 110, in the firewall 111 of the sender and/or in the operator network 115 of the sender.
  • the transmission entity 104 and the control entity 105 can be placed in various ways. For example, both entities 104 and 105 can be placed in the same e-mail server which is located in the operator network of the sender.
  • the reply message 108 is transmitted from the transmission entity 105 to the sender node 101 in a secure way.
  • the secure way means, for example, that the message transmission from the operator network 115 of the sender to the sender node 101 is secure. It is supposed that a person or an organisation can trust its operator who provides broadband connections.
  • FIG. 2 shows the method for protecting the confidentiality of the contents of the message and the reply message in e-mail in an IP (Internet Protocol) based communications network.
  • the control entity is one of the following entities: a terminal of a communications network, a node which transmits e-mail in the communications network, or an entity which includes at least one terminal and at least one node which transmits e-mail.
  • An e-mail server and a firewall are typical examples of the node which transmits the e-mail.
  • the method comprises the following steps to be performed in the control entity. First, the memory is searched 201, on the basis of recipient information of the message, for an address of a secure path (ASP), where the secure path includes at least one node.
  • the ASP is the e-mail address which determines the secure path through the server (SSP).
  • the node refers to the server, to the terminal, or to another node of the communications network.
  • the memory used by the method or system according to the invention includes at least one memory device. The memory is available for at least one node. The memory is available locally or globally.
  • the secure path is searched 203 by the search device.
  • the search device tries to find at least one secure path, or in more detail, the search device tries to find at least one SSP.
  • the search device obtains the recipient information of the message as the input and outputs the address of the SSP.
  • the original recipient information is converted on the basis of the address of the SSP into the form of the ASP. The conversion can be performed by adding the address of the SSP to the end of the original recipient address.
  • the ASP is written 204 in the recipient address of the message to transmit the message in the communications network along the secure path to the recipient node.
  • the ASRP is the e-mail address of the node which orders a possible reply message of the e-mail to pass through the server of the secure path (SSP).
  • the reply message of the e-mail refers to the message that is directed to a so-called return address defined later on.
  • the secure return path is searched 207 by the search device which obtains the sender information of the message as the input and outputs the ASRP.
  • the search device obtains the sender information of the message as the input and outputs the address of the SSP.
  • the original return address is converted on the basis of the address of the SSP into the form of the ASRP. The conversion can be performed by adding the address of the SSP to the end of the domain name of the original sender address. It is stated that the above-mentioned conversions (producing the ASP or the ASRP) can be performed in some other way obvious to the person skilled in the art.
  • the ASRP is written 208 in the return address of the message so that the reply message related to the message can be transmitted in the communications network from the recipient node along the secure return path to the sender node.
  • the description of the method and system according to the invention contains the terms "sender node" and "recipient node".
  • the sender node and the recipient node may use the same operator network.
  • the advantages of the invention are most obvious in the situation which is described in figure 1B and in which the sender node and the recipient node use different operator networks.
  • protecting the confidentiality of the contents of the message and the relating reply message is challenging in the prior art, when the sender node and recipient node use different operator networks.
  • the return address is, for example, one of the following addresses: the "From" address included in an SMTP (Simple Mail Transfer Protocol) envelope, the "Reply-To" address included in a header part of a MIME (Multipurpose Internet Mail Extensions) envelope, or another address (such as the "From", "Sender" or "Receiver" address) included in the MIME header.
  • SMTP Simple Mail Transfer Protocol
  • MIME Multipurpose Internet Mail Extensions
  • the memory used by the control entity can be initialised so that at least one of the searches will return a positive result: finding of the secure path or finding of the secure return path.
  • the memory can be initialized once or repeatedly so that the address of the secure path (ASP) is not found when the memory is searched 201 for the ASP, on the basis of the recipient information of the message. In that case, the search of the secure path will be carried out in the method.
  • the memory can be initialised once or repeatedly so that the address of the secure return path (ASRP) is not found when the memory is searched 205 for the ASRP, on the basis of the sender information of the message. In that case, the search of the secure return path will be carried out in the method.
  • ASRP address of the secure return path
  • the control entity can be forced to use the search device to find the secure path or the secure return path.
  • the use of the search device can be terminated for a moment or permanently. Then at least one of the addresses ASP or ASRP is stored by the control entity in the memory. As long as the ASP is stored in the memory, the secure path will not be searched for. Correspondingly, the secure return path will not be searched for as long as the ASRP is stored in the memory.
  • FIG. 3 shows the optional additional steps of the method. Steps 201-208 that have been presented in figure 2 are enclosed by the dashed line 301 in figure 3.
  • At least the original return address (ORA) of the message is delivered 200 in the method from the control entity to the transmission entity which includes at least the node which has the ASRP.
  • the ORA can be transmitted from the control entity to the transmission entity in a number of ways obvious to the person skilled in the art.
  • the ORA can be encoded as a part of the ASRP and transmitted with the message.
  • the reply message which has been sent by the recipient node in response to the message, is received 209 in the transmission entity. If necessary, different types of checks can be performed for the reply message.
  • the checks can be preferably performed in the handshake stage of the SMTP session related to the reply message.
  • the method comprises the following step to be performed in the transmission entity after the possible checks.
  • the ASRP included in the recipient address of the reply message is replaced 210 with the ORA, which had been sent by the control entity to the transmission entity, and the reply message is transmitted 211 to the sender node.
  • the control entity replaces the ASRP (included in the return address of the message) with the ORA.
  • the ASRP can be formed in various ways. In the following, a simple way to form the ASRP is presented. The string "s." is added in front of the domain name included in the return address. In addition, the MX (Mail exchange) information must be modified so that the domain name points, on the basis of the modified MX information, to a server which receives e-mail messages only through an encrypted connection, such as a TLS connection.
  • the MX information could be modified for the address conversion (that has been presented above) as follows:
    "normal e-mail"
    compatent.com. MX mail.compatent.com.
    "e-mail of the secure return path"
    s.compatent.com. MX tppo.compatent.com.
    where the tppo.compatent.com server includes the forced TLS configuration.
  • the tppo.compatent.com server verifies that it obtains a STARTTLS command immediately after an EHLO command.
  • the forced TLS setup can be configured with e-mail delivery software, such as Postfix or Sendmail, for example.
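The two address conversions of the method (steps 201-208 in the control entity, step 210 in the transmission entity) together with the "s." domain-prefix form of the ASRP, as an added worked example; this is not the patent's or Deltagon's code. Assumed for illustration: a message is a dict of envelope fields, the memory is an in-process table, the domain-to-SSP entries are constructed, and the ASP encodes the original recipient as local%domain@ssp (the text only says that the SSP address is appended to the recipient address, so that encoding is an assumption).

```python
# Added example (not the patent's code): first address conversion at the
# control entity, second address conversion at the transmission entity.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Memory:
    """Memory 407: SSP lookup table plus the original return addresses (ORA)
    stored by the control entity for the transmission entity (step 200)."""
    ssp_by_domain: Dict[str, str]
    ora_by_asrp: Dict[str, str] = field(default_factory=dict)


def split_address(addr: str) -> Tuple[str, str]:
    """Split local@domain; reject anything that is not a single address."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain.lower()


def find_asp(recipient: str, memory: Memory) -> Optional[str]:
    """Steps 201/203: look the recipient's domain up for an SSP and form the ASP.
    Returns None when no secure path is known for the domain."""
    local, domain = split_address(recipient)
    ssp = memory.ssp_by_domain.get(domain)
    if ssp is None:
        return None
    return f"{local}%{domain}@{ssp}"   # assumed ASP encoding, see lead-in


def make_asrp(ora: str) -> str:
    """Form the ASRP by adding "s." in front of the return address's domain."""
    local, domain = split_address(ora)
    return f"{local}@s.{domain}"


def is_asrp(addr: str) -> bool:
    """An address whose domain carries the "s." prefix belongs to a secure return path."""
    _, domain = split_address(addr)
    return domain.startswith("s.") and len(domain) > 2


def control_entity(message: Dict[str, str], memory: Memory) -> Dict[str, str]:
    """First address conversion: ASP into the recipient address (step 204),
    ASRP into the return address (step 208), ORA kept for the transmission entity."""
    out = dict(message)
    asp = find_asp(message["rcpt"], memory)
    if asp is not None:
        out["rcpt"] = asp                  # recipient unchanged when no SSP is known
    ora = message["from"]
    asrp = make_asrp(ora)                  # steps 205-207
    memory.ora_by_asrp[asrp] = ora         # step 200: ORA delivered via the memory
    out["from"] = asrp
    return out


def transmission_entity(reply: Dict[str, str], memory: Memory) -> Dict[str, str]:
    """Second address conversion (step 210): replace the ASRP in the reply's
    recipient address with the ORA before passing the reply to the sender node."""
    rcpt = reply["rcpt"]
    if not is_asrp(rcpt):
        raise ValueError(f"{rcpt!r} is not a secure return path address")
    ora = memory.ora_by_asrp.get(rcpt)
    if ora is None:
        # No stored ORA: the "s." scheme is reversible, so strip the prefix.
        local, domain = split_address(rcpt)
        ora = f"{local}@{domain[2:]}"
    out = dict(reply)
    out["rcpt"] = ora
    return out


if __name__ == "__main__":
    # Constructed sample: Alice at compatent.com writes to Bob at deltagon.com;
    # "ssp.deltagon.com" is a constructed SSP name for the recipient's domain.
    memory = Memory(ssp_by_domain={"deltagon.com": "ssp.deltagon.com"})
    sent = control_entity({"from": "alice@compatent.com", "rcpt": "bob@deltagon.com"}, memory)
    print("outbound envelope:", sent)
    reply = {"from": "bob@deltagon.com", "rcpt": sent["from"]}
    print("reply after second conversion:", transmission_entity(reply, memory))
```

Storing the ORA in the memory keeps the "s." scheme reversible even if a different ASRP encoding is later chosen; the fallback that strips the prefix is what the text's simple scheme allows when nothing was stored.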
  • Alice's e-mail message is transmitted through a sender node and a recipient node to Bob.
  • Bob reads Alice's message, writes a related reply message and sends the reply message to Alice.
  • the recipient node, i.e. the node serving Bob, transmits the reply message to the ASRP address: alice@s.compatent.com
  • Bob's reply message must be transmitted to the server "tppo.compatent.com" which accepts e-mail messages only through the encrypted connection (i.e. through a TLS connection).
  • This server serves as the server of the secure path (SSP) in a certain domain.
  • the handshake stage (related to the connection) may look, for example, as follows:
    ehlo deltagon.com
    250 OK
    mail from: bob@deltagon.com
  • a first result of the handshake stage is the fact that the reply message is not transmitted because the return path is insecure. Thus, the confidentiality of the reply message is retained.
  • a second result of the handshake stage is that an ad hoc transmission way to send the reply message is provided for the sender of the reply message, i.e. for Bob. In more detail, Bob can contact the address https://secure.compatent.com with an Internet browser and send a reply message to Alice in a confidential way from the server having said address. Due to the above-mentioned results it is stated that the processing of the reply message includes both the enforcement of the protection policy (secure policy enforcement) and the offering of the confidential ad hoc transmission way.
  • the confidentiality of the reply message can be retained with the policy service included in the Postfix software.
  • During the RCPT stage of the SMTP session, the policy service forces the server of the secure path (SSP) to check that the connection between the SSP and the server which transmits the reply message has been encrypted, when the recipient address of the reply message is an ASRP address.
  • the RCPT stage of the SMTP session may look, for example, as follows: ehlo deltagon.com
  • FIG. 4 shows the system 401 to protect the confidentiality of the contents of a message 402 and a reply message 404 in transmissions which occur by e-mail in an IP-based (Internet Protocol) communications network.
  • the system 401 comprises a control entity 405, a transmission entity 406, a memory 407 usable by both entities, and a checking policy 408 stored in the memory 407, the transmission entity 406 including at least one node that has an address of the secure return path (ASRP) 409.
  • the node having the ASRP may be a sender node 410.
  • the control entity 405 receives the message 402, which the sender node 410 has addressed to a recipient node 411, and stores an original return address (ORA) 412 included in the message 402 into the memory 407.
  • the control entity 405 writes the ASRP 409 into the return address of the message 402 in order that the reply message 403 related to the message 402 can be transmitted in the communications network along a secure return path to the sender node 410 of the message 402, the secure return path including at least one transmission node 413 which is located between the sender node 410 and the recipient node 411.
  • the control entity 405 transmits the message 402 using the address of the secure path (ASP) to the recipient node 411.
  • the transmission entity 406 receives, according to the checking policy 408, the reply message 403 which the recipient node 411 has sent as a response to the message 402. Furthermore, according to the checking policy 408, the transmission entity 406 replaces the ASRP included in the recipient address of the reply message 403 with the ORA read from the memory 407 and transmits the reply message to the sender node 410.
  • the checking policy 408 controlling the operation of the system can be defined in various ways.
  • the system 401 preferably includes a user interface 414 through which an authorised user of the system 401 can change the checking policy 408.
  • contents of the memory 407 can be changed through the user interface 414.
  • the user interface 414 is preferably WWW based.
  • the reply message 403 is transmitted according to the checking policy to the sender node 411 without any checks. Alternatively, the reply message 403 is transmitted to the sender node 411 only when at least one check has been performed and passed.
  • the transmission entity 406 is assured of the confidential transmission way of the reply message 403 in the communications network 404 when the recipient address of the reply message 403 includes the ASRP.
  • the transmission entity 406 is assured of the confidential transmission way of the reply message 403 in the communications network 404 when the reply message 403 has been received through an encrypted connection.
  • the transmission entity 406 detects that the sender of the reply message 403 is the recipient of the message 402 when the reply message 403 includes a certain identifier which was transmitted with the message 402 to the recipient node 411. The purpose of the identifier is to block spam messages which look like reply messages but in reality are not.
  • "Cecil" could send to Alice a spam message with the heading which includes "RE" notation commonly used in reply messages, though Alice has not sent any message to Cecil.
  • the message is identified as a spam message, because it does not contain the identifier.
  • the identifier can be generated in various ways.
  • the identifier can also be saved into the memory 407 together with the original return address (ORA) 412 included in the message 402. Then the identifier can be fetched from the memory 407 for the third check.
  • the control entity 405 writes the ASRP into the return address of the message 402 and then transmits the message, using the ASP, to the recipient node 411. Therefore, the control entity has the ASRP 409 and the address of the secure path (ASP) at its disposal.
  • the ASRP 409 is preferably formed on the basis of the ORA 412, for example by adding the notation "s." after the character @ in Alice's e-mail address alice@compatent.com. Thus, the ASRP does not necessarily need to be stored in the memory 407.
  • the ASP can be stored in memory 407, if necessary.
  • ASP can be stored into the memory in a list which consists of pairs of e-mail addresses.
  • the first member of a pair is a normal e-mail address and the second member of the pair is the ASP.
  • the first member of the pair could be, for example, bob@deltagon.com and the second member bob@deltagon.com.very_secure_server.com.
  • very_secure_server.com included in the second member of the pair is one example of the address of the server of the secure path (SSP).
  • the control entity 405 uses the address bob@deltagon.com included in the message 402 to fetch the address bob@deltagon.com.very_secure_server.com from the list, and then sends the message 402 to the address bob@deltagon.com.very_secure_server.com, i.e. to the ASP.
  • the control entity 405 can use the transmission node which provides the confidential ad hoc transmission. Ad hoc transmission has been discussed in the "Background of the invention" part of the patent application.
  • for the ASP and the ASRP, one of the following three options, or a combination of them, is usable in the system 401: 1) at least one of the addresses ASP, ASRP can be read from the memory 407.
  • 2) the address of the transmission node, which offers the confidential ad hoc transmission, can be read from the memory, at least one of the addresses ASP, ASRP being obtainable from the transmission node.
  • 3) the control entity 405 of the system 401 comprises the search device 415 for finding at least one of the addresses ASP, ASRP.
  • FIG. 5 shows the search device to find secure paths in the IP based communications network.
  • the search device 501 comprises a node finder 502, a domain descriptor 503, a SSP finder 504, a deduction unit 505, and a memory 506.
  • the node finder 502 obtains as its input either a domain name from the recipient information of the message or an address of an individual transmission node. If the input is the domain name, the node finder performs, on the basis of the domain name, a DNS (Domain Name System) query which returns a node set consisting of at least one node. If the input is the address of the transmission node, the node finder forms the node set with the Traceroute tool.
  • the domain descriptor 503 determines on the basis of the address of the node included in the node set: a country domain, an internet service provider domain, an organizational domain, and a server domain.
  • the SSP finder 504 performs at least one of the following DNS queries:
  • the deduction unit 505 deduces that the search has succeeded when the first, second, third or fourth DNS query discloses that the SSP has been defined in which case the deduction unit 505 returns the address of the SSP.
  • the ASP can be formed of the address of the SSP returned by the deduction unit 505, if the search device 501 obtained the recipient information of the message as its input.
  • the ASRP can be formed of the address of SSP returned by the deduction unit 505, if the search device 501 obtained the sender information of the message as its input.
  • the node set returned by the node finder 502 may contain a great number of nodes, which increases the probability that for at least one node of the node set the SSP is disclosed by one of the four DNS queries.
  • the performance order of the first, second, third, and fourth DNS query presented above can be changed, if necessary.
  • the following example describes the search of the secure path. The example concerns the transmission of an e-mail message from the sender node to the recipient node.
  • the node finder returns, on the basis of domain name of the address, the node set.
  • the node set consists of one node.
  • the IP address of this recipient node is 194.29.195.40.
  • the search of the secure path is preferably performed, at the latest, during the handshake stage of SMTP. This so-called RCPT stage is performed before the DATA command of SMTP.
  • during the handshake stage of the SMTP session, one can check whether the answer to the ESMTP command contains the word "STARTTLS", which indicates the confidential transmission way and on the basis of which the recipient server could be determined to be the SSP. Nevertheless, the secure path can also be searched with the method in a case where a secure connection cannot be formed directly to the recipient node.
  • the domain descriptor 503 determines domains for a node of the node set in the following way: a country domain on the basis of a first part of the address of the node, an internet service provider domain on the basis of first two parts of the address of the node, an organizational domain on the basis of first three parts of the address of the node, and a server domain on the basis of first four parts of the address of the node.
  • an IP address consists of four parts.
  • the following simplified domain determinations can be made for the search of the secure path:
  • - the first two parts of the IP address determine the internet service provider domain
  • - the first three parts of the IP address determine the organizational domain
  • - all four parts of the IP address determine the server domain.
  • the domain determinations can be made with more exact and more complex methods.
  • the country information can be clarified by making a query to external "geo IP" database on the basis of the IP address.
  • the identifier information related to the domains can also be presented in different ways. For example, the country information can be presented, instead of the number value, with a combination of letters according to ISO standard.
  • the search comprises one to four steps. The search succeeds if the secure path is found. If the secure path is not found even at the last step, the search ends without result.
  • in the first step, the SSP is searched for on the basis of the server domain. The search is based on the following DNS query: 40.195.29.194.tls.s-domain.net
  • if the DNS query results in the address of the SSP, the search succeeds. Otherwise the second step of the search is performed, etc.
  • the second step of the search is based on the DNS query: 195.29.194.tls.s-domain.net
  • the third step of the search is based on the DNS query: 29.194.tls.s-domain.net
  • the fourth step of the search is based on the DNS query: 194.tls.s-domain.net
  • the fourth query could also be presented in the form fi.tls.s-domain.net, wherein "fi" is an identifier describing the geographical location of the address 194.29.195.40.
  • the address of the server concerned is determined to be the SSP.
  • the ASP can be formed by adding the address of the SSP to the end of the recipient address: bob@deltagon.com.fi.mail.s-domain.net
  • the database in which the DNS queries are made operates in the tls.s-domain.net zone. It is obvious to the person skilled in the art that, for example, MX or TXT records can be used as alternatives to the described query format, in which so-called A records of the DNS were used. In addition, it is possible to join information of the DNS in a recursive way, i.e. new DNS queries can be performed on the basis of the answer returned by a DNS query. Furthermore, the information can be handled by means of different algorithms.
  • in the example, the special database operating at the address tls.s-domain.net can be, by its character, static, dynamic, or a combination of these.
  • the static database contains the separate countries, operators, organisations as well as records registered by holders of individual servers.
  • the dynamic database contains the information that has been achieved by handling the information output by the SMTP connection-forming devices.
  • the devices can form the SMTP connections as a batch process or in real time.
  • the dynamic database contains the information which has been achieved by handling information output by Traceroute tool, or by handling so-called geo IP geographical information of the IP address, domain information that have been fetched from so-called RIPE database, the routing information of the communications network, or information originated from other external sources.
  • An IP address of a party, which queries information, or another identifier, which is related to the party or the transmission of a message or a reply message, can be taken into account in the handling of information.
  • the node finder which belongs to the search device, can obtain a domain name as its input in which case the node set is preferably formed by means of a DNS query.
  • the node finder can alternatively obtain the address of the transmission node as its input.
  • the node finder preferably uses Traceroute tool to form the node set.
  • the tool results in an ordered node set in which the first node is the nearest node in terms of hops and the last node is the node farthest away from the search device in terms of hops.
  • the search device preferably queries from the DNS special database information concerning more than one node.
  • the addresses of the nodes can be separated in a query with a desired identifier with methods known by the person skilled in the art.
  • the addresses of the nodes are preferably disclosed in the query in order, i.e. in the order of the ordered node set produced by the Traceroute tool.
  • the node finder preferably returns the address of the farthest node with respect to the search device (in terms of hops) which is located in the same domain as the nearest node with respect to the search device (in terms of hops).
  • the search device can be used to secure the confidentiality of content of a reply message.
  • the search device is preferably coupled to a transmission entity, which outputs an address of the transmission node to the search device as the input. If the address of the SSP, which is searched for the transmission node, is the same as the address of the transmission entity, the transmission method of the reply message can be considered secure.
  • the search device can be used, in the method and system according to the invention, to secure the confidentiality of the content of the message.
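The four-step DNS search, the address formation and the reply-path check described in the bullets above, written out as an added worked example in Python. This is not code from the patent application or from Deltagon Group Oy. The special DNS zone tls.s-domain.net is stood in for by a constructed in-memory table of A-record answers, the Traceroute tool by a constructed hop-ordered node list, and the function names (domain_query_names, find_ssp, form_asp, farthest_node_in_nearest_domain, reply_path_is_secure) are assumptions; the reading of "same domain" in the node finder as the organisational domain (first three address parts) is likewise an assumption.

```python
"""Secure-path search of FIG. 5 (node finder, domain descriptor, SSP finder,
deduction unit) as an added worked example.  Not code from the patent
application or from Deltagon Group Oy.  The special DNS zone is replaced by a
constructed in-memory table and Traceroute by a constructed hop list, so the
example runs offline.  All function names are assumptions."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

DNS_ZONE = "tls.s-domain.net"

# Constructed stand-in for the special DNS database.  Only the organisational
# domain of 194.29.195.40 (the example recipient node) has an SSP registered,
# so the first (server-domain) query misses and the second query hits.
CONSTRUCTED_A_RECORDS: Dict[str, str] = {
    "195.29.194." + DNS_ZONE: "fi.mail.s-domain.net",
}


def constructed_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS A query against the special database."""
    return CONSTRUCTED_A_RECORDS.get(name)


def domain_query_names(ip: str) -> List[str]:
    """Domain descriptor 503: the four query names for one node, in the search
    order of the description: server domain (4 parts), organisational domain
    (3 parts), ISP domain (2 parts), country domain (1 part).  The address
    parts are reversed, as in the example query 40.195.29.194.tls.s-domain.net."""
    parts = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(reversed(parts[:n])) + "." + DNS_ZONE for n in (4, 3, 2, 1)]


def find_ssp(node_set: List[str],
             resolver: Callable[[str], Optional[str]] = constructed_resolver
             ) -> Tuple[Optional[str], Optional[str]]:
    """SSP finder 504 + deduction unit 505: the search succeeds at the first
    query that returns an SSP and ends without result after the fourth query
    of the last node.  Returns (ssp, answering query name) or (None, None)."""
    for ip in node_set:
        for name in domain_query_names(ip):
            ssp = resolver(name)
            if ssp:
                return ssp, name
    return None, None


def form_asp(recipient_address: str, ssp: str) -> str:
    """ASP: the SSP address is appended to the end of the recipient address."""
    return f"{recipient_address}.{ssp}"


def farthest_node_in_nearest_domain(ordered_nodes: List[str]) -> str:
    """Node finder 502 with Traceroute input (nearest hop first): return the
    farthest node that shares a domain with the nearest node.  Assumption:
    'same domain' means the organisational domain, i.e. the first three parts."""
    org = lambda ip: str(ipaddress.IPv4Address(ip)).rsplit(".", 1)[0]
    nearest_org = org(ordered_nodes[0])
    candidate = ordered_nodes[0]
    for ip in ordered_nodes[1:]:
        if org(ip) == nearest_org:
            candidate = ip
    return candidate


def reply_path_is_secure(transmission_node_ip: str, transmission_entity_address: str,
                         resolver: Callable[[str], Optional[str]] = constructed_resolver) -> bool:
    """Check for the reply message: the transmission way is considered secure
    when the SSP found for the transmission node is the transmission entity itself."""
    ssp, _ = find_ssp([transmission_node_ip], resolver)
    return ssp is not None and ssp == transmission_entity_address


if __name__ == "__main__":
    # Constructed Traceroute output, nearest hop first.
    hops = ["194.29.195.1", "194.29.195.7", "194.29.196.3"]
    node = farthest_node_in_nearest_domain(hops)
    ssp, via = find_ssp([node])
    print(node, ssp, via, form_asp("bob@deltagon.com", ssp))
```

Swapping constructed_resolver for a resolver that issues real A (or MX/TXT) queries against the zone is the only change a deployment would need; the search order (server, organisation, ISP, country) and the first-hit deduction rule stay as the description gives them.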

Abstract

The system according to the invention is intended to transmit an e-mail message (402) and a reply message (403) related to it securely over the Internet. In more detail, the system forces the use of only secure paths over the Internet. The system comprises a control entity (405), a transmission entity (406), a memory (407) usable by both entities, and a checking policy stored in the memory. The control entity (405) receives the message (402), which the sender node (410) has addressed to the recipient node (411), and stores into the memory an original return address (ORA) included in the message. Then the control entity writes an address of a secure return path (ASRP) in the return address of the message so that the reply message (403) can be transmitted from the recipient node (411), along the secure return path, to the sender node (410) of the message. Finally, the control entity (405) transmits the message along a secure path to the recipient node (411). Assuming that the recipient of the message sends the reply message (403), the transmission entity (406) included in the system receives the reply message. Then, according to the checking policy, the transmission entity replaces the ASRP (409) included in the recipient address of the reply message with the ORA (412) read from the memory and transmits the reply message to the sender node (410). In addition to the system, the invention comprises a method and a search device.

Description

Method and system for protecting confidentiality of messages and search device
Field of the invention
[001] The invention generally relates to e-mail and data security. In particular, the invention relates to solutions which aim to ensure that the content of an e-mail remains confidential when the content is transmitted through the Internet from a sender to a recipient. If the e-mail recipient answers the message, i.e. sends a reply message, the content of the reply message must also remain confidential.
Background of the invention
[002] As generally known, the Internet transmits IP (Internet Protocol) packets. These IP packets are encapsulated, in different ways, for different types of communication needs. The encapsulation results in, for example, TCP/IP (Transmission Control Protocol / Internet Protocol) packets. The e-mail message consists of at least one packet transmitted by the Internet, such as an IP packet or a TCP/IP packet.
[003] The Internet includes servers, some of which are considered to be secure and some of which are considered to be insecure. In general, the e-mail sender does not know which servers are secure and which are insecure. Even if the sender knew which of the servers are secure, the sender does not necessarily have a possibility to control the Internet so that his/her message would only travel through the secure servers.
[004] The server which connects a LAN (Local Area Network) to the Internet is usually termed a firewall. The firewall is connected, via the LAN, to a number of terminals whose addresses are included in a specific address space. E-mails which are addressed to an address in the specific address space are directed through the firewall and the LAN to the terminals of the recipients. In this application the term "firewall" also refers to a so-called e-mail firewall, which is capable of processing e-mail messages as entities, instead of individual data communication packets, and of performing very complex analyses of and modifications to the messages.
[005] If a sent message passes through at least one insecure server, the confidentiality of the message is compromised. The message can be encrypted to solve this problem.
[006] Some encryption-based e-mail solutions and problems related to them are presented below.
[007] IPsec (IP security) is a series of protocols protecting IP connections. An ESP (Encapsulating Security Payload) protocol can be used in an IPsec solution, in which case each packet relating to a secure IP connection is encrypted.
[008] In the IPsec solution the traffic of certain terminals, or the traffic of all terminals of the local network, is directed through a single point such as the firewall. The firewall encrypts the outbound traffic and decrypts the inbound traffic. Alternatively, the terminals perform the encryption of the outbound traffic and the decryption of the inbound traffic.
[009] Confidential communication channels between the communication parties have been implemented by means of IPsec. These parties can communicate in a VPN (Virtual Private Network) which contains the confidential communication channels.
[010] One problem of IPsec is that maintenance of the communication channels is quite laborious because it requires the mutual exchange of the communication parties' cipher keys. Thus, IPsec is poorly suited to typical open e-mail environments in which organisations, and the people who represent them, have several communication parties located outside the organisations.
[011] An S/MIME (Secure Multipurpose Internet Mail Extensions) solution requires that a sender and a recipient use encryption keys and compatible encryption programmes. S/MIME is based on the use of public and private cipher keys. Even though most e-mail programs support S/MIME, only a few users have the encryption keys.
[012] As in the IPsec solution, the problem in the S/MIME solution is also the diligence required in changing and maintaining the keys.
[013] The second problem of the S/MIME solution is related to protection against malicious traffic. If a malicious program has intruded into a workstation of the sender of the message, the malicious program can send malicious messages, encrypted with the recipient's public key, to the recipient. Because the messages have been encrypted, harmful content inside them, for example spam or a virus, cannot be effectively identified by a typical e-mail gateway which functions at the edge of the network. Thus, the malicious message may pass through even a number of checks, as far as the recipient's desk.
[014] Even though the prior art provides a possibility to copy a private key of each sender/recipient to a protection server and to remove the encryption in connection with the content checking, the procedure is complex. Therefore, the encryption of messages is a negative action from the point of view of the filtering of malicious traffic.
[015] In an IBE (Identity Based Encryption) solution a set of keys is derived for different identities on the basis of a master key. A primary option of the solution requires that a sender and a recipient of the message have compatible encryption programs in use. If the sender does not have the recipient's public encryption key, the sender can use a method with which the message is speculatively encrypted. This method creates an encryption key on the basis of the recipient's e-mail address and encrypts the message with the created encryption key.
[016] IBE simplifies the control of keys compared to the S/MIME method but it causes a new problem, i.e. the problem of authenticating a recipient. The prior art does not provide a user-friendly method for authenticating the recipient in a situation in which nothing else but an e-mail address of the recipient is known.
[017] As mentioned above, the encryption of messages is the negative action from the point of view of the protection against malicious traffic. Therefore, the primary option of the IBE method is considered to be problematic.
[018] In a secondary option of the IBE solution, WWW (World Wide Web) based message handling is used instead of the encryption programs.
[019] The WWW based message handling related to IBE and a D3 server created by the applicant are some examples of so-called ad hoc transmission of confidential e-mail.
[020] The applicant's D3 server is compatible with the existing e-mail systems. The D3 server enables reliable e-mail transmission between organisations without the control problems of decentralised software and servers. The D3 server creates at least one file on the basis of the content of an e-mail message and after that it performs partly the same steps as the following method.
[021] The method comprises the steps of: 1) encrypting a file intended for a recipient, 2) placing the encrypted file on a WWW server, 3) creating an e-mail message which contains a link to the encrypted file placed on the WWW server, and 4) sending the created e-mail message to the recipient.
[022] After receiving the e-mail message the recipient is able to read the file with a WWW browser through the link contained in the message. Clicking the link creates an HTTPS (Hypertext Transfer Protocol Secure) connection between the recipient's terminal and the server containing the file, whereby the content of the file is readable in a confidential way.
[023] The fact that the recipient needs a WWW browser in his/her terminal is considered a first problem of the method described above. Otherwise, the file cannot be read.
[024] The fact that the e-mail message may end up with a wrong person is considered a second problem of the method. The wrong person is then able to read the file if person identification, for example by means of a password, is not used in the method. Thus, without the encryption, the confidentiality of the file is jeopardized when the message containing the link passes through an insecure server. On the other hand, an advantage of the method is that it guarantees fairly well the confidentiality of the e-mail without an encryption key and without the diligence related to sending and maintaining the encryption key.
[025] End-to-end secured data transfer connections have become common on the Internet. The TLS (Transport Layer Security) protocol was developed for the needs of confidential data transfer. TLS is a protocol which Internet applications can use to protect data transfer over the Internet. The most common use of TLS is to protect the transfer of WWW pages, when the above-mentioned HTTPS protocol is used in the transfer of the pages. A TLS extension can be used in connection with ESMTP (Extended Simple Mail Transfer Protocol) in the confidential transmission of e-mail. As generally known, the cryptography supported by a receiving server can be checked with a check device which opens an SMTP session.
[026] Nodes of a communications network form paths along which the IP packets contained in an e-mail message can be transferred over the communications network. In the following, known methods for examining the paths are discussed.
[027] Traceroute is an operating system command which uses the TCP/IP protocol and determines along which path, i.e. along which route, the sent packets will move to a certain node of the communications network. The node is, for example, a server or a router. The transition of one or more packets from one node to the following node is termed a hop.
[028] The traceroute command increases the "Time To Live" (TTL) value of the packets it sends, the TTL indicating the number of hops to be performed. In more detail, the "Time To Live" value of the first packet is one, the "Time To Live" value of the second packet is two, etc. Thus, the first packet will return from the first router, the second packet will return from the second router, etc. The traceroute command forms a list of the nodes of the communications network on the basis of the packets which have come back. The nodes of the list form the path along which the packets moved to the certain node of the communications network.
[029] The traceroute command originates from the Unix operating system. Most Linux operating systems contain the command, which is used with the same name, or, instead of traceroute, the "Matt's Traceroute" tool, which is used with the command "mtr". Correspondingly, the command "tracert" is used in the Windows operating systems.
[030] Regarding terms in the application, "Traceroute" or "Traceroute tool" refers to the commands "traceroute", "mtr", "tracert" and to other possible commands which can be used to determine the path travelled by the packets.
[031] Even though the use of the Traceroute tool has been restricted for security reasons, many main routers of the Internet accept its use. Thus, it can sometimes be determined with the Traceroute tool through which servers or through which countries an e-mail message travels on the Internet.
[032] Let us assume that the route travelled by the packet is determined with the Traceroute tool and the list formed by the tool contains a group of servers. This list can be compared with a list of secure servers, which is available on the Internet, or with a list of insecure servers. The performed comparison discloses whether or not all the servers included in the transmission path of the message are secure.
[033] As generally known, e-mail messages transmitted by the Internet are directed through a firewall and a local area network to the terminals of recipients, and e-mail messages which have been sent from the terminals and are addressed outside the local area network are routed through the firewall to the Internet. Due to the nature of the firewall as a control means of the communications, the firewall can also be termed an "MTA" (Message Transfer Agent).
[034] In addition to firewalls, other servers can also serve as MTAs. In source routing, the sender of a packet is able to direct the packet along a certain route to the recipient. Instead of an individual packet, source routing can be applied to an e-mail message. Then the addresses of those MTAs which are located on a certain route are included in the recipient address of the message. When an MTA obtains the message, it shortens the recipient address by removing its own address from the recipient address. Then the MTA transmits the message in accordance with the shortened recipient address.
[035] With source routing the sender can test different routes, or the sender can order the message to be transmitted along the route which is quicker, cheaper, or more reliable. However, for information security reasons, the use of source routing is often forbidden.
[036] A basic principle of the Internet is that the Internet routes the sent packet from a sender node to a recipient node.
[037] As mentioned above, the prior art provides:
- a restricted possibility to use the Traceroute tool,
- the security of the servers on the path travelled by a packet can be determined on the basis of the list of secure servers, or on the basis of the list of insecure servers,
- if source routing is allowed, the e-mail message can be routed with source routing to a secure path.
[038] A first problem related to the prior art is that even if secure paths were available for the transmission of an e-mail message, the sender of the message usually does not know of the existence of the secure paths, and the system used by the sender is not able to route the message to a secure path.
[039] Another problem related to the prior art is that the sender has very small chances to affect along what kind of path the recipient of the message sends his/her reply message associated with the message. The reply message often contains the whole message to which the recipient of the message replied with his/her reply message.
[040] Even if the message were transmitted along the secure path to the recipient, the transmission path of the reply message, i.e. the so-called return path, causes an information security risk if the return path is insecure. The information security risk especially means that, due to the insecure return path, the sensitive information contained in the reply message ends up with a wrong person who aims to abuse the information.
Brief summary of the invention
[041] An objective of the invention is to solve the above-mentioned problems of the prior art.
[042] One aim is to ensure the confidentiality of e-mail by using a secure path over the Internet.
[043] The method of the invention comprises the following steps to be performed at a control entity.
The control entity searches, on the basis of recipient information of a message, a memory for an address of a secure path (ASP), where the secure path includes at least one node.
When the ASP is missing from the memory, the control entity searches for the secure path by a search device which obtains the recipient information of the message as an input and outputs the ASP. The control entity writes the ASP in a recipient address of the message to transmit the message in the communications network along the secure path to the recipient node.
The control entity searches, on the basis of sender information of the message, the memory for an address of a secure return path (ASRP), where the secure return path includes at least one transmission node located between a recipient node and a sender node of the message.
When the ASRP is missing from the memory, the control entity searches for the secure return path by the search device which obtains the sender information of the message as an input and outputs the ASRP. Finally, the control entity writes the ASRP in the return address of the message so that a reply message related to the message can be transmitted in the communications network from the recipient node along the secure return path to the sender node.
[044] In addition to the method, the invention comprises a system for sending the reply message securely by e-mail and the search device for finding the secure path.
[045] The invention is specified in the enclosed claims.
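The control-entity steps above, together with the checking policy of the system 401 described earlier (ASRP formed by inserting "s." after the @, ORA and identifier kept in the memory, reply accepted over an encrypted connection only, ASRP replaced with the ORA on delivery), as an added worked example in Python. It is not code from the patent application or from Deltagon Group Oy: the memory 407 is a dict, the secure-path search is replaced by a constructed list of (normal address, ASP) pairs taken from the bob@deltagon.com example, the identifier is assumed to travel as a message header, the RCPT-stage reply text is constructed, and all class and function names are assumptions.

```python
"""Control entity (message 402) and transmission entity (reply message 403)
flow as an added worked example.  Not code from the patent application or from
Deltagon Group Oy.  Memory 407 is a dict, the secure-path search is a
constructed (normal address, ASP) pair list, the identifier is an assumed
header value, and the RCPT-stage reply text is constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ad hoc transmission way offered to the sender of a refused reply (address
# given in the description).
AD_HOC_URL = "https://secure.compatent.com"


@dataclass
class Message:
    sender: str                        # return address
    recipient: str
    subject: str
    body: str
    identifier: Optional[str] = None   # assumed: carried in a message header


def form_asrp(ora: str) -> str:
    """ASRP formed from the ORA by inserting "s." after the "@"."""
    local, _, domain = ora.partition("@")
    return f"{local}@s.{domain}"


def is_asrp(address: str) -> bool:
    return address.partition("@")[2].startswith("s.")


@dataclass
class CheckingPolicy:
    require_asrp: bool = True        # first check: recipient address is an ASRP
    require_encrypted: bool = True   # second check: reply received over TLS
    require_identifier: bool = True  # third check: identifier matches memory


class ControlEntity:
    def __init__(self, memory: Dict[str, Tuple[str, str]], asp_pairs: List[Tuple[str, str]]):
        self.memory = memory                 # memory 407: ASRP -> (ORA, identifier)
        self.asp_by_address = dict(asp_pairs)  # constructed stand-in for the ASP list

    def process_outgoing(self, msg: Message) -> Message:
        """Rewrite the recipient to the ASP and the return address to the ASRP;
        store the ORA and a fresh identifier so the reply can be verified."""
        asp = self.asp_by_address.get(msg.recipient)
        if asp is None:
            raise LookupError(f"no secure path (ASP) known for {msg.recipient}")
        asrp = form_asrp(msg.sender)
        identifier = secrets.token_hex(8)
        self.memory[asrp] = (msg.sender, identifier)
        return Message(asrp, asp, msg.subject, msg.body, identifier)


class TransmissionEntity:
    def __init__(self, memory: Dict[str, Tuple[str, str]], policy: CheckingPolicy):
        self.memory = memory
        self.policy = policy

    def rcpt_check(self, recipient: str, tls_established: bool) -> str:
        """Policy-service style decision at the RCPT stage: a reply addressed to
        an ASRP over a plaintext connection is refused and the ad hoc way is
        offered instead.  Reply text is constructed for this example."""
        if is_asrp(recipient) and not tls_established:
            return f"550 5.7.1 Encrypted connection required; reply via {AD_HOC_URL}"
        return "250 OK"

    def process_reply(self, reply: Message, tls_established: bool) -> Tuple[Optional[Message], str]:
        """Apply the checking policy, then replace the ASRP with the ORA."""
        p = self.policy
        if p.require_asrp and not is_asrp(reply.recipient):
            return None, "recipient is not an ASRP address"
        if p.require_encrypted and not tls_established:
            return None, "reply was not received over an encrypted connection"
        entry = self.memory.get(reply.recipient)
        if entry is None:
            return None, "no ORA stored for this ASRP"
        ora, expected_id = entry
        if p.require_identifier and (
                reply.identifier is None or not hmac.compare_digest(reply.identifier, expected_id)):
            return None, "identifier missing or wrong: treated as spam"
        return Message(reply.sender, ora, reply.subject, reply.body, reply.identifier), "delivered"


if __name__ == "__main__":
    memory: Dict[str, Tuple[str, str]] = {}
    control = ControlEntity(memory, [("bob@deltagon.com", "bob@deltagon.com.very_secure_server.com")])
    out = control.process_outgoing(Message("alice@compatent.com", "bob@deltagon.com", "hello", "..."))
    entity = TransmissionEntity(memory, CheckingPolicy())
    reply = Message("bob@deltagon.com", out.sender, "RE: hello", "...", out.identifier)
    print(out.sender, out.recipient, entity.process_reply(reply, tls_established=True))
```

The identifier comparison uses a constant-time compare so that a forged "RE:" message cannot probe the stored value byte by byte; disabling any of the three checks through CheckingPolicy mirrors the description's note that the policy can be defined in various ways.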
Brief description of the drawings
[046] The invention is described more closely with reference to the figures of the accompanying drawings, in which
Figure 1A shows nodes and entities which are related to the invention, Figure 1B shows an example of the control entity and the transmission entity, Figure 2 shows the method for transmitting a message and a reply message securely by e-mail,
Figure 3 shows optional additional steps of the method, Figure 4 shows the system for transmitting a message and a reply message securely by e-mail, Figure 5 shows the search device for finding secure paths.
Detailed description of the invention
[047] Figures 1A and 1B illustrate some terms which are related to the invention. After Figure 3, an example of the use of the invention is presented in which imaginary persons, Alice and Bob, send each other e-mail messages.
[048] FIG. 1A shows the nodes and the entities related to the invention. A sender node 101, a transmission node 102, and a recipient node 103 are nodes of an IP based communications network such as the Internet. The nodes 101-103 are different nodes. A server, a router and a terminal are some examples of the nodes of the communications network. Generally speaking, the sender node 101 is a terminal and the recipient node 103 is a terminal. [049] Both a control entity 104 and a transmission entity 105 include at least one node. The control entity 104 may be the same entity as the transmission entity 105, or the entities (104 and 105) may include at least one common node. [050] The sender node 101 sends a message 106 to the recipient node 103.
The control entity 104 receives the message 106. The control entity 104 may include the sender node 101, or the sender node 101 may include the control entity 104. [051] The control entity 104 transmits the message 106 along a secure path 107 to the recipient node 103 after a first address conversion. The secure path includes at least one node of a communications network. The node included in the secure path 107 may be the recipient node 103.
[052] The recipient node 103 sends a reply message 108 in response to the message 106 along the secure return path 109. The transmission entity 105 receives the reply message 108. The transmission entity 105 may include the sender node 101, or the sender node 101 may include the transmission entity 105.
[053] The transmission entity 105 transmits the reply message 108 to the sender node 101 after a second address conversion.
[054] The message 106 is transmitted from the sender node 101 to the control entity 104 in a secure way, and from the control entity 104 to the recipient node 103 along the secure path 107 to retain the confidentiality of the message 106. [055] The reply message 108 is transmitted to the transmission entity 105 along a secure return path 109, and from the transmission entity 105 to the sender node 101 in a secure way to retain the confidentiality of the reply message 108.
[056] The above-mentioned first address conversion performed by the control entity means that the control entity 104 replaces an original return address (ORA) included in the message 106 with the address of the secure return path (ASRP).
[057] The second address conversion, i.e. the address conversion performed by the transmission entity, means that the transmission entity 105 replaces the address of the secure return path (ASRP) included in the reply message 108 with the original return address (ORA).
[058] A server, which is termed a "server of the secure path" (SSP), meets the following two demands:
1) the SSP is able to receive e-mail messages in a confidential way, such as by using the TLS protocol;
2) the SSP is able to transmit messages in a confidential way within a domain/subnet for which it has been defined as the SSP by the holder of the domain/subnet or by another trusted party.
[059] The secure path 107 includes at least the recipient node 103. If the secure path includes only the recipient node 103, the recipient node 103 will be the SSP. The first node of the secure path is the SSP which has the ASP. The first node of the secure path is the node to which the control entity 104 transmits the message 106.
[060] The secure return path 109 includes at least the transmission entity 105. The transmission entity 105 has the ASRP. In more detail, the transmission entity 105 includes the node which is the SSP and has the ASRP.
[061] FIG. 1B shows an example of the control entity and the transmission entity. In this example, the sender node 101 as well as the recipient node 103 are terminals. The sender node 101 has been connected with a local area network 110 to a firewall 111 of the sender. Correspondingly, the recipient node has been connected with a local area network 112 to a firewall 113 of the recipient.
[062] The sent e-mail message moves from the sender node 101 to the recipient node 103 through the firewall 111 of the sender, through the Internet 114 and through the firewall 113 of the recipient.
[063] Correspondingly the reply message, which is related to the e-mail message 106 and which has been sent from the recipient node 103, moves through the firewall 113 of the recipient, through the Internet 114, and through the firewall 111 of the sender to the sender node 101.
[064] Figure 1B illustrates with bi-directional arrows the transmission of the e-mail message and the related reply message.
[065] It should be noticed that the Internet 114 is a network of networks. Of the networks included in the Internet 114, Figure 1B shows an operator network 115 of the sender and an operator network 116 of the recipient. The operator network 115 of the sender provides broadband connections for the sender node 101 and correspondingly the operator network 116 of the recipient provides broadband connections for the recipient node 103. [066] The control entity 104 and the transmission entity 105 are located in one or more devices in the local area network 110, in the firewall 111 of the sender and/or in the operator network 115 of the sender. The control entity 104 and the transmission entity 105 can be placed in various ways. For example, both entities 104 and 105 can be placed in the same e-mail server which is located in the operator network of the sender. [067] Regarding Figure 1A, it was mentioned that the reply message 108 is transmitted from the transmission entity 105 to the sender node 101 in a secure way. The secure way means, for example, that the message transmission from the operator network 115 of the sender to the sender node 101 is secure. It is supposed that a person or an organisation can trust the operator who provides its broadband connections.
[068] Correspondingly, it is supposed that the transmission of the message between the recipient node 103 and the operator network 116 of the recipient is secure. [069] The information security problems of the message transmission relate to the connection between the operator network 116 of the recipient and the operator network 115 of the sender. Typically, there are a number of alternative paths between the networks 115 and 116. Only some of the alternative paths are secure paths. [070] FIG. 2 shows the method for protecting the confidentiality of the contents of the message and the reply message in e-mail in an IP (Internet Protocol) based communications network.
[071] The method utilises at least the control entity. Generally speaking, the control entity is one of the following entities: a terminal of a communications network, a node which transmits e-mail in the communications network, or an entity which includes at least one terminal and at least one node which transmits e-mail. An e-mail server and a firewall are typical examples of the node which transmits the e-mail.
[072] The method comprises the following steps to be performed in the control entity. At first the memory is searched 201, on the basis of the recipient information of the message, for an address of a secure path (ASP), where the secure path includes at least one node. The ASP is the e-mail address which determines the secure path through the server of the secure path (SSP). The node refers to a server, a terminal, or another node of the communications network. The memory used by the method or system according to the invention includes at least one memory device. The memory is available to at least one node, either locally or globally.
When the ASP is missing 202 from the memory, the secure path is searched 203 by the search device. As presented earlier with Figure 1B, there are typically a number of alternative paths (some of which are secure) between the operator network 115 of the sender and the operator network 116 of the recipient. The search device tries to find at least one secure path, or in more detail, at least one SSP. The search device obtains the recipient information of the message as its input and outputs the address of the SSP. The original recipient information is converted on the basis of the address of the SSP into the form of the ASP. The conversion can be performed by adding the address of the SSP to the end of the original recipient address. After that the ASP is written 204 in the recipient address of the message to transmit the message in the communications network along the secure path to the recipient node.
Next the memory is searched 205, on the basis of the sender information of the message, for an address of a secure return path (ASRP), where the secure return path includes at least one transmission node located between the recipient node and the sender node of the message. The ASRP is the e-mail address which directs a possible reply message to the e-mail to pass through the server of the secure path (SSP). The reply message to the e-mail refers to the message that is directed to the so-called return address defined later on.
When the ASRP is missing 206 from the memory, the secure return path is searched 207 by the search device, which obtains the sender information of the message as its input and outputs the address of the SSP. The original return address is converted on the basis of the address of the SSP into the form of the ASRP. The conversion can be performed by adding the address of the SSP to the end of the domain name of the original sender address. The above-mentioned conversions (producing the ASP or the ASRP) can also be performed in other ways obvious to the person skilled in the art.
Finally, the ASRP is written 208 in the return address of the message so that the reply message related to the message can be transmitted in the communications network from the recipient node along the secure return path to the sender node.
[073] The description of the method and system according to the invention contains the terms "sender node" and "recipient node". The sender node and the recipient node may use the same operator network. However, the advantages of the invention are most obvious in the situation described in Figure 1B, in which the sender node and the recipient node use different operator networks. As is generally known, protecting the confidentiality of the contents of the message and the related reply message is challenging in the prior art when the sender node and the recipient node use different operator networks.
[074] Different names for the return address of the message are used in different situations. The return address is, for example, one of the following addresses: the "From" address included in the SMTP (Simple Mail Transfer Protocol) envelope, the "Reply-To" address included in the header part of a MIME (Multipurpose Internet Mail Extensions) message, or another address (such as the "From", "Sender" or "Receiver" address) included in the MIME header. [075] The memory used by the control entity can be initialised so that at least one of the searches will return a positive result: finding the secure path or finding the secure return path.
[076] The memory can be initialised once or repeatedly so that the address of the secure path (ASP) is not found when the memory is searched 201 for the ASP on the basis of the recipient information of the message. In that case, the search for the secure path will be carried out in the method. [077] In addition or alternatively, the memory can be initialised once or repeatedly so that the address of the secure return path (ASRP) is not found when the memory is searched 205 for the ASRP on the basis of the sender information of the message. In that case, the search for the secure return path will be carried out in the method. [078] Thus, by initialising the memory, the control entity can be forced to use the search device to find the secure path or the secure return path. [079] Alternatively, the use of the search device can be suspended for a while or permanently. Then at least one of the addresses ASP or ASRP is stored by the control entity in the memory. As long as the ASP is stored in the memory, the secure path will not be searched for. Correspondingly, the secure return path will not be searched for as long as the ASRP is stored in the memory. [080] FIG. 3 shows the optional additional steps of the method. Steps 201-208, which were presented in Figure 2, are enclosed by the dashed line 301 in Figure 3.
[081] The following optional additional step is preferably performed before steps 201-208. [082] At least the original return address (ORA) of the message is delivered 200 in the method from the control entity to the transmission entity, which includes at least the node that has the ASRP. The ORA can be transmitted from the control entity to the transmission entity in a number of ways obvious to the person skilled in the art. For example, the ORA can be encoded as a part of the ASRP and transmitted with the message. [083] In one embodiment of the invention, the reply message, which has been sent by the recipient node in response to the message, is received 209 in the transmission entity. If necessary, different types of checks can be performed on the reply message. The checks are preferably performed in the handshake stage of the SMTP session related to the reply message. [084] The method comprises the following steps to be performed in the transmission entity after the possible checks. The ASRP included in the recipient address of the reply message is replaced 210 with the ORA, which had been sent by the control entity to the transmission entity, and the reply message is transmitted 211 to the sender node. [085] As mentioned above, the control entity replaces the ORA (included in the return address of the message) with the ASRP. The ASRP can be formed in various ways. In the following, a simple way to form the ASRP is presented. [086] The notation "s." is added in front of the domain name included in the return address. In addition, the MX (Mail exchange) information must be modified so that, on the basis of the modified MX information, the domain name points to such a server which receives e-mail messages only through an encrypted connection, such as a TLS connection.
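The control-entity steps 201-208 of [072], together with the "s." convention for the ASRP of [086] and the ORA hand-over of step 200, as an added example in Python. This is editor-supplied illustration, not code from the patent or from Deltagon. It models the memory as plain dicts and the search device as a callable that returns an SSP address or None; the ASP and ASRP forms follow the text, the shared ora_memory dict is one of the "number of ways" step 200 allows for delivering the ORA to the transmission entity, and the sample data (Alice at compatent.com writing to Bob at deltagon.com, the very_secure_server.com pair) is the page's own example. Which header counts as the return address is configurable in the text ([074]); here both From and Reply-To are rewritten.

```python
"""Control entity of FIG. 2: rewrite recipient to ASP, return address to ASRP."""
from email.message import EmailMessage
from typing import Callable, Dict, Optional

# Search device: recipient address -> address of the SSP, or None when no
# secure path can be found (steps 203/207).
SearchDevice = Callable[[str], Optional[str]]


def form_asp(recipient: str, ssp: str) -> str:
    """ASP: the SSP address appended to the original recipient address ([072])."""
    return f"{recipient}.{ssp}"


def form_asrp(ora: str) -> str:
    """ASRP: the notation "s." inserted in front of the domain of the ORA ([086])."""
    local, domain = ora.rsplit("@", 1)
    return f"{local}@s.{domain}"


def set_header(msg: EmailMessage, name: str, value: str) -> None:
    """EmailMessage refuses a second From/To header, so replace in place."""
    if name in msg:
        msg.replace_header(name, value)
    else:
        msg[name] = value


def new_message(sender: str, recipient: str, subject: str = "Hello") -> EmailMessage:
    """Constructed sample message; the real control entity receives it from the sender node."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("(body)")
    return msg


class ControlEntity:
    def __init__(self, asp_memory: Dict[str, str], asrp_memory: Dict[str, str],
                 ora_memory: Dict[str, str], search_device: SearchDevice) -> None:
        self.asp_memory = asp_memory      # normal address -> ASP pairs ([0117])
        self.asrp_memory = asrp_memory    # ORA -> ASRP
        self.ora_memory = ora_memory      # ASRP -> ORA, shared with the transmission entity (step 200)
        self.search_device = search_device

    def process(self, msg: EmailMessage) -> EmailMessage:
        recipient = str(msg["To"])
        asp = self.asp_memory.get(recipient)              # step 201
        if asp is None:                                   # step 202
            ssp = self.search_device(recipient)           # step 203
            if ssp is None:
                raise LookupError(f"no secure path found for {recipient}")
            asp = form_asp(recipient, ssp)
            self.asp_memory[recipient] = asp              # remember it ([079])
        set_header(msg, "To", asp)                        # step 204

        ora = str(msg["From"])
        asrp = self.asrp_memory.get(ora)                  # step 205
        if asrp is None:                                  # step 206
            asrp = form_asrp(ora)                         # step 207, "s." convention
            self.asrp_memory[ora] = asrp
        self.ora_memory[asrp] = ora                       # step 200: ORA for the transmission entity
        set_header(msg, "From", asrp)                     # step 208
        set_header(msg, "Reply-To", asrp)
        return msg


def demo() -> EmailMessage:
    """Alice writes to Bob; the ASP pair for Bob is already in memory ([0117])."""
    asp_pairs = {"bob@deltagon.com": "bob@deltagon.com.very_secure_server.com"}
    control = ControlEntity(asp_pairs, {}, {}, search_device=lambda recipient: None)
    return control.process(new_message("alice@compatent.com", "bob@deltagon.com"))


if __name__ == "__main__":
    print(demo())
```

When the ASP pair is absent, the search device is consulted and its SSP address is appended, which yields the bob@deltagon.com.fi.mail.s-domain.net form of [0143]; when it returns None the message is not sent at all, which is the safe failure mode for a confidentiality control.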
[087] Usage example. Let us assume that Alice works at a company called Compatent and Bob at a company called Deltagon. Let us assume that Alice has written an e-mail message and sends it to Bob. In that case, alice@compatent.com is the sender and bob@deltagon.com is the recipient in the e-mail message sent by Alice's terminal. [088] Thus, the original return address of the message (ORA) is alice@compatent.com. The return address is modified, i.e. the address of the secure return path (ASRP) is alice@s.compatent.com
[089] It is stated that the note "s", which is included in ASRP, is an example. In other words, some other notation which indicates that the e-mail address is the ASRP could be used instead.
[090] The MX information could be modified for the address conversion presented above as follows:

    normal e-mail:                      compatent.com.     MX  mail.compatent.com.
    e-mail of the secure return path:   s.compatent.com.   MX  tppo.compatent.com.

where the tppo.compatent.com server has the forced TLS configuration.
[091] Due to the forced TLS configuration, the tppo.compatent.com server verifies that it receives a STARTTLS command immediately after the EHLO command. The forced TLS setup can be configured with e-mail delivery software such as Postfix or Sendmail, for example.
[092] Alice's e-mail message is transmitted through a sender node and a recipient node to Bob. [093] Let us assume that Bob reads Alice's message, writes a related reply message and sends the reply message to Alice. Then the recipient node, i.e. the node serving Bob, transmits the reply message to the ASRP address: alice@s.compatent.com [094] Due to the above-mentioned MX information, Bob's reply message must be transmitted to the server "tppo.compatent.com", which accepts e-mail messages only through an encrypted connection (i.e. through a TLS connection). This server serves as the server of the secure path (SSP) in a certain domain.
[095] If the server which transmits the reply message does not currently have a TLS connection to the SSP, the handshake stage (related to the connection) may look, for example, as follows:

    ehlo deltagon.com
    250 OK
    mail from: bob@deltagon.com
    505 Secure path required. Please check https://secure.compatent.com/
[096] A first result of the handshake stage is that the reply message is not transmitted because the return path is insecure. Thus, the confidentiality of the reply message is retained. A second result of the handshake stage is that an ad hoc transmission way for sending the reply message is offered to the sender of the reply message, i.e. to Bob. In more detail, Bob can contact the address https://secure.compatent.com with an Internet browser and send Alice a reply message in a confidential way from the server having said address. Due to the above-mentioned results, the processing of the reply message includes both the enforcement of the protection policy (secure policy enforcement) and the offering of the confidential ad hoc transmission way. [097] Alternatively, the confidentiality of the reply message can be retained with the Policy service included in the Postfix software. During the RCPT stage of the SMTP session, the Policy service forces the server of the secure path (SSP) to check that the connection between the SSP and the server which transmits the reply message has been encrypted, whenever the recipient address of the reply message is an ASRP address. The RCPT stage of the SMTP session may look, for example, as follows:

    ehlo deltagon.com
    250 OK
    mail from: bob@deltagon.com
    250 sender bob@deltagon.com OK
    rcpt to: alice@s.compatent.com
    505 Secure path required. Please check https://secure.compatent.com/alice

[098] When the recipient address is the ASRP address and the connection has not been encrypted, the SSP refuses to receive the reply message. In more detail, the DATA command of SMTP is not executed and so the content of the reply message is not transmitted over the Internet in the SMTP session. [099] In the previous example the sending of the reply message fails because there is no secure return path available. However, Bob can send Alice his reply message by the confidential ad hoc transmission way. [0100] A significant advantage of the Policy service of the Postfix software is that the same server can be used for receiving normal e-mail as well as e-mail of the secure return path. Then, for example, Alice can receive normal e-mail through her alice@compatent.com address and the e-mail of the secure return path through her alice@s.compatent.com address, so that in both cases the same server, such as mail.compatent.com, transmits the e-mail to Alice's terminal. [0101] FIG. 4 shows the system 401 to protect the confidentiality of the contents of a message 402 and a reply message 403 in transmissions which occur by e-mail in an IP-based (Internet Protocol) communications network. [0102] The system 401 comprises a control entity 405, a transmission entity 406, a memory 407 usable by both entities, and a checking policy 408 stored in the memory 407, the transmission entity 406 including at least a node that has an address of the secure return path (ASRP) 409. The node having the ASRP may be a sender node 410.
[0103] The control entity 405 receives the message 402, which the sender node 410 has addressed to a recipient node 411, and stores the original return address (ORA) 412 included in the message 402 into the memory 407.
[0104] The control entity 405 writes the ASRP 409 into the return address of the message 402 in order that the reply message 403 related to the message 402 can be transmitted in the communications network along a secure return path to the sender node 410 of the message 402, the secure return path including at least one transmission node 413 which is located between the sender node 410 and the recipient node 411.
[0105] The control entity 405 transmits the message 402 using the address of the secure path (ASP) to the recipient node 411. [0106] The transmission entity 406 receives according to the checking policy 408 the reply message 403 which the recipient node 411 has sent as a response to message 402. Furthermore, according to the checking policy 408, the transmission entity 406 replaces the ASRP included in the recipient address of the reply message 403 with the ORA read from the memory 407 and transmits the reply message to the sender node 410.
[0107] The checking policy 408 controlling the operation of the system can be defined in various ways. The system 401 preferably includes a user interface 414 through which an authorised user of the system 401 can change the checking policy 408. In addition or alternatively, contents of the memory 407 can be changed through the user interface 414. The user interface 414 is preferably WWW based.
[0108] For example, the following checking policies are possible. [0109] The reply message 403 is transmitted according to the checking policy to the sender node 410 without any checks. Alternatively, the reply message 403 is transmitted to the sender node 410 only when at least one check has been performed and passed.
[0110] In a first optional check the transmission entity 406 is assured of the confidential transmission of the reply message 403 in the communications network 404 when the recipient address of the reply message 403 includes the ASRP.
[0111] In a second optional check the transmission entity 406 is assured of the confidential transmission of the reply message 403 in the communications network 404 when the reply message 403 has been received through an encrypted connection. [0112] In a third optional check the transmission entity 406 verifies that the sender of the reply message 403 is the recipient of the message 402, by checking that the reply message 403 includes a certain identifier which was transmitted with the message 402 to the recipient node 411. The purpose of the identifier is to block spam messages which look like reply messages but in reality are not. [0113] For example, "Cecil" could send Alice a spam message whose heading includes the "RE" notation commonly used in reply messages, though Alice has not sent any message to Cecil. When the above-mentioned third check is applied to Cecil's message, the message is revealed as a spam message, because it does not contain the identifier.
[0114] The identifier can be generated in various ways. The identifier can also be saved into the memory 407 together with the original return address (ORA) 412 included in the message 402. Then the identifier can be fetched from the memory 407 for the third check. [0115] As mentioned above, the control entity 405 writes the ASRP into the return address of the message 402 and then transmits the message, using the ASP, to the recipient node 411. Therefore, the control entity has the ASRP 409 and the address of the secure path (ASP) in its use. [0116] The ASRP 409 is preferably formed on the basis of the ORA 412, for example, by adding the notation "s." after the character @ to Alice's email address alice@compatent.com. Thus, the ASRP does not need to be necessarily stored in the memory 407.
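The checking policy of [097]-[0100] and [0108]-[0114] as an added example in Python; this is editor-supplied illustration, not code from the patent or from Deltagon. The first part is a handler for Postfix's SMTPD policy delegation protocol (name=value lines terminated by an empty line, answered with a single action= line), which is what check_policy_service in smtpd_recipient_restrictions talks to at the RCPT stage; it refuses an ASRP recipient when Postfix reports an empty encryption_protocol attribute, so a plaintext session is stopped before DATA. The second part is the transmission entity's delivery step with the second and third optional checks and the ASRP-to-ORA conversion (step 210). The header name X-Secure-Reply-Id for the identifier and the identifier value are assumptions; the ASRP marker "s." and the ad hoc URL are the page's own examples.

```python
"""SSP-side policy check at RCPT, and transmission-entity delivery of a reply."""
from email.message import EmailMessage
from typing import Dict, Optional

SECURE_PREFIX = "s."                           # ASRP marker from [086]; any other notation works ([089])
AD_HOC_URL = "https://secure.compatent.com/"   # ad hoc transmission way from the page's example
IDENTIFIER_HEADER = "X-Secure-Reply-Id"        # assumed header carrying the identifier of [0112]


def is_asrp(address: str) -> bool:
    """An address is an ASRP when its domain carries the secure-path marker."""
    _, domain = address.rsplit("@", 1)
    return domain.startswith(SECURE_PREFIX)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Postfix sends 'name=value' lines; an empty line ends the request."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(attrs: Dict[str, str]) -> str:
    """Secure policy enforcement at RCPT ([097]-[098]) plus the ad hoc hint ([096])."""
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"                          # let other restrictions decide
    recipient = attrs.get("recipient", "")
    if "@" in recipient and is_asrp(recipient) and not attrs.get("encryption_protocol"):
        local = recipient.split("@", 1)[0]
        # Postfix prefixes its own reply code (access_map_reject_code, 554 by
        # default) to a REJECT text, so only the wording of the page's reply survives.
        return f"REJECT Secure path required. Please check {AD_HOC_URL}{local}"
    return "DUNNO"                              # normal e-mail or an encrypted session ([0100])


def handle_policy_request(raw: str) -> str:
    """Full request/response cycle of the policy protocol."""
    return f"action={policy_action(parse_policy_request(raw))}\n\n"


class TransmissionEntity:
    def __init__(self, ora_memory: Dict[str, str], identifiers: Dict[str, str]) -> None:
        self.ora_memory = ora_memory      # ASRP -> ORA, written by the control entity (step 200)
        self.identifiers = identifiers    # ASRP -> identifier sent with the original message ([0114])

    def deliver(self, reply: EmailMessage, received_over_tls: bool) -> Optional[str]:
        """Return the final recipient (the ORA), or None when a check fails."""
        rcpt = str(reply["To"])
        if not is_asrp(rcpt):
            return rcpt                                   # normal e-mail passes untouched
        if not received_over_tls:
            return None                                   # second optional check ([0111])
        expected = self.identifiers.get(rcpt)
        if expected is None or reply.get(IDENTIFIER_HEADER) != expected:
            return None                                   # third check: Cecil's fake "RE:" ([0113])
        ora = self.ora_memory.get(rcpt)
        if ora is None:
            return None                                   # no ORA known for this ASRP
        reply.replace_header("To", ora)                   # second address conversion ([057], step 210)
        return ora


def demo_reply(tls: bool, identifier_present: bool) -> Optional[str]:
    """Constructed round trip: memory as the control entity left it, then Bob's reply."""
    asrp, ora, ident = "alice@s.compatent.com", "alice@compatent.com", "constructed-id-42"
    entity = TransmissionEntity({asrp: ora}, {asrp: ident})
    reply = EmailMessage()
    reply["From"] = "bob@deltagon.com"
    reply["To"] = asrp
    reply["Subject"] = "RE: Quarterly figures"
    if identifier_present:
        reply[IDENTIFIER_HEADER] = ident
    reply.set_content("Thanks Alice.")
    return entity.deliver(reply, received_over_tls=tls)
```

The policy handler must be wired into the SSP's SMTP daemon (for Postfix: a check_policy_service entry in smtpd_recipient_restrictions pointing at the socket this handler serves), and the SSP itself should still require TLS with smtpd_tls_security_level = encrypt in main.cf, as the forced TLS configuration of [091] describes; the policy check is what lets one server accept both normal and secure-return-path mail ([0100]).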
[0117] The ASP can be stored in the memory 407, if necessary. For example, the ASP can be stored in the memory in a list which consists of pairs of e-mail addresses. The first member of a pair is a normal e-mail address and the second member of the pair is the ASP. The first member of the pair could be, for example, bob@deltagon.com and the second member bob@deltagon.com.very_secure_server.com. "very_secure_server.com" included in the second member of the pair is one example of the address of the server of the secure path (SSP).
[0118] When Alice sends the message 402 to Bob, the control entity 405 fetches, with the address bob@deltagon.com included in the message 402, the address bob@deltagon.com.very_secure_server.com from the list and then sends the message 402 to the address bob@deltagon.com.very_secure_server.com, i.e. to the ASP. [0119] In addition to the list stored in the memory, or instead of it, the control entity 405 can use the transmission node which provides the confidential ad hoc transmission. The ad hoc transmission has been discussed in the "Background of the invention" part of the patent application. [0120] Regarding the ASP and the ASRP, one of the following three options or their combination is usable in the system 401.
1) At least one of the addresses ASP, ASRP can be read from the memory 407.
2) The address of the transmission node which offers the confidential ad hoc transmission can be read from the memory, at least one of the addresses ASP, ASRP being obtainable from the transmission node.
3) The control entity 405 of the system 401 comprises the search device 415 for finding at least one of the addresses ASP, ASRP.
[0121] FIG. 5 shows the search device to find secure paths in the IP based communications network.
[0122] The search device 501 comprises a node finder 502, a domain descriptor 503, a SSP finder 504, a deduction unit 505, and a memory 506.
[0123] The node finder 502 obtains as its input either the domain name of the recipient information of the message or the address of an individual transmission node. If the input is the domain name, the node finder performs, on the basis of the domain name, a DNS (Domain Name System) query which returns a node set consisting of at least one node. If the input is the address of the transmission node, the node finder produces the node set with the Traceroute tool.
[0124] The domain descriptor 503 determines on the basis of the address of the node included in the node set: a country domain, an internet service provider domain, an organizational domain, and a server domain.
[0125] The SSP finder 504 performs at least one of the following DNS queries:
- a first DNS query, on the basis of the server domain, disclosing whether the server of the secure path (SSP) has been defined in the server domain, - a second DNS query, on the basis of the organizational domain, disclosing whether the SSP has been defined in the organizational domain,
- a third DNS query, on the basis of the internet service provider domain, disclosing whether the SSP has been defined in the internet service provider domain,
- a fourth DNS query, on the basis of the country domain, disclosing whether the SSP has been defined in the country domain; and the deduction unit 505 deduces that the search has succeeded when the first, second, third or fourth DNS query discloses that the SSP has been defined in which case the deduction unit 505 returns the address of the SSP.
[0126] The ASP can be formed of the address of the SSP returned by the deduction unit 505, if the search device 501 obtained the recipient information of the message as its input. [0127] Correspondingly, the ASRP can be formed of the address of SSP returned by the deduction unit 505, if the search device 501 obtained the sender information of the message as its input.
[0128] The node set returned by the node finder 502 may contain a great number of nodes, which increases the probability that for at least one node of the node set the SSP is disclosed by one of the four DNS queries.
[0129] The order in which the first, second, third, and fourth DNS queries presented above are performed can be changed, if necessary. [0130] The following example describes the search for the secure path. Therefore, the example is related to the transmission of an e-mail message from the sender node to the recipient node.
[0131] Let us assume that the recipient address is bob@deltagon.com. The node finder returns, on the basis of the domain name of the address, the node set. In the example the node set consists of one node. The IP address of this recipient node is 194.29.195.40. [0132] The search for the secure path is preferably performed, at the latest, during the handshake stage of SMTP. This so-called RCPT stage is performed before the DATA command of SMTP. During the handshake stage of the SMTP session one can check whether the answer to the EHLO command contains the word "STARTTLS", which indicates a confidential transmission way and on the basis of which the recipient server could be determined to be the SSP. Nevertheless, the secure path can be searched for with the method also in the case that a secure connection cannot be formed directly to the recipient node.
[0133] In a preferable embodiment of the search device 501 the domain descriptor 503 determines the domains for a node of the node set in the following way: the country domain on the basis of the first part of the address of the node, the internet service provider domain on the basis of the first two parts of the address of the node, the organisational domain on the basis of the first three parts of the address of the node, and the server domain on the basis of the first four parts of the address of the node.
[0134] As is generally known, an IPv4 address consists of four parts. The following simplified domain determinations can be made for the search of the secure path:
- the first part of the IP address determines the country domain,
- the first two parts of the IP address determine the internet service provider domain,
- the first three parts of the IP address determine the organisational domain,
- the first four parts of the IP address determine the server domain.
[0135] It is obvious to the person skilled in the art that the domain determinations can be made with more exact and more complex methods. For example, the country information can be clarified by making a query to an external "geo IP" database on the basis of the IP address. The identifier information related to the domains can also be presented in different ways. For example, the country information can be presented, instead of a numerical value, with a combination of letters according to the ISO standard. [0136] The search comprises one to four steps. The search succeeds if the secure path is found. If the secure path is not found even at the last step, the search ends without result. [0137] At the first step the SSP is searched for on the basis of the server domain. The search is based on the following DNS query:

    40.195.29.194.tls.s-domain.net

[0138] If the SSP has been defined, the DNS query results in the address of the SSP. Otherwise the second step of the search is performed, etc. [0139] The second step of the search is based on the DNS query:

    195.29.194.tls.s-domain.net

[0140] The third step of the search is based on the DNS query:

    29.194.tls.s-domain.net

[0141] The fourth step of the search is based on the DNS query:

    194.tls.s-domain.net
[0142] In one embodiment of the invention, in which a country code according to the ISO standard is used, the fourth query could be presented in a form fi.tls.s-domain.net wherein "fi" is an identifier describing the geographical location of address 194.29.195.40.
[0143] If, for example, the fourth step of the search returns "fi.mail.s-domain.net" as the positive answer, the address of the server concerned is determined to be the SSP. Hereafter the ASP can be formed by adding the address of the SSP to the end of the recipient address: bob@deltagon.com.fi.mail.s-domain.net
[0144] In the example, the database in which DNS queries can be made operates in tls.s-domain.net. It is obvious for the person skilled in the art that, for example, MX or TXT records can be used as alternatives to the described query format, in which so-called A records of the DNS were used. In addition, it is possible to combine information from the DNS in a recursive way, i.e. new DNS queries can be performed on the basis of the answer returned by a previous DNS query. Furthermore, the information can be handled by means of different algorithms.
[0145] In the example, the special database operating at the address tls.s-domain.net can by its nature be static, dynamic, or a combination of the two. The static database contains the records registered by separate countries, operators and organisations as well as by holders of individual servers. The dynamic database contains information that has been obtained by handling the information output by SMTP connection-forming devices. The devices can form the SMTP connections as a batch process or in real time.
[0146] In addition or alternatively, the dynamic database contains information which has been obtained by handling the output of the Traceroute tool, so-called geo IP geographical information of the IP address, domain information fetched from the so-called RIPE database, the routing information of the communications network, or information originating from other external sources. The IP address of the querying party, or another identifier related to that party or to the transmission of a message or a reply message, can be taken into account in the handling of the information.
[0147] The node finder, which belongs to the search device, can obtain a domain name as its input, in which case the node set is preferably formed by means of a DNS query. The node finder can alternatively obtain the address of the transmission node as its input. Then the node finder preferably uses the Traceroute tool to form the node set. The tool results in an ordered node set in which the first node is the nearest node in regard to hops and the last node is the node farthest away from the search device in regard to hops.
[0148] When the node set is created with the Traceroute tool, the search device preferably queries the DNS special database for information concerning more than one node. The addresses of the nodes can be separated in a query with a desired delimiter by methods known to the person skilled in the art. The addresses of the nodes are preferably disclosed in the query in the order of the ordered node set produced by the Traceroute tool.
[0149] In addition, it is possible to make a search from the RIPE database with the addresses of the nodes and to compare the domains found there to the routing information of the queried domain. Then the node finder preferably returns the address of the farthest node with respect to the search device (in regard to hops) which is located in the same domain as the nearest node with respect to the search device (in regard to hops).
[0150] In the method and system according to the invention the search device can be used to secure the confidentiality of the content of a reply message. In that case the search device is preferably coupled to a transmission entity, which outputs the address of the transmission node to the search device as the input. If the address of the SSP found for the transmission node is the same as the address of the transmission entity, the transmission method of the reply message can be considered secure.
[0151] In addition or alternatively, the search device can be used, in the method and system according to the invention, to secure the confidentiality of the content of the message.
[0152] For information security reasons it is recommended to try to find an SSP that serves as small a domain as possible. A protection classification for messages can be determined, for example, on a scale of 1-4, according to which only an SSP of a certain protection class can be used for the transmission of the message.
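The four-step DNS search of paragraphs [0134]-[0143] and the protection class of paragraph [0152], as an added example that is not part of the patent: the special database is replaced by a constructed in-memory resolver so it runs offline, and the protection class is taken to be the step at which the SSP was found (1 = server domain, 4 = country domain), which is an assumption about how the scale of [0152] maps onto the search.

```python
from typing import Callable, Optional

SPECIAL_DB = "tls.s-domain.net"  # the special DNS database of the patent's example

# Search steps in order, narrowest domain first ([0136]-[0141]); the step number
# is taken here as the protection class of [0152] (1 = server, 4 = country).
STEPS = ("server", "organizational", "internet service provider", "country")


def domain_descriptor(ip: str) -> dict:
    """Simplified domain determination of [0134]: leading parts of the IPv4 address."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return {
        "country": parts[:1],
        "internet service provider": parts[:2],
        "organizational": parts[:3],
        "server": parts[:4],
    }


def ssp_queries(ip: str, base: str = SPECIAL_DB) -> list:
    """DNS names queried at steps 1..4. The patent writes the address parts in
    reverse order, e.g. 40.195.29.194.tls.s-domain.net for 194.29.195.40."""
    domains = domain_descriptor(ip)
    return [".".join(reversed(domains[name])) + "." + base for name in STEPS]


def find_ssp(ip: str, resolve: Callable[[str], Optional[str]], max_class: int = 4):
    """Return (ssp_address, protection_class), or None when no SSP is defined.
    Steps are tried from the smallest domain outwards; steps beyond max_class
    are never queried, so an SSP serving too wide a domain is not used."""
    for step, qname in enumerate(ssp_queries(ip), start=1):
        if step > max_class:
            break
        answer = resolve(qname)  # None models a negative DNS answer
        if answer:
            return answer, step
    return None


def form_asp(recipient: str, ssp: str) -> str:
    """[0143]: the ASP is the recipient address with the SSP address appended."""
    return f"{recipient}.{ssp}"


# Constructed contents of the special database: only a country-level record exists.
FAKE_DB = {"194.tls.s-domain.net": "fi.mail.s-domain.net"}


def fake_resolve(qname: str) -> Optional[str]:
    """Stand-in for an A-record lookup against the special database."""
    return FAKE_DB.get(qname)


if __name__ == "__main__":
    hit = find_ssp("194.29.195.40", fake_resolve)
    print(hit)  # ('fi.mail.s-domain.net', 4)
    print(form_asp("bob@deltagon.com", hit[0]))  # bob@deltagon.com.fi.mail.s-domain.net
```

With `max_class=3` the same address yields no SSP at all, which is the effect the protection classification is meant to have: a country-wide SSP is not accepted for a message that requires a narrower one.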
[0153] In addition to the embodiments, descriptions and examples of the invention that have been presented above, the method, system and search device according to the invention can be implemented in various ways which, however, are obvious to the person skilled in the art owing to his/her professional skill and the guidance given by this patent application.

Claims
1. A method to protect confidentiality of contents of a message and a reply message in transmission occurring by e-mail in a communications network of an IP (Internet Protocol) -based network, characterized in that the method comprises the following steps to be performed at a control entity: searching (201), on the basis of recipient information of the message, a memory for an address of a secure path (ASP), where the secure path includes at least one node; when the ASP is missing (202) from the memory, searching (203) for the secure path by a search device which obtains the recipient information of the message as an input and outputs the ASP; writing (204) the ASP in a recipient address of the message to transmit the message in the communications network along the secure path to the recipient node; searching (205), on the basis of sender information of the message, the memory for an address of a secure return path (ASRP), where the secure return path includes at least one transmission node located between a recipient node and a sender node of the message; when the ASRP is missing (206) from the memory, searching (207) for the secure return path by the search device which obtains the sender information of the message as an input and outputs the ASRP, and writing (208) the ASRP in the return address of the message so that the reply message related to the message can be transmitted in the communications network from the recipient node along the secure return path to the sender node.
2. The method as in claim 1, characterized in that the method comprises a step of delivering (200) at least an original return address (ORA) from the control entity to the transmission entity which includes at least the node having the ASRP.
3. The method as in claim 2, characterized in that the method comprises a step of receiving (209) in the transmission entity the reply message which is addressed to the ASRP and which the recipient node has sent in response to the message.
4. The method as in claim 3, characterized in that the method comprises the following steps to be performed in the transmission entity: replacing (210) the ASRP included in the recipient address of the reply message with the ORA, which the control entity sent to the transmission entity, and transmitting (211) the reply message to the sender node.
5. The method as in claim 1, characterized in that the method comprises a step of storing by the control entity at least one of the addresses the ASP, the ASRP into the memory.
6. The method as in claim 1, characterized in that a memory is installable so that at least one of the searches is to be performed: the search of the secure path, the search of the secure return path.
7. The method as in claim 1, characterized in that the control entity is one of the following entities: a terminal of the communications network, a node transmitting e-mail in the communications network, or an entity which comprises at least one terminal and at least one node transmitting e-mail.
8. The method as in claim 1, characterized in that the return address is one of the following addresses: the "From" address included in an SMTP (Simple Mail Transfer Protocol) envelope, the "Reply To" address included in a MIME (Multipurpose Internet Mail Extensions) header, or another address included in the MIME header.
9. A system to protect confidentiality of contents of a message and a reply message in transmission occurring by e-mail in a communications network of an IP (Internet Protocol) -based network, characterized in that the system comprises a control entity, a transmission entity, a memory for both entities, and a checking policy stored in the memory, the transmission entity including at least a node which has an address of a secure return path (ASRP), wherein the control entity receives the message, which a sender node has addressed to a recipient node, and stores an original return address (ORA) of the message into the memory; the control entity writes the ASRP in a return address of the message so that the reply message related to the message can be transmitted in the communications network along the secure return path to the sender node of the message, the secure return path comprising at least one transmission node located between the sender node and the recipient node; the control entity transmits the message using the address of the secure path (ASP) to the recipient node of the message; the transmission entity receives according to the checking policy the reply message which the recipient node has sent in response to the message, and according to the checking policy the transmission entity replaces the ASRP included in a recipient address of the reply message with the ORA, which is read from the memory, and transmits the reply message to the sender node.
10. The system as in claim 9, characterized in that the reply message is transmitted according to the checking policy to the sender node without any checking.
11. The system as in claim 9, characterized in that according to the checking policy the reply message is transmitted to the sender node only when at least one checking has been performed and passed.
12. The system as in claim 11, characterized in that in a first checking the transmission entity is ensured about a confidential transmission way of the reply message in the communications network when the recipient address of the reply message includes the ASRP.
13. The system as in claim 11, characterized in that in a second checking the transmission entity is ensured about a confidential transmission way of the reply message in the communications network when the reply message has been received through an encrypted connection.
14. The system as in claim 11, characterized in that in a third checking the transmission entity identifies a sender of the reply message as a recipient of the message when the reply message includes a certain identifier, which was transmitted to the recipient node with the message.
15. The system as in claim 9, characterized in that at least one of the addresses the ASP, the ASRP is readable in the memory.
16. The system as in claim 9, characterized in that an address of a transmission node providing ad hoc transmission with confidence is readable in the memory, at least one of the addresses the ASP, the ASRP being available from the transmission node.
17. The system as in claim 9, characterized in that the control entity comprises a search device for finding at least one of the addresses the ASP, the ASRP.
18. The system as in claim 9, characterized in that the transmission entity rejects the reply message, if the ASRP is missing from the reply message.
19. The system as in claim 9, characterized in that the transmission entity rejects the reply message, if encryption is missing from a connection intended for transmission of the reply message.
20. The system as in claim 18 or 19, characterized in that the transmission entity returns in connection with rejection of the reply message an address of a server which provides the ad hoc transmission.
21. A search device for finding secure paths in a communications network of an IP (Internet Protocol) -based network, characterized in that the search device comprises a node finder, a domain descriptor, an SSP finder, a deduction unit, and a memory, wherein the node finder obtains either recipient information of the message or a domain of a sender information or an address of a transmission node as an input and returns a node set consisting of at least one node; the domain descriptor determines on the basis of an address of a node included in the node set: a country domain, an internet service provider domain, an organizational domain, and a server domain; the SSP finder performs at least one of the following DNS (Domain Name System) queries:
- a first DNS query, on the basis of the server domain, disclosing whether a server of a secure path (SSP) has been defined in the server domain,
- a second DNS query, on the basis of the organizational domain, disclosing whether the SSP has been defined in the organizational domain,
- a third DNS query, on the basis of the internet service provider domain, disclosing whether the SSP has been defined in the internet service provider domain,
- a fourth DNS query, on the basis of the country domain, disclosing whether the SSP has been defined in the country domain,
and the deduction unit deduces that a search has succeeded when the first, second, third or fourth DNS query discloses that the SSP has been defined, in which case the deduction unit returns an address of the SSP.
22. The search device as in claim 21, characterized in that the domain descriptor determines the country domain on the basis of a first part of the address of the node, the internet service provider domain on the basis of first two parts of the address of the node, the organizational domain on the basis of first three parts of the address of the node, and the server domain on the basis of first four parts of the address of the node.
23. The search device as in claim 21, characterized in that performance order of the first, second, third and fourth DNS query can be changed.
24. The search device as in claim 21, characterized in that the node finder produces the node set using the Traceroute tool.
25. The search device as in claim 21, characterized in that the node finder performs on the basis of a domain name a DNS query which results in the node set.
26. The search device as in claim 25, characterized in that a DNS special database comprises a static database and a dynamic database, in which case the DNS query is re-addressed to the dynamic database when the DNS query to the static database results in a negative answer.
27. The search device as in claims 24 and 26, characterized in that the DNS special database is queried at once for information concerning at least two nodes, the order of the nodes corresponding to the order of the nodes in the node set obtained by the Traceroute tool.
28. The search device as in claim 27, characterized in that on the basis of at least one node of the node set a search is performed in the RIPE database, the domains found there and the routing information of the queried domain are compared, and the address of the farthest node in regard to hops which is located in the same domain as the nearest node in regard to hops is returned.
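The reply-message handling of claims 9-20, as an added example that is not part of the patent: a transmission entity applies the checking policy (ASRP present in the recipient address, encrypted connection, known identifier), rejects with the ad hoc server address where claims 18-20 say so, and otherwise replaces the ASRP with the ORA read from the memory. The message fields, the memory layout and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Reply:
    """A reply message as seen by the transmission entity (constructed shape)."""
    recipient: str                    # recipient address; should carry the ASRP
    encrypted_connection: bool        # arrived over an encrypted SMTP connection?
    identifier: Optional[str] = None  # identifier sent to the recipient with the message


@dataclass
class CheckingPolicy:
    """Which of the claims' checks the transmission entity applies."""
    require_asrp: bool = True         # claims 12 and 18
    require_encryption: bool = True   # claims 13 and 19
    require_identifier: bool = False  # claim 14


@dataclass
class Memory:
    """State the control entity wrote into the shared memory (constructed layout)."""
    ora_by_asrp: Dict[str, str]  # ASRP -> original return address (claims 2 and 9)
    identifiers: Set[str]        # identifiers issued with outgoing messages
    ad_hoc_server: str           # returned on rejection (claim 20)


@dataclass
class Outcome:
    accepted: bool
    recipient: Optional[str] = None  # rewritten recipient (the ORA) when accepted
    reason: Optional[str] = None
    ad_hoc_server: Optional[str] = None


def handle_reply(reply: Reply, policy: CheckingPolicy, memory: Memory) -> Outcome:
    """Apply the checking policy, then replace the ASRP with the ORA (claim 9)."""
    ora = memory.ora_by_asrp.get(reply.recipient)
    if policy.require_asrp and ora is None:
        return Outcome(False, reason="ASRP missing", ad_hoc_server=memory.ad_hoc_server)
    if policy.require_encryption and not reply.encrypted_connection:
        return Outcome(False, reason="no encrypted connection",
                       ad_hoc_server=memory.ad_hoc_server)
    if policy.require_identifier and reply.identifier not in memory.identifiers:
        return Outcome(False, reason="identifier not recognised")
    # Claim 10: with every check switched off the reply is forwarded as it is
    # when no ASRP mapping exists; otherwise the ASRP is still replaced by the ORA.
    return Outcome(True, recipient=ora if ora is not None else reply.recipient)


# Constructed memory: one outstanding message from alice, one issued identifier.
MEMORY = Memory(
    ora_by_asrp={"reply-7f3a@secure.example": "alice@example.org"},
    identifiers={"msg-7f3a"},
    ad_hoc_server="adhoc.secure.example",
)

if __name__ == "__main__":
    ok = handle_reply(Reply("reply-7f3a@secure.example", True, "msg-7f3a"),
                      CheckingPolicy(require_identifier=True), MEMORY)
    print(ok)  # Outcome(accepted=True, recipient='alice@example.org', reason=None, ad_hoc_server=None)
    print(handle_reply(Reply("alice@example.org", True), CheckingPolicy(), MEMORY).reason)  # ASRP missing
```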
PCT/FI2009/050580 2008-06-27 2009-06-26 Method and system for protecting confidentiality of messages and search device WO2009156597A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP09769440A EP2297906A2 (en) 2008-06-27 2009-06-26 Method and system for protecting confidentiality of messages and search device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20085663A FI123250B (en) 2008-06-27 2008-06-27 Procedure for protecting the confidentiality of the content of a message and a reply
FI20085663 2008-06-27

Publications (2)

Publication Number Publication Date
WO2009156597A2 true WO2009156597A2 (en) 2009-12-30
WO2009156597A3 WO2009156597A3 (en) 2010-10-07

Family

ID=39589424

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2009/050580 WO2009156597A2 (en) 2008-06-27 2009-06-26 Method and system for protecting confidentiality of messages and search device

Country Status (3)

Country Link
EP (1) EP2297906A2 (en)
FI (1) FI123250B (en)
WO (1) WO2009156597A2 (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6643687B1 (en) * 2000-04-07 2003-11-04 Avid Technology, Inc. Email system delivers email message to a proxy email address that corresponds to a sender and recipient pairing
JP2001358750A (en) * 2000-06-13 2001-12-26 Nec Corp Mail transfer device, system provided with the same, telephone number transfer device and system provided with the same

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103918000A (en) * 2011-09-28 2014-07-09 迈可菲公司 Securing email conversations
CN103918000B (en) * 2011-09-28 2018-02-02 迈可菲公司 Ensure email conversations safety
WO2016170226A1 (en) * 2015-04-24 2016-10-27 Suomen Turvaposti Oy Method for transmitting electronic mail messages securely encrypted and a secured mail server
US10341120B2 (en) 2015-04-24 2019-07-02 Info Center International ICF OY Method for transmitting electronic mail messages securely encrypted and a secured mail server
US10742617B2 (en) 2017-05-24 2020-08-11 Esipco, Llc System for sending verifiable e-mail and/or files securely
US10944729B2 (en) 2017-05-24 2021-03-09 Esipco, Llc System for sending verifiable e-mail and/or files securely
US11516187B2 (en) 2017-05-24 2022-11-29 Esipco, Llc System for sending verifiable e-mail
US11582205B2 (en) 2017-05-24 2023-02-14 Esipco, Llc System for sending e-mail and/or files securely
US11848921B2 (en) 2017-05-24 2023-12-19 Esipco, Llc System for sending e-mail and/or files securely

Also Published As

Publication number Publication date
WO2009156597A3 (en) 2010-10-07
FI20085663A (en) 2009-12-28
FI123250B (en) 2013-01-15
FI20085663A0 (en) 2008-06-27
EP2297906A2 (en) 2011-03-23

Similar Documents

Publication Publication Date Title
EP1536601B1 (en) Encryption method and system for emails
Oppliger Internet and intranet security
Rhee Internet security: cryptographic principles, algorithms and protocols
Goldberg et al. Freedom network 1.0 architecture and protocols
Alani Guide to OSI and TCP/IP models
FI118619B (en) Method and system for encrypting and storing information
EP1396979B1 (en) System and method for secure group communications
US8346949B2 (en) Method and system for sending a message through a secure connection
US7725931B2 (en) Communications system with security checking functions for file transfer operation
US20040249911A1 (en) Secure virtual community network system
US20040249974A1 (en) Secure virtual address realm
US20040249973A1 (en) Group agent
US20100192202A1 (en) System and Method for Implementing a Secured and Centrally Managed Virtual IP Network Over an IP Network Infrastructure
New et al. Reliable Delivery for syslog
US20040243837A1 (en) Process and communication equipment for encrypting e-mail traffic between mail domains of the internet
Gabber et al. On secure and pseudonymous client-relationships with multiple servers
WO2002017558A2 (en) Method and apparatus for data communication between a plurality of parties
EP2297906A2 (en) Method and system for protecting confidentiality of messages and search device
US20070297408A1 (en) Message control system in a shared hosting environment
Goldberg et al. Freedom network 1.0 architecture
EP1973275A1 (en) Data communications method and apparatus
FI122184B (en) Search appliance for the discovery of secure paths in an Internet Protocol-based communication network
CA2328548A1 (en) Privacy system
New et al. RFC3195: Reliable Delivery for syslog
Pahlevan Signaling and policy enforcement for co-operative firewalls

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 09769440; Country of ref document: EP; Kind code of ref document: A2
NENP Non-entry into the national phase
Ref country code: DE
WWE Wipo information: entry into national phase
Ref document number: 2009769440; Country of ref document: EP