
ZA200601931B - Message security - Google Patents

Publication number
ZA200601931B
Authority
ZA
South Africa
Prior art keywords
terminal
key
seed
user
email
Application number
ZA200601931A
Inventor
Davin Peter
Original Assignee
Secured Email Goeteborg Ab
Application filed by Secured Email Goeteborg Ab

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Description

Title
MESSAGE SECURITY
The field of the invention
The present invention relates to a method and system for secure and encrypted transmission of messages, in particular e-mails, in a communication network.
The background of the invention
It is now a normal behaviour to communicate via electrical mail (email) as the access to Internet and other intra networks has increased. Every day millions of emails are sent over Internet, containing many types of information. Emailing is also used within the companies and enterprises for internal and external communications. Many of the e-mails contain sensitive and secret information.
Unfortunately, all emails do not reach their destination and might even be received by wrong addressees. Moreover, it is usually easy for unauthorised persons to crack servers, or access networks and read emails.
There is provided a number of solutions for sending encrypted e-mails: PGP (Pretty Good Privacy) (PGP and Pretty Good Privacy are registered trademarks of PGP Corporation) is one application that is used for sending encrypted emails. This application is a plug-in for email programs based on using public keys. Two users exchange public keys, which then can be used to encrypt and decrypt e-mails or other files. Moreover, when an email is encrypted and transmitted with the receiver's public key, the sending party cannot access the email.
It is also possible to provide a document and attach it to the e-mail and give the addressee the password for accessing the attachment.
Both these solutions imply that each time a new encrypted file or e-mail is accessed a password or a personal key must be used. Passwords and personal keys can be forgotten or come into possession of unauthorised persons. Moreover, tests have shown that many people, to avoid forgetting a password/personal key, use family names, pet names etc., which can easily be guessed, or even make notes.
In the international patent application WO 02/077773, a system, method, and computer program product for providing an encrypted email reader and responder is described. The method of distributing and initializing an encrypted e-mail includes: obtaining by a first user a license for an email client software application program having public/private encryption; requesting by the first user that a second user download a reader/responder software application program in order to exchange encrypted email between the first user and the second user; downloading and installing the reader/responder software application program by the second user; sending an email by the second user to the first user including embedding an unencrypted public key by using a send key function of the reader/responder software application program; receiving the email from the second user by the first user, wherein the unencrypted public key is embedded in the email; responding by the first user by sending a second email to the first user, where the reader/responder software application program encrypts a message of the second email into an encrypted message using the unencrypted public key of the second user; receiving the second email by the second user with the encrypted message as an attachment from the first user into a third party email software application program, wherein the third party email software application program is different from the reader/responder software application program and the email client software application program; and opening by the second user the attachment to execute the reader/responder software application program operative to allow a user without the email client software to read and respond to encrypted email created and sent from a user having the email client software.
Published US application No. 2002059529 relates to a secure email system for pre-selected email users forming a participating user group requiring secure communication, comprising a secure list server to which all secure emails are sent by members of the participating user group, the server comprising a store for certification data and a CPU which compares the names of intended recipients of each email message with data in the store and processes the message to facilitate onward certificated transmission provided the recipient is duly certificated as indicated by data in the store.
US 2003140235 relates to a method for exchanging electronic messages between a sender with an enrolled biometric feature set and a receiver with an enrolled biometric feature set, comprising: a. exchanging enrolled biometric feature sets between the sender and receiver; b. generating a live-scan biometric feature set of the sender; c. generating a first difference key derived from the difference between the sender's live-scan biometric feature set and the sender's enrolled biometric feature set; d. encrypting the message with the first difference key; e. encrypting said sender's live-scan biometric feature set with an encryption key; f. transmitting to the receiver the encrypted message and said encrypted sender's live-scan biometric feature set; g. decrypting by the receiver said encrypted sender's live-scan biometric feature set; h. regenerating by the receiver the first difference key by calculating the difference between said sender's live-scan biometric feature set and the sender's enrolled biometric feature set; and i. decrypting the message by use of the regenerated first difference key.
WO 01/917366 relates to an apparatus and method for generating pseudo-random cryptographic keys in cryptographic communications systems. Given a common set of initializing configuration data, the pseudo-random cryptographic keys can be duplicatively generated by various independent pseudo-random key generators of the cryptographic communications system.
WO 02/39660 relates to a system and method for cryptographic communication among multiple users and a central service provider using in situ generated cryptographic keys. Each user communicates with the central service provider preferably using a user communication interface that includes a local key generator, which, after initialization with the user's own individual seed value, generates a unique cryptographic key. By distributing different user individual seeds unique to each user, each user's local key generator generates a unique set of keys. The central service provider also possesses a local key generator, and also preferably possesses a copy of all the individual seeds assigned to authorized users. The central service provider preferably communicates in a secure encrypted fashion with each user using cryptographic keys generated from that user's individual seeds. Distribution of additional seed values common to more than one user, via encrypted communication using the unique individual cryptographic key generations, then permits secure conditional access to said users via signal encryption using key generations resulting from a seed value common to the intended group of users.
OTP: One-time pad generator program is a shareware program distributed through the Internet (http://www.fourmilab.ch/onetime) for generating one-time pads or password lists.
The summary of the invention
The main object according to the best embodiment of the present invention is to provide a secure e-mailing system allowing encryption and decryption of e-mails without a need for repeated use of passwords or personal keys. In particular, the invention concerns generating synchronised encryption keys at at least two remote sites for encrypting and decrypting emails or similar messages.
Another object of the present invention is to provide an e-mailing system that can filter undesired e-mails, so-called spam.
Yet another object of the present invention is to provide an e-mailing system that facilitates purchase of secure e-mail software programmes.
For these reasons, the invention according to the best embodiment relates to a method of transmitting an electrical message, preferably an email, from a first user having a first terminal to a second user having a second terminal, comprising the steps of: transmitting said email in an encrypted form by said first terminal, said encrypted email being encrypted by means of a key generated by a first key generator using a seed, providing once said second user with said seed for generating a key with a second key generator provided in said second terminal, providing to and storing said seed in said second terminal, using said seed by said second terminal for generating a key each time an encrypted email from said first user to said second user is received, synchronising a counting value in each terminal; and generating said key on the basis of said seed and a counting value in each terminal, independently of other terminal.
Most preferably the seed is obtained only once, at the first initiation. Preferably a second seed is obtained if said first seed is unusable, e.g. when the application is reinstalled or installed on a new computer.
According to one embodiment, when a number of emails are sent to a receiver a dynamic serial number is obtained for each encrypted email. The dynamic serial number is used for generating a key for the corresponding encrypted email.
According to one embodiment, the invention comprises further steps of synchronising a counting value in each terminal; and generating said key on the basis of said seed and a counting value in each terminal, independently of other terminal. The seed is saved in a dynamic and exchangeable fashion at least in one of the terminals, and preferably in all terminals. The counting value is generated in a counter in each terminal, the synchronisation of the counting values involving synchronisation of the counters. Following the initial synchronisation of the counters, the terminals execute supplementary synchronisation steps only when needed. The key-generating operation on the basis of the seed and the counting value is effected by means of a calculating algorithm stored in a non-dynamic and non-changeable fashion in at least one of the terminals.
According to one embodiment the invention also comprises the step of generating a list of entrusted terminals based on the received seed, and accepting emails only from registries in said list. Thus, spam can be stopped.
For security reasons, the invention, according to the best embodiment, comprises the step of providing said seed by said first user to said second user through at least one of phone call, fax or letter.
The encrypted email is provided with attachments encrypted together with the email.
The invention also relates to a system for transmitting emails from a first user to a second user. The system comprises a first terminal and a second terminal, the system further comprises: means for transmitting said secure email in form of an encrypted mail by said first terminal, said encrypted e-mail being encrypted by means of a key generated by a first key generator using a seed, means for providing once said second user with said seed for generating a key with a second key generator, means for providing to and means for storing said seed in said second terminal, means for generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said seed.
Each terminal comprises a key-generating unit, which comprises a memory, in which identical seeds are stored, a counter to periodically change a counting value, and a calculating terminal adapted to generate, in each terminal and independently of other terminals, a key on the basis of the original value and a counting value issued from the counter. The memory for storing of the seed in at least one of the terminals is a dynamic memory arranged to store the seed in a dynamic and exchangeable fashion. The terminals are arranged to sense when they are not synchronised and to then reset synchronisation. The calculating unit of at least one of the terminals comprises a calculating algorithm, which is stored in a non-dynamic and non-changeable fashion, and which preferably is hardware-implemented. One of the terminals is a central terminal comprising a plurality of seeds for secure encrypted transmission involving several different terminals having one original value each.
The invention also relates to a computer program product for transmitting a secure e-mail from a first user having a first terminal to a second user having a second terminal, comprising a code for: encrypting and transmitting said email from said first terminal, generating a key using said first seed in said first terminal, obtaining said seed for generating a key with a second key generator in said second terminal, storing said seed in said second terminal, generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said stored seed.
The invention also relates to a propagated signal for transmitting a secure email from a first user having a first terminal to a second user having a second terminal, comprising a signal comprising a code for: encrypting and transmitting said email from said first terminal, generating a key using said first seed in said first terminal, obtaining said seed for generating a key with a second key generator in said second terminal, storing said seed in said second terminal, generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said stored seed.
The invention also relates to a computer readable medium having stored therein instruction sets for transmitting a secure e-mail from a first user having a first terminal to a second user having a second terminal, said instruction set comprising a code for: encrypting and transmitting said email from said first terminal, generating a key using said first seed in said first terminal, obtaining said seed for generating a key with a second key generator in said second terminal, storing said seed in said second terminal, and generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said stored seed. The medium may be a memory unit.
The invention also relates to a method of marketing an instruction set for transmitting and receiving a secure e-mail from a first user having a first terminal to a second user having a second terminal. The method comprises: transmitting said secure email in an encrypted form by said first terminal, said encrypted e-mail being encrypted by means of a key generated by a first key generator using a seed, providing said secure email with an accessible message referring to a vendor place, obtaining from said vendor place a second instruction set for decrypting said email, and debiting said second user for using said second instruction set for encrypting a new email. Most preferably the method is computerised. The billing is upon ordering or reception of said second instruction set. The second instruction set is an access code to a preinstalled instruction set.
The invention also relates to a method of filtering emails to a recipient, from a first user having a first terminal to the recipient being a second user having a second terminal, said email being transmitted in an encrypted form by said first terminal, said encrypted e-mail being encrypted by means of a key generated by a first key generator using a seed, providing once said second user with said seed for generating a key with a second key generator provided in said second terminal, generating a list of trusted senders by said second terminal based on a sender-receiver relation generated by said seed, and acting upon reception of an email, based on said list. The action can be one of storing, deleting or returning said email.
Short description of the drawings
In the following the invention will be described with reference to enclosed schematic drawings, illustrating the preferred embodiments of the invention in a non-limiting way:
Fig. 1 is a flow diagram over communication steps in a network according to the invention,
Fig. 2 is a block diagram illustrating a computer terminal,
Fig. 3 is a flow diagram illustrating steps of a part of the invention, and
Fig. 4 is a flow diagram illustrating part of the invention.
Detailed description of the preferred embodiments
Basically, the invention allows providing an initiation seed to the system from both sending and receiving parties and generates, for each email, encryption keys that differ from email to email but are the same at the sender and receiver terminals, based on the same seed and without need of providing the seed each time an email is transmitted. The present invention according to a preferred embodiment is an application, realised as an add-on to an e-mail program such as Microsoft Outlook, Lotus Notes, Outlook Express etc. In the following, non-limiting examples are given with respect to Microsoft Outlook. However, it is appreciated that the teachings of the invention can be applied to any data communication application/system in general and emailing application/system in particular. The invention can thus be applied to SMS and MMS transmissions too.
Fig. 1 illustrates the schematic communication flow between two users using computer terminals for sending and receiving e-mails. The transmitting terminal is designated with 110 and receiver with 120. Clearly, two terminals are given as an example and the invention can be applied on several terminals. The communication between the terminals is conducted through Internet or an intranet using an e-mail server running, e.g. Exchange Server.
The system of the invention creates a secure way for e-mail communication. Each sender/receiver relation between two e-mail addresses is considered unique (a channel). The system handles each pair of sender/receiver with their own specific encryption keys.
According to the flow diagram of Fig. 1, the user of terminal 110 sends (1) an email to the user of the receiving terminal 120. Terminal 110 is equipped with an application according to the present invention, which encrypts the emails. In the following example, the sender is assumed to have email address “110@mail.com” and the receiver “120@mail.com”. The email message is encrypted using a conventional encryption algorithm such as SHS-1, Blowfish or the like and locked with an encryption key. If the encryption application detects that the receiver is not one of the entrusted receivers, i.e. the receiver is not in a register of receivers provided with a decryption application or decryption password, the application asks the sender to provide an initiating password or secret for the particular receiver.
The secret provided by the sender, e.g. 120xxx, is stored in the system together with other relevant information (such as email address) about the receiver. The secret is used:
- for generating a key and initiating a channel having a key, e.g. 110120xxx, which is used for transmitting emails to receiver 120;
- for generating a key, e.g. 120110xxx, which is used when receiving emails from 120; and
- for generating a unique encryption key for transmitting emails.
The key generation is described in more detail below.
It should be pointed out that channel herein refers to a virtual channel, and concerns the sender-receiver relation that is obtained.
If the receiver does not have a decryption application, the email is provided with a non-encrypted message to the receiver that the email is encrypted and to access (2) a program provider 130, e.g. an Internet service provider, to obtain/download (3) a decryption program. The encrypted email may also be sent as an attachment to a message (information) email. If the key is missing, i.e. the receiver has not received decryption permission, after installation of the decryption program, the receiver is instructed to obtain a “secret” to be able to generate a key for decrypting the e-mail. The receiver can for example call (4) the sender to obtain (6) the secret to initiate the key generation. When the encryption part is installed and the secret is inserted the encrypted email can be decrypted. The application at the receiver stores information about the sender and:
- generates a key and initiates a channel having a key, e.g. 120110xxx, which is used for transmitting emails to the sender 110;
- initiates a channel using a key, e.g. 110120xxx, which is used when receiving emails from 120; and
- generates a unique encryption key for receiving emails from the sender 110.
Thus, a sender-receiver relation is created.
In the subsequent steps, i.e. when the relation is created and both the sender and receiver have the initiated keys, there is no need for new exchange of secrets or passwords. The sender and receiver applications at each terminal will automatically identify and generate an encryption/decryption key, e.g. based on the sender/receiver email address.
Next time when an email is sent from 110 to 120, the sender application detects that the receiver 120 is in the register and generates a new unique encryption key for the email, based on the generated channel. The key is used to encrypt the message. Together with the email a dynamic serial number is sent, which identifies the email order and the key used.
At the receiver site, the decryption application detects the dynamic serial of the encryption key used for encrypting the message. The decryption application generates a key based on the dynamic serial number (and the earlier stored secret) and decrypts the email. If the dynamic serial number is not in sequence, e.g. an email with lower serial number is received later than one with higher serial number, the application generates and stores all keys until the serial number, which is used for decrypting the specific encrypted email. All stored keys can then be used for decrypting the non-sequential emails. The keys are stored encrypted in the memory/storage unit and can be destroyed after decrypting the corresponding encrypted email. Thus, the invention may also allow decrypting emails much later and also in off-line mode.
The sending party or email application may supply the message with setting parameters that will force the receiving party or email application to take special action. For instance, the sending party may demand that the received message is stored in a particular way, for instance as encrypted, or else not stored at all. This ensures that the sending party is confident that messages are stored at the receiver location in such a way that no unauthorized access is given to the messages. Other instructions are possible and the above mentioned example is only for illustrative purposes and not limiting to the invention; for instance, the sending party may demand an immediate removal of the email message after examination and not allow it to be stored in any way for maximum security.
Each terminal 210, e.g. an ordinary PC, schematically illustrated in Fig. 2, comprises a main processing unit 240, ROM (Read Only Memory) 250, RAM (Random Access Memory) 260, and a program storage unit 270. The ROM contains an instruction set, e.g. for terminal functionality. The RAM stores instructions from application programmes. The program storage unit includes application programmes such as an email application, encrypting and decrypting applications etc.
A key-generating application 280 comprises, in the storage unit or RAM, identical original values SID, so-called seeds, preferably in a dynamic and inter/exchangeable manner. The storage of original values is preferably effected in connection with the introductory initiation of the application, and advantageously it could be effected via a secure channel, e.g. an encrypted message or a phone call or the like. Possibly, the original values need not, however, be transmitted physically but instead the users of the units concerned may themselves input a pre-agreed value. In addition, the original values may be exchanged, when needed, but alternatively the same original values are used for the duration of the entire life of the key-generating unit. In this case the original values need not be stored in dynamic memories, but instead permanent memories may be used.
In addition, the key-generating application controls a counter 281 to periodically change a counting value X, and a calculating unit/application 282 adapted to generate, in each and every unit and independently of other units, a key based on the original value, and a counting value issued by the counter.
Advantageously however, the counter and the calculating unit may be integrated in the same unit, which advantageously may be the processing unit (CPU). An oscillator 283 or a clock, which could likewise be integrated in the processor, may advantageously control the counter. Preferably the real-time-based clock of the CPU is used. In addition, the counter is increased stepwise, whereby it becomes easier to keep the terminals in phase with one another (synchronised).
Provided that the same original values are stored in the memory and that the counters are synchronised to deliver the same counting value, identical keys may be generated in several key-generating applications, independently of one another, i.e. in each terminal running the application.
These keys may then be used for encrypting or authenticating purposes between the terminals.
Furthermore, the key-generating units preferably are adapted to sense whether they are synchronised or not, and in case they are not, to implement this synchronisation. Sensing may be performed by means of a particular synchronising test that is performed prior to the generation of keys. Alternatively, a need for synchronisation may, however, be identified when different keys are used, and only thereafter may synchronisation resetting be effected.
Synchronisation may be effected for example by exchange of counting values between the units.
According to one example, the calculating unit comprises a calculating algorithm F, which hashes the original value (seed), present key and the counting value as input parameters. Thereafter the count value increases by a number, i.e. count = count+1. This calculating algorithm preferably is implemented in hardware in the calculating unit, or alternatively it is stored in a non-dynamic and unchangeable memory. The calculating algorithm preferably generates a 160-bit key, but keys of other lengths are of course also conceivable. Every time an order is given to the key generator to produce a new key, therefore, a new pseudorandom 160-bit word is generated, which is calculated on the basis of the "seed" and the counting value.
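The seed-plus-counter key chain described above, together with the out-of-sequence serial handling described earlier, as an added example that is not code from the patent. The algorithm F is not specified in this description, so HMAC-SHA-256 truncated to 160 bits stands in for it; `channel_seed`, `KeyGenerator`, `ReceivingChannel` and the `max_skip` bound are hypothetical names and design choices.

```python
import hashlib
import hmac

KEY_LEN = 20  # bytes: the 160-bit key length the description prefers


def channel_seed(sender: str, receiver: str, secret: str) -> bytes:
    """Seed for one direction of a sender/receiver relation.

    Assumption: both addresses and the secret are bound into the seed, so that
    110->120 and 120->110 differ (cf. the 110120xxx / 120110xxx channel keys).
    Fields are length-prefixed so ("ab", "c") never collides with ("a", "bc").
    """
    parts = [p.encode("utf-8") for p in (sender, receiver, secret)]
    framed = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(framed).digest()


class KeyGenerator:
    """Stand-in for F: next key = F(seed, present key, counting value)."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._present_key = bytes(KEY_LEN)  # constructed start state, equal at both ends
        self.count = 0                      # counting value

    def next_key(self):
        serial = self.count
        msg = self._present_key + serial.to_bytes(8, "big")
        self._present_key = hmac.new(self._seed, msg, hashlib.sha256).digest()[:KEY_LEN]
        self.count += 1                     # count = count + 1 after each key
        return serial, self._present_key


class ReceivingChannel:
    """Receiver side: derives the key named by the serial sent with an email."""

    def __init__(self, seed: bytes, max_skip: int = 64):
        self._gen = KeyGenerator(seed)
        self._pending = {}         # serial -> key for emails not yet decrypted
        self._max_skip = max_skip  # assumption: cap on how far a serial may run ahead

    def key_for(self, serial: int) -> bytes:
        # The serial travels with the email, so treat it as untrusted input:
        # without a cap, one forged serial forces unbounded hashing and storage.
        if serial < 0 or serial - self._gen.count >= self._max_skip:
            raise ValueError("serial outside the accepted window")
        # Generate and store every key up to the announced serial.
        while self._gen.count <= serial:
            s, key = self._gen.next_key()
            self._pending[s] = key
        if serial not in self._pending:
            raise KeyError("serial already consumed (replayed or duplicate email)")
        # Destroy the key once it is handed out for decryption.
        return self._pending.pop(serial)

    def pending_serials(self):
        return sorted(self._pending)


if __name__ == "__main__":
    # Constructed sample values taken from the description's own example.
    seed = channel_seed("110@mail.com", "120@mail.com", "120xxx")
    sender = KeyGenerator(seed)
    sent = [sender.next_key() for _ in range(4)]
    receiver = ReceivingChannel(seed)
    for serial in (2, 0, 3):  # emails arriving out of order
        assert receiver.key_for(serial) == sent[serial][1]
    print("keys still stored for undelivered serials:", receiver.pending_serials())
```
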
The key-generating application may further comprise an interface part serving to enable communication between the communicating unit and the key-generating unit. Preferably, this communication comprises emission of instructions to the key-generating unit to generate a key and the emission of a thus generated key back to the communicating unit.
The key-generating unit can be implemented in hardware and executed in the form of an integrated circuit, thereby making it more difficult to tamper with. The circuit may then be added to and used together with essentially any type of communicative unit. For example, it is possible to use the key-generating unit in accordance with the invention together with e-mailing applications.
The key-generating applications in accordance with the invention may be used either for point-to-point communication or authentication, i.e. between two terminals, or between a central unit, an email server, or several users, clients. Such a central unit preferably comprises a plurality of different key-generating applications, one for each client/user/terminal in communication with the central unit. Alternatively, a key unit could comprise several different original values, in which case the command to the key-generating unit to generate a key also comprises information regarding which original value should be used. It is likewise possible for several units that communicate with the central unit to have identical key-generating units, enabling them to communicate with the same key-generating unit in the central unit.
In the following an encrypted transmission or authentication with the aid of the above described system is described. In a first step, an email is produced and encrypted using a key generated by the key-generating application in one of the terminals. The email may comprise one or several attachments, e.g. in form of word processed file, image file, JAVA applets or any other digital data. Thus, the email according to the invention relates both to a message with or without an attachment. The email is transmitted to the receiving terminal and the receiver is asked to obtain an initiating value, the so-called secret or seed. By inputting the secret into the decrypting application of the receiver, the terminals intended for future intercommunication are initiated, in which process they are provided with identical original values and preferably are also synchronised. The system is now ready for use, and at a later time, which may occur after the lapse of an arbitrary period of time after the initiation, at least one of the terminals identifies itself to the other. Identification is achieved when the other terminal determines whether the identity given is known and whether it has a corresponding key-generating application, i.e. a key-generating application as defined above and with a corresponding original value. If this is the case, the process proceeds to the next step; otherwise the process is interrupted.
The calculated keys are then used to execute encryption/decryption/authentication. It should be understood, however, that encrypted transmission and authentication of course may be effected simultaneously and in the same process. Encrypting and authentication may be effected with the aid of essentially any encrypting algorithm that uses keys, e.g. the known DES and RC6, Bluefish etc.
Another advantage of the invention is that the application can be used as a filter for blocking unwanted e-mails. Today, hundreds of thousands of advertisement emails are sent to receivers. In Outlook, for example, there is a function called "junk mail" which, based on a name list or some parameters, sends the received emails to a junk mail folder. This function, however, does not work as the names of senders and content of the junk emails are changed. The invention attends to this problem in the following way:
As mentioned above and with reference to Fig. 3, the receiving terminal or server comprising the list of sender-receiver pairs checks 300 for the received address in the list and compares 310 the sender address with the stored addresses. If the email can be decrypted, i.e. the sender address is in the list, the email is decrypted 320 and delivered to the receiver. If the email cannot be decrypted, i.e. the sender address is not in the list, the email is either removed to a junk storage or returned 330 to the sender. A message can be attached to the returned email, e.g. notifying the sender of unwanted emails that an encryption program is needed to be able to send emails to the intended receiver. Of course, the email might be sent by a sender which is not in the list but wanted. For this reason the system can store 340 a copy of the email or just notify the receiver so that the sender can be notified to install the encryption application and obtain the secret from the receiver. Clearly, the filtering/blocking function is an optional application.
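The seed-and-counter key generation and the sender filter described above can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 as the key-generating algorithm, the resynchronisation window of 3, and all names and addresses are assumptions. It covers the authentication and filtering path only and leaves out encryption of the message body.

```python
import hashlib
import hmac

RESYNC_WINDOW = 3  # assumption: how many counter values ahead a receiver will try


def derive_key(seed: bytes, counter: int) -> bytes:
    # Per-message key from the shared seed and the local counting value.
    # HMAC-SHA256 is an assumption; the page names no derivation algorithm.
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def make_tag(key: bytes, sender: str, body: bytes) -> bytes:
    # Authenticates sender address and body under the per-message key.
    return hmac.new(key, sender.encode() + b"\x00" + body, hashlib.sha256).digest()


class Terminal:
    def __init__(self, address: str):
        self.address = address
        self.peers = {}  # trusted list: peer address -> [seed, next counter]

    def initiate(self, peer: str, seed: bytes) -> None:
        # One-time initiation: store the seed and start the counter at zero.
        self.peers[peer] = [seed, 0]

    def send(self, peer: str, body: bytes) -> dict:
        seed, counter = self.peers[peer]
        self.peers[peer][1] = counter + 1  # each key is used for one message
        key = derive_key(seed, counter)
        return {"from": self.address, "body": body,
                "tag": make_tag(key, self.address, body)}

    def receive(self, msg: dict) -> str:
        state = self.peers.get(msg["from"])
        if state is None:
            return "returned"  # sender not in the list (Fig. 3, step 330)
        seed, counter = state
        # Bounded resynchronisation: try the expected counter, then a few ahead.
        for candidate in range(counter, counter + RESYNC_WINDOW + 1):
            expected = make_tag(derive_key(seed, candidate), msg["from"], msg["body"])
            if hmac.compare_digest(expected, msg["tag"]):
                state[1] = candidate + 1  # never accept this counter again
                return "delivered"  # Fig. 3, step 320
        return "returned"  # wrong seed, replayed message, or drift beyond window


def run_demo() -> dict:
    seed = b"constructed-sample-seed"  # constructed value, shared out of band
    alice, bob = Terminal("alice@example.test"), Terminal("bob@example.test")
    alice.initiate(bob.address, seed)
    bob.initiate(alice.address, seed)

    results = {}
    first = alice.send(bob.address, b"hello")
    results["in_sync"] = bob.receive(first)
    results["replay"] = bob.receive(first)
    alice.send(bob.address, b"lost in transit")
    results["one_lost"] = bob.receive(alice.send(bob.address, b"after a gap"))
    stranger = Terminal("unknown@example.test")
    stranger.initiate(bob.address, b"some-other-seed")
    results["unknown_sender"] = bob.receive(stranger.send(bob.address, b"advert"))
    for _ in range(RESYNC_WINDOW + 1):
        alice.send(bob.address, b"lost")
    results["beyond_window"] = bob.receive(alice.send(bob.address, b"too far ahead"))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

Because the receiver only moves its counter forward, a captured message replayed later fails verification, and a sender whose counter has drifted past the window stays rejected until the terminals are re-initiated.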
As mentioned above, the invention also allows a purchasing of entire or parts of the application in a simple way.
The graph of Fig. 4 illustrates an automatic purchasing system 400. The receiver 401 receives an information email, to which the encrypted email is attached, to obtain a decryption program. Preferably, the decryption program is provided free or as shareware. However, the encryption application must be purchased. When the decryption program is downloaded, the encryption program is also downloaded but cannot be used until a license number, password or similar is provided. For this reason, the buyer is referred to a purchasing address 410, e.g. on the Internet, from where a license can be obtained. The purchasing site may require special information about the country, language etc. of the buyer so that a correct version can be obtained. Then the buyer is relocated to an ordering site 420 for providing transaction information. The payer may make a transaction in a known way, such as paying by credit card, bank transaction, cash-on-delivery etc. Depending on the transaction method, a clearing 430 or control 440 is made. If the transaction is accepted, the purchasing site 420 sends information to a registry 450 and an order to the delivery department 460. The delivery department sends either a program package, a license number or any other information necessary to (install and) run the encryption program. A delivery office can deliver the program package/license information. If the program is preinstalled a password/license number can be delivered by (encrypted) email or downloaded from the site.
It is also possible to provide the email from the sender, informing the receiver to obtain a decryption/encryption application, with a reference to a site including a prepaid program download also including the secret to decrypt the email. However, in this case the receiver must obtain a password or other access possibilities to the program.
It is also possible to provide a server arrangement, through which encrypted emails are passed, e.g. by tunnelling the addresses. In this case each email can be debited separately (so-called ticker), thus without a need of purchasing the program(s).
Above examples relate to a network where users use two terminals for accessing the emails. The invention can also be applied in cases where the users use different terminals. In this case the encryption/decryption program and seed can be provided as a mobile application, e.g. in the form of a hardware plug-in (e.g. USB dongle), or stored on an information carrying medium such as a CD etc. Thus, each time the email application is used, the key/storage must be provided so that the encryption/decryption application can be executed from there.
In a network such as in an organization or enterprise a server handles the clients in the IP network. The clients need only to create one secure email channel to the servicing server and this server then handles the secure connections to the other users in the network. Each user is supplied with a unique password in order to access email messages and send email messages according to the present invention. Moreover, a network administrator may be supplied with a master password that enables the administrator to access the messages and administer the accounts. In order to increase the security further it is possible to demand that the administrator has to use a hardware unit generating a unique sequence number that is used for authenticating purposes. This unique sequence number is controlled against another hardware or software module, located in for instance the central server. The server based module generates a sequence number which is identical to the one generated by the administrator's module if it is the correct hardware unit and they are synchronized with each other. If they are not identical the two systems will try to synchronize with each other a certain number of times.
Such a hardware unit for use by an administrator may be supplied as, for instance but not limited to, hardware plug-ins using USB (Universal Serial Bus), RS232, RS485, Ethernet, Firewire, Bluetooth, Centronics, SecureDigital, PCMCIA, PC-Card, or similar hardware connectivity standards. It is also possible to use, instead of the hardware unit, a software module located either on an administrative PC, workstation or similar computational device, or on a computer medium storage device connectable to a network or connectable to a device connected to the network under administration.
It is also possible to provide the system with compression facilities for compressing encrypted emails. Any conventional compressing method can be used.
Optionally, the encrypted and/or decrypted emails can be saved in decrypted or encrypted form. In this case, it is preferred that the emails are encrypted using a password. For security reasons, especially in the companies, there should be a personal password and one Master key (network manager).
The invention is not limited to the embodiments described and illustrated. The invention can be modified within the scope of the attached claims in several ways depending on the applications, demands and needs.

Claims (7)

1. A method of transmitting an electrical message, preferably an email, from a first user having a first terminal to a second user having a second terminal, comprising the steps of:
- transmitting said email in an encrypted form by said first terminal, said encrypted email being encrypted by means of a key generated by a first key generator using a seed,
- providing once said second user with said seed for generating a key with a second key generator provided in said second terminal,
- providing to and storing said seed in said second terminal,
- using said seed by said second terminal for generating a key each time an encrypted email from said first user to said second user is received;
- synchronising a counting value in each terminal; and
- generating said key on the basis of said seed and a counting value in each terminal, independently of other terminal.
2. The method of claim 1, wherein said seed is obtained only first time initiating time.
3. The method of claim 1, wherein a second seed is obtained if said first seed is unusable.
4. The method of claim 1, wherein a dynamic serial number is obtained for each encrypted email.
5. The method of claim 4, wherein said dynamic serial number is used for generating a key for corresponding encrypted email.
6. The method of claim 5, wherein the seed is saved in a dynamic and exchangeable fashion at least in one of the terminals, and preferably in all terminals.
7. The method of claim 1 or 6, wherein said counting value is generated in a counter in each terminal, the synchronisation of the counting values involving synchronisation of the counters.
8. The method of one of claims 1-7, wherein following the initial synchronisation of the counters, the terminals execute supplementary synchronisation steps only when needed.
9. The method as claimed in any one of the claims 1-8, wherein said key-generating operation on the basis of the seed and the counting value is effected by means of a calculating algorithm stored in a non-dynamic and non-changeable fashion in at least one of the terminals.
10. The method of claim 1, comprising the step of generating a list of trusted terminals based on the received seed.
11. The method of claim 10, comprising accepting emails only from registries in said list.
12. The method according to any of the preceding claims, comprising providing said seed by said first user to said second user through at least one of phone call, fax or letter.
13. The method according to any of the preceding claims, wherein said encrypted email is provided with attachments encrypted together with the email.
14. The method according to any of the preceding claims, wherein a transmitting party supplies a message with setting parameters that forces the receiving party to take special action.
15. The method according to any of the preceding claims, wherein a network administrator is supplied with a master password that enables the administrator to access the messages and administer the accounts.
16. The method according to claim 15, wherein the administrator is provided with a hardware unit generating a unique sequence number that is used for authenticating purposes.
17. A system for transmitting an electrical message, preferably an email, from a first user using a first terminal to a second user using a second terminal, the system further comprising:
- means for transmitting said secure email in form of an encrypted mail by said first terminal, said encrypted e-mail being encrypted by means of a key generated by a first key generator using a seed,
- means for providing once said second user with said seed for generating a key with a second key generator,
- means for providing to and means for storing said seed in said second terminal,
- means for generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said seed;
- each terminal comprises a key-generating unit, said key-generating unit comprising a memory, in which identical seeds are stored, a counter to periodically change a counting value, and a calculating terminal adapted to generate in each terminal and independently of other terminals, a key on the basis of the original value and a counting value issued from the counter; and
- the terminals are arranged to sense when they are not synchronised and then to reset synchronisation.
18. The system of claim 17, wherein said memory for storing of the seed in at least one of the terminals is a dynamic memory arranged to store the seed in a dynamic and exchangeable fashion.
19. The system of one of claims 17 to 18, wherein the calculating unit of at least one of the terminals comprises a calculating algorithm, which is stored in a non-dynamic and non-changeable fashion, and which preferably is hardware-implemented.
20. The system of one of claims 17 to 19, wherein one of the terminals is a central terminal comprising a plurality of seeds for secure encrypted transmission involving several different terminals having one original value each.
21. The system of one of claims 17 to 20, comprising a first unit for generating a unique sequence of numbers, which is controlled against a second unit, located in the system, which generates a sequence number which is identical to the one generated by the first unit, and if it is a correct unit and they are synchronized with each other.
22. A computer program product for transmitting a secure e-mail from a first user having a first terminal to a second user having a second terminal, comprising a code for:
- encrypting and transmitting said email from said first terminal,
- generating a key using said first seed in said first terminal,
- obtaining said seed for generating a key with a second key generator in said second terminal,
- storing said seed in said second terminal,
- generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said stored seed;
- obtaining a dynamic serial number for each encrypted email;
- generating a key for corresponding encrypted email using said dynamic serial number;
- synchronising a counting value in each terminal; and
- generating said key on the basis of said seed and a counting value in each terminal, independently of other terminal.
23. A propagated signal for transmitting a secure e-mail from a first user having a first terminal to a second user having a second terminal, comprising signal comprising a code for:
- encrypting and transmitting said email from said first terminal,
- generating a key using said first seed in said first terminal,
- obtaining said seed for generating a key with a second key generator in said second terminal,
- storing said seed in said second terminal,
- generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said stored seed,
- obtaining a dynamic serial number for each encrypted email;
- generating a key for corresponding encrypted email using said dynamic serial number;
- synchronising a counting value in each terminal; and
- generating said key on the basis of said seed and a counting value in each terminal, independently of other terminal.
24. A computer readable medium having stored therein instruction sets for transmitting a secure e-mail from a first user having a first terminal to a second user having a second terminal, said instruction set comprising a code for:
- encrypting and transmitting said email from said first terminal,
- generating a key using said first seed in said first terminal,
- obtaining said seed for generating a key with a second key generator in said second terminal,
- storing said seed in said second terminal,
- generating a key each time an encrypted email from said first user to said second user is received by said second terminal using said stored seed,
- obtaining a dynamic serial number for each encrypted email;
- generating a key for corresponding encrypted email using said dynamic serial number;
- synchronising a counting value in each terminal; and
- generating said key on the basis of said seed and a counting value in each terminal, independently of other terminal.
25. The medium of claim 24, wherein said medium is a memory unit.
26. A method of marketing an instruction set for transmitting and receiving electrical messages, in particular a secure e-mail from a first user having a first terminal to a second user having a second terminal, the method comprising:
- transmitting said secure email in an encrypted form by said first terminal, said encrypted e-mail being encrypted by means of a key generated by a first key generator using a seed,
- providing said secure email with an accessible message referring to a vendor place,
- obtaining from said vendor place a second instruction set for decrypting said email, and
- debiting said second user for using said second instruction set for encrypting a new email.
27. The method of claim 26, wherein it is computerised.
28. The method of claim 26, wherein said billing is upon ordering or reception said second instruction set.
29. The method of claim 26, wherein said second instruction set is an access code to a preinstalled instruction set.
30. A method of filtering emails to recipient, from a first user having a first terminal to the recipient being a second user having a second terminal, said email being transmitted in an encrypted form by said first terminal, said encrypted e-mail being encrypted by means of a key generated by a first key generator using a seed, providing once said second user with said seed for generating a key with a second key generator provided in said second terminal, generating a list of trusted senders by said second terminal based on a sender-receiver relation generated by said seed, and acting upon reception of an email, based on said list.
31. The method of claim 30, wherein said action is one of storing, deleting or returning said email.
ZA200601931A 2003-09-12 2006-03-07 Message security ZA200601931B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
SE0302456A SE527561C2 (en) 2003-09-12 2003-09-12 Electronic mail transmission method in internet environment, involves storing seed for key generation provided from sender's terminal, in receiver's terminal

Publications (1)

Publication Number Publication Date
ZA200601931B true ZA200601931B (en) 2007-06-27

Family

ID=28787336

Family Applications (1)

Application Number Title Priority Date Filing Date
ZA200601931A ZA200601931B (en) 2003-09-12 2006-03-07 Message security

Country Status (3)

Country Link
CN (1) CN1849774A (en)
SE (1) SE527561C2 (en)
ZA (1) ZA200601931B (en)


Also Published As

Publication number Publication date
SE0302456D0 (en) 2003-09-12
CN1849774A (en) 2006-10-18
SE527561C2 (en) 2006-04-11
SE0302456L (en) 2005-03-13
