Secure messaging
Secure messaging is a server-based approach to protecting sensitive data when it is sent beyond the corporate borders, and it supports compliance with industry regulations such as HIPAA, GLBA and SOX. Its advantages over classical secure e-mail are that confidential and authenticated exchanges can be started immediately by any internet user worldwide, since there is no requirement to install any software or to obtain or distribute cryptographic keys beforehand. Secure messages provide non-repudiation, because the recipients (similar to online banking) are personally identified and transactions are logged by the secure email platform.
Functionality
Secure messaging works as an online service. Users enroll with a secure messaging platform. The user logs into his account by typing in his username and password (or using strong authentication), similar to a web-based email account. From a message center, messages can be sent over a secure SSL/TLS connection, or via other equally protective methods, to any recipient. If the recipient is contacted for the first time, a message unlock code (MUC; see below) is needed to authenticate the recipient. Alternatively, secure messaging can be used from any standard email program without installing software.
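The first-contact flow described above, as an added example that is not part of the original article or of any particular platform: the message body stays on the server, a recipient who is not yet enrolled must redeem a message unlock code (MUC) before it is released, and every outcome is written to an audit log (the logging the lead paragraph cites as the basis for non-repudiation). The class and method names, the 8-digit code format, the 24-hour lifetime and the 5-attempt limit are assumptions of this example; the server stores only a salted hash of the code and compares it in constant time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed, simplified model of a secure messaging platform's first-contact
# flow. Policy values below are assumptions, not taken from the article.
MUC_LIFETIME_SECONDS = 24 * 3600
MUC_MAX_ATTEMPTS = 5


@dataclass
class PendingMessage:
    recipient: str
    body: str                  # would be ciphertext on a real platform
    muc_hash: bytes            # only the salted hash of the MUC is stored
    salt: bytes
    expires_at: float
    attempts_left: int = MUC_MAX_ATTEMPTS
    released: bool = False


class SecureMessagingServer:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.messages = {}                   # message id -> PendingMessage
        self.enrolled = set()                # recipients who have redeemed a MUC
        self.audit_log = []                  # (time, event, message id, actor)

    def _log(self, event, msg_id, who):
        self.audit_log.append((self.now(), event, msg_id, who))

    @staticmethod
    def _hash_code(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def send(self, sender, recipient, body):
        """Store the message and return (message id, MUC). The MUC goes to the
        sender, who passes it to the recipient out of band (e.g. by phone)."""
        msg_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**8):08d}"        # 8-digit unlock code
        salt = secrets.token_bytes(16)
        self.messages[msg_id] = PendingMessage(
            recipient, body, self._hash_code(code, salt), salt,
            self.now() + MUC_LIFETIME_SECONDS)
        self._log("sent", msg_id, sender)
        return msg_id, code

    def open_message(self, msg_id, recipient, code=None):
        """Return the body if the recipient is enrolled or redeems a valid MUC;
        raise PermissionError otherwise. Every decision is logged."""
        msg = self.messages.get(msg_id)
        if msg is None or msg.recipient != recipient:
            self._log("denied:unknown", msg_id, recipient)
            raise PermissionError("no such message for this recipient")
        if recipient in self.enrolled:
            self._log("opened:enrolled", msg_id, recipient)
            return msg.body
        if self.now() > msg.expires_at:
            self._log("denied:expired", msg_id, recipient)
            raise PermissionError("unlock code expired")
        if msg.attempts_left <= 0:
            self._log("denied:locked", msg_id, recipient)
            raise PermissionError("too many failed attempts")
        if code is None or not hmac.compare_digest(
                self._hash_code(code, msg.salt), msg.muc_hash):
            msg.attempts_left -= 1
            self._log("denied:bad_code", msg_id, recipient)
            raise PermissionError("invalid unlock code")
        # First contact succeeded: the recipient is now enrolled and later
        # messages need no further MUC.
        self.enrolled.add(recipient)
        msg.released = True
        self._log("opened:muc", msg_id, recipient)
        return msg.body


def demo():
    """Constructed walk-through: one wrong code, then the right one, then a
    second message that opens without a MUC because the recipient is enrolled."""
    clock = [1_700_000_000.0]
    server = SecureMessagingServer(now=lambda: clock[0])
    msg_id, code = server.send("alice@bank.example", "bob@example.net",
                               "Q3 statement attached")
    wrong = f"{(int(code) + 1) % 10**8:08d}"             # guaranteed mismatch
    try:
        server.open_message(msg_id, "bob@example.net", wrong)
    except PermissionError:
        pass
    body = server.open_message(msg_id, "bob@example.net", code)
    msg2, _ = server.send("alice@bank.example", "bob@example.net", "Follow-up")
    body2 = server.open_message(msg2, "bob@example.net")
    return body, body2, [event for _, event, _, _ in server.audit_log]


if __name__ == "__main__":
    print(demo())
```

The expiry and attempt limits are what keep an 8-digit code from being guessed online; the audit log, not the code itself, is what the platform later relies on to show who opened what and when.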
Secure delivery
Secure messaging offers different types of delivery: a secured web interface, S/MIME- or PGP-encrypted communication, or TLS-secured connections to email domains or individual email clients. One single secure message can be sent to different recipients with different types of secure delivery, and the sender does not have to worry about which is used.
Trust management
Secure messaging relies on the method of the dynamic personal web of trust. This method synthesizes the authentication approach of the web of trust, known from PGP, with the advantages of hierarchical structures, known from centralized PKI systems. Combined with certificates, these provide high-quality electronic identities. This approach focuses on the user and allows for immediate and personal bootstrapping of trust, and likewise immediate revocation.
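A constructed model of the combined trust approach described above, added here as an illustration and not taken from the article or any platform: an identity is trusted either because the hierarchical authority (the platform's CA) has certified it and not revoked it, or because enough already-trusted users personally vouch for it. Revocation by the authority and withdrawal of a personal vouch are both re-evaluated on every query, so trust that was bootstrapped through a vouch disappears as soon as the voucher is revoked. The threshold of two vouches and all identity names are assumptions of this example.

```python
from dataclasses import dataclass, field

# Assumed policy: how many personal vouches substitute for a CA certificate.
VOUCH_THRESHOLD = 2


@dataclass
class TrustStore:
    """Hierarchical certificates plus a personal web of trust (constructed model)."""
    ca_certified: set = field(default_factory=set)   # identities with a valid platform certificate
    revoked: set = field(default_factory=set)        # identities revoked by the authority
    vouches: dict = field(default_factory=dict)      # voucher -> set of identities vouched for

    def certify(self, identity):
        self.ca_certified.add(identity)

    def revoke(self, identity):
        self.revoked.add(identity)

    def vouch(self, voucher, identity):
        self.vouches.setdefault(voucher, set()).add(identity)

    def unvouch(self, voucher, identity):
        self.vouches.get(voucher, set()).discard(identity)

    def is_trusted(self, identity, _visiting=frozenset()):
        """Authority revocation is absolute. Otherwise a certificate suffices;
        failing that, VOUCH_THRESHOLD vouches from identities that are
        themselves trusted do. _visiting guards against vouch cycles."""
        if identity in self.revoked:
            return False
        if identity in self.ca_certified:
            return True
        if identity in _visiting:           # e.g. A vouches B and B vouches A
            return False
        visiting = _visiting | {identity}
        trusted_vouchers = sum(
            1 for voucher, targets in self.vouches.items()
            if identity in targets and self.is_trusted(voucher, visiting))
        return trusted_vouchers >= VOUCH_THRESHOLD


def demo():
    """Constructed scenario: bootstrap trust through vouches, then watch it
    collapse when the authority revokes one of the vouchers."""
    ts = TrustStore()
    ts.certify("alice")
    ts.certify("bob")
    ts.vouch("alice", "carol")
    one_vouch = ts.is_trusted("carol")              # one vouch is not enough
    ts.vouch("bob", "carol")
    ts.vouch("alice", "dave")
    ts.vouch("carol", "dave")                       # carol is trusted only transitively
    people = ("alice", "bob", "carol", "dave")
    before = {who: ts.is_trusted(who) for who in people}
    ts.revoke("bob")                                # authority revokes bob
    after = {who: ts.is_trusted(who) for who in people}
    return one_vouch, before, after


if __name__ == "__main__":
    print(demo())
```

Evaluating trust at query time rather than caching it is what gives the "immediate revocation" the section promises: no stored decision survives the revocation of the identity it depended on.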
Difference between e-Mail and Secure Messaging
Secure messaging is a paradigm change to the well-known email technology and protocol. Secure messages are encrypted bidirectionally and are stored on a network or internet server. This has the advantage of archiving the data centrally and providing added security, since message data downloaded to a local hard drive are subject to breach if the computer is ever lost or stolen. This is a common vulnerability of computers using traditional client-server based email.
Application
Secure messaging is used in many business areas with company-wide and sensitive data exchanges. Financial institutions, insurance companies, public services, health organizations and service providers rely on the protection provided by secure messaging. Secure messaging can be easily integrated into corporate email infrastructures (Microsoft Exchange Server, Mozilla Thunderbird, Lotus Notes, GroupWise, Microsoft Entourage, Postfix, Exim, Sendmail, etc.).
In the government context, secure messaging can offer electronic registered mail functions. For this to be binding, some countries require it to be accredited as a secure platform (e.g. Switzerland).
Technical Requirements
There is no software required for using secure messaging. Users only need a valid email address and a working internet connection with an up-to-date web browser.
History
- 1965: Mainframe computer users are able to exchange messages.
- 1982: Standard for (D)ARPA internet text messages (RFC 822) is adopted: different email systems can communicate with each other.
- 1983: Development of the Internet Protocol.
- 1991: Phil Zimmermann creates PGP, a first generation of secure mail communication.
- 1999: Launch of browser-based internet banking at UBS AG (Union Bank of Switzerland) with the advent of strong cryptography in industry-standard browsers.
- 2001: Google indexes more than 1 billion internet pages: highly complex information can be found easily.
- 2002: Introduction of strong authentication in internet banking (UBS Switzerland) to prevent identity fraud.
- 2005: More than 1 billion internet users: most people in industrial countries can be reached via the internet.
See also
- E-mail privacy
- Secure E-mail
- Information security
- Email authentication
- Email
- Secure communication
- Transport Layer Security
- Cryptography
- Electronic signature
- Certified e-mail