
Email Digital Signature and Encryption Automation Solution
To completely solve the security problem of confidential information in email.

1. The current email security issues

Since the first email marked with the @ symbol was sent in 1971, email, now 49 years old, has been the first and most widely used application of the Internet. According to statistics, there are 3.7 billion email accounts worldwide, and up to 269 billion emails are sent every day (many of them, of course, spam). In other words, email is indispensable for work and life.

A technical expert from Apple wrote in an email security discussion group: ‘Email as a tool for the betterment of humankind has proven so effective as to be arguably invaluable; improving the security, privacy, and safety of using email is a very worthwhile goal.’ This sentence makes two key points: first, it highly affirms email's contribution to improving human life and the efficiency of this communication method; second, it points out that the security of email needs to be improved and enhanced. So how can the security of email be improved? MeSign Technology gives a perfect answer.

Let's look at the email sending mechanism to analyze why the security of email needs to be improved. A large amount of personal and business confidential information is exchanged by email every day, but most emails are transmitted to the mail server in cleartext and stored on the mail server in cleartext. As shown in the picture below, this is a serious hidden security problem of cloud big data!

This big data security problem is mainly due to the cleartext transmission mechanism in the original design of email. Some improvements have been made since: as shown in the following figure, SSL certificates are deployed on the mail server to implement SMTP transmission encryption. But this only ensures that the email is encrypted in transit from the user's email client to the mail server; the email is still stored in cleartext once it reaches the mail server. After the sender's mail server receives the email to be sent, it contacts the receiver's mail server to deliver the email. If the receiver's mail server has not deployed an SSL certificate, the email can only be sent from the sender's mail server to the receiver's mail server in cleartext. In addition, a cleartext copy of the email is stored on the receiver's mail server, and the receiver also downloads the email in cleartext from the mail server to his or her email client. Therefore, when a mail service provider tells its users that email has adopted TLS/SSL encryption, this can only comfort the user temporarily. In fact, the mail service provider cannot control the email once it leaves its mail server.

Actually, attempts have been made to solve these security problems. In 1995, RSA and other companies proposed version 1 of the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol, which improved email security functions. In 1998 and 1999 they successively published and submitted versions 2 and 3 to the IETF, which became a series of RFC international standards. As shown in the figure below, the S/MIME standard uses a digital certificate to encrypt the message: the receiver's public key is used to encrypt the cleartext message into a ciphertext message, the ciphertext message is sent from the sender's mail server to the receiver's mail server, and after receiving the ciphertext message, the receiver decrypts it with his own private key to obtain the cleartext of the email. This end-to-end encryption process enables secure, encrypted transmission of email even if the mail servers do not use SSL/TLS encryption, because the email itself is ciphertext. Of course, we strongly recommend deploying SSL certificates on mail servers as well, to protect the email account password.

25 years have passed since the S/MIME email signing and encryption standard was released. Commonly used email client software such as Microsoft Outlook, Mozilla Thunderbird and Apple Mail all fully supports the S/MIME standard for email signature and encryption, so why has S/MIME encryption not become popular? It is because no one in this industry has found a way to make S/MIME encryption simple and easy to use, and one of the most important reasons is that encryption key management is too complicated. Not only do users need to apply for an email certificate from a CA, they also need to install the email certificate in various email client software on various devices, and all of them must be configured and used correctly. After completing the certificate configuration, users still have to exchange public keys before they can send encrypted emails. This is simply something that most users cannot accomplish.

The UK National Cyber Security Centre website wrote: ‘Although it is possible to encrypt individual emails using protocols like PGP or S/MIME, this requires the sender and recipient to have the necessary trust infrastructure in place. This is not likely to be possible for all the parties you communicate with.’ ‘You should only use message-based encryption like PGP or S/MIME occasionally for transfer of sensitive information as it’s inefficient and provides a poor user experience.’ In short, what they mean is that although S/MIME is a good technology for email encryption, it is impossible for everyone to use it and impossible to make it easy to use!

2. MeSign Solutions

MeSign Technology established its R&D team as early as 2015 to research how to make S/MIME encryption easy to use. To ensure that users can send encrypted emails as easily as they send cleartext emails, MeSign believes the difficulties of cryptographic key management must be solved. After studying the cloud key management services (KMS) provided by many leading cloud service providers, the MeSign R&D team decided to adopt the cloud key management model to solve the difficulties of encryption key management and achieve key distribution on demand.

The MeSign solution is to split the single email certificate into two certificates: one signing certificate and one encrypting certificate. The private key of the encrypting certificate is generated, securely encrypted and hosted in the MeSign Cryptography Infrastructure (MCI). After the user's email account has been validated, the encrypting certificate key is automatically retrieved from the cloud MCI and used to decrypt emails, so the user does not need to apply for or import the certificate manually; this realizes fully automatic email encryption and decryption. When the user sends an encrypted email, the MeSign App automatically retrieves the recipient's encrypting certificate public key from the MeSign CerDB, so the user does not need to exchange public keys in advance. This truly realizes end-to-end, zero-touch automatic email encryption and decryption. The signing certificate carries the user's identity information, so the user's signing actions have legal effect. Therefore, the signing certificate key is generated on the user's local device and stored securely on that local device only. This is why the serial numbers of a user's signing certificates on different devices are different.
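The S/MIME flow described in section 1 and the signing/encrypting certificate split described above, as an added example that is not MeSign's code: it drives the openssl command line, constructs two self-signed certificates (a signing certificate whose key stays with the sender, and an encrypting certificate whose public half is all a sender needs), and checks that what a mail server would store is ciphertext and that any alteration of the signed content is detected. The names, certificate subjects and message body are assumptions.

```shell
# Added example (not MeSign's code): S/MIME sign-then-encrypt round trip with openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Construct a self-signed certificate for one purpose. A real deployment would obtain
# these from a CA; using two separate certificates mirrors the split in the text.
make_cert() {  # $1 = file stem, $2 = email address placed in the subject
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Sender signs with her locally held signing key, then encrypts to the recipient's
# encrypting certificate. Returns 0 only if the recipient recovers the exact message
# and the message on the wire does not contain the cleartext.
smime_roundtrip() {
  make_cert alice_sig alice@example.test   # sender's signing certificate (assumed)
  make_cert bob_enc   bob@example.test     # recipient's encrypting certificate (assumed)
  printf 'Revenue grew 12%% this quarter.\n' > "$WORK/plain.txt"   # constructed body

  # Sign (detached multipart/signed, text/plain content), then envelope with AES-256
  openssl smime -sign -text -in "$WORK/plain.txt" -signer "$WORK/alice_sig.crt" \
    -inkey "$WORK/alice_sig.key" -out "$WORK/signed.txt"
  openssl smime -encrypt -aes256 -in "$WORK/signed.txt" -out "$WORK/wire.eml" \
    "$WORK/bob_enc.crt"

  # What the mail servers store and relay: ciphertext only
  if grep -q 'Revenue grew' "$WORK/wire.eml"; then return 1; fi

  # Recipient decrypts with the encrypting certificate's private key, then verifies
  # the signature against the sender's certificate
  openssl smime -decrypt -in "$WORK/wire.eml" -inkey "$WORK/bob_enc.key" \
    -recip "$WORK/bob_enc.crt" -out "$WORK/decrypted.txt"
  openssl smime -verify -text -in "$WORK/decrypted.txt" -CAfile "$WORK/alice_sig.crt" \
    -purpose any -out "$WORK/verified.txt" >/dev/null 2>&1
  grep -q 'Revenue grew 12% this quarter.' "$WORK/verified.txt"
}

# Returns 0 if changing the signed content after decryption makes verification fail,
# i.e. the signature still protects integrity once the envelope is removed.
tamper_is_detected() {
  sed 's/grew 12%/grew 99%/' "$WORK/decrypted.txt" > "$WORK/tampered.txt"
  if openssl smime -verify -text -in "$WORK/tampered.txt" -CAfile "$WORK/alice_sig.crt" \
       -purpose any -out /dev/null >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

smime_roundtrip && tamper_is_detected && echo "S/MIME round trip and tamper detection OK"
```

The `-purpose any` on verification is needed because a bare `openssl req -x509` certificate carries CA:TRUE, which the default S/MIME purpose check rejects; a CA-issued end-entity certificate would not need it.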

By splitting a traditional email certificate into two certificates and adopting different key management methods for the two different key usages, signature and encryption, MeSign Technology perfectly solves the ease-of-use problem of the S/MIME email encryption service. At the same time, it inherits the non-counterfeiting, non-forgery and non-repudiation characteristics of S/MIME email signatures, which makes S/MIME email encryption truly seamless and usable without any cryptography or computer knowledge. Click to send an encrypted email automatically, just like sending a normal cleartext email, and the encrypted email is decrypted automatically, just like reading a normal cleartext email.

After more than 4 years of work, MeSign Technology has finally overcome all the difficulties of email encryption. We have built a secure and reliable encryption infrastructure, and we share these facilities with all MeSign users worldwide, so that everyone can implement S/MIME email encryption and digital signature and meet various compliance requirements without investing in these expensive facilities.

As shown in the figure below, the MeSign Cryptographic Infrastructure consists of seven service systems: MeSign Certificate Authority (MCA), MeSign Cryptographic Key Management System (MKM), MeSign Encrypting Certificate Public Key Database (CerDB), MeSign Certificate Revocation Status System (MCRS), MeSign Identity Validation System (MVS), MeSign Timestamp Service System (MTS) and MeSign e-Signing Service System (MSSS). These cloud service systems work together with the MeSign App (an email client app) to form a "Cloud" and "Client" collaboration system that automatically provides secure and reliable email encryption and e-document signature services to users worldwide. In other words, the MeSign App is not a traditional standalone email client or e-signature tool; it is a user-oriented service agent that lets users handle their own data locally to protect privacy while also using the powerful cloud service for automatic email encryption, automatic document e-signing and automatic contract e-signature.

In other words, the reason the MeSign App can fully automate end-to-end email encryption is that MeSign has completely solved the cumbersome key management issues. Users can obtain the encryption key for decrypting emails anytime, anywhere, on any device, and the user's device can obtain the recipient's public key for encrypting email automatically. Combined with several supporting systems, this completely solves the "inefficient" and "poor user experience" problems mentioned above, makes S/MIME "affordable" and "easy to use", and turns the "impossible" into the "possible"!

The Cryptographic Infrastructure built by MeSign Technology has made S/MIME email encryption completely simple and easy, so that users can send encrypted or signed emails easily with the MeSign App. The MeSign App has already been deployed successfully in 171 countries and regions around the world. MeSign Technology gives every email a trusted digital identity, to prevent email fraud completely, and encrypts every email with a certificate, to prevent email leaks completely.

To meet the high security requirements of government agencies, financial institutions and large enterprises that must manage their certificate keys independently, MeSign Technology provides a solution for such users to deploy an enterprise key management system. Users only need to purchase the MeSign Enterprise Key Management System (EKMS) and connect the Enterprise KM to their intranet. All computers and mobile devices must connect to the Enterprise KM, which lets the devices retrieve the private key of the encrypting certificate. After obtaining the encrypting certificate successfully, users can use the email encryption function provided by the MeSign App as normal. The Enterprise KM system cannot access the Internet and can only be reached by employee computers and mobile devices within the intranet, which protects the security of the key management system. Users who cannot connect to the Internet only need to purchase the MeSign Enterprise CA System and deploy it on the intranet to provide users with email certificates and encryption public key retrieval services.

3. Superiority Analysis

The core products of MeSign for email encryption and signature are the MeSign App (an encrypted email client) and the email encryption and signature services provided by the MeSign Cryptography Infrastructure, which together implement fully automatic email encryption and digital signature. The solution has the following eight special advantages:

(1) Certificate application automation
    MeSign's R&D team has CA expertise in its genes. The MeSign App has automated the application and configuration of email certificates, enabling users to send encrypted emails as easily as they send cleartext emails. MeSign has completely solved the "poor user experience" of S/MIME encryption.

(2) Automatic and efficient encryption
    MeSign has established multiple back-end supporting infrastructure systems, such as the Public Key Database, the CA system and the Key Management System. Therefore, users do not need to exchange public keys manually in advance, which completely solves the "inefficiency" of email encryption and decryption.

(3) Trusted cryptographic infrastructure
    The "MeSign Cryptographic Infrastructure" provides email encryption related services free of charge to all email users around the world as a cloud service. It makes what was "not likely to be possible for all the parties", namely "to have the necessary trust infrastructure", possible and free to use. Not only is the MeSign App free for users, but the auto-configured V1 signing certificate and encrypting certificate are free as well. MeSign Technology makes S/MIME encryption "possible for all the parties" and turns the "impossible" into the "possible".

(4) Open cryptographic infrastructure for win-win
    The trust infrastructure built by MeSign is not only open to MeSign App users for free, it also opens some services to other email clients for free. We hope and encourage other email clients to adopt the S/MIME standard to realize automatic email encryption, so that together we can popularize end-to-end email encryption.

(5) Shared cryptographic infrastructure
    In addition, the trust infrastructure is open to government agencies, public service agencies, financial institutions and large enterprises, which can retrieve the encrypting certificate public keys of all email users for free. This greatly helps government and management systems send encrypted emails to users instead of cleartext emails, so that the confidential information sent from these important management systems stays secure.

(6) World-first email timestamping service
    MeSign Technology uses its patent-pending technology to give every sent email a timestamp, so that the sending time of the email is trusted rather than taken from the untrusted clock of the user's computer or email server. This technology suits scenarios similar to a traditional letter stamped with a postmark that proves when the letter was posted.

(7) World-first SM2 encryption
    MeSign Technology exclusively implements the SM2/SM3/SM4 cryptographic algorithms in accordance with the relevant international standards to achieve S/MIME email encryption and signature. Users worldwide are free to choose either RSA or SM2 algorithms for email signature and encryption. MeSign Technology has contributed Chinese wisdom and provided a Chinese solution for global Internet users in email encryption.

(8) Email malware checking
    The MeSign App also integrates the cloud malware checking function provided by 360 Security Brain, which automatically checks email attachments to identify malicious files and checks the URLs in the email content to identify malicious external links. To protect privacy, the MeSign App only posts the hash of the attachment file to the cloud for fast checking and does not upload the attachment itself. This solution effectively protects users from malicious attachments and malicious URL attacks, and is a free value-added service for MeSign App users.

4. Value-added Services

MeSign Technology not only provides email encryption and basic email signature services for global users free of charge, but also continuously and innovatively provides users with various optional paid value-added services to meet different email security requirements. Users are welcome to choose these services.

(1) Email Signature Service Pro Edition

The free MeSign service includes free use of the MeSign App and the free auto-configured V1 email signing certificate and encrypting certificate, which validate only the user's control of the email address. However, the subject of such a certificate shows only the email address, with no personal or organizational identity information. This is the basic edition of the email digital signature service.

Users who want email recipients to be sure of their authentic identity can purchase the Email Signature Service Pro Edition. The Pro Edition requires identity validation: individual users can purchase the Personal Pro Edition service and submit the V2 Individual Validation proof documents. After passing validation, the V2 email signing certificate is automatically configured for free, with no limit on the number of personal email addresses. The subject of the certificate shows the user's full name and the province/state, city and country where the user is located, which presents the sender's identity information to recipients, enhances recipients' trust, and prevents the email identity from being forged.

Organization users can purchase the Business Pro Edition service and submit the V3 Organization Validation proof documents. After passing validation, every employee's email is auto-configured with a V3 email signing certificate for free, with no limit on the number of employees. The subject of the certificate shows the name of the organization and the province/state, city and country where the organization is registered. This helps employees send signed emails with a trusted identity to recipients, enhancing trust and avoiding email identity impersonation.

After completing V3 organization validation, organization users can also purchase V4 organization employee validation services for their employees; this is a one-time fee, not charged annually. After an employee passes identity validation, the employee's email is auto-configured with a V4 email signing certificate for free. The subject of the certificate shows the employee's name and job title, the name of the organization, and the province/state, city and country where the organization is registered. This helps employees send signed emails with richer trusted identity information, such as full name and job title, which enhances recipients' trust, eases email communication, and avoids email identity impersonation.

(2) Publicly Trusted Vp Email Certificate

The default free auto-installed email certificates in the MeSign App are trusted by the MeSign App only. If users use these certificates to send signed emails to users of other email client software, the other email client will display "There is a problem with this signature, the digital signature is invalid" or a similar warning. Users who care about this warning can apply for a paid publicly trusted email certificate, the Vp Email Certificate. The MeSign App will use this certificate to digitally sign emails by default, so other email clients will display the signature information of the signer's certificate normally and show "This digital signature is trusted".

MeSign Technology has innovatively realized a dual-signature solution for email digital signatures, automatically combining the publicly trusted email certificate signature with the MeSign trusted email signature. The same signed email displays its digital signature information correctly in other email clients such as Outlook and Thunderbird, while the MeSign App displays the MeSign validated identity information, so that the recipient can easily identify the sender's trusted identity, which completely solves the problem of email fraud.

Users can apply for the Vp Email Certificate directly in the MeSign App or on the MeSign website. Once payment is completed successfully, the publicly trusted Vp Email Certificate is automatically installed in the MeSign App and configured as the default signing certificate for email digital signatures. In addition, users can manually export this certificate and import it into other email clients for email encryption and signature (Outlook users do not need to export and import it, as the certificate is auto-configured for use).

5. Summary

In summary, MeSign Technology has spent many years on technical breakthroughs and has made fully automatic email encryption possible, so that global Internet users can encrypt every email, give every email an identity, and have the sent time of every email trusted automatically. MeSign Technology makes email encryption and digital signature the default option, to protect the private information in every email.

MeSign Technology gives the ‘old’ email a rebirth and rejuvenation. The cleartext email (a "postcard") will be completely encrypted into ciphertext email. Today, people pay more and more attention to privacy protection, and those who predict that email will become history will be surprised to find that, instead, end-to-end encryption continues to innovate into a new chapter of its history. Encrypted email is the most secure and efficient way for work communication, not merely one of them.