
Email Encryption and Digital Signature Automation Solution

Auto-configure email certificates, one click for end-to-end encryption

1. The current email security issues

Since the first email marked with the @ symbol was sent in 1971, email, which in 2021 has a 50-year history, has been the first and most widely used application on the Internet. According to statistics, there are 3.7 billion email accounts worldwide, and up to 269 billion emails are sent every day (many of them, of course, spam). In other words, email is a must for work and life.

A technical expert from Apple wrote in an email security discussion group: ‘Email as a tool for the betterment of humankind has proven so effective as to be arguably invaluable; improving the security, privacy, and safety of using email is a very worthwhile goal.’ This sentence makes two key points: first, it affirms the contribution email has made to improving human life and the efficiency of this communication method; second, it points out that the security of email needs to be improved and enhanced. So how can the security of email be improved? MeSign Technology gives a perfect answer.

Let's look at the email sending mechanism and analyze why the security of email needs to be improved. Email carries a large amount of personal and business confidential information every day, but most emails are transmitted to the mail server in cleartext and stored on the mail server in cleartext. As shown in the picture below, this is a big hidden security problem for cloud big data.

[Figure: The current email security issues]

This big data security problem is mainly due to the cleartext transmission mechanism in the original design of email. Some improvements have been made since: as shown in the following figure, SSL certificates are deployed on the mail server to implement SMTP transmission encryption. However, this only ensures that the email is encrypted in transit from the user's email client to the mail server; the email is still stored in cleartext once it reaches the mail server. After the sender's mail server receives the email to be sent, it contacts the receiver's mail server to deliver it. If the receiver's mail server has not deployed an SSL certificate, the email can only travel from the sender's mail server to the receiver's mail server in cleartext. In addition, a cleartext copy of the email is stored on the receiver's mail server, and the receiver downloads the email from the mail server to his/her email client in cleartext as well. Therefore, when a mail service provider tells its users that their email is protected by TLS/SSL encryption, this can only comfort the user temporarily: in fact, the mail service provider has no control over the email once it leaves its mail server.

[Figure: The current email security issues]

Actually, attempts have been made to solve these security problems. In 1995, RSA and other companies proposed version 1 of the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol, which improved email security. In 1998 and 1999 they successively published versions 2 and 3 and submitted them to the IETF, forming a series of RFC international standards. As shown in the figure below, the S/MIME standard uses a digital certificate to encrypt the message: the receiver's public key is used to encrypt the cleartext message into a ciphertext message, the ciphertext message is sent from the sender's mail server to the receiver's mail server, and after receiving it the receiver decrypts it with his own private key to recover the cleartext of the email. This end-to-end encryption process keeps the transmission of the email secure and encrypted even if the mail servers do not use SSL/TLS encryption, because the email itself is ciphertext. Of course, we still strongly recommend deploying SSL certificates on mail servers to protect the security of the email account password.

[Figure: The current email security issues]

25 years have passed since the S/MIME email signing and encryption standard was released. Commonly used email client software such as Microsoft Outlook, Mozilla Thunderbird and Apple iMail all fully support the S/MIME standard for email signing and encryption, so why has S/MIME encryption still not been popularized? It is because no one in the industry has found a way to make S/MIME encryption simple and easy to use, and one of the most important reasons is that encryption key management is too complicated. Not only do users need to apply for an email certificate from a CA, they also need to install the email certificate in various email clients on various devices, and every one of them must be configured and used correctly. Even after the certificate configuration is complete, users still have to exchange public keys before they can send encrypted emails. This is definitely something most users cannot accomplish.

The UK National Cyber Security Centre website says: ‘Although it is possible to encrypt individual emails using protocols like PGP or S/MIME, this requires the sender and recipient to have the necessary trust infrastructure in place. This is not likely to be possible for all the parties you communicate with.’ and ‘You should only use message-based encryption like PGP or S/MIME occasionally for transfer of sensitive information as it’s inefficient and provides a poor user experience.’ In short, what they are saying is that although S/MIME is good technology for email encryption, it is impossible for everyone to use it and impossible to make it easy to use!

2. MeSign Solutions

MeSign Technology established its R&D team as early as 2015 to research how to make S/MIME encryption easy to use. To ensure that users can send encrypted emails as easily as they send cleartext emails, MeSign believes the difficulties of cryptographic key management must be solved first. After researching the cloud key management services (KMS) provided by many leading cloud service providers, the MeSign R&D team decided to adopt the cloud key management model to solve the difficulties of encryption key management and to distribute keys on demand.

The MeSign solution is to split the single email certificate into two certificates: a signing certificate and an encrypting certificate. The private key of the encrypting certificate is generated, securely encrypted and hosted in the MeSign Cryptography Infrastructure (MCI). Once the user's email account has been validated, the encrypting certificate key is automatically retrieved from the cloud MCI and used to decrypt emails, so the user does not need to apply for or import the certificate manually; this realizes fully automatic email encryption and decryption. When the user sends an encrypted email, the MeSign APP automatically retrieves the recipient's encrypting certificate public key from the MeSign CerDB, so the user does not need to exchange public keys in advance. This is true end-to-end, zero-touch automatic email encryption and decryption. The signing certificate carries the user's identity information, so the user's signing behavior has legal effect; therefore the signing certificate key is generated on the user's local device and stored securely on that local device only. This is why the serial numbers of a user's signing certificates differ from one device to another.
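As an added illustration (not MeSign's code or infrastructure), here is the S/MIME flow from the previous section and the two-certificate split just described, run with the OpenSSL command line: a signing certificate and an encrypting certificate with different key-usage bits, sign-then-encrypt on the sender side, decrypt-then-verify on the receiver side, a check that the message on the wire carries no cleartext, and a check that the signing key cannot open mail encrypted to the encrypting certificate. The subject name, address, file names and message are placeholders, and the certificates are self-signed for the demo.

```shell
#!/bin/sh
# Added demo, not MeSign's code: the S/MIME flow with two separate certificates.
# The signing key stays on the device; the encrypting key is the one a key
# management service could host. All names are placeholders; certs are self-signed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# $1 = file basename, $2 = keyUsage bits; both certs carry EKU emailProtection.
mk_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -addext "keyUsage=critical,$2" -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

setup() {
  mk_cert sign digitalSignature,nonRepudiation   # signing / non-repudiation only
  mk_cert enc  keyEncipherment                   # content-key wrapping only
  printf 'Subject: quarterly numbers\n\nrevenue=42\n' > "$WORK/msg.txt"  # constructed sample
}

# Sender: sign with the local signing key, then encrypt to the recipient's
# encrypting certificate (sign-then-encrypt, as S/MIME clients normally do).
send_mail() {
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/sign.crt" \
    -inkey "$WORK/sign.key" -out "$WORK/signed.eml"
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -out "$WORK/wire.eml" "$WORK/enc.crt"
}

# What every mail server on the path stores: succeeds only if the body text
# is absent from the message that actually travels between servers.
server_sees_ciphertext() { ! grep -q 'revenue=42' "$WORK/wire.eml"; }

# Recipient: decrypt with the encrypting key, then verify the inner signature
# against the signer's certificate; prints the number of recovered body lines.
receive_mail() {
  openssl smime -decrypt -in "$WORK/wire.eml" -inkey "$WORK/enc.key" \
    -recip "$WORK/enc.crt" -out "$WORK/inner.eml"
  openssl smime -verify -in "$WORK/inner.eml" -CAfile "$WORK/sign.crt" \
    -out "$WORK/plain.txt" 2>/dev/null
  grep -c 'revenue=42' "$WORK/plain.txt"
}

# Key separation: mail encrypted to the encrypting cert cannot be opened with
# the signing key, so the two roles are genuinely independent.
wrong_key_fails() {
  ! openssl smime -decrypt -in "$WORK/wire.eml" -inkey "$WORK/sign.key" \
      -recip "$WORK/sign.crt" -out /dev/null 2>/dev/null
}

if setup && send_mail && server_sees_ciphertext && receive_mail >/dev/null \
   && wrong_key_fails; then
  echo "round trip OK: the wire message held only ciphertext"
else
  echo "demo failed" >&2; exit 1
fi
```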

By splitting a traditional email certificate into two certificates and adopting a different key management method for each of the two key usages, signing and encryption, MeSign Technology solves the ease-of-use problem of the S/MIME email encryption service. At the same time, it preserves the non-counterfeiting, non-forgery and non-repudiation properties of S/MIME email signatures, which makes S/MIME email encryption truly seamless and usable without any cryptography or computer knowledge. One click sends an encrypted email automatically, just like sending a normal cleartext email, and encrypted emails are decrypted automatically, just like reading a normal cleartext email.

After more than 4 years, MeSign Technology has finally overcome all the difficulties of email encryption. We have built a secure and reliable encryption infrastructure, and we share these facilities with all MeSign users worldwide, so that everyone can implement S/MIME email encryption and digital signature and meet various compliance requirements without investing in these expensive facilities.

As shown in the figure below, the MeSign Cryptographic Infrastructure consists of seven service systems: MeSign Certificate Authority (MCA), MeSign Cryptographic Key Management System (MKM), MeSign Public Key Exchange System (PKE), MeSign Certificate Revocation Status System (MCR), MeSign Identity Validation System (MVS), MeSign Timestamp Service System (MTS) and MeSign Digital Signature Service System (DSS). These cloud service systems work together with the MeSign APP (the email client APP) to form a "Cloud" and "Client" collaboration system that automatically provides secure and reliable email encryption and digital signature services to users worldwide. In other words, the MeSign APP is not a traditional stand-alone email client or e-signature tool; it is a user-oriented service agent that lets users handle their own data locally to protect privacy while also using the powerful cloud services for automatic email encryption and digital signature.

[Figure: MeSign Solutions]

In other words, the reason the MeSign APP can fully automate end-to-end email encryption is that MeSign has completely solved the cumbersome key management issues. Users can obtain the encryption keys for decrypting emails anytime, anywhere, on any device, and the user's device obtains the recipient's public key for encrypting the email automatically. Combined with several supporting systems, this completely solves the "inefficient" and "poor user experience" problems mentioned above, makes the service "affordable" and "easy to use", and turns the "impossible" into the "possible"!

The Cryptographic Infrastructure built by MeSign Technology has made S/MIME email encryption simple and easy, so that users can send encrypted or signed emails easily with the MeSign APP. The MeSign APP has already been deployed successfully in 163 countries and regions around the world. MeSign Technology gives every email a trusted digital identity, to prevent email fraud completely, and encrypts every email with a certificate, to prevent email leaks completely.

To meet the high security requirements of government agencies, financial institutions and large enterprises that must manage their encrypting keys independently, MeSign Technology provides a solution for such users to deploy an enterprise key management system. Users only need to purchase the MeSign Enterprise Key Management System (EKMS) and connect the Enterprise KM to the intranet. All computers and mobile devices must connect to the Enterprise KM, which lets the devices retrieve the private key of the encrypting certificate. After obtaining the encrypting certificate successfully, users can use the email encryption function of the MeSign APP normally. The Enterprise KM system has no Internet access and is reachable only from employee computers and mobile devices within the intranet, which protects the security of the key management system. Users who cannot connect to the Internet only need to purchase the MeSign Enterprise CA System and deploy it on the intranet to provide users with email certificates and the encryption public key exchange service.

3. Superiority Analysis

MeSign's core products for email encryption and digital signature are the MeSign APP (an encrypted email client) and the email encryption and digital signature service provided by the MeSign Cryptography Infrastructure, which together make email encryption and digital signature fully automatic. They have the following eight special advantages:

(1) Certificate application automation
    MeSign's R&D team has CA in its DNA. The MeSign APP automates the application and configuration of email certificates, enabling users to send encrypted emails as easily as they send cleartext emails. MeSign has completely solved the “poor user experience” of S/MIME encryption.
(2) Automatic and efficient encryption
    MeSign has established multiple back-end supporting infrastructure systems, such as the Public Key Database, the CA system and the Key Management System. Therefore, users do not need to exchange public keys manually in advance, which completely solves the “inefficiency” of email encryption and decryption.
(3) Trusted cryptographic infrastructure
    The “MeSign Cryptographic Infrastructure” provides email encryption related services to all email users around the world free of charge as a cloud service. It makes it possible “for all the parties” “to have the necessary trust infrastructure” in place, for free, where this was previously “not likely to be possible”. Not only is the MeSign APP free to use, but the auto-configured signing certificate and encrypting certificate are also free. MeSign Technology makes S/MIME encryption “possible for all the parties” and turns the “impossible” into the “possible”.
(4) Open cryptographic infrastructure for win-win
    The trust infrastructure built by MeSign is not only open to MeSign APP users for free; some of its services are also open to other email clients for free. We hope and encourage other email clients to adopt the S/MIME standard to realize automatic email encryption, so that we can popularize end-to-end email encryption together.
(5) Shared cryptographic infrastructure
    The trust infrastructure is also open to government agencies, public service agencies, financial institutions and large enterprises, which can retrieve the encrypting certificate public keys of all email users for free. This greatly facilitates government affairs systems and management systems in sending encrypted emails to users instead of cleartext emails, ensuring that the confidential information sent from these important management systems is secure.
(6) World-first email timestamping service
    MeSign Technology uses its patent-pending technology to give every sent email a timestamp, so that the sending time of the email is trusted rather than taken from the untrusted clock of the user's computer or email server. This technology suits scenarios similar to a traditional letter stamped with a postmark to prove the time when the letter was delivered.
(7) Email malware checking
    The MeSign APP also integrates the cloud malware checking function provided by 360 Security Brain, which automatically checks email attachments to identify malicious files and checks the URLs in the email content to identify malicious external links. To protect privacy, the MeSign APP only posts the hash of the attachment file to the cloud for fast checking; the attachment itself is never uploaded. This effectively protects users from malicious attachments and malicious URL attacks. This service is a free value-added service for MeSign APP users.
(8) World-first SM2 encryption
    MeSign Technology exclusively implements the SM2/SM3/SM4 cryptographic algorithms, in accordance with the relevant international standards, for S/MIME email encryption and signing. Users worldwide are free to choose either RSA or SM2 to sign and encrypt their emails. MeSign Technology has contributed Chinese wisdom and Chinese solutions to email encryption for global Internet users.

4. Value-added Services

MeSign Technology not only provides users with free basic email encryption and digital signature services (the Free Edition), but also continuously innovates to provide optional paid value-added services, the Starter Edition and the Pro Edition, to meet users' different application needs. Users are welcome to choose.

(1) Starter Edition

The encrypting certificate and signing certificate auto-configured by the MeSign APP in the Free Edition are MeSign trusted, while the Starter Edition is a paid service in which the MeSign APP automatically configures a publicly trusted Vp Email Certificate for the user, so that signed emails sent by the MeSign APP are validated as trusted digital signatures by other email clients, which display "the digital signature is trusted". The Starter Edition realizes fully automatic, publicly trusted email digital signature and encryption; it still validates only control of the email address. After the user purchases it, the publicly trusted Vp Email Certificate is automatically configured for use in the MeSign APP. The user does not need to apply for an email certificate, or configure, use, import, export or back it up; all of this is done automatically by the MeSign APP, so users do not need to think about the email certificate at all and can simply write the email in the MeSign APP and send it encrypted like a normal cleartext email.

(2) Pro Edition

The Pro Edition is also a paid service; it adds identity validation to the Starter Edition. After an individual user completes personal identity validation, the MeSign APP automatically configures a MeSign-trusted Personal Identity Certificate containing the personal identity information together with a publicly trusted Vp Email Certificate. By default, the MeSign APP uses the Personal Identity Certificate and the Vp Email Certificate for dual signature and encryption of emails: the MeSign APP displays the personal name and "Identity Validated and Publicly Trusted" for the signed email, while other email clients display "The digital signature is trusted", so the digital signature is both publicly trusted and user-identity trusted.

After an organization user completes organization identity validation, the MeSign APP automatically configures an Organization Email Certificate containing the organization name for every employee (unlimited number of employees), or, for employees who have completed employee identity validation, an Organization Employee Certificate containing the organization name and employee name, together with a publicly trusted Vp Email Certificate. By default, the MeSign APP uses the Organization Employee Certificate or the Organization Email Certificate together with the Vp Email Certificate for dual signature and encryption of emails, so the digital signature is both publicly trusted and user-identity trusted.

5. Summary

In summary, after many years of technical breakthroughs, MeSign Technology has made fully automatic email encryption possible, so that global Internet users can encrypt every email, give every email an identity and have the sending time of every email trusted, all automatically. MeSign Technology makes email encryption and digital signature the default option, to protect the private information in every email.

MeSign Technology gives the ‘old’ email a rebirth. The cleartext email (the “postcard”) will be entirely replaced by the encrypted ciphertext email. Today, people pay more and more attention to privacy protection, and those who predicted that email would become history will be surprised to find that, instead of becoming history, end-to-end encrypted email is continuing and innovating into a new chapter of its history. Encrypted email is the most secure and efficient way to communicate for work, not merely one of them.
