
MeSign Cryptography Key Management Introduction

1. The current state of email encryption and its problems

Email is indispensable for life and work, but an ordinary email is a "postcard": it travels in cleartext, which is insecure, so it should be encrypted. Today, to encrypt email you need a mail client that supports S/MIME certificate encryption, such as Outlook or Thunderbird, and you must apply for and buy an email certificate from a CA. After receiving the certificate you configure it in the mail client, then send a signed email to each correspondent to exchange public keys. Only after both parties hold an email certificate and have exchanged public keys can they send each other encrypted email.

This process is cumbersome and complicated, which is why S/MIME, an otherwise excellent email encryption technology, has never been widely adopted, and why the first important application of the Internet, email, is still transmitted in cleartext roughly 50 years after it was invented. The second important application, HTTP, also started out as cleartext transmission, but it has by now largely completed its upgrade to encrypted HTTPS.

Our analysis is that the real difficulty of email encryption lies in managing the encryption key. Even a user who has struggled through obtaining a certificate and configuring it in one mail client must repeat the import and configuration on every other device. When the certificate expires, a new one has to be applied for and imported. Worst of all, if the old certificate is lost, for example when changing computers, email that was encrypted to it can never be decrypted again. Some users report that this is so painful that they would rather not encrypt at all. This is one of the main reasons S/MIME email encryption is not widely used: the key management problem has to be solved before users can encrypt email without burden.

2. MeSign cryptography key management solution

MeSign Technology set up an R&D team as early as 2015 to research how to make S/MIME encryption easy to use. To let users send encrypted email as easily as they send cleartext email, MeSign concluded that the difficulty of cryptographic key management had to be solved first. After studying the cloud key management services (KMS) offered by leading cloud providers, the MeSign R&D team adopted a cloud key management model to solve the key management problem and deliver keys on demand.

MeSign's solution splits the single traditional email certificate into two: a signing certificate and an encrypting certificate. The private key of the encrypting certificate is generated, encrypted and hosted in the MeSign Cryptography Infrastructure (MCI). Once the user has proven control of the email account, the MeSign App retrieves the encrypting key from MCI automatically and uses it to decrypt incoming email, so the user never applies for or imports a certificate by hand. When the user sends encrypted email, the App looks up the recipient's encrypting certificate (public key) in the MeSign CerDB, so no public key exchange is needed beforehand; MeSign describes this as end-to-end, zero-touch automatic email encryption and decryption. Because the encrypting key is generated and escrowed by MeSign, the confidentiality of encrypted mail also depends on how MCI protects that key; the protection levels in section 3.1 exist for this reason. The signing certificate carries the user's identity information and its signatures are intended to have legal effect, so the signing key is generated on the user's device and stored only there. This is why a user's signing certificates on different devices have different serial numbers.

By splitting the traditional email certificate in two and applying a different key management method to each key usage (signing versus encryption), MeSign makes S/MIME email encryption easy to use while preserving the non-forgeability and non-repudiation of S/MIME signatures. The result is that S/MIME can be used without any knowledge of cryptography or computers: click to send an encrypted email just as you would a cleartext email, and read encrypted email as it is decrypted automatically.

3. MeSign cryptography key management introduction

3.1 The encrypting key management

To give MeSign App users the best experience, logging into an email account on any device and decrypting all of their email automatically, MeSign adopted a cloud key management system for the encrypting key after studying the leading cloud key management service providers. The private key of the encrypting certificate is generated in the cloud key management system and distributed to the user on demand.

The private key of the encrypting certificate is generated in a FIPS 140-2 Level 3 certified HSM, which exceeds the WebTrust requirement of FIPS 140-2 Level 2. The private key is then divided into two parts, each encrypted and stored on a different key management server. A user must log into the email account in the MeSign App and pass the email control validation; only then can the App obtain the key pair bound to that email address and store it securely on the user's device.

The MeSign Key Management System (MKM) is one of the most important components of the MeSign Cryptography Infrastructure and applies several security measures to protect the private key of the encrypting certificate. These measures have undergone a white-box security audit by a third-party code security testing company as well as a WebTrust audit, to assure users that their private keys are protected.

MeSign offers four levels of protection for the private key of the encrypting certificate, to meet users' differing security requirements:

  (1) The default protection
    This level relies on the email account password validation (a successful login in the MeSign App). After login, the MeSign App retrieves the private key and encrypting certificate from the MeSign cloud and installs them in the App; the user does not set a separate key protection password. In other words, the private key of the encrypting certificate is exactly as secure as the email account password: anyone who can log into the mailbox can also obtain the key. The purpose of this basic level is convenience. Users can start encrypting email as soon as they have set up their email account in the MeSign App, just as in any other mail client, without caring how the certificate is applied for and installed and without remembering an additional password.
  (2) The enhanced protection
    To strengthen private key security, we strongly recommend that every MeSign App user log into their MeSign account on the MeSign website and set a private key protection password (one that differs from the email account password). The MeSign App must then verify both the email account and the key protection password before retrieving the private key and encrypting certificate, which adds a second factor to the protection of the private key and of the encrypted email. The advantage is that even if the email account password is stolen, the thief cannot obtain the encrypting certificate's private key without the key protection password, so the encrypted email cannot be decrypted. The disadvantage is that the user must remember an extra password, the private key protection password. Please remember this password! Note: if your email address is already used to bind accounts on other services, enhanced protection is highly recommended; set and remember the key protection password.
  (3) The advanced protection
    At present the private key of the email certificate in the MeSign App is a software key. For users with higher security requirements, we plan to support storing the private key in a USB Key (USB token), Bluetooth key or SIM card key in the future. Users will need to purchase such hardware to hold the private key of the email certificate.
  (4) Deploying an enterprise key management system on-premise

The three levels above all use the MeSign Key Management System in the cloud to generate and store the private key. Users who require a high degree of security and control over the encrypting certificate's private key (for example government agencies, financial institutions and large enterprises) can purchase the MeSign Enterprise Key Management System (Enterprise KM), a plug-and-play system deployed on-premise. Staff computers and mobile devices can then obtain the encrypting certificate's private key only by connecting to the in-house EKM, so the organization manages its own encrypting keys and satisfies its security control requirements.

3.2 The signing key management

Because the signing certificate contains identity information and its digital signature is intended to have the legal effect of a handwritten signature, MeSign does not generate or store the signing certificate's private key in the cloud. The private key is generated and stored securely on the user's device and is never uploaded. Each time the user uses the MeSign App on a new device, the system issues a new signing certificate for that device, so the signing certificates on two devices are two different certificates, although the identity information in them is the same.

Besides being generated locally, the signing certificate's private key is covered by the same protection levels as the encrypting certificate's private key, to meet the security requirements of different users. Once the user has set a certificate protection password, both the signing and the encrypting certificate use that same password; it does not need to be set separately.

In summary, to balance private key security against ease of use, MeSign adopts a cloud key management service model and separates the encrypting certificate and the signing certificate into two independent certificates. So that the user can decrypt email on any device, the encrypting certificate that the MeSign App auto-configures by default is the same on all of the user's devices; it is generated and stored in the cloud when the user first uses the MeSign App. If your organization runs an on-premise enterprise key management system, employees' default encrypting certificate private keys are retrieved from the EKMS and stored only on that on-premise EKMS; MeSign does not back them up to its cloud servers.

The encrypting key and encrypting certificate are valid for 3 years. When an encrypting certificate expires, a new encrypting key and certificate are generated automatically; the old certificate and key are retained and still distributed, so that email previously encrypted to it can still be decrypted, but the old certificate is no longer shown in the certificate management menu of the MeSign App. This removes the user's headache of managing expired email certificates.

The signing certificate, by contrast, is generated on the user's device and stored only there, so different devices hold different signing certificates. Although they differ, their identity information is the same and all of them can be used to sign email.

The auto-configured signing certificate of the Free Edition is valid for one year. On expiry, a new key pair is generated on the local device and a new signing certificate is configured automatically; the old signing certificate is no longer used and no longer shown in the certificate management menu of the MeSign App. For the paid Pro Edition, the user can choose a validity period of 1 to 3 years. On expiry the user renews, and a new signing certificate containing trusted identity information is generated and configured automatically. If the user does not renew the paid service, it is downgraded to the Free Edition and a Free Edition signing certificate is auto-configured.
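The lifecycle described in 3.1 and 3.2, as an added Go example that is not MeSign's code: two certificates with different key usages and validity periods, rotation on expiry, and retention of every expired encrypting key so that old mail still decrypts, looked up by the certificate serial number that a CMS envelope carries in its RecipientInfo to identify the recipient's key. The certificates are self-signed and the mailbox address is constructed; the Keyring type, its methods and the hidden archive of old keys are this example's own assumptions, and cloud retrieval is not modelled so that the block runs on its own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

type Slot struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// Keyring is a hypothetical model of one mailbox on one device: the current 3-year
// encrypting slot, the current 1-year signing slot, and every encrypting key ever issued.
type Keyring struct {
	Encrypting, Signing *Slot
	keys                map[string]*Slot // all encrypting slots by serial; only Encrypting is shown in the menu
	nextSerial          int64
}

func NewKeyring() *Keyring { return &Keyring{keys: map[string]*Slot{}} }

// issue generates a key pair and self-signs a certificate for it (a real deployment
// has a CA sign a request for the public key; self-signing keeps the example offline).
func (r *Keyring) issue(usage x509.KeyUsage, from time.Time, years int) (*Slot, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	r.nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(r.nextSerial),
		EmailAddresses: []string{"user@example.com"}, // constructed address; rfc822Name SAN as S/MIME clients expect
		NotBefore:      from,
		NotAfter:       from.AddDate(years, 0, 0),
		KeyUsage:       usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Slot{Cert: cert, Key: key}, err
}

// Refresh runs at each login and replaces whatever has expired by now. The old encrypting
// key stays in r.keys so earlier mail remains readable; the old signing key is dropped, since
// the certificate that verifies old signatures travels inside each signed message.
func (r *Keyring) Refresh(now time.Time) error {
	if r.Encrypting == nil || now.After(r.Encrypting.Cert.NotAfter) {
		s, err := r.issue(x509.KeyUsageKeyEncipherment, now, 3)
		if err != nil {
			return err
		}
		r.keys[s.Cert.SerialNumber.String()] = s
		r.Encrypting = s
	}
	if r.Signing == nil || now.After(r.Signing.Cert.NotAfter) {
		s, err := r.issue(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, now, 1)
		if err != nil {
			return err
		}
		r.Signing = s
	}
	return nil
}

// Encrypt encrypts to a recipient's encrypting certificate and returns the serial that tells
// the recipient which key to use. A signing certificate is refused: key usage decides.
func Encrypt(cert *x509.Certificate, msg []byte) (serial string, ct []byte, err error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return "", nil, fmt.Errorf("certificate %s is not an RSA encrypting certificate", cert.SerialNumber)
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	return cert.SerialNumber.String(), ct, err
}

// Decrypt picks the key by serial: the current slot or any archived one will do.
func (r *Keyring) Decrypt(serial string, ct []byte) ([]byte, error) {
	slot, ok := r.keys[serial]
	if !ok {
		return nil, fmt.Errorf("no encrypting key with serial %s on this device", serial)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, slot.Key, ct, nil)
}

func main() {
	r := NewKeyring()
	t0 := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	_ = r.Refresh(t0)
	serial, ct, _ := Encrypt(r.Encrypting.Cert, []byte("constructed mail from 2021"))
	_ = r.Refresh(t0.AddDate(3, 0, 1)) // both certificates have expired: new ones are issued
	pt, err := r.Decrypt(serial, ct)   // the archived key still opens the old mail
	fmt.Printf("old mail: %q (%v); encrypting keys held: %d\n", pt, err, len(r.keys))
}
```

Two details carry the security meaning. The encrypting slot is never deleted, only demoted, which is exactly what lets the page promise that expired certificates stop being a headache; it also means the number of decryption-capable keys a device (or, in MeSign's model, the cloud) holds only grows, so the protection applied to the archive matters as much as that of the current key. And Encrypt checks key usage rather than key type: with two RSA certificates per user, a client that encrypts to whichever certificate it finds first would silently produce mail that only the device-bound signing key can open.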

4. Advantages of the MeSign key management solution

MeSign Technology draws on the key management services offered by cloud service providers to give users flexible and affordable key management, so that they can use email encryption without being aware of the encryption keys at all. The main advantages are:

  (1) Obtained on demand, available at any time. Users no longer have to manage encrypting keys themselves, nor worry about losing a key and being unable to decrypt their email, so they can use the email encryption service with confidence.
  (2) Free to use, so email encryption can spread. Users anywhere in the world can use the MeSign Free Edition, including the cloud key management service and the automatically obtained encrypting and signing certificates, at no cost, and so protect personal email privacy and business email secrets without spending anything.
  (3) Paid service with strong value. A user who purchases the MeSign Starter Edition gets the publicly trusted Vp Email Certificate customized and issued by the CA Sectigo, configured automatically, together with the cloud key management service for that certificate. The same Sectigo Personal S/MIME certificate costs US$19.99/year and the Amazon key management service US$12.00/year, US$31.99 in total, while MeSign charges US$14.99/year, less than half. The paid Pro Edition, in addition to the automatically configured signing certificate with trusted identity, also auto-configures the publicly trusted Vp Email Certificate and includes the cloud key management service for it.
  (4) Cloud-client collaboration. The MeSign App obtains the encrypting key the user needs so that email is encrypted locally before it is sent, while the cloud encryption service system supplies the integrated services around it. Together they let users send encrypted email as easily as traditional cleartext email, which MeSign describes as the first solution of its kind.