Establish Cryptography Key Management System On-PremiseTo manage the encryption keys locally and independently.

1. Encryption Key and Cryptography Key management System Introduction

It has been more twenty years since the standard of S/MIME for email signing and encryption has been introduced to the public in 1999. But, no one found the solution of simplifying the deployment of S/MIME, so that S/MIME encryption has not been applied universally. The most important reason of why S/MIME encryption cannot be popularized is the difficulties of the key management. Users have to manage the key manually in the whole S/MIME using process, started from generating the private key in computer, applying the email certificate from a CA, installing and configuring the certificate into different email clients in different devices. In addition, they need to exchange the public keys manually with the recipients before communicating with them. The whole process is PAIN work and error-prone, it is not easy for non-IT users to set up every step of the entire process correctly. Therefore, we think as long as the difficulties on using S/MIME be overcome, the S/MIME encryption will be applied universally.

In order to ensure that users can decrypt and read the encrypted email in MeSign APP at anytime, anywhere and on any device without the time-consuming process to import the certificates manually, MeSign R&D team has studied a number of cloud key management service (KMS) provided by international leading cloud service providers and finally decided to implement the cloud key management solution for MeSign users. We innovatively splitting the one traditional email certificate into two certificates, a signing certificate and an encrypting certificate. The encrypting certificate key is generated and hosted securely in the cloud key management system, call MeSign Cryptographic Key Management System (MCKMS or MKMS), and users can automatically obtain the encrypting certificate key from the cloud by MeSign APP to decrypt the encrypted email automatically after completing the email control validation, which avoid the labor-intensive process of importing certificate by automating the process of email encryption and email decryption. Due to the signing certificate has the user's identity information on it, the user's signing behavior has legal effect. For this reason, we designed the signing certificate to be generated and stored on the local device only. This is why the serial number of the user’s signing certificates on the different devices are different.

The email certificate is split into two certificates with different key management methods according to the different usage on email signing and email encryption, which greatly simplifies the application of S/MIME encryption and inherits the signing characteristics of S/MIME, such as non-counterfeiting, non-camouflage and non-repudiation. Therefore, plus the email certification application automation and public key exchange automation, this solution completely simplifies and automate the usage of S/MIME encryption and make it truly be used seamlessly with zero threshold. Users do not need to be trained on how to manage certificates. With MeSign APP, users can send encrypted emails as simple as sending the clear-text emails.

That is to say, the reason why MeSign APP can completely automate email encryption is that we found the way to overcome the key management difficulties by providing the private key management service to our users, so that they can decrypt encrypted email anytime, anywhere and on any device. And we also built a public key management system, so that MeSign APP can automatically obtain the public key of the recipient when the user writes the mail, completely realize the automatic transmission of encrypted mail, without the need for the user to exchange the public key in advance separately.

2. MeSign Enterprise Key Management System Introduction

As a public service system, MeSign Key Management System provides users with key management services free of charge, and realizes non-sensing full-automatic encryption of emails. This is a key escrow service. The user's encryption key is escrowed on MeSign Cryptography Infrastructure. However, some organizations have relatively high requirements on their encryption key management and control, so that they could purchase the MeSign Enterprise Key Management System (EKMS) and deploy it on the organization's intranet to realize the independent management for the email encryption keys of the employees’.

Users who wish to deploy their own enterprise key management system must purchase the KM Customized Service at the same time. This service is charged annually based on the number of email addresses used by employees with encryption keys, it includes customized MeSign APP redirection access to the Enterprise KM, only from the Enterprise KM obtains encryption keys, automatically configures encrypting certificates and signing certificates for employees. Users also need to choose to use the Free Edition service or choose the charged service Starter Edition, Pro Edition according to their business needs, and automatically configure signing certificates and encrypting certificates of different identity validation levels and trusted levels for users. That is to say, the difference from the four edition of the service is that the user’s encryption key is obtained from the Enterprise KM, not from the MeSign KM for public in the cloud. Therefore, in addition to the standard edition service, user also need to purchase the KM Customized Service.

The organization can purchase the MeSign Enterprise Key Management System as hardware or software, every email address that uses the MeSign APP to implement email encryption services requires one key or multi-key (use a new one at every three-year). At the same time, for the high security and liability of the key management, we strongly recommend users to purchase at least two key management systems and configure the two system as dual hot backup to ensure providing the reliable services for employees to obtain their keys.

3. How to deploy the MeSign Enterprise Key Management System

The user only needs to deploy the key management device (hardware) or key management system (software) in the Intranet, then log in to the MeSign account to set the Intranet IP address of the key management system and validate the email address domain ownership. After that, when employee set up their email account on MeSign APP, the MeSign APP will retrieve the IP address of the enterprise key management system according to the domain name of the email address, and then it can connect to the right key management system to obtain the encryption key instead of connecting to the MeSign Key Management System. Once the private key of the encrypting certificate is successfully obtained, the encrypting certificate and the signing certificate can be obtained from the MeSign default CA system, and then employees can use the email encryption function normally. Employees who work remotely must be able to connect to the key management system via VPN. Please note, the enterprise key management system cannot access to the Internet, and it is only limit accessed by the employees’ computers and mobile devices which were connected to the organization’s intranet, so that it can ensure the security of the KM system and the Keys. The schematic diagram of enterprise KM deployment is shown below in the left.

As show in the above diagram right, if the organization Intranet do not connect to the Internet, then the employee cannot have the signing certificate and the encrypting certificate issued by MeSign CA, and also cannot visit MeSign Public Key Database (CDB). In this scenario, the organization need to buy the MeSign Enterprise CA System (ECAS), used for issuing the signing certificate and encrypting certificate for employees and can also be used by MeSign APP for retrieving the public keys of other users’ encrypting certificates for sending encrypted emails.

The Enterprise CA System on premises, which support the following functions to meet the basic CA service standards. We recommended to deploy a dual CA system to provide users with certificate issuance services and certificate public key retrieving services reliably without interruption.

1. (1) Auto-generating the self-signed root CA certificate.
2. (2) Auto-generating the intermediate root certificate used for issuing email signing certificates and encrypting certificates.
3. (3) Customized certificate template to define the employee’s certificate subject information of the Organization Employee Certificate or Employee Email Certificate
4. (4) Providing public key retrieving service for MeSign APP sending encrypted emails.
5. (5) Providing certificate revocation service and Certificate Revocation List distribution service.

The following picture shows a screenshot of the MeSign EKMS management interface. After purchasing EKMS, users need to log in to their MeSign account to apply for EKMS deployment, set the IP address of the EKMS deployment on the Intranet, wait for the installation and deployment the Enterprise KM, and then activate the EKMS. The users that have retrieved encrypting key from MeSign public KMS will retrieve the encrypting key from Enterprise KM again, instead of using the encryption key originally obtained from the MeSign public KMS, but the old key will remain in the MeSign APP to decrypt the previously encrypted email. New MeSign APP users will retrieve the encrypting key from the Enterprise KM directly.

Welcome to purchase MeSign Enterprise Key Management System to realize localized self-supervision and self-management of the keys. This encryption key can be used not only for email encryption services, but also for document encryption services to ensure the security of confidential documents. Intranet users are also welcomed to purchase the MeSign Enterprise CA System to meet the basic certificate requirements for full encryption of Intranet email.