Email is indispensable for life and work, but an ordinary email is a "postcard": it travels in cleartext, readable by every server on its path, which is insecure, so it ought to be encrypted. Today, encrypting email requires a mail client that supports S/MIME certificate encryption, such as Outlook or Thunderbird, and an email certificate that the user must apply for and buy from a CA. After obtaining the certificate, the user has to configure it in the mail client and send a signed email to the recipient to exchange public keys. Only once both parties hold an email certificate and have exchanged public keys can they send each other encrypted email.
This process is so cumbersome and complicated that S/MIME, an excellent email encryption technology, has never been widely adopted, and as a result the first important application of the Internet, email, is still transmitted in cleartext 50 years after it was invented. The second important application, HTTP, also began as cleartext transmission, but has by now largely completed its migration to encrypted HTTPS.
Our analysis is that the difficulty of email encryption lies in managing the encryption key. Even a user who struggles through obtaining the certificate and configuring it in the mail client can use it only on that device; on any other device the certificate must be imported and configured again. When the certificate expires, the user must apply for a new one and import it again. Worst of all, if the old certificate is not kept, for instance because the user changed computers, email encrypted to it can never be decrypted again. Some users report that this is so painful that they would rather not encrypt at all; it is one of the reasons S/MIME email encryption has not been widely used. The key management problem must be solved before users can encrypt email without burden.
MeSign Technology set up an R&D team as early as 2015 to research how to make S/MIME encryption easy to use. To let users send encrypted email as easily as they send cleartext email, MeSign concluded that the difficulty of key management had to be solved. After studying the cloud key management services (KMS) offered by the leading cloud service providers, the MeSign R&D team decided to adopt a cloud key management model to address the difficulty of encryption key management and to distribute keys on demand.
MeSign's solution is to split the single email certificate into two certificates: a signing certificate and an encrypting certificate. The private key of the encrypting certificate is generated, encrypted and hosted in the MeSign Cryptography Infrastructure (MCI). Once the user has proven control of the email account, the encrypting certificate's key is retrieved automatically from the cloud MCI and used to decrypt incoming email, so the user never has to apply for or import a certificate by hand. When the user sends encrypted email, the MeSign App automatically retrieves the recipient's encrypting certificate (that is, the recipient's public key) from MeSign CerDB, so no public keys need to be exchanged in advance; this is what makes zero-touch automatic encryption and decryption between sender and recipient possible. The signing certificate carries the user's identity information, and a signature made with it has legal effect, so the signing certificate's key is generated on the user's device and stored only there. This is why the serial numbers of a user's signing certificates on different devices differ.
By splitting the traditional email certificate into two certificates and applying a different key management method to each of the two key usages, signing and encryption, MeSign resolves the usability problem of the S/MIME email encryption service while preserving the non-forgeability and non-repudiation of S/MIME email signatures. S/MIME encryption becomes seamless and usable without any knowledge of cryptography or computers: one click sends an encrypted email just like a normal cleartext email, and encrypted email is decrypted automatically and read just like cleartext.
To give users the best experience with the MeSign App, logging into their email account on any device and having all their email decrypted automatically, MeSign adopted a cloud key management system for the encrypting key after studying and drawing on the leading cloud key management service providers. The private key of the encrypting certificate is generated in the cloud key management system and distributed to the user on demand.
The private key of the encrypting certificate is generated in a FIPS 140-2 Level 3 certified HSM, which exceeds the WebTrust requirement of FIPS 140-2 Level 2. The private key is then divided into two parts, which are encrypted and stored on two separate key management servers. Only after the user logs into the email account in the MeSign App and passes email-control validation can the key pair bound to that email address be retrieved and stored securely on the user's device.
The MeSign Key Management System (MKM) is one of the most important components of the MeSign Cryptography Infrastructure and applies several security measures to protect the private key of the encrypting certificate. These measures have been through a white-box security audit by a third-party code security testing company and through the WebTrust audit, to ensure that the user's private key is protected. Note that in this hosted-key model the confidentiality of the encrypting key rests on the key management system itself and on the strength of the email-control validation that releases the key, which is why these protection measures matter.
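The "divided into two parts, stored on two servers" step above is the part a practitioner will want to see concretely. The following is an added example, not MeSign code, and it assumes a 2-of-2 XOR split (the page does not say which splitting scheme MeSign uses): one server stores fresh random bytes, the other stores the key material XORed with them, and neither share alone says anything about the key. The `Split`/`Join` names and the sample secret are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Share is what one key-management server stores. On its own it is
// indistinguishable from random bytes; in production it would additionally be
// encrypted at rest under that server's own HSM-held key.
type Share []byte

// Split divides a private-key blob (for example its PKCS#8 DER encoding) into
// two shares, both of which are needed to rebuild it: share A is fresh
// randomness and share B is the secret XORed with A. This is a 2-of-2 XOR
// secret split chosen for illustration; the page does not state MeSign's scheme.
func Split(secret []byte) (Share, Share, error) {
	a := make(Share, len(secret))
	if _, err := rand.Read(a); err != nil {
		return nil, nil, err
	}
	b := make(Share, len(secret))
	for i := range secret {
		b[i] = secret[i] ^ a[i]
	}
	return a, b, nil
}

// Join rebuilds the secret from both shares. In the hosted-key model this runs
// on the client, after the user has proven control of the mailbox and fetched
// one share from each server.
func Join(a, b Share) ([]byte, error) {
	if len(a) != len(b) {
		return nil, errors.New("shares differ in length")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

func main() {
	key := []byte("constructed stand-in for a PKCS#8 private key") // not a real key
	a, b, _ := Split(key)
	back, _ := Join(a, b)
	fmt.Printf("server A holds %x\nserver B holds %x\nclient rebuilds %q\n", a, b, back)
}
```

Because share A is uniformly random and share B is the one-time-pad of the secret under A, compromising either server alone yields nothing; an attacker needs both servers, or needs to pass the email-control validation that releases both shares to a client. Each call to `Split` must draw fresh randomness, otherwise two splits of different keys would leak their XOR.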
MeSign provides four levels of security measures for protecting the private key of the user's encrypting certificate, to meet the different security requirements that different users have for their private key.
The three levels above all rely on the MeSign Key Management System in the cloud to generate and store the private key. Users with stringent security and control requirements for the encrypting certificate's private key (such as government agencies, financial institutions and large enterprises) can instead buy the MeSign Enterprise Key Management System (Enterprise KM), a plug-and-play system deployed on-premise. Staff computers and mobile devices can obtain the encrypting certificate's private key only by connecting to the in-house EKM, so the organization manages its own encrypting keys and can satisfy the relevant security control requirements.
Because the signing certificate carries identity information and its digital signature has legal effect equivalent to a handwritten signature, MeSign does not generate or store the signing certificate's private key on a cloud server. The key is generated and stored securely on the user's device and is never uploaded to the cloud. Each time the user runs the MeSign App on a new device, the system issues a new signing certificate for that device; the signing certificates on two devices are two different certificates, though of course the identity information in them is the same.
Besides being generated locally, the signing certificate's private key is protected with the same three levels of security as the encrypting certificate's private key, to meet the requirements of different users. Once the user has set a certificate protection password, it applies to both the signing certificate and the encrypting certificate; it does not need to be set separately.
In summary, to reconcile private-key security with ease of use, MeSign adopts a cloud key management service model and separates the encrypting certificate and the signing certificate into two independent certificates. So that the user can decrypt encrypted email on different devices, the encrypting certificate that the MeSign App auto-configures by default is the same on every device: it is generated and stored on the cloud server the first time the user uses the MeSign App. If the organization runs an on-premise enterprise key management system (EKMS), employees' default encrypting certificate private keys are retrieved from that EKMS and stored securely only there; MeSign does not back them up to the cloud server.
The encrypting key and encrypting certificate are valid for 3 years. When the encrypting certificate expires, a new encryption key and certificate are generated automatically, and the old encrypting certificate, with its key, is still kept and distributed so that email previously encrypted to it can still be decrypted, although it is not shown in the certificate management menu of the MeSign App. This removes the headache of managing expired email certificates.
The signing certificate, by contrast, is generated on the user's device and stored only there, so different devices have different signing certificates. Although the signing certificates from different devices are not the same certificate, they carry the same identity information and all of them can be used to sign email.
The auto-configured signing certificate of the Free Edition is valid for one year. On expiry, a new key pair is generated on the device and a new signing certificate is configured automatically; the old signing certificate is no longer used and no longer shown in the certificate management menu of the MeSign App. For the signing certificate of the paid Pro Edition, the user can choose a validity period of 1 to 3 years; on expiry the user renews, and a new signing certificate containing trusted identity information is regenerated and configured automatically. If the user does not renew the paid service, it is downgraded to the Free Edition and a Free Edition signing certificate is auto-configured.
MeSign Technology draws on the strengths of the key management services provided by cloud service providers to offer users flexible and affordable key management, so that they can use email encryption without having to be aware that encryption keys exist at all. It has the following major advantages:
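Two of the design points above, the split into a signing certificate and an encrypting certificate with different key usages, and the retention of expired encrypting keys so that old mail still opens, come together in the client's decryption path. The following is an added example written for this page, not MeSign App code, using Go's standard library. It stands in for the S/MIME layer with a minimal CMS-style envelope (RSA-OAEP-wrapped AES-GCM content key, recipient identified by certificate serial as a CMS RecipientInfo does), enforces that only a certificate with the keyEncipherment usage and a current validity period may be encrypted to, and keeps a ring of every encrypting key ever issued so an envelope addressed to an expired certificate still decrypts. The `Envelope`, `issueCert`, `Encrypt` and `KeyRing` names, the self-signed certificates and the sample identity are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Envelope stands in for a CMS EnvelopedData: the recipient is named by certificate
// serial as in a CMS RecipientInfo, the content key is RSA-OAEP wrapped, body is AES-GCM.
type Envelope struct {
	RecipientSerial string
	WrappedKey      []byte
	Nonce           []byte
	Ciphertext      []byte
}

// issueCert makes a self-signed certificate with the given KeyUsage and a three-year
// validity ending at notAfter. A real deployment has a CA sign it; self-signing keeps this offline.
func issueCert(key *rsa.PrivateKey, serial int64, usage x509.KeyUsage, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "alice@example.com"}, // constructed identity
		NotBefore:    notAfter.AddDate(-3, 0, 0),
		NotAfter:     notAfter,
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Encrypt envelopes plaintext for recip as of time now; it refuses an expired certificate
// and one without keyEncipherment usage (which is how a signing certificate is rejected).
func Encrypt(recip *x509.Certificate, plaintext []byte, now time.Time) (*Envelope, error) {
	if now.Before(recip.NotBefore) || now.After(recip.NotAfter) {
		return nil, fmt.Errorf("certificate %s not valid at %s", recip.SerialNumber, now.Format(time.RFC3339))
	}
	if recip.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return nil, fmt.Errorf("certificate %s is not an encrypting certificate", recip.SerialNumber)
	}
	cek := make([]byte, 32) // fresh AES-256 content-encryption key per message
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recip.PublicKey.(*rsa.PublicKey), cek, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return &Envelope{RecipientSerial: recip.SerialNumber.String(), WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// KeyRing holds every encrypting private key ever issued to an account, keyed by certificate
// serial, so mail enveloped to a now-expired certificate still opens (what the KMS hands the client).
type KeyRing map[string]*rsa.PrivateKey

func (r KeyRing) Decrypt(env *Envelope) ([]byte, error) {
	priv, ok := r[env.RecipientSerial]
	if !ok {
		return nil, fmt.Errorf("no private key for recipient serial %s", env.RecipientSerial)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	now := time.Now()
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	oldCert := issueCert(oldKey, 1, x509.KeyUsageKeyEncipherment, now.AddDate(0, -1, 0)) // expired last month
	ring := KeyRing{oldCert.SerialNumber.String(): oldKey}                                  // retained after expiry
	old, _ := Encrypt(oldCert, []byte("sent a year ago"), now.AddDate(-1, 0, 0))
	pt, err := ring.Decrypt(old)
	fmt.Printf("old mail via serial %s: %q %v\n", old.RecipientSerial, pt, err)
	_, err = Encrypt(oldCert, []byte("new mail"), now)
	fmt.Println("encrypting to the expired certificate today:", err)
}
```

The two checks in `Encrypt` are the ones a client must not skip: a sender should never envelope new mail to an expired certificate, and a signing certificate (digitalSignature, contentCommitment) must never be used for key encipherment even though it belongs to the same person. The ring on the decrypting side is what makes "expired but still needed" harmless: lookup is by the serial carried in the envelope, so a message enveloped three years ago finds its key without the user managing anything.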