This invention relates to secure data transmission systems, and more particularly to a method and system for delivering encrypted data from a gateway server in a network or the cloud based on a predetermined preference.
Email remains one of the most widely deployed communication applications on the Internet. Securing messages between a sender and a recipient can be performed in a multitude of ways.
Public Key Infrastructure or PKI cryptography is a well-known technique for securing email and other digital information or data between two sources or parties, i.e. a sender and a recipient. PKI utilizes public/private key pairs for encryption and decryption. The security of PKI cryptography is based on a party's private key(s) being kept secret or confidential. In the context of the present description, a private key and public key (i.e. certificate) pair is referred to as a credential.
In addition to PKI, there are a multitude of ways in which data and/or communication channels can be secured between a sender and a recipient for providing secured email messages and data.
However, it will be appreciated that different enterprises will have different regulatory requirements in terms of acceptable security standards. In addition, business requirements or issues, such as ease of use, deployment considerations and configurations, scalability, and/or cost, can also be overriding factors.
Accordingly, there remains a need for improvement in the art.
The present invention is directed to a method, computer program product and system for determining a delivery mechanism for delivering encrypted data to a recipient, wherein the delivery mechanism is based on a predetermined preference.
According to another embodiment, the present invention comprises a computer-implemented method for providing an email message to an intended recipient according to a predetermined preference definition, the computer-implemented method comprises: receiving the email message at a gateway server; configuring the gateway server according to the predetermined preference definition, wherein the predetermined preference definition comprises a plurality of secure delivery mechanisms including one or more of direct private key encryption delivery, transport layer security delivery, domain encryption delivery, direct encrypted delivery and message pickup center delivery; selecting a delivery mechanism based on the predetermined preference definition for delivering the email message from the gateway server to the intended recipient; encrypting the email message according to the selected delivery mechanism; and delivering the encrypted email message to the intended recipient.
According to another embodiment, the present invention comprises a computer program product for providing an email message to an intended recipient according to a predetermined delivery preference definition, the computer program product comprises: a computer readable storage media configured for storing instructions executable by a processor, the executable instructions comprising instructions for receiving the email message at a gateway server; configuring the gateway server according to the predetermined delivery preference definition, wherein the predetermined preference definition comprises a plurality of secure delivery mechanisms including one or more of direct private key encryption delivery, transport layer security delivery, domain encryption delivery, direct encrypted delivery and message pickup center delivery; selecting a delivery mechanism based on the predetermined preference definition for delivering the email message from the gateway server to the intended recipient; encrypting the email message according to the selected delivery mechanism; and delivering the encrypted email message to the intended recipient.
According to an embodiment, the present invention comprises a system for providing an email message to an intended recipient according to a predetermined preference definition, the system comprises: an email exchange server including an encryption component configured to encrypt the email message; an email gateway server operatively coupled to the email exchange server and including a component configured to receive the encrypted email message; the email gateway server being operatively coupled to one or more email domains; and the email gateway server including a delivery preference component, the delivery preference component being configured to deliver the encrypted email message to one of the one or more email domains according to a delivery mechanism based on a delivery preference definition.
Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following exemplary embodiments of the invention in conjunction with the accompanying figures.
Reference will now be made to the accompanying drawings, which show by way of example, embodiments according to the present invention, and in which:
Like reference numerals indicate like elements or components in the drawings.
Reference is made to
The system 100 comprises an encryption and encrypted message platform indicated generally by reference 110, a message pickup center 120, and a plurality of email domains indicated generally by reference 130. According to an exemplary implementation, the email domains 130 comprise a first secured enterprise domain 132, a second secured enterprise domain 134, an external domain with TLS 136, and an external domain 138.
According to an embodiment and in the context of the present description, the encryption and encrypted message platform 110 comprises an encrypted message exchange (EMX) server (or servers) indicated generally by reference 112 and an encrypted mail gateway (EMG) server (or servers) indicated generally by reference 114. According to an exemplary implementation, the EMX server 112 and the EMG server 114 are linked via one or more secure communication channels or protocols indicated generally by reference 116, e.g. SMTP (TLS optional) and/or sMIME, configured through a network, e.g. LAN, WAN, VPN, the Internet (i.e. the “cloud”). The EMX server 112 is configured to provide the message pickup center 120 with access to secure communication (and related services). The EMG server 114 is configured as a gateway server for the plurality of domains (i.e. recipients) 130 of the secure communications. According to an exemplary implementation, the EMX server 112 and the EMG server 114 are based on the encrypted message platform available from Echoworx Corporation of Toronto, Canada. The EMX server 112 comprises a secure web-based portal that is configurable to allow disparate organizations to share confidential information within a secure environment.
The EMG server 114 is configured to run and function as an encrypted email gateway server 114. The particular implementation details for providing this functionality will be within the understanding of one skilled in the art. According to another aspect, the EMG server 114 is configured to perform or execute the sender preference functions according to the embodiments of the present invention. The sender preference functions comprise one or more processes and may be implemented in software (or other computer executable code stored and/or executed from a computer or machine readable media) and/or hardware or programmable logic components, to perform or execute the sender preference functions according to embodiments of the present invention, as described in more detail below. According to an exemplary implementation, the EMG server 114 is configured with one or more processors, memory and non-volatile storage for storing and executing the computer programs, software and/or computer code or logic associated with the sender preference functions and providing the functionality as described in more detail below. In
According to an exemplary embodiment, the sender preference mechanism comprises two main processes: a definition process and an execution process.
In accordance with an embodiment, the definition process is configured for an enterprise email system. The enterprise email system is configured to manage a plurality of email domains 130 (for example, as depicted in
According to an embodiment, the delivery mechanisms configurable for the sender preference function comprise:
(1) Direct Private Key Encryption Delivery
(2) Transport Layer Security (TLS) Delivery
(3) Domain Encryption Delivery
(4) Direct Encrypted Delivery
(5) Message Pickup Center Delivery
According to another aspect, the sender preference function is configured to arrange the delivery mechanisms in a default order, for example, as listed above.
According to an exemplary implementation, direct private key encryption delivery comprises the following delivery mechanisms:
According to an exemplary implementation, transport layer security (TLS) delivery comprises the following delivery mechanisms:
(1) Direct
(2) Opportunistic TLS
According to an exemplary implementation, domain encryption delivery comprises the following delivery mechanisms:
(1) X.509 Certificate
(2) PGP Certificate
According to an exemplary implementation, direct encrypted delivery comprises the following delivery mechanisms:
(1) Imported X.509 Certificate
(2) Imported PGP Certificate
(3) X.509 Certificate Directory Lookup
(4) PGP Certificate Directory Lookup
(5) Echoworx X.509 Certificate Echoworx Security Cloud (ESC) Trust Service (TS) Lookup of Secure Mail user credential
(6) Echoworx X.509 Certificate Echoworx Security Cloud (ESC) Trust Service (TS) of Secure Reader user credential
(7) IBE/Certificate-less user credential
According to an exemplary implementation, message pickup center delivery comprises the following delivery mechanisms:
(1) Echoworx X.509 Certificate Echoworx Security Cloud (ESC) Trust Service (TS) Lookup of EMX user credential
In known manner, the encrypted email gateway server 114 is configured with computer software or code and/or hardware or programmable logic and/or a combination of software and hardware configured to perform and execute the encryption functions and operations to provide the functionality as noted above.
Reference is next made to
Reference is made to
storage 144 in the email gateway server 114), and the particular implementation details will be within the understanding of one skilled in the art.
As shown in
The operation of the system 100 is further illustrated and described in the context of the following two examples:
Example 1: a sender sam@abc.com tries to send an email through the encrypted mail gateway server (EMG) 114 (
Example 2: a sender Sandy, sandy@bmo.com, intends to send an email message through the encrypted mail gateway server (EMG). The sender's enterprise, i.e. “bmo.com” has the following sender preference definition, or an enterprise policy: (1) TLS delivery for domains under the same enterprise (i.e. if the primary SMTP has TLS enabled, the EMG delivers messages using TLS channel encryption); and (2) encrypted mail delivery for any domains utilizing: (a) if an X.509 certificate is available for the recipient domain, then encrypt email using certificate and deliver; (b) if a PGP certificate is available for the recipient, then encrypt email with PGP certificate and deliver to the recipient; (c) if an X.509 certificate is available for the recipient, then encrypt email using certificate and deliver; or (d) if X.509 certificate is found under a Trust Service lookup, then encrypt email using the certificate and deliver. In one scenario, Sandy, sandy@bmo.com, sends an email message to Richard, richard@bmo2.com (another email domain under the same BMO), and based on the sender preference policy, the encrypted mail gateway server (EMG) is configured to attempt a TLS delivery. If successful the message is delivered from the EMG to the recipient, Richard, through TLS channel encryption. If, however, the primary server for the bmo2.com domain (e.g. the primary SMTP server) does not support TLS, the EMG is configured to attempt utilizing a certificate according to delivery methods for encrypted mail delivery for any domains (i.e. method (2)). The EMG will look for an available certificate to encrypt the message for Richard, and if found, the EMG encrypts the message using the certificate and delivers the encrypted message to Richard. If a certificate cannot be found, the email message is bounced back to the sender (e.g. Sandy) as a non-deliverable message. 
It will be appreciated that the message bounce back will occur even if the EMG is configured for message portal delivery because the sender preference enterprise policy does not include message portal delivery.
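The selection behaviour of Example 2 can be sketched as follows. This is an added illustration, not code from the described system: the mechanism labels, the Recipient model, the pickup_center capability name and the sample recipients are all constructed assumptions. It shows that the gateway walks the sender's policy in order and fails closed with a bounce, even when the gateway itself supports a mechanism the policy omits.

```python
from dataclasses import dataclass, field

@dataclass
class Recipient:                      # constructed model of what the gateway knows
    address: str
    enterprise: str = ""              # enterprise that owns the recipient domain
    smtp_tls: bool = False            # primary SMTP server supports TLS
    certs: set = field(default_factory=set)  # certificate sources with a hit

def has(cert):
    return lambda r: cert in r.certs

# Sender preference definition for bmo.com in the order Example 2 lists it:
# (mechanism, scope, condition under which the mechanism can be used).
BMO_POLICY = [
    ("tls", "same_enterprise", lambda r: r.smtp_tls),
    ("domain_x509", "any", has("domain_x509")),
    ("recipient_pgp", "any", has("recipient_pgp")),
    ("recipient_x509", "any", has("recipient_x509")),
    ("trust_service_x509", "any", has("trust_service_x509")),
]

def select_delivery(sender_enterprise, recipient, policy, gateway_mechanisms):
    """Walk the policy in order; return (mechanism, attempted).

    A mechanism is eligible only if it is in the sender's policy AND the
    gateway is configured for it. Exhausting the policy yields "bounce":
    the gateway never falls back to something the policy does not list.
    """
    attempted = []
    for mechanism, scope, usable in policy:
        if mechanism not in gateway_mechanisms:
            continue
        if scope == "same_enterprise" and recipient.enterprise != sender_enterprise:
            continue
        attempted.append(mechanism)
        if usable(recipient):
            return mechanism, attempted
    return "bounce", attempted

# Gateway capabilities, including pickup center delivery that bmo.com's policy omits.
GATEWAY = {m for m, _, _ in BMO_POLICY} | {"pickup_center"}

if __name__ == "__main__":
    richard = Recipient("richard@bmo2.com", enterprise="BMO", smtp_tls=False)
    print(select_delivery("BMO", richard, BMO_POLICY, GATEWAY))
```

The attempted list gives an audit trail of which mechanisms were tried before the final decision, which is useful when a sender asks why a message bounced.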
It will be appreciated that according to the embodiments described above the delivery mechanism(s) is selected based on the delivery preference definition for the sender domains and enterprises.
According to an embodiment, the functions, logic processing, databases, and encryption/decryption (and/or digital signing, and/or verification of signing) processes performed in the operation of the system and the associated processes and/or applications as described above may be implemented in computer software comprising one or more computer programs, objects, functions, routines, modules and/or software processes. It will be appreciated by one skilled in the art that the various functions, logic processing, databases, and/or the encryption/decryption processes/operations (and other operations and functions) set forth may also be realized in suitable hardware, programmable hardware or logic arrays, firmware/software stored in memory or other computer readable media and configured for one or more processing or computing devices or processors operating under stored program control, and/or firmware/software logic blocks, objects, modules or components or in combination thereof. The particular implementation details will be within the understanding of one skilled in the art.
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The embodiments described and disclosed are to be considered in all aspects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.