The MyMail Secure Email Solution (cont'd)

Chapter 3: Technical Analysis

This section describes in technical detail how MyMail´s SES uses its technologies in combination with other open source technologies to safely and securely transmit and store email messages.

The Technologies in Action

DynamicKeyâ„¢ Encryption for Email Storage

MyMail´s SES patent pending technology ensures every email message stored on its servers is uniquely encrypted using dynamically generated keys that can only be accessed using the recipient’s credentials.

MyMail´s SES Secure Socket Layer Email Transmission

The MyMail SES Secure Email solution requires that all communication (https:WebMail, POP3, and SMTP services) with MyMail´s SES Secure Email servers occurs over a Secure Socket Layer (SSL) connection. SSL uses a combination of asymmetric and symmetric key encryption standards. When one connects to a server using the SSL, in general the following things happen:

1. The server uses its private key to prove to users that it is in fact the server that they are trying to connect to. This lets users know that they are not connecting to a middleman who is intercepting their communications.
2. The user’s email client or web browser sends the server a public key.
3. The server generates a "secret key" and encrypts it using the public key it received and then sends it back to the user.
4. The user and the server then communicate using symmetric key encryption via this shared secret key. (Note: Symmetric key encryption is faster and more secure than asymmetric key encryption).

The two benefits of SSL are verification of connection to the proper server and verification of server security. When one gets any warning messages when connecting to a server using SSL, one should think twice about ignoring them. While the service provider may have a small technical problem that is causing the warning, these warnings can also indicate that secure communications are being intercepted or compromised. These warnings usually indicate one of the following:

1. The server's SSL "certificate" (i.e. public/private key pair) has expired.
2. Some of the information in the certificate doesn't match the information expected -- i.e. the certificate was issued for a different server name than the one the user is trying to connect to. (One could be inadvertently connecting to the wrong server.)
3. The certificate was issued by an untrusted agency.

SSL certificates are (generally) issued by third party agencies such as Thawte.com or VeriSign. These 3rd party companies do a background check on companies and individuals that request certificates, and only issue certificates if the companies or individual have a right to them. The certificate includes the name of the company, the name of the issuing company, and the name of the server to which it is issued. When one connects to an SSL server one can verify this embedded information and the fact that it was issued by a third party company that is trusted. If the certificate is valid then a user can have a high degree of confidence that the server they are connecting to is the server they want to reach.

By using SSL for Webmail, POP3, IMAP, and SMTP one is ensured that communications between their personal computer and their email server is encrypted. Hence each user’s email message, username, and password will be securely hidden from eavesdroppers. MyMail´s SES also uses SSL to protect inter-mail server communications so that email messages remain secure once they leave a MyMail´s SES SMTP secure mail server and head to their final destinations. Using MyMail´s SES not only protects your username and password from detection it also protects your email messages to those using MyMail´s SES or an SSL enabled mail server.

From an end-user perspective, SSL is very easy to use and is practically transparent. For those end-users using an email client such as Microsoft Outlook, Mozilla Thunderbird, or Apple Mail, it takes only a few mouse clicks in addition to the normal mail server names and port address configuration. For those using web-mail it is transparent. For those recipients who do not have an SSL compliant service or server, please visit www.MyMail.com.

Transmission Architecture

MyMail´s SES secures transmission of electronic information through its secure architecture shown in Figure 1.

Users connect to a MyMail´s SES server either by using a web browser capable of HTTPS and their local internet service provider (ISP) or through an SSL compliant POP3 email client such as Microsoft Outlook. After a user is authenticated on the Email Data Host (EDH), a Secure Socket Layer (SSL) is opened between the EDH and the user’s web browser or email client. Specifically, the EDH assigns a dedicated port to the web browser or email client and all information through this port is encrypted. Security certificates on the EDH must be up to date and valid for SSL to open between the EDH and user’s system.

If a user does not have an SSL compliant web browser or POP3 email client, then no SSL connection between EDH and the user’s system is made. Failed SSL requests cause the EDH to return an error to the user. This error instructs the user to switch to an SSL compliant web browser or email client before attempting to make another connection. Server to server connections between EDH and Paired Key Store (PKS) and between Key Signing Authority (KSA) and PKS are accomplished through Secure Shell (SSH®) on dedicated ports. All information on these dedicated ports is encrypted by SSH®. MyMail´s SES’s secure architecture meets the definition of secure . User-to-user connections are encrypted point-to-point with SSL and server-to-server connections are encrypted through SSH®. One advantage of this secure architecture is that encryption is transparent to all users of a MyMail´s SES.

MyMail´s SES Dynamic Encryption Method

MyMail´s SES uses a dynamic encryption algorithm, shown in Figure 2, which provides a unique solution for integrity and security of electronic information. Upon creation of a user account, public and private keys are generated and stored on the PKS. When a user sends an email message, their public key is retrieved from the PKS and a Dynamic Row Secret (DRS) is generated using a hardware gamma decay apparatus. Gamma decay is a truly random process in nature which ensures each DRS is unique. The public key and DRS are encrypted via OpenSSL and stored on the EDH. Electronic mail data is compressed, shredded into four blocks, and encrypted with the DRS using the Advanced Encryption Standard (AES).

The National Institute of Standards and Technology states there are approximately 1038, 1057, and 1077 possible keys for 128-bit, 192-bit, and 256-bit AES keys respectively. MyMail´s SES uses 256-bit AES encryption; therefore, the initial number of keys is approximately 1077 per DRS. It would take a machine trying 1 key per second 1069 years to recover a single 256-bit AES key if the same DRS is used to encrypt all email messages on the EDH. To put this time in perspective, scientists set the upper limit for the age of the universe at 1010 years. Dynamic row secrets are only used once, 256-bit AES encryption is used, and encrypted email data is shredded on the EDH.

Access to the information stored on the EDH is very controlled and restricted. That is, authenticated users can access the information in human readable form through an HTTPS secure web browser or a POP3S secure mail client, whereas system administrators can only see raw encrypted data if they have the correct credentials. Hence, the robustness of the MyMail SES prevents others – including system administrators – from viewing human readable forms of email messages of others.

MyMail´s SES Secure Data Storage Model

MyMail´s SES’s secure data storage on the EDH is different from data storage on the PKS. On the EDH, encrypted data is stored in a database format by default. A file system format for data storage is available to the administrator if desired. The encrypted DRS serves as the fingerprint/signature for a particular email message. Mail header information needed to send the encrypted MyMail´s SES message through the internet is not encrypted. This information must remain in plain text in order for the encrypted DRS (fingerprint/signature) and email data (message body) to propagate through the internet. Email data for a particular message is shredded into four 256-bit AES encrypted blocks and then base 64 encoded in the database. These 4 blocks are tied to the base 64 encoded DRS and plain text mail header information. On the PKS, public keys are stored in a database format. Public keys for each MyMail´s SES user are encrypted in the database along with the user's authentication data. This data format allows the EDH to retrieve a user's public key to be encrypted with the DRS obtained from the KSA. Encrypted key and data storage meet the definition of secure.

MyMail´s SES Audit Controls

Any person that either controls or has access to one or more pieces of the architecture or algorithm is subject to audit control. This control is necessary to meet and document the definition of secure. An administrator must be able to determine what has been done, when it happened, how it happened, and potentially who penetrated or intercepted one or more pieces of the architecture or algorithm. For example, if someone purges a MyMail´s SES user’s encrypted email, which email was purged, when the email was purged, and who purged the email are critical pieces of information for audit control to function properly.

MyMail´s SES uses several audit controls on the EDH to meet the definition of secure. MyMail´s SES audit controls depend on the type of administrator: webmaster or provider. Through the MyMail SES webmaster interface, the webmaster has access to site configuration, user account management, security and operations, package control, and statistical reports. Figure 3 shows a sample of audit control tools available to the MyMail SES webmaster. Security and operation of the EDH includes white listing (API Access), black listing (Ban IP Address), relay and spam prevention (Reject incoming address), and chronological mail purging (Purge mails). The webmaster has access to statistical reports for usage and click through (Banner statistics) besides graphical and charted data on mail volume, user sign up activity, and mail size.

MyMail SES provider interface, shown in Figure 4, gives the provider audit control over data compression and storage format, domains, remote email access (POP3 server), database management, and statistical reports. Compressing HTTPS data increases the amount of data sent to the user’s web browser through an SSL connection. Encrypted email data storage on the EDH increases storage capacity and security. The provider also has the option of whether to store data in a database format or in a regular file system format. Email domains can be added, removed, and edited by the provider. Quotas can be set on a per domain basis through the provider interface or on per user basis through the webmaster interface. Remote email access may be configured, disabled, or enabled on a per domain basis. At system installation time, MySQL database management tools can be installed to enable secure email data storage backup and restore services. The provider has access to statistical reports for domain usage with graphical and charted reports on user sign up activity and mail volume.

No user accounts for the webmaster or provider exist on the EDH. Therefore, neither the webmaster nor the provider can change audit control information. This information can only be changed by a MyMail´s SES system administrator. Audit control information available to the EDH system administrator includes user activity, web server activity, SSH activity, mail server activity, database activity, and operating system messages. Audit control information available to the PKS/KSA system administrator includes administrator activity, SSH activity, database activity, and operating system messages. Audit control logs are rotated and backed up automatically by the operating system. All of these audit controls can be used to meet and document as required by the definition of secure.

MyMail´s SES Measured Security Benchmark Results

Note the results in this section are taken from the Independent Security Audit Report done by Angelo State University, 2601 W. Avenue N, San Angelo, Texas 76909; http://www.angelo.edu

The strengths of MyMail´s SES may be summarized as:

• Secure user authentication
• Secure point-to-point transmission of electronic data
• Robust and secure dynamic encryption algorithm
• Secure key management and data storage
• Secure audit controls

The benchmarking process used by Angelo State University included a cryptanalysis of encrypted email data, an email feature comparison and an end user ease-of-use analysis.

The cryptanalysis included frequency analysis, length of alphabet, variance, index of coincidence, probable key length, and disorder of encrypted email data. A standard email message was used as the benchmark. The results of the cryptanalysis are summarized in Table 1. Length of cipher alphabet is the number of unique characters in the encrypted message body. The variance of the encrypted message body is a measure of its statistical dispersion, indicating how far an encrypted character is from the expected plain text value. Index of coincidence is the probability that two characters selected from an encrypted message body are identical. If plain text is used to calculate index of coincidence, the result would be 0.0656. If random, but uniformly distributed, plain text is used to calculate index of coincidence, the result is 0.038. Smaller values of index of coincidence indicate random, but non-uniformly distributed text. Index of coincidence is inversely related to probable key length. Small index of coincidence implies a large probable key length. Disorder is a statistical measure of information contained in the encrypted message body. Information is inversely proportional to probability. Therefore; the larger the disorder in the encrypted message body is, the smaller the probability of identifying information. The data in Table 1 states that the MyMail SES dynamic encryption algorithm produces a larger variance and larger disorder with a larger index of coincidence and hence shorter probable key length. Our cryptanalysis of the MyMail SES dynamic encryption algorithm meets the definition of secure.

Besides cryptanalysis, an email feature comparison of MyMail´s SES was conducted to assess point-to-point encryption, key management, amount of encrypted message body text available to an attacker, and potential of user identity theft (see Table 2).

MyMail´s SES is encrypted point-to-point using SSL compliant web browsers and POP3S connections for remote email access using a third-party email client such as Microsoft’s Outlook. MyMail´s SES’s encryption keys are dynamic in that each key is only used once per message per user. This type of key management is one of the best approximations of the one-time pad key. One-time pad keys are only used once and in theory provide the highest level of information security".

MyMail´s SES's default mail box quota and file attachment limit indicate a potential attacker does not have access to large amounts of encrypted message data. User identity theft is minimized with MyMail´s SES because user authentication is achieved through an email address internal to the EDH. An external email address such as jonsmith@myoffice.com can be pulled into the EDH by a provider administrator. Authenticating users internally prevents unauthorized persons from using MyMail´s SES.

 

Go to Chapter 3: Technical Analysis

Return to top of page

Go to Chapter 4: Architectural Implementation