1. Patent Search
  2. Details

Automated Lightweight Database Access Protocol Secure/Multipurpose Internet Mail Extensions Key Server

20220407888 · 2022-12-22

    Inventors

    Cpc classification

    International classification

    Abstract

    A Secure/Multipurpose Internet Mail Extensions (S/MIME) key material publication system that converts cryptographic material extracted from digitally signed and validated S/MIME messages it receives into key material formats suitable for populating email address books. Publication of the address book contents both internal and external to an organization is done using the standard address book lightweight database access protocol (LDAP). The wide availability and coordination of such automated address books distributing key material across the Internet allows the large installed base of S/MIME email clients to immediately send secure encrypted email across organizational boundaries. The system serves the role of public key server thus removing a barrier to ubiquitous secure encrypted email by simplifying global key management.

    Claims

    1. A method for automatically collecting and distributing Secure/Multipurpose Internet Mail Extensions (S/MIME) key material needed for encrypted email exchange comprising: an email server for receiving S/MIME signed email messages from senders wishing to publish their key material; a program validating the signed email messages and extracting content and signature parts; the program dissecting signature part into constituent sender certificate, intermediate certificates, and content signature; storing the sender certificate in local database, indexed by sender email address, in form acceptable for Lightweight Database Access Protocol (LDAP) distribution; reassembling original signature constituents including content in form acceptable for LDAP distribution and storing result in local database indexed by sender email address; a LDAP server receiving requests for S/MIME key material from email clients; responding with key material for requested email address from local database if available.

    2. The method of claim 1, further comprising forwarding requests for key material not contained in the local database to other instances of the present invention as found through Domain Name System (DNS) lookup.

    3. The method of claim 2, further comprising periodic scanning for expired key material in local database and notifying senders associated with key material of status.

    4. The method of claim 3, further comprising limiting local database entries to those associated with senders from within the organization operating the service.

    5. The method of claim 3, where the system is operated as a public service without limitations on sender's organization.

    6. The method of claim 5, further comprising the inclusion of paid advertising material in status notifications.

    Description

    BRIEF DESCRIPTION OF DRAWINGS

    [0007] FIG. 1 shows a diagram of current S/MIME operation and additional elements of the present invention as part of an overall system.

    [0008] FIG. 2 shows a diagram of a preferred embodiment of the present invention as part of an overall system.

    [0009] FIG. 3 shows a diagram of an alternate preferred embodiment of the present invention as part of an overall system.

    PREFERRED EMBODIMENT

    [0010] Referring to FIG. 2. The preferred embodiment of the present invention implements the enhanced address book with a LDAP server (213,216) engineered to find and forward requests that cannot be satisfied using local databases (208,214) to the responsible LDAP server (215, 216 for cordlessliving.com). The local LDAP databases (208,214) are automatically populated with key material converted (206,227) from emails received from inside the organizations.

    [0011] kathie@cordlessliving.com sends (200) a single signed email to an email address associated with the present invention—Idapx@cordlessliving.com—via email client (201) which uses her private key (202-S) to create a S/MIME signature. S/MIME signatures contain not only a signature of the email content but also a chain of certificates that allow the receiver of such an email to verify the identity and key to a single trusted, usually public, certificate. These trusted certificates are preconfigured and maintained by the operating systems under which servers, clients, and other programs run. The format of the S/MIME signature is defined by PKCS7 [9]. The signed email is sent (203) to organization A's (226) email server (204) which forwards (205) it to a conversion program (206). This program cryptographically validates the email and extracts content and the PKCS7 signature. The conversion program then carefully dissects the signature and reassembles it with the email content to create LDAP compatible attributes for kathie@cordlessliving.com's certificate (containing public key 202-P)—“userCertificate” [10], and the more comprehensive “userSMIMECertificate” [11] containing content and chain of certificates used to validate key and identity to trusted root certificate. These are saved (207) in the database (208). userCertificate takes the binary version of the certificate identifying kathie@cordlessliving.com and her public key from the dissected PKCS7 signature while userSMIMECertificate takes a binary version of a PKCS7 signature reassembled from dissected components and combined with email contents that preserves the validity of the new PKCS7 structure.

    [0012] Now when bill@dc.org tries to send an encrypted email (209), his email client (210) uses its integrated LDAP client (211) to lookup (212) the public key for kathie@cordlessliving.com (202-P). Since this is not a user in organization B and therefore not found in the local database (214), the LDAP server (213) looks up and queries (215) the LDAP server for cordlessliving.com (216). This server searches (217) its local database (208) and finds the previously populated key material for kathie@cordlessliving.com and returns it (218) to organization B's LDAP server (213) for forwarding (219) to bill@dc.org's LDAP client (211) and email client (210). Email client (210) validates the key material (userSMIMECertificate and userCertificate) by following included certificate chains up to one matching a preconfigured trusted certificate in the email client or operating system. Finally email client (210) uses kathie@cordlessliving.com's public key (202-P) contained in the key material to encrypt the message for her (220). Email server (221) forwards (222) the message to the email server responsible for cordlessliving.com (204) where email client (201) picks up the message (223) and decrypts it with its private key (202-S) for display (224) to kathie@cordlessliving.com.

    [0013] The preferred embodiment keeps its database of key material up to date by regularly checking the expiration dates that are a native part of certificates stored in the databases (208,214) and notifying the owners of key material of impending expiration (and requesting another signed email to update same) and removing any associated key material that has expired. Each time a new signed email is received, after it has been validated, its converted contents are used to update the database.

    [0014] In the interest of privacy, the LDAP server of the preferred embodiment does not allow browsing or group lookup of email addresses. It only responds when there is an exact match. This limits the ability of an attacked to see a directory of staff.

    [0015] Referring to FIG. 3. In an alternate preferred embodiment, the present invention serves as a public address book (327) for all users and organizations with insufficient resources to maintain their own system. Anyone may configure their LDAP client (314,325) to query (315) this public server (316) at Idapx.ends2ends.com as well as publish their key material by sending signed email (305) to Idapx@ends2ends.com. In this instance the LDAP server (316) may choose to forward requests it receives (315) at Idapx.ends2ends.com for users not in its database (310) to responsible LDAP servers and relay responses or only respond (319) for users it has key material for. Emails sent to users indicating their key material expiry and validity include advertisements to derive revenue to support this public system. This embodiment results in what is called a public key server akin to those deployed by competing encrypted email system: Pretty Good Privacy (PGP) email. Though support for PGP is not built into the vast majority of deployed email clients, it can and is used globally with the help of public PGP key servers. The present invention has the advantages of simplified key publication (simply sending a signed email); and, by virtue of being based on S/MIME, automatic key material lookup built into majority of deployed email clients and keys that are validated to trusted sources.

    [0016] The preferred embodiment should not be considered to exclude the wider claims of the present invention which include address book protocols other than LDAP or secure email protocols other than S/MIME.

    REFERENCES

    [0017] [1] Secure/Multipurpose Internet Mail Extensions (S/MIME) Version Message Specification

    https://datatracker.ietf.org/doc/html/rfc8551

    [0018] [2] Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map

    https://datatracker.ietf.org/doc/html/rfc4510

    [0019] [3] There are now 1.2 billion Office users and 60 million Office 365 commercial customers

    https://www.windowscentral.com/there-are-now-1.2-billion-office-users-60-million-office-365-commercial-customers

    [0020] [4] SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)

    https://datatracker.ietf.org/doc/html/rfc7672

    [0021] [5] Public-key cryptography

    http://en.wikipedia.org/wiki/Public-key cryptography

    [0022] [6] Common email address books include Microsoft Global Address List (GAL)

    https://docs.micrisoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
    and Active Directory (uses LDAP to communicate)
    https://en.wikipedia.org/wiki/Active Directory

    [0023] [7] Example of public LDAP server with internally managed key material. E-MAIL CONFIGURATION FOR USAGE OF THE DFN PKI LDAP DIRECTORY SERVICE

    https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/e mail/pki/e mail Idap dfn pki?set language=en

    [0024] [8] Simple Mail Transfer Protocol

    https://datatracker.ietf.org/doc/html/rfc5321#section-5.1

    [0025] [9] PKCS #7: Cryptographic Message Syntax Version 1.5

    https://datatracker.ietf.org/doc/html/rfc2315

    Cryptographic Message Syntax (CMS)

    [0026] https://datatracker.ietf.org/doc/html/rfc5652

    [0027] [10] userCertificate format

    https://docs.microsoft.com/en-us/openspecs/windows protocols/ms-adls/d66d1662-Ob4f-44ab-a4c8-e788f3ae39cf

    [0028] [11] userSMIMECertificate format for Microsoft

    https://docs.microsoft.com/en-us/openspecs/windows protocols/ms-adls/ae06cc47-4276-9229-91e03573f6bc

    and for Microsoft Exchange Address Book Object Protocol

    [0029] https://docs.microsoft.com/en-us/openspecs/exchange server protocols/ms-oxoabk/2653a83f-ace5-4543-8908-d6557e2f6ed6