SecureEmail
In today’s business arena, email has become an indispensable daily communication tool for all corporations. Sensitive corporate information and documents are now frequently transmitted via email among employees and external parties. Such emails can easily be eavesdropped on and modified along the network link, accessed directly on the mail server, and recovered from backup storage. Furthermore, confidential emails can easily be forwarded to unauthorized recipients, causing unnecessary data leaks and embarrassment to the organization.

The perfect solution to counteract such email vulnerabilities is SecureAge® SecureEmail, one of the core components of the SecureAge® data security solution. SecureAge® SecureEmail provides powerful policy-based security control by allowing intuitive labeling of sensitive email information and controlling how each labeled email should be treated when it is transmitted, stored, forwarded and replied to.

Using a software configuration tool, an organization can define its preferred set of email classification labels, such as “Confidential”, “Secret”, “Protected”, etc. Such labels are clearly highlighted in different colors and added to the email body in plain text, HTML text and rich text formats. Consequently, printed emails will bear the same labeled text. These labels can also be added to the email subject line to allow convenient viewing in the email list view, and added to the email MIME header so that the Mail Server (MTA) can apply additional policy control to such emails.

Similar to traditional secure email products, SecureAge® SecureEmail also supports email signing and encryption based on the latest S/MIME version 3.1 standard, thereby ensuring email authenticity and privacy. However, most enterprise users are not technically savvy enough to decide correctly which types of emails should be signed or encrypted.
With SecureEmail, this problem is resolved by integrating the digital signing and encryption operations with the policy governing labeled emails. Users only need to decide how they should label an email and leave the requirements on digital signing and encryption to the policy rule engine. For instance, a policy could be defined with rules such as: all “confidential” email must be signed and encrypted, while “protected” email must be signed but could be either encrypted or plain. With such a policy in place, users will not be able to accidentally send out a plain “confidential” email.

SecureAge® SecureEmail works seamlessly with most email platforms like Lotus Notes, Microsoft Outlook, Outlook Web Access, Sun Messaging server, Outlook Express, Netscape Messenger, etc.

Apart from SecureAge® SecureEmail, the SecureAge® client also comes with another core component, SecureAge® SecureWebmail. The SecureAge® client provides organizations with the flexibility of securing either the email or webmail system or both, depending on their needs. Such flexibility in the SecureAge® client will help organizations to reduce their investment cost significantly.

SecureAge® SecureEmail enables secure email transmission with any recipient, anytime and anywhere, without the hassle of upgrading or modifying the current email infrastructure. It also ensures the privacy and integrity of emails without any user involvement. Its ready platform makes integration and deployment into your existing infrastructure and processes easy.

SecureEmail Policy Control

Traditionally, sensitive paper documents are protected by labeling them with easy-to-understand, highlighted classifications like Confidential, Secret, etc. SecureAge® SecureEmail makes use of the same methodology in labeling sensitive enterprise emails, and does not require users to learn an entirely different methodology for handling sensitive digital communication.

The enterprise administrator is given a software configuration tool to define email labels that are relevant and familiar to employees within the enterprise. Such labels are then given different color codes to make them prominent when the emails are read on the computer monitor or printed out as hard copies.

An important aspect of placing a security label on an email is to define what the recipients can and cannot do with such a labeled email after they have received it. The configuration tool allows a comprehensive set of security policies to be defined for all labeled emails. Specifically, the following security associations can be easily created:

The email labels selected by users are securely embedded into signed or encrypted emails so that they cannot be tampered with. The same labels are also inserted into the email body as plain text, as well as color-coded HTML text or Rich Text, for easy viewing on screen and on paper printouts. One can also configure the policy to have the email labels appear on the email subject line and in its MIME header so that the email server or Mail Transfer Agent (MTA) can apply further policy control to these labeled emails. For example, an MTA may be configured to block emails that are labeled as Secret from being pushed to unprotected PDA devices.

SecureEmail Cryptographic Security Support

A significant strength of the SecureAge® SecureEmail solution lies in its advanced email cryptographic security support. It uses S/MIME (Secure/Multipurpose Internet Mail Extensions) standards to provide a consistent way to send and receive email messages and attachments securely. S/MIME provides cryptographic security services for email applications that do not require any human intervention. It has the capability to encrypt and decrypt email to ensure authentication, message integrity, non-repudiation and data confidentiality.

In addition to supporting the most updated standard based on S/MIME version 3.1 (IETF RFC 3851), SecureAge® SecureEmail supports the following list of advanced security features that are not commonly available in other commercial secure email products.

Most Advanced Cryptographic Algorithm Support in the Market

SecureAge® SecureEmail supports unlimited key length public key digital signature and encryption algorithms. These include RSA, DSA and ECDSA. Typical usage of 1024-bit keys is no longer considered sufficient for high security emails. With SecureAge® SecureEmail, one can migrate to higher strength RSA (e.g. 2048-bit) or the more efficient Elliptic Curve public key system.

In terms of hash functions used for digital signature operations, SecureEmail supports the commonly used SHA-1 and MD5, but users can choose the stronger SHA-256, SHA-384 and SHA-512 to mitigate the increased vulnerability of MD5 and SHA-1. For the symmetric key algorithm, SecureAge® SecureEmail uses 256-bit AES by default. It also provides support for weaker algorithms like triple-DES and RC2 for backward compatibility.

Smart Card and USB Token Support

By leveraging the SecureAge® PKI middleware platform, SecureEmail automatically supports key storage on a wide variety of smart cards and USB tokens from different chip vendors. It also supports the storage of the user’s key on the on-board TPM chip that is now commonly available on business PCs and laptops.

Other than acting as a second-factor authenticator, one unique security strength of smart cards and USB tokens is their similarity to a bank ATM or debit card. The smart card / token will be locked permanently after a limited number of authentication failures performed by an attacker. Hence, there is no danger to a user even if his machine and smart card / token are both stolen.

Efficient Security

SecureAge® SecureEmail supports the S/MIME email compression format standard (IETF RFC 3274). This can significantly reduce the size of a standard secure email message and attachment (like a Word document, Excel worksheet or text file) by as much as 5 times when compared to an uncompressed email.

Flexible Key Management

As a standard PKI security practice, encryption keys are renewed every one to two years. Once the encryption keys are renewed, the user can no longer decrypt past emails with the new key. But with SecureAge® SecureEmail, users can have peace of mind without worrying about the inability to retrieve old emails. It enables access to unlimited key history and automatically selects the correct key for users to decrypt any past email of their choice.

SecureAge® SecureEmail also supports both single-key and dual-key usage. The user may make use of a single private and public key pair for signing and encrypting their emails. In some organizations, different key pairs are issued to each user: one for the signature operation and the other for the encryption operation. This is particularly useful when a centralized key escrow process is put in place to ensure that encryption keys can be recovered when needed, while signature keys are not duplicated so as to ensure non-repudiation.

Migration Tool To Re-encrypt Old Emails with New Encryption Key

In every organization, people come and go. Some employees may also be moved to different sub-organizations and given a new set of digital certificates. Hence, there is a need to ‘migrate’ old secure emails to make them accessible by different users or different keys.

SecureAge® SecureEmail comes with a convenient migration tool for different email platforms. It enables users to migrate emails encrypted by their old keys to the new keys. After the migration, the emails in the email server and the archive folders will be encrypted with the new keys and the old key will no longer be needed. The same tool also allows users to encrypt confidential emails that were received in plain, so that they can be assured that all their emails are protected even when the email storage device is lost or compromised.

Automatic Retrieval of Recipients’ Digital Certificates

Whenever you send an encrypted email to your designated recipients, SecureAge® SecureEmail will automatically perform a directory lookup of your recipients’ certificates using an LDAP (Lightweight Directory Access Protocol) repository or Microsoft Active Directory. After locating your recipients’ certificates, it will automatically import these certificates into your personal certificate store.

SecureAge® SecureEmail also comes with the capability of automatically expanding your email groups.
For example, suppose you want to send an encrypted email to a few recipients listed in a group email address. SecureAge® SecureEmail will automatically identify the encryption keys of each and every recipient. The email will then be encrypted using their respective keys to ensure that they are the only recipients privy to the email content.

Support Certificate Revocation Checking & OCSP

By using SecureAge® SecureEmail, your email security is guaranteed by its comprehensive Certificate Revocation List (CRL) checking and automatic updating capability. It will automatically check the validity of all digital certificates used in any secure email operation. The Certificate Revocation List (CRL) of each certificate is automatically updated to ensure its validity. If any certificate is found to be invalid or expired or brand new, it will automatically retrieve the new certificate and replace the old one.

SecureAge® SecureEmail also provides online certificate validity checking via the Online Certificate Status Protocol (OCSP). It is an ideal option for organizations that require timely revocation information. Digital certificates are considered valid only after the OCSP responder provides a positive response to the status request issued by the OCSP client.

Support Email Header Integrity Protection

SecureAge® SecureEmail ensures email integrity by securely encrypting and signing not only your email content but also your email header. It will check and verify the integrity of the encrypted email header by matching it with the email header that appears in the inbox mail folder view. It will then alert the recipient if any discrepancies are found.

Support User Defined Encryption Algorithms

SecureAge® SecureEmail supports user defined encryption algorithms.
To further boost the security strength of their corporate email system, government regulators or organizations can choose to incorporate their own proprietary encryption algorithms into SecureAge® SecureEmail, with or without the standard encryption algorithms.

Help Achieve Regulatory Compliance

SecureAge® SecureEmail is able to help your organization fulfill regulatory compliance requirements like the California Privacy Bill (SB 1386), the Sarbanes-Oxley Act of 2002 (SOX), the Health Information Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act of 1999 (GLBA). It helps to meet the requirements under HIPAA and GLBA by encrypting email messages and attachments to protect the confidentiality of information, whether during transmission over the Internet or stored on the desktop / laptop / email server. It also helps your organization to comply with SOX legislation through its authentication and encryption capabilities.

SecureAge® SecureWebmail

Apart from securing email, the SecureAge® client also supports S/MIME security for web mail access to enterprise email systems based on Exchange, Lotus Domino and Sun Messaging Server. Optional support for public webmail systems like Hotmail and Yahoo Mail is also available.

Technical Features Summary
Copyright © 2007 SecureAge Technology Pte Ltd. All rights reserved.