Electronic messages, such as email messages, transmitted between a sender and a recipient include information that can be intercepted by third parties. Generally, email messages transmitted and received using Simple Mail Transfer Protocol (SMTP) are not secure and face threats from both network intruders and legitimate communicating parties. Various attributes of messages are vulnerable to falsification, interception, and/or modification. Security concerns may arise in a variety of electronic messaging applications, including email and electronic transactions such as online credit card processing.
For example, email message senders may commit return-address forgery and timestamp falsification. Similarly, email message recipients may deceitfully deny receipt of messages. Additionally, network intruders may modify messages to manipulate communications, while network eavesdroppers may passively capture messages to gather confidential information. The information that can be gathered from a compromised message includes items such as the identities of the sender and recipient(s), the actual content of the message, the date the message was sent, and any other attributes encoded in the message.
Furthermore, servers used to store and transport email messages can pose threats to message security. Messages can remain in server backup archives long after their intended lifetime has elapsed, only to reemerge at inopportune times. Consequently, after a message has been sent via SMTP and is in transit, in storage on an intermediate SMTP mail server or unopened on the final recipient's machine, the message may be read at will by anyone with access to the message data. Anyone from corporate spies to the email server backup operator may have access to the message data.
When an email transmission is initiated with SMTP, the sender first issues a MAIL FROM command to specify a reverse path to which error notifications and replies will be directed. This information may be falsified, but senders typically supply valid information so that error notifications can be properly received. When valid information is submitted in this field, however, the identity of the sender is accessible to anyone who intercepts the SMTP traffic related to the delivery of the message. This information may be safely obscured with SMTP, but at the expense of undelivered error notifications.
The next step in transmission requires the sender to specify each recipient with a RCPT TO command. The information should be accurate so that the intended recipient will receive the message. Accordingly, this information generally cannot be obscured by a system based upon SMTP. Therefore, third parties may have ready access to the list of recipients associated with a message.
To complete the final step for transmission, the sender issues the DATA command and sends the actual message data. Additional date and time information may be added to the message. If this data is not securely encrypted, additional information may be revealed to an intruder, possibly including the message content itself.
In addition to security concerns, the sender lacks message control. In particular, the sender tends to have little or no control over a message once it has left the sender's machine. Current email systems have achieved the goal of efficiency at the expense of message control services. Messages that are accidentally sent to unintended recipients are dutifully delivered by current transport mechanisms, leaving the sender no recourse to stop delivery. If a sender later wants to deny an initially designated recipient access to a previously sent message, she has no reasonable means of preventing that access.
One of the most serious and obvious breaches of email privacy made possible by flaws inherent in common implementations of SMTP is related to mass-mailings and “spam.” With current systems based on the SMTP addressing scheme, in which every message recipient is assigned a unique email address, the only information required to send a message to a user is the email address of the user.
Many of the security vulnerabilities and shortcomings have been addressed to some degree by conventional email security solutions. However, popular formats for encoding information useful to email systems, such as Multipurpose Internet Mail Extensions (MIME), may reveal information without giving the uninformed user any indication of that vulnerability.
For example, the popular Pretty Good Privacy (PGP) and Secure/MIME (S/MIME) protocols can secure and protect the contents of a message using public key cryptography. However, an eavesdropper may still be able to determine information including the identities of the communicating parties by intercepting conventional cleartext SMTP headers and commands, the most revealing of which cannot be readily obscured using conventional email encryption programs.
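The following added example (not part of the original text) walks a constructed SMTP session through the MAIL FROM, RCPT TO and DATA steps described above and reports what remains readable on the wire when only the body is PGP-encrypted. The addresses, header values and the function name observed_metadata are assumptions made for illustration.

```python
import re

# Constructed client-side SMTP transcript; all addresses are placeholders.
# The body is PGP-encrypted, yet envelope commands and headers are cleartext.
SESSION = """\
EHLO client.example.org
MAIL FROM:<alice@example.org>
RCPT TO:<bob@example.net>
RCPT TO:<carol@example.com>
DATA
From: Alice <alice@example.org>
To: bob@example.net
Date: Mon, 01 Jan 2001 09:30:00 -0500
Subject: Q4 numbers

-----BEGIN PGP MESSAGE-----
(constructed ciphertext placeholder)
-----END PGP MESSAGE-----
.
QUIT
"""

ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)

def observed_metadata(transcript):
    """Return what is readable in the cleartext session (hypothetical helper)."""
    seen = {"reverse_path": None, "recipients": [], "headers": {},
            "body_encrypted": False}
    state = "commands"            # commands -> headers -> body
    for line in transcript.splitlines():
        if state == "commands":
            m = ENVELOPE.match(line)
            if m and m.group(1).upper() == "MAIL FROM":
                seen["reverse_path"] = m.group(2)
            elif m:
                seen["recipients"].append(m.group(2))
            elif line.strip().upper() == "DATA":
                state = "headers"
        elif state == "headers":
            if line == "":
                state = "body"    # blank line ends the header block
            elif ":" in line and not line[0].isspace():
                name, value = line.split(":", 1)
                seen["headers"][name.strip().lower()] = value.strip()
        elif line == ".":
            state = "commands"    # a lone dot ends the DATA phase
        elif line.startswith("-----BEGIN PGP MESSAGE-----"):
            seen["body_encrypted"] = True
    return seen
```

Running it on the sample shows the reverse path, both recipients, the date and the subject line recovered in full even though the body is flagged as encrypted.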
Some conventional email security solutions address both message confidentiality and support sender message control. However, these systems normally fulfill their requirements using proprietary software controls, rather than peer-reviewed, open cryptographic controls, while often sacrificing message-flow confidentiality. Still other systems exist that propose to entirely supplant SMTP and its related protocols. Such systems have little chance of wide acceptance even though they may achieve superior security performance.