Ensuring the security of email communications is a perennial topic. Major security vendors offer a range of email security solutions, and these solutions continuously protect global email communications. According to a third-party analysis report, the biggest threat to global email security is fraudulent email. The only solution that completely solves the problem of email fraud is email encryption: it addresses email leakage, tampering with email content, and forgery of the sender's identity, and so eliminates fraudulent email. Therefore, the core of email security is email encryption.
There are many technical approaches to email encryption, and the common ones are built on cryptography. Two mature technologies exist today: S/MIME and PGP/IBC. PGP/IBC focuses only on encrypting the email and ignores the trusted identity of the sender, so it solves only half of the problem. ZoTrus Technology therefore chose S/MIME to implement email encryption. Common email clients support S/MIME certificate-based encryption, and the international standards body, the CA/Browser Forum, has published issuance requirements for S/MIME email certificates. However, three major problems must be solved before S/MIME email encryption can be used.
To use S/MIME email encryption, a user must first apply to a CA for an S/MIME email certificate and complete email control validation and identity validation. After the certificate is obtained, it must be configured in the email client before it can be used. The configuration steps differ from one email client to another, which is very cumbersome: the certificate has to be exported and imported back and forth between devices and email clients before email encryption and digital signatures can be set up.
This process must be repeated at least every two years, because the current international standard only permits email certificates with a validity period of up to two years. It is not hard to see why S/MIME has not been widely adopted for email encryption in the 30 years since its introduction. And because it is so difficult, a variety of other email encryption solutions have appeared on the market, each trying to reduce the difficulty of email encryption and solve the problem as far as possible.
After obtaining an email certificate with great effort, when the user wants to send an encrypted email to a recipient, he must first exchange the public key of the encrypting certificate with that recipient. If the recipient does not yet have an email certificate, he must also apply to a CA for one and go through the pain of problem 1. Once both parties have email certificates, they must send each other a digitally signed email. After receiving the signed email, the recipient must save the sender's public key certificate before it can be used to send encrypted emails back to the sender.
This process of exchanging and managing public key certificates is also very cumbersome, and once a certificate expires, the public key certificates must be exchanged again and the recipients' stored public key certificates updated, which has to be done at least once every two years. This is the second problem of email encryption.
After obtaining the email certificate with great effort, the user must export the certificate's private key and keep it safe. Not only must it be imported into other devices or email clients for use, but the password protecting the private key must also be remembered: the correct protection password has to be entered the next time the certificate is imported, and if it is forgotten, the certificate cannot be used.
Since a certificate is valid for at most two years, the user must keep multiple certificate keys in order to decrypt previously encrypted emails. Not only do the certificate files (.pfx/.p12) have to be kept, but the protection password must not be forgotten. This is also a very painful task, especially because it is very likely that the password will be forgotten after a long time, leaving the certificate unable to decrypt emails that were encrypted earlier.
These three problems of email encryption, namely certificate application, public key exchange and key management, have become the three major obstacles to the popularization of email encryption. To popularize email encryption, all three must be solved. The only correct solution is automatic certificate management, an approach that has already been proven successful in the automatic management of SSL certificates.
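The three problems as they look when done by hand with the OpenSSL command line, in an added example that is not ZoTrus code. It assumes an OpenSSL 1.1.1 or later `openssl` binary; the demo CA, the users alice@example.test and bob@example.test, the message texts and the PKCS#12 password are all constructed for the demo (a real certificate comes from a CA that has validated the address and the identity). The script goes a little beyond the text in one place: after verifying a signed message it files the signer's certificate under the address in its subjectAltName, which is the manual counterpart of a public key directory.

```shell
#!/bin/sh
# Added example, not ZoTrus code: the manual S/MIME workflow behind the three
# problems, run with the OpenSSL CLI (1.1.1+ assumed). Everything is constructed:
# a throwaway demo CA, two users (alice/bob at example.test), the messages and
# the PKCS#12 password.

# Problem 1: a CA issues each user a certificate binding the address to the key.
# $1 = work dir, $2 = user name, $3 = email address.
smime_issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "/CN=$2/emailAddress=$3" 2>/dev/null
  # S/MIME clients and `openssl cms -verify` expect these extensions on the leaf.
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$3" > "$1/$2.ext"
  openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Problem 2, sender side: a signed message carries the signer's certificate.
# $1 = work dir, $2 = user, $3 = plaintext file, $4 = output S/MIME message.
smime_sign() {
  openssl cms -sign -in "$3" -signer "$1/$2.crt" -inkey "$1/$2.key" -out "$4"
}

# Problem 2, recipient side: verify the signature against the CA, pull the
# signer's certificate out of the message and file it under the address in its
# subjectAltName (a hand-rolled public key directory). Prints that address.
# $1 = work dir (holds ca.crt), $2 = signed message, $3 = public key directory.
smime_verify_and_harvest() {
  openssl cms -verify -in "$2" -CAfile "$1/ca.crt" -certsout "$1/harvest.pem" \
    -out "$1/verified.txt" 2>/dev/null || return 1
  addr=$(openssl x509 -in "$1/harvest.pem" -noout -text |
    sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p' | head -n 1)
  [ -n "$addr" ] || return 1
  cp "$1/harvest.pem" "$3/$addr.crt"
  echo "$addr"
}

# Encrypt to a recipient whose certificate sits in directory $1 under address $2.
smime_encrypt() { openssl cms -encrypt -aes256 -in "$3" -out "$4" "$1/$2.crt"; }

# Decrypt with the recipient's own certificate and private key.
smime_decrypt() {
  openssl cms -decrypt -in "$3" -recip "$1/$2.crt" -inkey "$1/$2.key" -out "$4"
}

# Problem 3: the key only survives a reinstall as a password-protected .p12,
# and a forgotten password means previously encrypted mail stays unreadable.
smime_export_p12() {
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -out "$1/$2.p12" \
    -passout "pass:$3"
}
smime_p12_unlocks() {  # $1 = .p12 file, $2 = password; prints yes or no
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys >/dev/null 2>&1; then
    echo yes; else echo no; fi
}

# Full exchange. Prints "alice-addr|bob-addr|reply-text|p12-right-pw|p12-wrong-pw".
smime_roundtrip() {
  dir=$(mktemp -d); pub="$dir/pubkeys"; mkdir -p "$pub"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -days 365 -subj "/CN=Demo SMIME CA" 2>/dev/null          # constructed demo CA
  smime_issue_cert "$dir" alice alice@example.test
  smime_issue_cert "$dir" bob bob@example.test
  printf 'Hello Bob, this message is signed.\n' > "$dir/m1.txt"
  smime_sign "$dir" alice "$dir/m1.txt" "$dir/m1.eml"               # Alice -> Bob, signed
  from=$(smime_verify_and_harvest "$dir" "$dir/m1.eml" "$pub")      # Bob now holds Alice's cert
  printf 'Hi Alice, encrypted reply.\n' > "$dir/m2.txt"
  smime_sign "$dir" bob "$dir/m2.txt" "$dir/m2.signed"              # Bob signs ...
  smime_encrypt "$pub" "$from" "$dir/m2.signed" "$dir/m2.eml"       # ... then encrypts to Alice
  smime_decrypt "$dir" alice "$dir/m2.eml" "$dir/m2.dec"
  reply_from=$(smime_verify_and_harvest "$dir" "$dir/m2.dec" "$pub") # Alice now holds Bob's cert
  msg=$(tr -d '\r' < "$dir/verified.txt")                           # verify output uses CRLF
  smime_export_p12 "$dir" alice constructed-demo-pass
  ok=$(smime_p12_unlocks "$dir/alice.p12" constructed-demo-pass)
  bad=$(smime_p12_unlocks "$dir/alice.p12" wrong-pass)
  rm -rf "$dir"
  printf '%s|%s|%s|%s|%s\n' "$from" "$reply_from" "$msg" "$ok" "$bad"
}

smime_roundtrip
```

Running the script with sh prints one line: the two addresses harvested from the signed messages, the decrypted and verified reply, and then `yes` and `no` for the PKCS#12 file opened with the right and the wrong password. Every step of it (CA application, the signed exchange, filing the other party's certificate, the .p12 export) is what a user would otherwise repeat by hand for each client and each certificate renewal.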
The ZoTrus Email Encryption Automation Management Solution is also a client-to-cloud integrated solution. The client is ZT Browser or the ZoTrus Email Encryption Gateway; it automatically connects to the ZoTrus Cloud Cryptography Infrastructure to automate the application, issuance and deployment of email certificates. The ZoTrus ACME Service provides certificate automation management for ZT Browser and the ZoTrus Email Encryption Gateway, the ZoTrus Cloud CA Service issues dual-algorithm email certificates to users, and the ZoTrus Public Key Exchange System provides the public key exchange service for encrypting certificates.
ZT Browser has a built-in email client. Users only need to set up their email accounts and log into their mailboxes to send encrypted emails. There is no need to apply to a CA for email certificates, no need to exchange public keys with recipients, and no need to manage private keys; sending and receiving encrypted, digitally signed emails is fully automated. This is true end-to-end email encryption, which secures email both in transit and in the cloud: it does not depend on whether the email server supports TLS transport encryption, and the email content is stored on the email server as ciphertext.
All users need to do is download and install ZT Browser, a completely free, clean, ad-free, high-performance browser based on Google Chromium. It supports the SM2 algorithm and SM2 SSL certificates for SM2 HTTPS encryption, and it also supports SM2 email certificates for SM2 email encryption. It also integrates a PDF reader that not only reads PDF documents smoothly but also, uniquely, verifies document digital signatures in real time and displays the signer's trusted identity in the document signature bar.
After the user installs ZT Browser and enables the email encryption automation service, ZT Browser automatically connects to the ZoTrus ACME Service to obtain the email certificate, then configures and uses it automatically; all of this is invisible to the user. The automatically configured email certificate is also installed in the Windows certificate store, where Outlook uses it automatically to decrypt encrypted emails and can use it to send encrypted emails. It is compatible with all email client software that supports the S/MIME standard.
For large and medium-sized enterprise customers that cannot deploy ZT Browser at scale and need to centrally manage employees' encrypting keys, the ZoTrus Email Encryption Gateway can be chosen instead. Employees do not need to install ZT Browser and can keep using their existing email client software; they only need to point their IMAP/SMTP server settings at the URL of the ZoTrus Email Encryption Gateway, and email encryption and digital signatures are applied automatically.
The first advantage of this solution is that employees do not need to change their habits or install ZT Browser. The ZoTrus Email Encryption Gateway automatically connects to the ZoTrus ACME Service to obtain OV/SV email certificates for employees and configures them automatically, so that email encryption and digital signatures are applied without any user action. The second advantage is that encrypting keys are managed centrally, which makes it easier to prevent and control leakage of employee email content.
This solution also ensures that emails are transmitted and stored as ciphertext on the cloud mail server. It too is end-to-end encrypted, and employees do not need to make any changes, which makes it the preferred automatic email encryption solution for large and medium-sized enterprises. The keys managed by its built-in enterprise key management system can also be used for document encryption and other data encryption applications.
Users can choose the appropriate solution according to their management needs. The comparison table of the main indicators of the two solutions is as follows.
The ZoTrus email encryption automation management solution perfectly solves the three problems of certificate application, public key exchange and key management, and achieves seamless email encryption. To reach this goal, ZoTrus Technology provides four supporting value-added services free of charge.
Following the ACME standard and the RFC 8823 proposal, six digital certificates are automatically configured free of charge for each email address: three for the RSA algorithm and three for the SM2 algorithm, each set consisting of one MV email signing certificate, one MV email encrypting certificate and one MV email timestamping certificate.
These freely configured email certificates and email timestamping certificates are trusted only by ZT Browser. Users can choose paid services to automatically configure globally trusted RSA MV email certificates and ZT Browser-trusted IV/OV/SV email certificates.
To protect users' private keys effectively, ZoTrus Technology does not use a cloud key management mode; instead, the user's private key is stored directly in the user's own mailbox as an email, so that private keys are automatically self-stored. When ZT Browser is reinstalled, or logs into the mailbox on another device, it automatically retrieves the issued email certificate with its private key from the user's mailbox for email encryption and decryption. Users do not need to manually manage private keys or public key certificates, nor remember key protection passwords.
The ZoTrus Public Key Exchange System not only stores the public keys of all ZT Browser users' email certificates, but also automatically collects the public keys from every digitally signed email received by ZT Browser users and the ZoTrus Email Encryption Gateway, so that ZT Browser users can send encrypted emails to non-ZT Browser users without exchanging public keys with them in advance. This is a completely free supporting service that fully solves the key exchange problem of email encryption.
ZT Browser provides each email address with a free email timestamping certificate so that it can offer a local email timestamping service, ensuring that the sending time of every email the user sends from ZT Browser is trusted. The trusted time source of the email timestamping service comes from multiple trusted network time servers. This free supporting service is well suited to any Internet application that needs to prove when an email was sent.