Secure e-mail services system and methods implementing inversion of security control

US 20080098237A1
Filed: 10/20/2006
Published: 04/24/2008
Est. Priority Date: 10/20/2006
Status: Abandoned Application

First Claim

Patent Images

1. A secure e-mail service, executable on a designated computer system having a defined association with a recipient e-mail server, implementing inverted security control over recipient content as persistently stored within a repository maintained on behalf of a recipient by said recipient e-mail server, said recipient content being provided in association with a message transmitted over a communications network from a sender computer system unassociated with said designated computer system directed to said recipient, said recipient content being accessible by said recipient from said repository, said secure e-mail service comprising:

a) a policy engine responsive to an e-mail message received from a communications network, said policy engine being operative to evaluate said e-mail message and provide for selection of a corresponding encryption key;

b) a content processing engine, coupled to said policy engine, operative to encrypt a portion of said e-mail message, the encryption of said portion of said e-mail message performed to permit subsequent decryption of said portion using said corresponding encryption key; and

c) an interface, coupled to said content processing engine, operative to provide said e-mail message, including said portion as encrypted, to said repository.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure e-mail service, executable on a recipient e-mail server or associated computer system, implements inverted security control over recipient content stored by the recipient e-mail server. Recipient content is received in conjunction with e-mail messages transmitted directed to recipients from sender computer systems unassociated with the secure e-mail service. The secure e-mail service includes a policy engine that operates on e-mail messages, as received from a communications network, to evaluate metadata features of the message and select a corresponding encryption key. The service further includes a content processing engine that operates to encrypt a portion of the message in a manner that allows subsequent decryption of said portion using the selected encryption key. A service interface enables transfer of the e-mail message, including the portion as encrypted, to the recipient e-mail server, which supports access by the recipients.

Citations

31 Claims

1. A secure e-mail service, executable on a designated computer system having a defined association with a recipient e-mail server, implementing inverted security control over recipient content as persistently stored within a repository maintained on behalf of a recipient by said recipient e-mail server, said recipient content being provided in association with a message transmitted over a communications network from a sender computer system unassociated with said designated computer system directed to said recipient, said recipient content being accessible by said recipient from said repository, said secure e-mail service comprising:
- a) a policy engine responsive to an e-mail message received from a communications network, said policy engine being operative to evaluate said e-mail message and provide for selection of a corresponding encryption key;
  
  b) a content processing engine, coupled to said policy engine, operative to encrypt a portion of said e-mail message, the encryption of said portion of said e-mail message performed to permit subsequent decryption of said portion using said corresponding encryption key; and
  
  c) an interface, coupled to said content processing engine, operative to provide said e-mail message, including said portion as encrypted, to said repository.
- View Dependent Claims (2, 3, 4)
- - 2. The secure e-mail service of claim 1 wherein said policy engine is operative to provide for the selection of a set of corresponding encryption keys and wherein said content processing engine provides of the encryption of said portion that enables subsequent decryption of said portion using any of said set of corresponding encryption keys.
  - 3. The secure e-mail service of claim 2 wherein said policy engine is operative to recognize a set of metadata features present within said message, said policy engine including a rule-base of policies, said policy engine being operative to evaluate said set of metadata features against said rule-base to provide for selection of said set of corresponding encryption keys.
  - 4. The secure e-mail service of claim 3 wherein said metadata features include message data fields present within said message, wherein evaluation of said set of metadata features includes value-based evaluation of said message data fields against said rule-base.

5. A method of securing content electronically transmitted as part of a message passed between computer systems from a sender directed to a recipient, wherein the content is persistently stored for the benefit of the recipient subject to security constraints defined on behalf of the recipient, said method comprising the steps of:
- a) receiving an electronic message, including a content instance, directed to a first recipient user;
  
  b) parsing said electronic message to recognize a metadata feature associated with said content instance;
  
  c) encrypting said content subject to a constraint that an encryption key associated with a second recipient user identified by defined relation to said metadata feature will enable decryption of said content; and
  
  d) providing access to said message to said first and second recipient users.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The method of claim 5 wherein said first and second recipient users are the same recipient user.
  - 7. The method of claim 5 wherein said constraint provides for any of multiple encryption keys identified by defined relation to said metadata feature to enable decryption of said content.
  - 8. The method of claim 7 wherein said step of parsing recognizes first and second sets of metadata features, wherein said first recipient user is identified by defined relation to said first set of metadata features and said second recipient user is identified by defined relation to a second set of metadata features.
  - 9. The method of claim 8 wherein said multiple encryption keys include encryption keys identified with said first and second recipient users.
  - 10. The method of claim 5 wherein said step of parsing recognizes a plurality of metadata features, wherein said electronic message includes a subset of said plurality of metadata features, said method further comprising the step of resolving said subset against a rule-base to identify said encryption key.
  - 11. The method of claim 10 wherein said first and second recipient users are the same recipient user.
  - 12. The method of claim 10 wherein said step of resolving identifies a plurality of encryption keys and wherein said constraint provides for any of said plurality of encryption keys to enable decryption of said content.
  - 13. The method of claim 12 wherein said step of receiving provides for the removal of security measures applied to said message.

14. An e-mail security service, interoperable with an e-mail server, implementing inverted security control over e-mail content directed to said e-mail server, said e-mail security service comprising:
- a) a first interface coupleable to an e-mail transmission path between a sending computer system and said e-mail server, said first interface being operable to intercept an e-mail message directed to said e-mail server on behalf of at least one of said recipient users;
  
  b) a security service engine, coupled to said first interface, operative to evaluate said e-mail message to recognize a metadata feature of said e-mail message, said security service engine being further operable to select an encryption key dependent on a value of said metadata feature and selectively encrypt a portion of said e-mail message subject to decryption using said encryption key; and
  
  c) a second interface coupled to said security service engine and coupleable to said e-mail transmission path, said second interface being operable to transfer said e-mail message, as processed by said security service engine, to said e-mail server.
- View Dependent Claims (15, 16, 17, 18, 19, 28, 29, 30, 31)
- - 15. The e-mail security service of claim 14 wherein said security service engine is operative to recognize a plurality of metadata features of said e-mail message, wherein said security service engine includes a predefined set of policies, said security service engine being operative to evaluate said plurality of metadata features against said predefined set of policies to determine said encryption key.
  - 16. The e-mail security service of claim 15 wherein said security service engine, response to the evaluation of said plurality of metadata features, is operative to identify a plurality of encryption keys and to encrypt said portion of said e-mail message subject to decryption by any one of said plurality of encryption keys.
  - 17. The e-mail security service of claim 16 wherein said first and second interfaces are coupled between a mail transfer agent and a mail delivery agent.
  - 18. The e-mail security service of claim 16 wherein said first and second interfaces are coupled between first and second mail transfer agents.
  - 19. The e-mail security service of claim 16 wherein said first and second interfaces are coupled to predefined filter interfaces within a mail delivery agent.
  - 28. The method of claim 15 further comprising the step of processing the content of said electronic message to provide for the selective modification of the content of said electronic message, said processing step being performed between said steps of autonomously removing and autonomously applying.
  - 29. The method of claim 28 wherein said step of processing includes identifying the content of said electronic message as including spam.
  - 30. The method of claim 28 wherein said step of processing includes identifying the content of said electronic message as including a virus.
  - 31. The method of claim 28 wherein said step of processing includes conversion of the content of said electronic message.

20. An e-mail security service, interoperable with an e-mail server, implementing inverted security control over e-mail content directed to said e-mail server, said e-mail security service comprising:
- a) a first interface coupleable to an e-mail transmission path between a sending computer system and said e-mail server, said first interface being operable to intercept an e-mail message directed to said e-mail server on behalf of at least one of said recipient users;
  
  b) a security service engine, coupled to said first interface, operative to evaluate said e-mail message to recognize a metadata feature of said e-mail message, said security service engine being further operable to select an encryption key dependent on a value of said metadata feature and selectively encrypt a portion of said e-mail message subject to decryption using said encryption key; and
  
  c) a second interface coupled to said security service engine and coupleable to said e-mail transmission path, said second interface being operable to transfer said e-mail message, as processed by said security service engine, to said e-mail server.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The e-mail security service of claim 20 wherein said security service engine includes a set of policies, wherein said security service engine is operable to evaluate said set of policies relative to said metadata feature to define the selective encryption of said portion of said e-mail message.
  - 22. The e-mail security service of claim 21 wherein said security service engine is operable to selective encrypt said portion subject to decryption using a plurality of encryption keys determined from evaluation of said set of policies.
  - 23. The e-mail security service of claim 22 wherein said security service engine is further operable to autonomously decrypt said portion of said e-mail message to remove a source applied security control applied by said sending computer system.
  - 24. The e-mail security service of claim 23 wherein said security service engine is further operable to process said portion of said e-mail message and selectively modify said e-mail message.

25. A method, executed on a computer system, of establishing an inversion of security control over content received from senders and persistently held for the benefit of recipients, said method comprising the steps of:
- a) receiving, through a communications network, an electronic message originated by a sending user, wherein the content of said electronic message is secured by a source security control specified by said sending user;
  
  b) autonomously removing said source security control from said electronic message as received;
  
  c) autonomously applying a recipient security control to said electronic message to secure the content of said electronic message wherein selection of the applied said recipient security control is determined from a policy defined relative to a recipient and unspecified by said sending user; and
  
  d) storing said electronic message subject to said recipient security control subject to access by said recipient.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25 wherein said electronic message includes a plurality of metadata fields and wherein said step of autonomously applying includes parsing a plurality of policy rules against said plurality of metadata fields to select said policy.
  - 27. The method of claim 26 wherein said policy provides for the selection of a plurality of recipient security controls to said electronic message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Duc N. Pham, Tien L. Nguyen, Trung T. Dung
Original Assignee
Duc N. Pham, Tien L. Nguyen, Trung T. Dung
Inventors
Pham, Duc N., Dung, Trung T., Nguyen, Tien L.

Application Number

US11/584,153
Publication Number

US 20080098237A1
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

Secure e-mail services system and methods implementing inversion of security control

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Secure e-mail services system and methods implementing inversion of security control

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links