Secure message delivery using a trust broker

US 8,732,452 B2
Filed: 06/23/2008
Issued: 05/20/2014
Est. Priority Date: 06/23/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securely sending an email message from a first organization to a second organization over an unsecured network, the method comprising:

receiving, by an email server of the first organization, an email message from a client computer of a sender associated with the first organization;

identifying, by the email server of the first organization, an email server of a second organization associated with a recipient of the email message;

sending, by the email server of the first organization, a request to a federation server configured to act as a trust broker between the first organization and the second organization, wherein the request identifies the email server of the first organization and requests a token for securely sending the email message to the email server of the second organization;

receiving, by the email server of the first organization, a response to the request from the federation server, the response including a symmetric key and an encrypted token that contains the symmetric key, wherein the encrypted token can only be opened by the email server of the second organization with a private key of the second organization; and

using, by the email server of the first organization, the symmetric key and the encrypted token received from the federation server to secure and send the email message to the email server of the second organization over the unsecured network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender'"'"'s email server with a secure token for encrypting the message to provide secure delivery over the unsecured network.

Citations

20 Claims

1. A computer-implemented method for securely sending an email message from a first organization to a second organization over an unsecured network, the method comprising:
- receiving, by an email server of the first organization, an email message from a client computer of a sender associated with the first organization;
  
  identifying, by the email server of the first organization, an email server of a second organization associated with a recipient of the email message;
  
  sending, by the email server of the first organization, a request to a federation server configured to act as a trust broker between the first organization and the second organization, wherein the request identifies the email server of the first organization and requests a token for securely sending the email message to the email server of the second organization;
  
  receiving, by the email server of the first organization, a response to the request from the federation server, the response including a symmetric key and an encrypted token that contains the symmetric key, wherein the encrypted token can only be opened by the email server of the second organization with a private key of the second organization; and
  
  using, by the email server of the first organization, the symmetric key and the encrypted token received from the federation server to secure and send the email message to the email server of the second organization over the unsecured network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein:
    - the email server of the first organization secures the email message by encrypting the email message with the symmetric key, andthe email server of the second organization is configured to obtain the symmetric key from the encrypted token and decrypt the email message using the symmetric key.
  - 3. The computer-implemented method of claim 1, wherein:
    - the email server of the first organization secures the email message by encrypting the email message with a separate encryption key and encrypting the separate encryption key with the symmetric key, andthe email server of the second organization is configured to obtain the symmetric key from the encrypted token, decrypt the separate encryption key using the symmetric key, and decrypt the email message using the separate encryption key.
  - 4. The computer-implemented method of claim 1, wherein the email server of the first organization identifies the email server of the second organization by reading protocol information of the email message.
  - 5. The computer-implemented method of claim 1, wherein the email server of the first organization identifies the email server of the second organization by accessing a message property of the email message.
  - 6. The computer-implemented method of claim 1, further comprising:
    - sending, by the email server of the first organization, a request to the federation server for each domain identified in the email message when the email message is addressed to multiple recipients at different domains.
  - 7. The computer-implemented method of claim 1, wherein the request identifies the email server of the first organization using identity information that matches identity information previously provided by the first organization to the federation server.
  - 8. The computer-implemented method of claim 1, wherein the request further identifies a purpose for which the token is requested.
  - 9. The computer-implemented method of claim 1, wherein the encrypted token is encrypted using a public key associated with a domain of the second organization.
  - 10. The computer-implemented method of claim 1, wherein the symmetric key is a proof of possession key.
  - 11. The computer-implemented method of claim 1, wherein the email server of the first organization adds security information to the email message as a Multipurpose Internet Mail Extensions (MIME) part.
  - 12. The computer-implemented method of claim 1, wherein the email server of the first organization adds control flags to the email message that specify processing performed on the email message.

13. A computer-readable storage device that does not consist of a signal, the computer-readable storage device storing computer-executable instructions that, when executed, cause a computer system to perform a method comprising:
- receiving an email message from a client computer of a sender associated with a first organization;
  
  identifying an email server of a second organization associated with a recipient of the email message;
  
  sending a request to a federation server configured to act as a trust broker between the first organization and the second organization, wherein the request identifies the computer system and requests a token for securely sending the email message to the email server of the second organization;
  
  receiving a response to the request from the federation sever, the response including a symmetric key and an encrypted token that contains the symmetric key, wherein the encrypted token can only be opened by the email server of the second organization with a private key of the second organization; and
  
  using the symmetric key and the encrypted token received from the federation server to secure and send the email message to the email server of the second organization over an unsecured network.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable storage device of claim 13, wherein the request identifies the computer system using identity information that matches identity information previously provided by the first organization to the federation server.
  - 15. The computer-readable storage device of claim 13, wherein the encrypted token further contains a verification of the computer system signed by the federation server.
  - 16. The computer-readable storage device of claim 13, wherein the request further identifies a purpose for which the token is requested.
  - 17. The computer-readable storage device of claim 13, wherein the encrypted token is encrypted using a public key associated with a domain of the second organization.
  - 18. The computer-readable storage device of claim 13, further storing at least one of:
    - computer-executable instructions for securing the email message by encrypting the email message with the symmetric key, orcomputer-executable instructions for securing the email message by encrypting the email message with a separate encryption key and encrypting the separate encryption key with the symmetric key.

19. A computer system comprising:
- a processor configured to execute computer-executable instructions; and
  
  memory storing computer-executable instructions that, when executed by the processor, cause the computer system to perform a method comprising;
  
  receiving an email message from a client computer of a sender associated with a first organization;
  
  identifying an email server of a second organization associated with a recipient of the email message;
  
  sending a request to a federation server configured to act as a trust broker between the first organization and the second organization, wherein the request identifies the computer system and requests a token for securely sending the email message to the email server of the second organization;
  
  receiving a response to the request from the federation sever, the response including a symmetric key and an encrypted token that contains the symmetric key, wherein the encrypted token can only be opened by the email server of the second organization with a private key of the second organization; and
  
  using the symmetric key and the encrypted token received from the federation server to secure and send the email message to the email server of the second organization over an unsecured network.
- View Dependent Claims (20)
- - 20. The computer system of claim 19, wherein the memory further stores at least one of:
    - computer-executable instructions for securing the email message by encrypting the email message with the symmetric key, orcomputer-executable instructions for securing the email message by encrypting the email message with a separate encryption key and encrypting the separate encryption key with the symmetric key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Byrum, Frank, Mehta, Mayank, Jain, Chandresh, Conceicao, Ladislau, Kress, Brian, Gourevitch, Greg, Nelte, Michael, Barnes, Chris
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
KANAAN, SIMON P

Application Number

US12/143,856
Publication Number

US 20090319781A1
Time in Patent Office

2,157 Days
Field of Search

None
US Class Current

713/153
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

Secure message delivery using a trust broker

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure message delivery using a trust broker

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links