For: 5GM-Mail OpenGateway offers a complete email security solution that is cost-effective and easy to implement.

Against: Requires both communicating parties to use 5GM products to obtain the benefits of the system.

Verdict: 5GM-Mail OpenGateway provides the best way of delivering email security of the level necessary for the legal admissibility of email messages in e-business, and without involving gateways owned and managed by third-party organisations.

One of the factors holding back e-business has been the difficulty in communicating securely over the Internet, and questions over the legal admissibility of such electronic communications. Communicating securely for business purposes demands the traditional three communications-security requirements of confidentiality, integrity and authenticity. Confidentiality can be achieved by modern encryption techniques to ensure privacy and immunity from eavesdroppers. Authenticity means that the message must be of undisputable origin, and this necessarily also implies non-repudiation. Integrity ensures that the message has not been changed in transit.

Public-key cryptography is the means to achieve this level of communications security and has been used for many years to secure financial transactions that are conducted electronically. Banks and financial traders have been prepared to pay high prices for security features such as non-repudiation, without which they would be unable to trade electronically. But commercial implementations of this technology in an easy-to-use product that is affordable for general-purpose communications have taken a long time to arrive.

5GM-Mail OpenGateway is designed to solve this communications security problem at a price that businesses can afford. Additionally, it provides proof of delivery and message archiving, which are prerequisites of legal admissibility. Proof of delivery includes date and time stamping.
5GM-Mail OpenGateway also complies with BS PD 5000:1999, A code of good practice for electronic documents and e-commerce transactions as legally admissible evidence, published by the British Standards Institution.

Confidentiality and archiving are provided independently of whether the company you are communicating with uses 5GM's products but, to provide proof of delivery and guarantee integrity of content and authentication of the sender, 5GM's software must be used by both parties. The strongest levels of encryption are not available unless 5GM's products are used at both ends of the transaction, but confidentiality is still good because standard S/MIME version 3 is used.

To encourage the adoption of secure messaging by your business partners, there is a free-of-charge Lite version of 5GM-Mail OpenGateway that permits reception of secure messages, but does not allow sending. If your customers or suppliers use the Lite version, you gain all the advantages of 5GM-Mail OpenGateway (proof of delivery, content negotiation, archiving, confidentiality, integrity and authentication) for messages sent to them.

Installation is straightforward, and the install wizard will lead you through installing the Java virtual machine, which is necessary for running the 5GM software, if it is not already installed on the server. Security of the 5GM-Mail OpenGateway server itself is good, with the option to store essential keys and pass-phrases on a floppy disk, which must then be in the server's floppy drive before the 5GM-Mail OpenGateway service can be started.

5GM-Mail OpenGateway is not itself an email server, but acts as a secure SMTP relay, which encrypts, authenticates and archives messages. There is support for all levels of authentication, from self-signed certificates to strong authentication using tokens, such as SecurID from RSA Services. Also supported are most commercial public key infrastructure (PKI) certificates.
For example, you can use a temporary self-signed certificate for the 5GM-Mail OpenGateway, but it is advisable to obtain certificates from a reputable outside certification agency.

The bulk messages are encrypted using a choice of Blowfish, triple-DES, RC2, IDEA or AES. Your own preferred encryption algorithm may be used via a suitable API. Message integrity is handled by a security scheme called G5/SMIME-V3-DSS, which uses the full S/MIME version 3 standard to guarantee security. Message authentication is based on DSA, which is part of the digital signature standard (DSS). DSA uses SHA-1 to generate the message digest (checksum), which is then encoded to create a message signature. The public key required to decode the message signature and verify its integrity is contained within an X.509 certificate. In this way, X.509 certificates that are signed by a certification authority (CA) may be used to authenticate the message as part of a full PKI solution.

Besides encrypting the messages, 5GM-Mail OpenGateway provides file-format negotiation to ensure that any attachments are acceptable to the recipient. This content negotiation is carried out transparently and will, if necessary, involve translating the file into a format that is acceptable to the recipient. Clearly, this file-format negotiation is important for proof-of-delivery purposes, as you may need to prove that you delivered a document in a form that was readable by the recipient.

System requirements for the 5GM-Mail OpenGateway are Windows NT 4.0 (SP5 or later) or Windows 2000. The workstation version of these operating systems may be used for small-scale implementations but, for larger installations, the server version is recommended to increase the number of concurrent TCP/IP connections available to transfer mail. Minimum recommended hardware is a Pentium processor with 64Mb RAM, and 50Mb free disk space.

The 5GM-Mail OpenGateway does not have to run on a dedicated machine, and can run on the same hardware as an email server. Any multi-threaded version of the Sun Java run time environment could support 5GM-Mail OpenGateway, and 5GM is in the process of qualifying its code to run on other platforms.

5GM-Mail OpenGateway works with any mail server that supports SMTP, but there is a special version for Microsoft Exchange, called simply 5GM-Mail, which integrates more tightly with Exchange. There is virtually no limit to the number of mail servers that can be served concurrently, subject only to message throughput considerations. Standard email clients may be used, as 5GM-Mail OpenGateway does not require modification to the email workstation.

There are other ways of achieving what 5GM's software does, but mostly these involve using third-party organisations as secure message gateways. 5GM-Mail OpenGateway has been designed to enable companies that wish to communicate securely for e-business to do so without involving any third parties. It is easy to implement, and is based on internationally accepted standards that ensure the legal admissibility of its message transactions and records.

Its only weakness is the fact that messages are not fully secured between the company's email server and its own client machines. This is likely to be of concern only where mobile employees or teleworkers are involved and will be addressed by a future piece of client security software, which 5GM is working on. Communications between two different companies' email servers are, however, fully secured and this is what is important for legal purposes: not whether the employee reads or sends a message, but whether it is transferred securely between corporate email servers.

SC On-Line

Copyright © 2001 West Coast Publishing. All rights reserved.