2126 Views · 0 Helpful · 4 Replies

Query on encryption

tharunraj22 (Level 1)

Hi,

We are using the encryption on IronPort with CRES. The recipient cannot open the mail until he registers to the service online. So my query is: where are these mails being stored? Will the encrypted mails be delivered to the recipient's mail server, or are they saved on the local IronPort device?

Is the key the only information which is stored by Cisco? Is it using SSL or any other protocol for encryption? Or does Cisco have a copy of the mails with them?

Any help on the above doubts will be highly appreciated.

Regards,

Tharun


4 Replies

Andreas Mueller (Level 4)

Hello Tharun,

CRES acts as a keyserver only, so whenever a message is encrypted on an ESA it will generate a new message on the ESA using the key that is stored on the CRES server for encryption. So the only part of communication between ESA and CRES server is to retrieve the key via a secure connection, same between browser and CRES server when the recipient opens the secure envelope. No part of the message is stored on the server, it's all in the secure envelope only.

Hope that helps,

Andreas

Hi Andreas,

Thanks for the explanation.

Can you please explain the flow of the message? Ultimately, where will the message be stored? Will it be delivered to the destination host, or will IronPort keep the message within itself? How will the mail which got encrypted flow through the device and the internet?

Regards,

Tharun

The encrypted email is always sent to the destination, whether the recipient is registered or not (the ESA doesn't even know whether the recipient is registered or not), so it will be sitting in the recipient's MTA/Inbox (that's assuming the recipient MTA can be reached; in the rare instance it can't be, the ESA will queue the message for retry, but at that point it's encrypted and CRES has the key, not the ESA).

When a recipient opens the envelope, the envelope communicates with CRES over HTTPS. If CRES determines the user hasn't registered, it informs the envelope and the user is prompted to register then activate.

Sorry for being late in joining this thread, but I'm a new user of CRES and thought sharing the following point may be useful for others. In my note below, when I refer to "external user" I mean a user who IS NOT a member of the organization which has subscribed to the CRES service and has access to the IronPort Secure Email Appliance which uses the CRES key server to encrypt and send messages.

I agree with everything said above regarding the role of CRES for only managing the keys and not having visibility to the payload of the secure message. But there is one additional and critical fact that should be noted.

If and when an "external user" who is the recipient of the secure email needs to reply to the original sender with a secure response, the situation is different. In a normal case, the recipient needs to log into the CRES portal and "SEND" a secure reply using the CRES portal. In fact this recipient can log into his/her CRES portal account at any time and SEND a secure message to anyone (i.e. it does not have to be a reply to an inbound message). The point to keep in mind is that the payload of "this message" which is sent via the CRES portal is visible to the CRES service.

Therefore if you (as the organization that is using CRES to send secure messages to your partners outside the organization) expect that your recipients may need to reply back to you with secure and sensitive content (or initiate sending you secure messages at any time after their initial registration with CRES), you need to advise them that their message payload, while secure during the transfer, is nevertheless visible to the CRES service on which they are composing the message.

Now as a side note, with the BCE plugin for CRES (such as the BCE native app for iPhone), it appears that any user who is activated for sending secure messages can indeed encrypt the messages on their local device with no need to use the CRES portal. At first, my impression was that BCE for external users (i.e. those outside the organization) could only receive and read secure email (i.e. decrypt) on their device (with no SEND option). But it appears that any user (internal or external) could be activated via the signed XML activation file and therefore encrypt and decrypt messages on the device. Perhaps someone from Cisco can clarify if this is the proper use of BCE for external users.
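The two flows discussed in this thread, the envelope path (ESA encrypts, key lives only on the key server, recipient fetches the key after registering) and the portal reply path (the server composes the message, so it sees the body), modelled as a small simulation. This is an added example written for this thread, not Cisco's code and not how the real CRES envelope is built: the `KeyServer`, `esa_encrypt`, `recipient_open` and `portal_send` names, the envelope fields, and the HMAC-SHA256 keystream with an encrypt-then-MAC tag used as a stand-in cipher are all assumptions made here so the example runs offline with the standard library. The check it makes is the one a practitioner cares about: what each party can see at each step.

```python
"""Toy model of the key-server flow described in the thread (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode; a stand-in, not the real envelope cipher
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> dict:
    # encrypt-then-MAC: tag covers nonce and ciphertext
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key: bytes, blob: dict) -> bytes:
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("envelope tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


@dataclass
class KeyServer:
    """Plays the CRES role (assumed model): holds per-envelope keys and the registration list."""
    keys: dict = field(default_factory=dict)          # envelope_id -> (key, addressed recipient)
    registered: set = field(default_factory=set)      # recipients who completed registration
    seen_plaintext: list = field(default_factory=list)  # bodies the server itself handled

    def new_key(self, envelope_id: str, recipient: str) -> bytes:
        key = os.urandom(32)
        self.keys[envelope_id] = (key, recipient)
        return key

    def fetch_key(self, envelope_id: str, recipient: str) -> bytes:
        # the envelope's HTTPS call: refuse until the addressed recipient has registered
        key, owner = self.keys[envelope_id]
        if owner != recipient:
            raise PermissionError("not the addressed recipient")
        if recipient not in self.registered:
            raise PermissionError("register and activate first")
        return key

    def portal_send(self, sender: str, recipient: str, body: bytes) -> dict:
        # portal path from the third post: the body is composed on the server, so it is visible there
        self.seen_plaintext.append(body)
        return esa_encrypt(self, sender, recipient, body)


def esa_encrypt(ks: KeyServer, sender: str, recipient: str, body: bytes) -> dict:
    # ESA side: only the key is exchanged with the server; the body never leaves the appliance in clear
    envelope_id = os.urandom(8).hex()
    key = ks.new_key(envelope_id, recipient)
    return {"id": envelope_id, "from": sender, "to": recipient, **seal(key, body)}


def recipient_open(ks: KeyServer, envelope: dict) -> bytes:
    key = ks.fetch_key(envelope["id"], envelope["to"])
    return open_sealed(key, envelope)


def demo() -> dict:
    ks = KeyServer()
    body = b"Q3 numbers attached"  # constructed sample message
    env = esa_encrypt(ks, "alice@corp.example", "bob@partner.example", body)
    r = {}
    r["payload_in_envelope"] = body in env["ct"]                          # envelope carries ciphertext only
    r["server_stores_payload"] = any(body in k for k, _ in ks.keys.values())  # server holds keys only
    try:
        recipient_open(ks, env)
        r["opened_before_registration"] = True
    except PermissionError:
        r["opened_before_registration"] = False
    ks.registered.add("bob@partner.example")
    r["plaintext_after_registration"] = recipient_open(ks, env)
    tampered = dict(env, ct=bytes([env["ct"][0] ^ 0x01]) + env["ct"][1:])
    try:
        recipient_open(ks, tampered)
        r["tamper_detected"] = False
    except ValueError:
        r["tamper_detected"] = True
    reply = ks.portal_send("bob@partner.example", "alice@corp.example", b"reply body")
    r["portal_body_visible_to_server"] = b"reply body" in ks.seen_plaintext
    r["portal_reply_sealed"] = b"reply body" not in reply["ct"]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running `demo()` walks both paths: the envelope path leaves the key server with nothing but a 32-byte key per message and refuses the key until registration, while the portal path hands the server the body in clear before it is sealed, which is exactly the distinction the third post asks organisations to tell their external recipients about.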