MeSign Forum


How does MeSince ensure the security of the private keys?
October 23, 2019, 07:13:55 AM

After a user has correctly set up an email account, MeSince installs an encrypting certificate and a signing certificate for that account. How do we ensure the security of the private keys of both certificates?

Encrypting Certificate

The encrypting certificate private key is generated in a FIPS 140-2 Level 3 certified HSM, which exceeds the WebTrust standard's requirement of FIPS 140-2 Level 2. The private key is then divided into two parts, which are encrypted and stored on two different key management servers.

In addition, the user must log in to the email account and receive the email validation code from the CA system; only then does the CA system issue the certificate and deliver the private key and public key to the MeSince app, which stores them securely on the user's device.

The MeSince Key Management System (KM) has adopted several security measures to protect the encrypting certificate private key. These measures have passed a white-box security audit by a third-party code security testing company as well as the WebTrust audit, to make sure users' private keys are secure.

The MeSince encrypting certificate private key has four different protection levels to meet the needs of different users:

The default protection level: This relies on email account password authentication (a successful login to the mailbox), after which the CA system generates the private key and issues the encrypting certificate (without a separate certificate protection password). If the user's email account password is secure, the certificate private key is also secure. This basic protection measure is meant to make the certificate easy to use: the user only needs to set up the email account, just as in any other mail client, and can then send encrypted email. There is no need to care about how the certificate is applied for and installed, and no additional password to remember.

The enhanced protection level: To strengthen private key security, we recommend that every user log in to the MeSince website and set a private key protection password (one that is different from the email account password). MeSince then not only verifies the email account when issuing the certificate but also verifies the certificate protection password set by the user, which doubles the protection of the private key and of encrypted email.
The advantage is that even if the email account password is stolen or hacked, the thief cannot obtain the encrypting certificate without knowing the certificate protection password, so the encrypted email cannot be stolen; the disadvantage is that the user must remember one more password, the certificate protection password, in addition to the email account password. Exporting the certificate also requires verifying this password. Please note: if your email address is already used to bind accounts on other service systems, it is highly recommended that you use this enhanced protection level and set a certificate protection password.
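The two mechanisms described so far, the key split across two key management servers (Encrypting Certificate section above) and the second factor of the enhanced protection level, can be modelled in a short script. The following Python is an added example written for this page, not MeSince's KM code: the XOR share split, the PBKDF2-derived wrapping with an HMAC-SHA256 keystream and tag, the `KeyManagement` class, the account names and the passwords are all constructed assumptions, chosen so that the script runs offline with the standard library only.

```python
"""Added illustrative model (not MeSince code) of two protections described above:
1. the encrypting private key is split into two shares held by two KM servers;
   neither share alone reveals anything about the key;
2. at the enhanced protection level the key is additionally wrapped under a key
   derived from the certificate protection password, so passing email validation
   alone (e.g. with a stolen mailbox password) does not release the key.
The wrapping scheme is a stdlib-only stand-in (PBKDF2 + HMAC-SHA256 keystream,
encrypt-then-MAC); a production KM would use a real AEAD cipher and an HSM.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000  # constructed value; a real KM tunes this to its hardware


def split_two_way(key: bytes) -> Tuple[bytes, bytes]:
    """XOR-split `key` into two shares; each share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(x ^ y for x, y in zip(share_a, key))
    return share_a, share_b


def combine_two_way(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the key; needs BOTH shares, i.e. both KM servers must cooperate."""
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2 from the certificate protection password, split into enc/mac keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 KDF_ITERATIONS, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(private_key: bytes, password: str) -> bytes:
    """Encrypt-then-MAC the key. Layout: salt(16) || nonce(16) || tag(32) || ct."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(private_key))
    ct = bytes(p ^ s for p, s in zip(private_key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unwrap_key(blob: bytes, password: str) -> Optional[bytes]:
    """Return the key, or None if the password is wrong or the blob was altered."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # fail closed: never hand back garbage key bytes
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagement:
    """Toy KM: two share stores ('servers') plus optional password wrapping."""

    def __init__(self) -> None:
        self.server_a: Dict[str, bytes] = {}
        self.server_b: Dict[str, bytes] = {}
        self.password_protected: Dict[str, bool] = {}

    def enroll(self, account: str, private_key: bytes,
               protection_password: Optional[str] = None) -> None:
        # Enhanced level: wrap under the protection password, then split.
        material = wrap_key(private_key, protection_password) if protection_password else private_key
        self.server_a[account], self.server_b[account] = split_two_way(material)
        self.password_protected[account] = protection_password is not None

    def release(self, account: str, email_validation_ok: bool,
                protection_password: Optional[str] = None) -> Optional[bytes]:
        """Release the key only after email validation and, at the enhanced
        level, only with the correct certificate protection password."""
        if not email_validation_ok or account not in self.server_a:
            return None
        material = combine_two_way(self.server_a[account], self.server_b[account])
        if not self.password_protected[account]:
            return material  # default level: mailbox login alone suffices
        if protection_password is None:
            return None
        return unwrap_key(material, protection_password)


def demo() -> Dict[str, bool]:
    """Constructed scenario: a default-level user and an enhanced-level user."""
    km = KeyManagement()
    key_default = secrets.token_bytes(32)   # stands in for an HSM-generated key
    key_enhanced = secrets.token_bytes(32)
    km.enroll("alice@example.com", key_default)
    km.enroll("bob@example.com", key_enhanced, protection_password="cert-pw-not-mailbox-pw")
    return {
        "default_with_mailbox": km.release("alice@example.com", True) == key_default,
        "no_validation": km.release("alice@example.com", False) is None,
        "enhanced_mailbox_only": km.release("bob@example.com", True) is None,
        "enhanced_wrong_password": km.release("bob@example.com", True, "guess") is None,
        "enhanced_correct": km.release("bob@example.com", True, "cert-pw-not-mailbox-pw") == key_enhanced,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Run it directly and every check prints ok. What the script shows that the prose only states in words: at the default level a successful email validation alone releases the key, while at the enhanced level the same validation returns nothing without the protection password, and a wrong password fails closed on the HMAC check instead of yielding unusable key bytes.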

The advanced protection level: At present, the MeSince certificate in the MeSince app is a soft certificate, with the private key held in software. For users with higher security requirements, we plan to support a USB Key (USB token), Bluetooth Key, or SIM card key to protect the private key in the future.

The in-house KM protection level: The three levels above are for users of the default MeSince KM system to generate and store the private key. If your organization has strict security and control requirements for the encrypting certificate private key (for example government agencies, financial institutions, and large enterprises), you can buy the MeSince In-house Key Management System (KM), a plug-and-play device deployed on the organization's intranet. All staff computers and mobile devices must connect to the in-house KM device to obtain the encrypting certificate private key, so the organization manages its own encrypting keys and satisfies the relevant security control requirements. Please refer to the relevant solution.

Signing Certificate & Identity Certificate

Because the signing certificate contains identity information and its digital signature has the legal effect of a handwritten signature, MeSince does not generate or save the signing certificate/identity certificate private key on a cloud server. The private key is generated and securely stored on the user's device. Each time the user uses MeSince on a new device, the system issues a new signing certificate to the user, so the signing certificates on two devices are two different certificates, although the identity information in them is the same.

In addition to the locally generated private key, the signing certificate uses the same three levels of private key protection as the encrypting certificate, to meet the security requirements of different users. Once the user has set a certificate protection password, both the identity certificate and the encrypting certificate use this password; it does not need to be set separately.

To summarize: To properly balance private key security against ease of use, MeSince adopts the dual certificate model and separates the encrypting certificate and the signing certificate into two independent certificates. So that the user can decrypt encrypted email on different devices, the default encrypting certificate in all MeSince clients is the same certificate, generated and stored on the cloud server when MeSince is used for the first time. If your organization has deployed an in-house Key Management device, your default encrypting certificate private key is stored and backed up on your organization's Key Management device, and MeSince does not back up this encrypting certificate private key to the cloud server. The signing certificate, by contrast, is generated on the user's device and stored only there, so different devices have different signing certificates.
« Last Edit: October 23, 2019, 07:30:05 AM by v-billy »