
Title:
METHOD AND SYSTEM FOR SECURE COMMUNICATION
Document Type and Number:
WIPO Patent Application WO/2012/052818
Kind Code:
A1
Abstract:
A method and system for secure communication of an electronic message are provided. A cryptor unit (5) receives the electronic message from a sender (2). The cryptor unit (5) generates a plurality of partial keys and one corresponding master key, encrypts the electronic message using the master key and transmits the partial keys to a plurality of recipients (3, 3') such that each recipient (3, 3') receives one of the partial keys. Subsequently, the cryptor unit (5) receives the partial keys returned from the recipients (3, 3'), decrypts the electronic message using a master key computed from the partial keys received from the recipients (3, 3') and transmits the electronic message to the recipients (3, 3'). Thus, the plurality of recipients (3, 3') is required to agree before the content of the electronic message is revealed.

Inventors:
HAUSER RALF CHRISTIAN (CH)
MOREIRA LUCIANA (CH)
PADILHA RICARDO (CH)
Application Number:
PCT/IB2011/002474
Publication Date:
April 26, 2012
Filing Date:
October 18, 2011
Assignee:
PRIVASPHERE AG (CH)
HAUSER RALF CHRISTIAN (CH)
MOREIRA LUCIANA (CH)
PADILHA RICARDO (CH)
International Classes:
H04L9/08
Foreign References:
US20060282662A1 2006-12-14
EP1478143B1 2005-10-05
EP1536601B1 2008-08-13
Other References:
SHAMIR, ADI: "How to share a secret", COMMUNICATIONS OF THE ACM, vol. 22, no. 11, 1979, pages 612-613, XP000565227, DOI: 10.1145/359168.359176
Attorney, Agent or Firm:
IPRIS GMBH (4003 Basel, CH)
Claims:

1. A method of securely communicating an electronic message from a sender (2) via a communication network (2) to a plurality of recipients (3, 3'), the method comprising: receiving in a cryptor unit (5) the electronic message from the sender (2); generating a plurality of partial keys and one corresponding master key; encrypting the electronic message at the cryptor unit (5) using the master key; transmitting the partial keys to the recipients (3, 3'), each recipient (3, 3') receiving one of the partial keys; receiving by the cryptor unit (5) the partial keys returned from the recipients (3, 3'); decrypting by the cryptor unit (5) the electronic message using a master key computed from the partial keys received from the recipients (3, 3'); and transmitting the electronic message from the cryptor unit (5) to the recipients (3, 3').

2. The method of claim 1, wherein the plurality of partial keys and the corresponding master key are generated at the cryptor unit (5); the partial keys are transmitted from the cryptor unit (5) to the recipients (3, 3'); and the method further comprises the cryptor unit (5) irretrievably deleting the master key before transmitting the partial keys from the cryptor unit (5) to the recipients (3, 3'); and irretrievably deleting the partial keys immediately after transmitting the partial keys from the cryptor unit (5) to the recipients (3, 3').

3. The method of one of claims 1 or 2, further comprising generating the plurality of partial keys and the one corresponding master key in such a way, that a defined minimum number of partial keys is required for computing the master key based on the partial keys.

4. The method of one of claims 1 to 3, wherein the plurality of partial keys is computed by the cryptor unit (5) based on the generated master key.

5. The method of one of claims 1 to 4, wherein the plurality of partial keys is computed by the cryptor unit (5) obfuscating one or more partial keys derived from the master key.

6. The method of one of claims 1 to 3, wherein the master key is computed by the cryptor (5) unit based on the generated partial keys before encrypting the electronic message.

7. The method of one of claims 1 to 6, wherein generating at the cryptor unit (5) a plurality of partial keys includes generating by the cryptor unit (5) an additional key for the cryptor unit (5), which is required, in addition to the partial keys transmitted to and returned from the recipients (3, 3'), to compute the master key.

8. The method of claim 7, further comprising, at the cryptor unit (5), obfuscating the additional key, storing the additional key at the cryptor unit (5); and de-obfuscating the additional key before computing the master key.

9. The method of one of claims 1 to 8, further comprising receiving by an accessor unit (4) of the electronic message transmitted from the sender (2), transmitting by the accessor unit (4) of the electronic message to the cryptor unit (5), receiving by the accessor unit (4) of the partial keys transmitted from the cryptor unit (5), transmitting by the accessor unit (4) of the partial keys to the recipients (3, 3'), receiving by the accessor unit (4) of the partial keys transmitted from the recipients (3, 3'), transmitting by the accessor unit (4) of the partial keys to the cryptor unit (5), receiving by the accessor unit (4) from the recipients (3, 3') a selection which electronic message has to be decrypted, transmitting, from the accessor unit (4) to the cryptor unit (5), a request to decrypt an electronic message based on the selection, receiving by the accessor unit (4) of the electronic message transmitted from the cryptor unit (5), and transmitting by the accessor unit (4) of the electronic message to the recipients (3, 3').

10. The method of claim 9, wherein transmitting by the accessor unit (4) of the partial keys to the recipients (3, 3') includes obfuscating the partial keys by the accessor unit (4), and receiving by the accessor unit (4) of the partial keys transmitted from the recipients includes de-obfuscating by the accessor unit (4) the obfuscated partial keys received from the recipients (3, 3').

11. The method of one of claims 9 or 10, wherein generating at the cryptor unit (5) a plurality of partial keys further includes generating by the cryptor unit (5) an additional key for the accessor unit (4), which is required, in addition to the partial keys transmitted to and returned from the recipients (3, 3'), to compute the master key.

12. The method of claim 11, further comprising transmitting the additional key from the cryptor unit (5) to the accessor unit (4), obfuscating the additional key at the accessor unit (4), storing the additional key at the accessor unit (4), de-obfuscating the additional key and transmitting the additional key from the accessor unit (4) to the cryptor unit (5).

13. The method of one of claims 1 to 12, wherein the cryptor unit (5) is located in a demilitarized zone (DMZ) of the sender's (2) mail domain, the accessor unit (4) is located outside of the DMZ of the sender's (2) mail domain, and transmitting the partial keys further includes transmitting meta-information about the electronic message from the cryptor unit (5) to the accessor unit (4) and forwarding by the accessor unit (4) the meta-information to the recipients (3, 3').

14. A computer program product comprising computer program code means for controlling one or more processors of a computer system (100), such that the computer system (100) receives an electronic message transmitted by a sender (2); generates a plurality of partial keys and one corresponding master key; encrypts the electronic message using the master key; transmits the partial keys to the recipients (3, 3') such that each recipient (3, 3') receives one of the partial keys; receives the partial keys returned from the recipients (3, 3'); decrypts the encrypted electronic message using a master key computed from the partial keys received from the recipients (3, 3'); and transmits the electronic message to the recipients (3, 3').

15. A computer system (100) for securely communicating an electronic message from a sender (2) via a communication network (7) to a plurality of recipients (3, 3'), the computer system (100) being configured to receive the electronic message transmitted by the sender (2); generate a plurality of keys and one corresponding master key; encrypt the electronic message using the master key; transmit the partial keys to the recipients (3, 3') such that each recipient (3, 3') receives one of the partial keys; receive the partial keys returned from the recipients (3, 3'); decrypt the encrypted electronic message using the master key computed from the partial keys received from the recipients (3, 3'); and transmit the electronic message to the recipients (3, 3').

Description:
METHOD AND SYSTEM FOR SECURE COMMUNICATION

Field of the Invention

The present invention relates to methods and devices for secure communication of electronic messages. Specifically, the present invention relates to methods and devices for secure communication of an electronic message from a sender via a communication network to a plurality of recipients.

Background of the Invention

With the advent of asymmetric cryptography and the concept of public key infrastructures, it was generally believed that a technical basis to provide services in the field of secure electronic mail (e-mail) was found. Notably with the publication of PGP (Pretty Good Privacy) in the early 1990s and S/MIME (Secure Multipurpose Internet Mail Extensions) standards, the challenge was believed to be solved. Nevertheless, the usage of end-to-end encryption for secure messaging is still marginal now, i.e. 20 years later, and lacks several important functions.

Secure platform solutions propose to insert a mediator to handle the security aspects of message delivery. Such aspects include, but are not limited to, authentication of involved parties, authorization to access and reveal content, non-repudiation of the sent and received message, security protocol conversion between the many fragmented security technologies used by senders and recipients, as well as the integrity of the message.

Given the nature of such scenarios, it may be vital that the secure platform does not gain access to the content of messages in case of an attack. Therefore, there should be at least one operation mode of secure platforms where the revealed content should be volatile and only present during the moment when it is accessed by a legitimate user.

EP1478143B1 describes a method and a device for secure transmission of an electronic message from a sender to a recipient. The message is transmitted from the sender to an encryption system which in turn encrypts the message and embeds the message in a second, transportation message (e.g. an HTML file). After transmitting the transportation message to the recipient, the recipient operates an activation element which is embedded in the transportation message. The operation of the activation element initiates a back-transmission of the encrypted message to the encryption system, the decryption of the message by the encryption system and the transmission of the decrypted message from the encryption system to the recipient. Hence, the encryption system performs all encryption/decryption operations and organizes secure transmission of the message from the sender to the recipient without storing the message at the encryption system.

EP1536601B1 describes a method for secure end-to-end encryption for electronic mails (e-mails) sent from a sender to a recipient. The sender requests from an encryption system a certificate corresponding to the recipient, and the encryption system returns to the sender a first proforma certificate which corresponds to the recipient. The proforma certificate is only used between the sender and the encryption system. The sender encrypts an e-mail with the proforma certificate and sends an e-mail, which is forwarded through the encryption system, to the recipient. Finally, the encryption system decrypts the e-mail using a private key corresponding to the certificate and makes the content of the e-mail available to the recipient. Optionally, the encryption system performs various security tasks, such as virus and offensive content detection.

Summary of the Invention

It is an object of this invention to provide a method and a system for securely communicating an electronic message from a sender via a communication network to a plurality of recipients. In particular, it is an object of this invention to provide a method and system which make it possible to require a plurality of recipients to agree before the content of the electronic message is revealed.

According to the present invention, these objects are achieved through the features of the independent claims. In addition, further advantageous embodiments follow from the dependent claims and the description.

According to the present invention, the above mentioned objects are particularly achieved in that for securely communicating an electronic message from a sender via a communication network to a plurality of recipients, a cryptor unit receives the electronic message from a sender. A plurality of partial keys and one corresponding master key are generated, e.g. at the cryptor unit, and the cryptor unit encrypts the electronic message using the master key. The partial keys are transmitted to the recipients, e.g. from the cryptor unit, such that each recipient receives one of the partial keys. Subsequently, the cryptor unit receives the partial keys returned from the recipients, decrypts the electronic message using a master key computed from the partial keys received from the recipients, and transmits the electronic message to the recipients. Thus, the electronic message is only decrypted and transmitted to the recipients, if all or a well-defined quorum of recipients expresses their consent by returning the partial keys to the cryptor unit.

In one embodiment, the cryptor unit irretrievably deletes the master key before the partial keys are transmitted to the recipients and irretrievably deletes the partial keys immediately after the partial keys are transmitted to the recipients. Thus, if the cryptor unit is attacked by a third party, the electronic message can only be decrypted during a short time interval, and after deleting the master key and the partial keys at the cryptor unit, the third party cannot decrypt the electronic message without the partial keys of the recipients.

In one embodiment, the cryptor unit generates the plurality of partial keys and the corresponding master key in such a way, that a defined minimum number of partial keys is required for computing the master key based on the partial keys. Thus, the invention makes it possible to define a minimum number of recipients which have to agree before the electronic message is decrypted. Said minimum number of recipients is less than or equal to the total number of recipients.

In one embodiment, the cryptor unit computes the plurality of partial keys based on the generated master key.

In a further embodiment, the cryptor unit computes the plurality of partial keys by obfuscating one or more partial keys derived from the master key.

In another embodiment, the cryptor unit computes the master key based on the generated partial keys before the electronic message is encrypted.

In one embodiment, the cryptor unit further generates an additional key for the cryptor unit, which is required, in addition to the partial keys transmitted to and returned from the recipients, to compute the master key. Thus, an authentication of the cryptor unit is required for decrypting the electronic message.

In one embodiment, the cryptor unit further obfuscates and stores the additional key for the cryptor unit, and de-obfuscates the additional key before computing the master key.

In one embodiment, an accessor unit receives the electronic message from the sender, forwards the electronic message to the cryptor unit, receives the partial keys from the cryptor unit, and transmits the partial keys to the recipients. At a later point in time, the accessor unit receives the partial keys from the recipients and forwards the partial keys to the cryptor unit, receives from the recipients a selection which electronic message has to be decrypted, transmits to the cryptor unit a request to decrypt an electronic message based on the selection, receives a decrypted electronic message from the cryptor unit, and transmits the decrypted electronic message to the recipients.

In one embodiment, the accessor unit further obfuscates the partial keys received from the cryptor unit and transmits the partial keys to the recipients. At a later point in time, the accessor unit de-obfuscates the obfuscated partial keys received from the recipients and transmits the partial keys to the cryptor unit.

In one embodiment, the cryptor unit further generates an additional key for the accessor unit, which is required, in addition to the partial keys transmitted to and received from the recipients, to compute the master key.

In one embodiment, the additional key for the accessor unit is transmitted from the cryptor unit to the accessor unit, obfuscated by the accessor unit, stored at the accessor unit, de-obfuscated by the accessor unit and transmitted from the accessor unit to the cryptor unit.

In one embodiment, the cryptor unit is located in a demilitarized zone (DMZ) of the sender's mail domain, the accessor unit is located outside of the DMZ of the sender's mail domain, meta-information about the electronic message is transmitted from the cryptor unit to the accessor unit, and the meta-information is forwarded by the accessor unit to the recipients.

In addition to a method and a computer system for securely communicating an electronic message from a sender via a communication network to a plurality of recipients, the present invention also relates to a computer program product comprising computer program code, preferably computer program products comprising a tangible computer-readable medium having stored thereon the computer program code. The computer program code directs one or more processors of a computer system, such that the computer system receives the electronic message transmitted by the sender, generates a plurality of keys and one corresponding master key, encrypts the electronic message using the master key, transmits the partial keys to the recipients such that each recipient receives one of the partial keys, receives the partial keys returned from the recipients, decrypts the encrypted electronic message using the master key computed from the partial keys received from the recipients, and transmits the electronic message to the recipients.

Brief Description of the Drawings

The present invention will be explained in more detail, by way of example, with reference to the drawings in which:

Figures 1 and 5 show block diagrams illustrating schematically exemplary systems for securely communicating an electronic message from a sender via a communication network to a plurality of recipients.

Figures 2 and 6 show flow diagrams illustrating examples of a sequence of steps for a send process, i.e. a process which includes transmitting an electronic message to a cryptor unit and encrypting the electronic message at the cryptor unit.

Figure 3 shows a flow diagram illustrating an example of a sequence of steps for a synchronous receive process, i.e. a process which includes transmitting an electronic message from a cryptor unit via an accessor unit to a plurality of recipients, while the recipients are logged in at the accessor unit.

Figure 4 shows a flow diagram illustrating an example of a sequence of steps for an asynchronous receive process, i.e. a process which includes transmitting an electronic message from a cryptor unit via an accessor unit to a plurality of recipients while the recipients are not logged in at the accessor unit.

Detailed Description of the Preferred Embodiments

In Figure 1, reference numeral 1 refers to a system for securely communicating an electronic message from a sender 2 via a communication network 7 to a plurality of recipients 3, 3'. The system comprises a computer system 100 including one or more operable computers and an accessor unit 4 with a cryptor unit 5. The recipients 3, 3' are connected with the sender 2 and the accessor unit 4, e.g. via a communication network 7 or via direct communication links.

Electronic messages include but are not limited to e.g. e-mail (electronic mail), or other forms of electronic messages exchanged e.g. via SMS (Short Message Services), IMS (Instant Messaging Services) or Social Networks.

The communication network 7 comprises a fixed communication network and/or a mobile radio communication network. Preferably, the communication network 7 comprises the Internet.

The sender 2 is the submitter of the electronic message and the recipients 3, 3' are the addressees of the electronic message. Both the sender 2 and the recipients 3, 3' are communication entities, e.g. network subscribers or software agents, which operate communication terminals. The electronic message is preferably transmitted (resp. received) by the sender 2 (resp. recipients 3, 3') via a communication terminal. A communication terminal includes one or more processors. The communication terminal is, for example, a fixed or mobile personal computer, a smart phone, a cellular phone, or a personal digital assistant (PDA) for data communication. For example, the communication terminal is a mobile phone or a mobile computer connected to a WLAN (Wireless Local Area Network), or equipped with other communication modules for mobile communication, compliant to standards such as GSM (Global System for Mobile Communication) or UMTS (Universal Mobile Telecommunication System).

The accessor unit 4 includes one or more operational computers with one or more processors, an accessor storage 41 and a message storage 6. Moreover, a cryptor unit 5 with a cryptor storage 51 is co-located at the accessor unit 5. Optionally, the cryptor unit 5 also includes one or more operational computers with one or more processors.

The functions of the cryptor unit 5 and the accessor unit 4 may be implemented as independent software processes on a single hardware platform. Alternatively, the functions of the cryptor unit 5 and the accessor unit 4 are implemented as independent hardware units. Preferably, the functions of the cryptor unit 5 and the accessor unit 4 are implemented by programmed software modules comprising computer program code for directing one or more computers to perform functions as described later in more detail. The computer program code is stored on a tangible computer-readable medium which is connected fixed or removably in the respective computer. One skilled in the art will understand, however, that in alternative embodiments the functions of the cryptor unit 5 and the accessor unit 4 may be implemented fully or at least partly by way of hardware components.

The accessor storage 41, the cryptor storage 51 and the message storage 6 include conventional memory systems or storage devices for efficient storage of data, including e.g. data base systems. The accessor storage 41 can be solely accessed by accessor unit 4 for read and write operations. The cryptor storage 51 can be solely accessed by the cryptor unit 5 for read and write operations. The message storage can be accessed from both the cryptor unit 5 and the accessor unit 4. Optionally, there are further shared memories and data buffers for communication between the cryptor unit 5 and the accessor unit 4.

In the following paragraphs, described with reference to Figures 2, 3, 4, and 6 are possible sequences of steps performed by the accessor unit 4, the cryptor unit 5, the sender 2, and the recipients 3, 3'.

In Figure 2, the sender 2 specifies the content of an electronic message in step S1. Optionally, the following encryption parameters are specified by the sender 2 and are embedded in the electronic message:

a) a list of n recipients 3, 3' to which the electronic message is transmitted, and/or

b) a minimum number k (quorum) of recipients 3, 3' which are required to return their partial keys for decrypting the content of the electronic message, and/or

c) a list of mandatory recipients 3, 3', i.e., recipients 3, 3' which are required to return their partial key for decrypting the electronic message, and/or

d) a time window, defined by a start time and an end time, during which recipients 3, 3' are required to return their partial keys for decrypting the electronic message, and/or

e) a list of persons to which the decrypted electronic message is transmitted.

The latter encryption parameters a) - e) are optionally embedded in the electronic message, e.g. with subject line tags or XML (Extensible Markup Language) files comprising according labeling/steering meta-information.

In step S2, the electronic message is securely transmitted via the communication network 7 to the accessor unit 4. For example, the electronic message is transmitted via SMTP (Simple Mail Transfer Protocol) using the TLS (Transport layer security) protocol or any other secure mechanism.

As illustrated in Figure 2, the steps S3 to S8 are performed by the cryptor unit 5. In step S3, the cryptor unit 5 detects that the electronic message must be quorum encrypted, e.g., by receiving the encryption parameters a)- e) embedded in the electronic message. Alternatively, encryption parameters or an encryption policy is stored at the accessor unit 4 or at the cryptor unit 5.

In step S4, the cryptor unit 5 generates a master key. Preferably, the cryptor unit 5 generates a symmetric master key for encrypting and decrypting the electronic message. The master key has a high entropy to prevent successful brute force attacks on the encrypted electronic message. An example for the master key is an AES (Advanced Encryption Standard) key of at least 128 bits length.

In step S5, the cryptor unit 5 encrypts the content of the electronic message with the master key, using e.g. AES encryption.

Next, in step S6, the cryptor unit 5 computes (n+2) partial keys from the master key. One partial key is generated for each of the n recipients 3, 3' of the electronic message. Moreover, the cryptor unit 5 computes from the master key one additional partial key for authenticating the cryptor unit 5 and one additional partial key for authenticating the accessor unit 4. Henceforth, the latter partial keys will be denoted cryptor key and accessor key, respectively. For computing the (n+2) partial keys, e.g., Shamir's Algorithm (Shamir, Adi 1979 "How to share a secret". Communications of the ACM 22 (11): 612-613) is used. Alternatively, other methods for secret sharing are applied for computing the partial keys. As will be explained later in more detail, k partial keys from the computed (n+2) partial keys are required to recompute the master key in step S19 of Figure 3. In other words, with the knowledge of any k partial keys, i.e. partial keys from the recipients, the cryptor key and/or the accessor key, it is possible to decrypt the encrypted electronic message.

To increase the level of security, it is necessary to guarantee that the cryptor key, the accessor key and k of the n partial keys of the recipients are required for decrypting the electronic message. Hence, in step S6, an alternative procedure for generating the (n+2) partial keys is applied: For the example of a symmetric master key according to the AES standard, a so-called platform key of the same length (i.e. with the same number of bits) as the master key is randomly generated. A so-called recipients key is computed by performing a bitwise XOR operation with the master key and the randomly generated platform key.

On the one hand, by repeating this procedure, the platform key is split into the cryptor key and the accessor key. For this purpose, the cryptor key is randomly generated with the same length as the platform key, and the accessor key is computed from the cryptor key and the platform key by performing an XOR operation.

On the other hand, the recipients key is split into n partial keys for the recipients 3, 3' by, e.g. computing the partial keys according to Shamir's Algorithm.

Immediately after computing the cryptor key and the accessor key, the platform key is irretrievably deleted from the cryptor unit 5 in step S6. Analogously, the recipients key is irretrievably deleted from the cryptor unit 5 after the n partial keys for the recipients 3, 3' are computed in step S6.

As will be explained with respect to step S19 of Figure 3, the master key is computed from the cryptor key, the accessor key and k of n partial keys from the recipients 3, 3'. Due to the reversibility of the XOR function, the platform key is re-computed by performing an XOR operation of the cryptor key and the accessor key. The recipients key is recomputed from the partial keys returned from the recipients. Finally, the master key is re-computed by performing an XOR operation of the platform key and the recipients key. This approach has the advantage that provided that the cryptor unit 5, the accessor unit 4 or certain recipients 3, 3' are hijacked, access to the content of the electronic message is prevented. In particular, decrypting the electronic message without the cryptor key or without the accessor key becomes impossible with the described method.
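The key hierarchy of steps S6 and S19 can be traced end to end in a short Python sketch. This is an added example, not code from the patent or from the applicant; the function names, the use of Python integers for keys and the choice of the Mersenne prime 2^521 - 1 as the Shamir field are assumptions made for illustration.

```python
"""Key hierarchy of steps S6 and S19: two XOR splits plus Shamir k-of-n."""
import secrets

KEY_BITS = 128        # AES-128 master key, as in step S4
PRIME = 2**521 - 1    # assumption: Mersenne prime used as the Shamir field


def xor_split(key: int) -> tuple[int, int]:
    """Return (random, key ^ random); XOR of both halves gives key back."""
    rand = secrets.randbits(KEY_BITS)
    return rand, key ^ rand


def shamir_split(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Return n points of a random degree-(k-1) polynomial f with f(0) = secret."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def shamir_combine(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the supplied points."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_master(master: int, k: int, n: int):
    """Step S6: master = platform ^ recipients key; platform = cryptor ^ accessor."""
    platform, recipients_key = xor_split(master)
    cryptor_key, accessor_key = xor_split(platform)
    partial_keys = shamir_split(recipients_key, k, n)
    # platform and recipients_key are intermediate values only; the text
    # requires them to be irretrievably deleted once the sub-keys exist.
    return cryptor_key, accessor_key, partial_keys


def recompute_master(cryptor_key: int, accessor_key: int, returned) -> int:
    """Step S19: rebuild platform key and recipients key, then XOR them."""
    platform = cryptor_key ^ accessor_key
    recipients_key = shamir_combine(returned)
    return platform ^ recipients_key


def demo():
    """Constructed run with n = 5 recipients and quorum k = 3."""
    master = secrets.randbits(KEY_BITS)
    cryptor_key, accessor_key, parts = split_master(master, k=3, n=5)
    quorum_ok = recompute_master(cryptor_key, accessor_key, parts[1:4]) == master
    too_few = recompute_master(cryptor_key, accessor_key, parts[:2]) == master
    no_accessor = recompute_master(cryptor_key, 0, parts[:3]) == master
    return quorum_ok, too_few, no_accessor


if __name__ == "__main__":
    print(demo())
```

Any three of the five recipient shares reproduce the master key, while two shares, or three shares without the accessor key, yield an unrelated value.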

For the case of mandatory recipients 3, 3' as specified by the encryption parameters, additional partial keys are generated for each mandatory recipient 3, 3'. For this purpose, the described procedure for generating the cryptor key and the accessor key is applied. The computed partial keys for the mandatory recipients 3, 3' are required, in addition to the cryptor key, the accessor key, and a quorum of the partial keys from the recipients 3, 3', to decrypt the electronic message.

In step S7, the master key is irretrievably deleted from the cryptor unit 5. Furthermore, the cryptor unit 5 obfuscates the cryptor key and stores the obfuscated cryptor key at cryptor storage 51. For obfuscating the cryptor key, a variety of obfuscation/encryption techniques may be applied. One purpose of the obfuscation/encryption is that the obfuscated key cannot be used by a possible attacker to decrypt the electronic message. A more detailed discussion on how to obfuscate partial keys will be provided with respect to step S10.

In step S8, the cryptor unit 5 stores the encrypted electronic message and the partial keys at the message storage 6.

In step S9, the accessor unit 4 receives the accessor key from the cryptor unit 5 via e.g. a shared buffer, obfuscates the accessor key and stores the accessor key at the accessor storage 41.

In step S10, the accessor unit 5 obfuscates the partial keys stored at the message storage 6. For example, the accessor unit 5 uses AES encryption to compute one obfuscated partial key for each recipient 3, 3' from the partial key for the respective recipient 3, 3' stored at the message storage 6 and from the accessor key stored at the accessor storage 41. This mechanism ensures confidentiality of the partial key. As one alternative, each partial key is obfuscated by computing an AES encryption from the partial key and a random number which is only known at the accessor unit 5 and unknown outside the accessor unit 5. Similar methods can be applied at the accessor unit 4 to obfuscate the accessor key and at the cryptor unit 5 to obfuscate the cryptor key.

Another purpose of obfuscating the partial keys is preventing possible attackers from gaining knowledge about the relationship between recipients 3, 3'. It is important that the partial keys transmitted and received from the accessor unit 4 do not reveal the privacy of the recipients 3, 3' or the number of the recipients 3, 3'.

If there is only one partial key required to decrypt the electronic message, i.e. the partial key is the master key, each recipient 3, 3' can cause the decryption of the electronic message. In this special case, in one embodiment of the present invention, only one partial key (namely the master key) is transmitted to the recipients 3, 3'.

For example, the partial keys are obfuscated as follows: The accessor unit 4 computes hash values from a concatenation of the accessor key (or some other secret data unknown outside the accessor unit 4) with data, which is specific for the respective recipient 3, 3'. Said data includes, but is not limited to the name, the address, or the telephone number of the recipient 3, 3'. The obfuscated partial keys for the n recipients 3, 3' are then computed by performing XOR operations of the partial key and the hash value computed with data specific for the respective recipient 3, 3'. To de-obfuscate this partial key in a later step, the hash value must be once again calculated at the accessor unit 4 and de-combined using the XOR operation.
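The hash-and-XOR obfuscation described above, as an added Python example that is not part of the patent text. The use of SHAKE-256 (so the mask can match a partial key of any length), the function names and the recipient records are assumptions; all sample values are constructed.

```python
"""Per-recipient obfuscation of a partial key: XOR with a keyed hash."""
import hashlib


def recipient_mask(accessor_secret: bytes, recipient_data: bytes, length: int) -> bytes:
    """Hash of accessor secret || recipient data, stretched to `length` bytes.

    Assumption: SHAKE-256 stands in for the unspecified hash so the mask
    covers partial keys longer than a fixed-size digest.
    """
    return hashlib.shake_256(accessor_secret + recipient_data).digest(length)


def obfuscate(partial_key: bytes, accessor_secret: bytes, recipient_data: bytes) -> bytes:
    """XOR the partial key with the recipient-specific mask."""
    mask = recipient_mask(accessor_secret, recipient_data, len(partial_key))
    return bytes(p ^ m for p, m in zip(partial_key, mask))


# XOR is its own inverse, so de-obfuscation recomputes the mask and XORs again.
deobfuscate = obfuscate


def demo() -> dict:
    accessor_secret = bytes(range(16))                                # constructed
    partial_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    alice = b"Alice Example|+41 00 000 00 00"                         # constructed
    bob = b"Bob Example|+41 00 000 00 01"                             # constructed

    wrapped = obfuscate(partial_key, accessor_secret, alice)

    # The same partial key wrapped for two recipients gives unrelated values,
    # so the transmitted blobs do not reveal that they share a key.
    wrapped_bob = obfuscate(partial_key, accessor_secret, bob)

    # One flipped bit in transit flips the same bit after de-obfuscation:
    # the XOR mask gives confidentiality only, so the accessor unit needs a
    # separate integrity check (e.g. a MAC) to notice an altered key.
    tampered = bytes([wrapped[0] ^ 0x01]) + wrapped[1:]
    recovered_tampered = deobfuscate(tampered, accessor_secret, alice)

    return {
        "round_trip": deobfuscate(wrapped, accessor_secret, alice) == partial_key,
        "hidden": wrapped != partial_key,
        "per_recipient": wrapped != wrapped_bob,
        "wrong_recipient": deobfuscate(wrapped, accessor_secret, bob) == partial_key,
        "bit_flip_passes_through": (
            recovered_tampered[0] == partial_key[0] ^ 0x01
            and recovered_tampered[1:] == partial_key[1:]
        ),
    }


if __name__ == "__main__":
    print(demo())
```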

In step S11, the accessor unit 4 securely transmits each of the obfuscated partial keys stored at the message storage 6 to one recipient. The partial keys are e.g. sent by e-mail via the communication network 7 to the respective recipient 3, 3'. For example, the e-mail is transmitted via SMTP (Simple Mail Transfer Protocol) using the TLS (Transport Layer Security) protocol. Alternatively, the obfuscated partial key is delivered from the accessor unit 4 to the recipients 3, 3' by a trusted person, or is sent by conventional, registered mail.

In step S12, the partial keys are irreversibly deleted from the message storage 6.

Figure 3 shows a flow diagram illustrating an example of a sequence of steps for a synchronous receive process, i.e. a process which includes transmitting an electronic message from the cryptor unit 5 via the accessor unit 4 to a plurality of recipients 3, 3', while the recipients 3, 3' are logged in at the accessor unit 4.

In step S13, a recipient 3, 3' establishes a secured connection to the accessor unit 4 and authenticates himself (log-in). The recipient 3, 3' selects the electronic message to decrypt from a plurality of electronic messages stored at the accessor unit 4. For this purpose, suitable meta-information about the available electronic messages is provided by the accessor unit 4.

In step S14, the recipient 3, 3' uploads its partial key, which is still obfuscated, to the accessor unit 4. Next, in step S15, the accessor unit 4 recovers the partial key of the recipient 3, 3' by applying a de-obfuscation technique. In an analogous manner, in step S16, the accessor unit 4 recovers the accessor key which is stored at the accessor storage 41 by applying a de-obfuscation technique.

In step S17, the accessor unit 4 requests the cryptor unit 5 to decrypt the selected electronic message. For this purpose, both the partial key of the recipient 3, 3' and the accessor key are transferred from the accessor unit 4 to the cryptor unit 5, e.g. via the message storage 6. Alternatively, the accessor unit 4 counts the number of received partial keys and only requests the decryption of the electronic message in case the number of received partial keys is sufficient. The number of received partial keys is sufficient if, e.g., the mandatory recipients 3, 3' specified in the encryption parameters have transmitted their partial keys to the accessor unit 4. Alternatively or additionally, the number of received partial keys is sufficient if, e.g., a defined minimum number of partial keys has been transmitted from the recipients 3, 3' to the accessor unit 4.

In step S18, the cryptor unit 5 recovers the cryptor key which is stored at the cryptor storage 51 by applying a de-obfuscation technique.

In step S19, the cryptor unit 5 attempts to re-compute the master key. As described with respect to step S6 in Figure 2, the cryptor unit 5 attempts to compute the master key from the cryptor key, the accessor key and the partial keys from the recipients 3, 3'. If the number of received partial keys is sufficient, e.g. the number of received partial keys is equal to or exceeds a defined minimum number of partial keys, the cryptor unit 5 re-computes the master key.

In step S20, the cryptor unit 5 decrypts the electronic message with the re-computed master key using e.g. AES decryption. Optionally, before decrypting the electronic message, the cryptor unit 5 checks whether the partial keys have been transmitted e.g. within a time interval defined by the start time and the end time as specified by the encryption parameters. In case of a violation of said time interval, the cryptor unit 5 does not decrypt the electronic message. If, however, the electronic message is decrypted, it is transferred from the cryptor unit 5 to the accessor unit 4 in step S21.

In step S22, the accessor unit 4 securely forwards the electronic message to all the recipients 3, 3' via HTTPS (Hypertext Transfer Protocol Secure), SMTP using the TLS protocol or any other secure mechanism. Alternatively, the electronic message is forwarded only to those recipients 3, 3' who transmitted their partial keys to the accessor unit 4, or only to the list of persons, to which the electronic message has to be transmitted as specified by the encryption parameters. The latter list of persons comprises e.g. the sender 2, which is informed about the successful decryption of the electronic message.

If the number of received partial keys is not sufficient and the master key could not be recomputed, the recipient 3, 3' which is logged in at the accessor unit 4 is informed in step S22 by the accessor unit 4 that the electronic message could not be decrypted. Optionally, the recipient 3, 3' is informed which of the remaining recipients 3, 3' did not transmit their partial keys.
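The sufficiency and time-interval checks of steps S17 to S20, together with the report of recipients who have not yet returned a key, can be expressed as one policy function. This is an added example, not code from the patent: the `EncryptionParameters` container, the recipient identifiers and the timestamps are hypothetical, and it assumes that both the mandatory-recipient rule and the minimum-number rule apply and that a key returned outside the time interval is simply not counted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EncryptionParameters:
    """Hypothetical container for the sender's encryption parameters."""
    recipients: frozenset
    mandatory: frozenset
    minimum_keys: int
    start_time: datetime
    end_time: datetime


def evaluate(params, submissions):
    """Return (decrypt, reasons, missing) for (recipient, received_at) pairs."""
    counted, reasons = set(), []
    for recipient, received_at in submissions:
        if recipient not in params.recipients:
            reasons.append(f"key from unlisted party {recipient} ignored")
        elif not params.start_time <= received_at <= params.end_time:
            reasons.append(f"key from {recipient} outside the time interval")
        else:
            counted.add(recipient)  # a key submitted twice counts once
    absent_mandatory = sorted(params.mandatory - counted)
    if absent_mandatory:
        reasons.append("mandatory keys missing: " + ", ".join(absent_mandatory))
    if len(counted) < params.minimum_keys:
        reasons.append(f"{len(counted)} of {params.minimum_keys} keys received")
    decrypt = not absent_mandatory and len(counted) >= params.minimum_keys
    # "missing" is what the logged-in recipient may optionally be told.
    return decrypt, reasons, sorted(params.recipients - counted)


def sample():
    """Constructed scenario: three recipients, one mandatory, two keys required."""
    t0 = datetime(2012, 1, 1, 9, 0)
    params = EncryptionParameters(
        recipients=frozenset({"r1", "r2", "r3"}), mandatory=frozenset({"r1"}),
        minimum_keys=2, start_time=t0, end_time=t0 + timedelta(days=7))
    early = [("r2", t0 + timedelta(hours=1)), ("r2", t0 + timedelta(hours=2)),
             ("r3", t0 + timedelta(days=8))]
    complete = early + [("r1", t0 + timedelta(days=1))]
    return evaluate(params, early), evaluate(params, complete)


if __name__ == "__main__":
    for outcome in sample():
        print(outcome)
```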

In another embodiment, illustrated in Figure 4, the recipient 3, 3' is not logged in at the accessor unit 4 for transmitting its partial key or receiving the electronic message. This so-called asynchronous receive process is applied in scenarios, where e.g. the sender 2 does not know how to reach some or all of the recipients 3, 3' or where the recipients 3, 3' cannot log into the accessor unit 4. Optionally, the asynchronous receive process is applied in scenarios, where the recipients 3, 3' prefer to receive the decrypted electronic message by other means than used for the asynchronous receive process. The recipient 3, 3' transmits its partial key to the accessor unit 4 and receives the electronic message after the entire process has been executed.

In step S23, the recipient 3, 3' signs the obfuscated partial key. By signing the obfuscated partial key, the recipient 3, 3' guarantees the authenticity and integrity of the obfuscated partial key. Using e.g. an asymmetric cryptographic approach, where the recipient 3, 3' has a secret, private key and a public key of the recipient 3, 3' is known to the accessor unit 4, the recipient 3, 3' signs the obfuscated partial key with its private key. In step S24, the partial key is transmitted from the recipient 3, 3' to the accessor unit 4. In step S25, before recovering the partial key of the recipient 3, 3' by applying a de-obfuscation technique, the accessor unit 4 verifies the signature of the partial key, e.g. by applying the public key of the recipient 3, 3'.

The following steps S26 to S31 correspond to the steps S16 to S21 of the synchronous receive process depicted in Figure 3.

In step S32, the cryptor unit 5 encrypts the electronic message for secure transmission of the electronic message to each of the recipients 3, 3'. For instance, the cryptor unit 5 encrypts the electronic message with the public key of the respective recipient 3, 3'. Alternatively, if a separate reply key has been transmitted by the recipient 3, 3' to the accessor unit 5, the cryptor unit 5 encrypts the electronic message with the separate reply key. The electronic message is passed from the cryptor unit 5 to the accessor unit 4.

In step S33, the accessor unit 4 transmits the electronic message via the communication network 7 to the recipients 3, 3', who will be able to decrypt the electronic message e.g. with their private keys. Alternatively, in step S33, the recipient 3, 3' logs in to the accessor unit 4 via a secure transport protocol such as POP3S. Once logged in to the accessor unit 4, the electronic message is transmitted to the recipient 3, 3'.

Optionally, each recipient 3, 3' decides whether he logs in at the accessor unit 4, i.e. whether the recipient 3, 3' prefers to receive the decrypted electronic message using the asynchronous receive process (as illustrated in Figure 3) or using the synchronous receive process (as illustrated in Figure 4).

In Figure 5, an alternative embodiment is illustrated wherein the cryptor unit 5 and the accessor unit 4 are physically separated. The cryptor unit 5 and the message storage 6, which is external to the cryptor unit 5, reside in a demilitarized zone (DMZ), which includes e.g. the e-mail domain of the sender 2. The DMZ further includes the communication network 10 and is protected from the communication network 7 by the firewall 9. Figure 5 illustrates an exemplary scenario with geographical requirements on the storage and handling of electronic messages, as required by some jurisdictions. For example, the communication network 10 (and the cryptor unit 5) is located in a different jurisdiction than the communication network 7 (and the accessor unit 4). The cryptor unit 5 therefore resides in the DMZ. Figure 6 illustrates a sequence of steps, which is exemplary for the scenario depicted in Figure 5.

In step S34 in Figure 6, the electronic message is generated as described in step S1. Instead of sending the electronic message to the accessor unit 4, the sender 2 sends the electronic message directly to the cryptor unit 5 in step S35.

The following steps S36 to S41 correspond to steps S3 to S8 in Figure 2. In step S42, the cryptor unit 5 authenticates at the accessor unit 5 and establishes a secure connection e.g. via secure SOAP (Simple Object Access Protocol). The cryptor unit 5 transmits the accessor key, the partial keys for the recipients 3, 3' and meta-information about the electronic message to the accessor unit 4. Subsequently, the partial keys for the recipients 3, 3' and the accessor key are irreversibly deleted from the message storage 6 and the cryptor system 5 in step S42.

In step S43, the accessor unit 4 obfuscates the partial keys for the recipients 3, 3' and the accessor key. Moreover, the accessor unit 4 stores the accessor key at the accessor storage 41.

In step S44, the accessor unit 4 securely transmits the partial keys to the recipients 3, 3'. In step S45, the partial keys for the recipients 3, 3' are irretrievably removed from the accessor unit 4. The synchronous receive process for the scenario in Figure 5 corresponds to the synchronous receive process illustrated in Figure 3. The main difference is that the message storage 6 is not accessed by the accessor unit 4 for the scenario in Figure 5. Instead, the accessor unit 4 requests the electronic message from the cryptor unit 5, which will then access the message storage 6. For this purpose, after successful authentication, the accessor unit 4 establishes a secure connection via e.g. secure SOAP with the cryptor unit 5 in the DMZ. The accessor unit 5 then provides a reference to the electronic message together with the required partial keys and the accessor key to the cryptor unit 5. In case a sufficient number of partial keys are provided to the cryptor unit 5, the decrypted electronic message is forwarded by the accessor unit 4 to the recipients 3, 3'. Once the electronic message was forwarded by the accessor unit 4, it is completely erased from the accessor unit 4.

In an alternative embodiment, the accessor unit 4, instead of forwarding the decrypted electronic message, only mediates a direct secure connection from the cryptor unit 5 to the recipient 3, 3'. The decrypted electronic message is then delivered to the recipient 3, 3' via this direct secure connection. In this way, the content of the electronic message is never revealed in plaintext to the accessor unit 4 or any other system outside of the DMZ.

The asynchronous receive process for the scenario in Figure 5 corresponds to the asynchronous receive process illustrated in Figure 4. The main difference is that the cryptor unit 5 accesses the electronic message stored at the message storage 6. The cryptor unit 5, after decrypting the electronic message using the re-computed master key, encrypts the electronic message for secure transport to the recipient 3, 3'. For encryption e.g. the public key of the recipient 3, 3' is used. The accessor unit 4 forwards the electronic message to the recipient 3, 3'. However, the content of the electronic message is never revealed to the accessor unit 4.

The described system and method can be applied, e.g. in the revelation of a last will after somebody, e.g. the sender, is deceased. Similar scenarios can be imagined in many fields, e.g. disclosure of stock market relevant news, secret military information, etc.

It should be noted that, in the description, the sequence of steps has been presented in a specific order. One skilled in the art will understand, however, that the order of at least some of the steps could be altered without deviating from the scope of the invention.