D-Envelope

D-Envelope is used by users within the organization. It makes it possible to send and receive confidential messages safely to or from any e-mail address. Its use does not require any software to be installed on the sender's or recipient's workstations. The recipient reads the message in a browser over an encrypted TLS connection.

The e-mail encryption solution offers different levels of protection, from an easy-to-use security level up to the Finnish national protection level ST IV. For end users the solution is so straightforward that e-mail encryption works without installing anything in the e-mail client, without registrations and without additional passwords.

The application's different levels of protection can be compared to the corresponding regular mail methods. The "letter" protection level corresponds to a normal letter, securing the message traffic. The "registered letter" protection level corresponds to sending a registered letter: the message traffic is secured and the correct recipient can be confirmed with a PIN code sent to his/her mobile phone. The "handed over personally" protection level corresponds to handing the message over to the addressee in person: the receiver is authenticated electronically based on the recipient's Social Security Number (SSN). The sender must define the recipient's SSN. When the recipient tries to open the secure message, SSN based authentication is required. Secure Email compares the SSN provided by the authentication provider to the SSN defined by the sender. If the two match, the recipient can read the message.

Social Security Number based authentication requires an additional authentication service provider. Secure Email works with the following protocols/providers:

  • BankID (Sweden and Norway)

  • Finnish Mobile ID

  • Finnish Trust Network (banking recognition with Signicat or Telia)

  • Generic OpenID Connect based SSN authentication

  • NemID

  • Suomi.fi

In addition D-Envelope can be used for sending security classified material (e.g. Finnish national protection level ST IV) when the receivers are previously identified.

Illustrating the example of D-Envelope usage

The sender uses their normal e-mail system to send a message. Adding '.s' at the end of the recipient's address (for example recipient@example.com.s) activates the "Letter" level. The "registered letter" level is used by adding the recipient's mobile phone number and '.s' at the end of the recipient's e-mail address (for example recipient@example.com.040123456.s). The "handed over personally" level is used by adding the personal identification number and '.s' at the end of the recipient's e-mail address (for example recipient@example.com.ddmmyyzxxxx.s). To use the "ST IV" level the sender adds the identifier '.s4' at the end of the recipient's e-mail address (for example recipient@example.com.s4).
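The tagging convention above can be parsed mechanically. The following Python sketch is an added example, not D-Envelope's own code: it splits a tagged address into the real delivery address, the protection level and the identifier. The identifier shapes (a run of digits for the phone number, six digits plus one separator and four characters for the personal identification number) are assumptions taken from the page's placeholders, and rejecting a mistyped identifier instead of silently treating it as part of the domain is a design choice of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed shapes, derived from the placeholders on the page:
#   040123456   -> mobile number: digits only
#   ddmmyyzxxxx -> personal identification number: 6 digits, 1 separator, 4 characters
PHONE_RE = re.compile(r"^\d{6,15}$")
PERSONAL_ID_RE = re.compile(r"^\d{6}[-+A-Za-z][0-9A-Za-z]{4}$")


@dataclass(frozen=True)
class TaggedRecipient:
    address: str                       # delivery address with tag and identifier removed
    level: str                         # "none", "letter", "registered letter", ...
    identifier: Optional[str] = None   # phone number or personal id, if present


def parse_recipient(raw: str, ext: str = "s", stiv_ext: str = "s4") -> TaggedRecipient:
    """Classify one recipient address; ext/stiv_ext are the configurable extensions."""
    local, at, domain = raw.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {raw!r}")

    labels = domain.split(".")
    tag = labels[-1].lower()
    if tag not in (ext.lower(), stiv_ext.lower()):
        return TaggedRecipient(f"{local}@{domain}", "none")

    labels = labels[:-1]               # drop the '.s' / '.s4' tag
    identifier = None
    if tag == stiv_ext.lower():
        level = "ST IV"
    else:
        level = "letter"
        last = labels[-1] if labels else ""
        if PHONE_RE.match(last):
            level, identifier, labels = "registered letter", last, labels[:-1]
        elif PERSONAL_ID_RE.match(last):
            level, identifier, labels = "handed over personally", last, labels[:-1]
        elif last[:1].isdigit():
            # A label that starts with a digit is not a plausible top-level domain,
            # so this is most likely a mistyped identifier. Failing here avoids
            # sending at "letter" level when a stronger level was intended.
            raise ValueError(f"unrecognised identifier {last!r} in {raw!r}")

    if not labels or not all(labels):
        raise ValueError(f"no deliverable domain left in {raw!r}")
    return TaggedRecipient(f"{local}@{'.'.join(labels)}", level, identifier)


if __name__ == "__main__":
    # Constructed sample addresses; the personal id is made up.
    for sample in (
        "recipient@example.com",
        "recipient@example.com.s",
        "recipient@example.com.040123456.s",
        "recipient@example.com.010190-123A.s",
        "recipient@example.com.s4",
    ):
        print(sample, "->", parse_recipient(sample))
```
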

Instead of the actual message, the recipient receives a notification message that contains a link protected with the patented MessageLock™ technology. The actual message can be opened from the link over a TLS protected browser connection. In addition, at the "registered letter" level the recipient is automatically sent a message-specific PIN code by SMS for opening the message. SMS messages are generated and sent from the Secure Email server to the recipient's mobile phone through an SMS gateway.

  • SMS pre-notification (default: off): SMS pre-notification can be used to inform the recipient of a new secure message by text message in Registered letter level.

  • Notification message as SMS message: Notification message of a new secure message can also be received by text message in "registered letter" level. Options are:

    o Email (default)

    o SMS

    o Email and SMS

When using the "handed over personally" level the receiver will be authenticated with bank credentials based on Social Security Number (BankID (Sweden and Norway), Finnish Mobile ID, Finnish Trust Network (banking recognition with Signicat or Telia), Generic OIDC based SSN authentication, NemID, Suomi.fi). Using the "ST IV" level the receiver will need to know the correct URL and pre-set password to open the message (for more details see the National Cyber Security Center Finland's guideline "Usage policy and limitations for protective level 4").

The message is stored on the server for a limited time. The message can be reopened using cookies, a message-specific password or the same authentication method as previously. It is also possible to reply using the secure channel directly to the sender's normal mailbox. In addition, the message may be forwarded to a third party in a secure format.

  • Authorized senders within organization (default: all): Allowed sender addresses can be listed, so that the organization can define who has access to the service. Unauthorized senders receive a notification informing them that they cannot send messages with D-Envelope. The list of allowed senders can be updated from D-Center or synchronized from the organization's server (in real-time or scheduled, for example once a day) using the LDAP/S protocol.

  • Limit number of recipients (default: off): The amount of recipients in a secure message can be limited.

  • Encryption rule based on address (default: off): Encryption rules can be controlled based on addresses. For example all e-mails coming from a specific sender address can be defined to be automatically encrypted. In this case, at least those e-mails must be routed to the Secure Email server.

  • Instantly create an instance for protective level IV (default: off): Secure Email encryption solution is approved by NCSA FI as a solution for handling security classified material (protective level IV). It is possible to instantly create an instance that has the requirements of protective level IV configured. NOTE! This only applies to the instance settings. More definitions can be found in usage policy defined by NCSA FI.

Besides that, it is possible to force the "registered letter" level for specific recipients. In this case the e-mail address and GSM number are paired in D-Envelope so that the sender does not need to include the number in the e-mail message. If the message is marked to be encrypted (.s), a number is defined for the recipient's e-mail address and the domain is allowed to send encrypted mail, the message is sent encrypted with SMS authentication.

  • Sensitivity header (default: off): All incoming e-mails sent through D-Envelope (reply and forward messages) can have a customized "Sensitivity" header (options are personal, private, company-confidential or none).

  • E-mail bounce handling (default: delete attachment): If a sent message is bounced back by the mailer-daemon, the original message can be sent back encrypted and/or with the attachment of the original message deleted.

  • Internal max size in reply (default: off): If the size of the incoming message is larger than the internal mail server allows, D-Envelope sends a notification message instead of the actual message so that it can be read using D-Envelope application.

  • Allowed MIME/attachment types in D-Envelope (default: off): Types of allowed (whitelist) or forbidden (blacklist) attachments in outgoing messages can be defined using MIME types and file extensions.

  • Allowed MIME/attachment types in reply (default: off): Types of allowed (whitelist) or forbidden (blacklist) attachments in reply messages can be defined using MIME types and file extensions.

  • Allowed message size for individual user in reply (default: off): The maximum message size that an individual address or domain is allowed to send can be defined.

Handling messages with D-Envelope

D-Envelope collects the needed information, encrypts the message, temporarily stores it on the server and creates a notification message. E-mails will always be stored on the server in encrypted form. Every e-mail message has a unique encryption key and identifier number that is stored to a database.

  • File encryption: The encryption uses the AES algorithm with a 256-bit encryption key. For key generation, a cryptographically strong random number generator is used.

  • Database information: The identifier is stored in a database along with other relevant information, such as message size, recipient(s) and session control information.

  • Storing encryption key (default: enabled): Storage of the unique encryption key can be disabled. In this case if the notification message disappears, the message cannot be opened anymore. If the encryption key is stored in the database, maintenance has the possibility to generate a new notification message with the link.

  • Storing time of messages: The storing time of messages is adjustable. Messages that haven't been opened are stored on server for a limited time (default: 60 days). Messages that have been opened, but not deleted are stored on the server for a limited time (default: 30 days).

  • Clean deleted messages from database (default: off): When a message is deleted also the message's reference information is deleted from database.

  • Clean old messages from database (default: off): When a message's reference information is older than configuration time (default: 1 year) it is deleted from database.

Notification message

Instead of sending the e-mail message traditionally, D-Envelope sends a notification message to the recipient that informs about the confidential message. The actual message will be held on the Secure Email server and can be read using the link in the notification message. The link opens a TLS encrypted connection and includes the message identifier and the encryption key in an encrypted format. The link is protected with the MessageLock™ technology, so access for reading encrypted e-mail messages is limited. Cookies or password will be required to reopen the message later (see chapter: Re-opening of message).

Example of D-Envelope's notification message

  • Content of notification message: The content of notification message is fully customizable. The message can be sent in Text or HTML format, or both (default). There can be a different notification message for messages sent in "Letter", "Registered letter" and "Handed over personally" level.

  • Special templates: Each sender and receiver e-mail address or domain can have their own personal notification message.

  • Message informs of included attachments (default: disabled): Notification message informs of included attachments if there is any.

In "Registered letter" level SMS authentication is used. SMS authentication offers an additional way of authenticating the receiver. In SMS authentication D-Envelope sends a PIN code as an SMS message to the receiver when the link is opened for the first time. D-Envelope sends the SMS message to the mobile phone through an SMS gateway. In "Letter" level it is also possible to define a password needed to open the message. "Letter" level messages (normal and password protected) can be automatically converted to require "Mail OTP". With Mail OTP a one-time PIN (OTP) code is required when opening the message. The OTP is sent to the recipient's e-mail address after the link has been opened.

  • MessageLock™ technology: The notification message's link contains a message identifier number and encryption key in encrypted format. When the receiver opens the message, the following verifications are done:

    o The validity of the link is verified.

    o The message identifier is matched against information in the database.

    o The IP address of the computer is not found on blacklists (i.e. exploited computers).

    o If the domain has been configured to restrict usage based on IP address, the recipient's IP address is verified to have access.

    o The status of the message (deleted/locked/open) is verified.

    o Optionally, additional checks are performed (no / password / SMS authentication).

SMS authentication supports having more than one phone number assigned to the message. This means that several phone numbers can be added to the end of the receiver's e-mail address and all listed mobile numbers are sent a unique PIN code. This functionality can be used in two mutually exclusive scenarios:

  • The opening of a confidential message must be witnessed by at least two people.

  • A message sent in "Registered Letter" level must be accessible to more than one person.

  • Require all PIN codes associated to a message (default: off): It can be required that all PINs must be entered to open the message. In this case the message does not open unless the receiver has all the PIN codes associated with the message.

  • Additional pre-shared password for "letter" level message (default: off): Sender can define a password needed for the receiver to open a message. Password is placed in the Subject field between chosen identifiers, such as "{}". If system sends automatic messages, password can be added to the message header (e.g., X-Password).

  • Transform mail to use OTP-like security level (default: off): All "letter" or "password level" messages can be transformed to require a one-time PIN code, which is sent to the same e-mail address as the original notification message.

  • Strength of PIN number (default: 4 numbers): It is possible to configure how secure a PIN number of a SMS authenticated message must be (e.g. length and special characters).

  • PIN code entry / order new PIN code: A PIN code can be entered (default: 5) and a new PIN code ordered (default: 10) only a limited number of times. After too many tries the message is locked and cannot be opened again.

  • Notify sender address (default: off): In notification message it is possible to mark a certain address as sender instead of actual sender. For example all e-mails sent from first.name@example.com will be seen as sales@example.com.

  • Define sender and reply-to addresses: Sender address and reply-to address of a notification message can be defined to prevent the sending of possible replies to notification message.

  • Notify sender S/MIME (default: off): Notification messages can be protected with digital signature using S/MIME with sender address.

  • Notify sender, Sender Policy Framework (SPF) support (default: on): SPF specifies which servers are authorized to transmit e-mails. Normally D-Envelope uses the recipient's e-mail address as sender when replying/forwarding secure e-mails. Because of SPF, e-mails going to external addresses might not be delivered to recipients. To avoid this, D-Envelope can change the sender's address in the notification message to the address defined in configuration, and the original sender is marked in the Reply-to field if both sender and recipient are not local addresses. The original sender can be added to the text of the notification message.

  • Allow read receipt (default: on): With a read receipt the sender gets a notification message when the recipient reads the message. The read receipt also includes the identifiers and checksums of the sent message's attachments. This way the sender can verify that the message and attachments have gone through. This is forced to work automatically and the recipient will not be notified of it. Text can be customized.

  • Automatic read receipt (default: off): Read receipt can be forced to specific sender addresses. A read receipt is automatically sent to the original sender when a secured message is opened.

  • Notification of unread message (default: off): If a message has not been read within specified time the sender and/or receiver can be notified of it. Notification will be sent in plain text. Notification time of unread message is configurable per user address.
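The PIN settings listed above (several phone numbers per message, "Require all PIN codes", PIN strength, and the entry and reorder limits) interact, and the following Python sketch models that interaction. It is an added example, not the product's implementation; the class and function names are hypothetical, and counting only wrong entries toward the entry limit is an assumption, since the page does not say whether correct entries count.

```python
import hmac
import math
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


def new_pin(length: int = 4) -> str:
    """Numeric PIN from the OS CSPRNG; 4 digits is the default on the page."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def issue_pins(phones: Iterable[str], length: int = 4) -> Dict[str, str]:
    """One distinct PIN per listed phone number."""
    pins: Dict[str, str] = {}
    for phone in phones:
        pin = new_pin(length)
        while pin in pins.values():
            pin = new_pin(length)
        pins[phone] = pin
    return pins


@dataclass
class PinGate:
    pins: Dict[str, str]          # phone number -> PIN sent to that number
    require_all: bool = False     # "Require all PIN codes" (default: off)
    max_entries: int = 5          # wrong entries allowed before lock (default: 5)
    max_reorders: int = 10        # new PIN orders allowed (default: 10)
    failures: int = 0
    reorders: int = 0
    locked: bool = False
    entered: Set[str] = field(default_factory=set)

    def enter(self, pin: str) -> str:
        if self.locked:
            return "locked"
        hit = None
        for phone, expected in self.pins.items():
            # Constant-time compare against every PIN, without early exit.
            same = hmac.compare_digest(pin.encode(), expected.encode())
            if same and phone not in self.entered:
                hit = phone
        if hit is None:
            self.failures += 1
            if self.failures >= self.max_entries:
                self.locked = True
                return "locked"
            return "wrong pin"
        self.entered.add(hit)
        if self.require_all and self.entered != set(self.pins):
            return "more pins required"
        return "open"

    def reorder(self, phone: str) -> Optional[str]:
        """Replace the PIN for one phone; returns the new PIN to send by SMS."""
        if self.locked or phone not in self.pins:
            return None
        self.reorders += 1
        if self.reorders > self.max_reorders:
            self.locked = True
            return None
        others = {p for k, p in self.pins.items() if k != phone}
        pin = new_pin(len(self.pins[phone]))
        while pin in others:
            pin = new_pin(len(self.pins[phone]))
        self.pins[phone] = pin
        self.entered.discard(phone)
        return pin


def guess_odds(length: int, n_pins: int, tries: int) -> float:
    """Chance that `tries` distinct guesses hit any of `n_pins` PINs (require_all off)."""
    space = 10 ** length
    return 1 - math.comb(space - n_pins, tries) / math.comb(space, tries)


if __name__ == "__main__":
    # Constructed phone numbers and PINs.
    gate = PinGate({"040123456": "4821", "0501234567": "7093"}, require_all=True)
    print(gate.enter("4821"), gate.enter("7093"))
    print(f"1 PIN: {guess_odds(4, 1, 5):.4%}, 2 PINs: {guess_odds(4, 2, 5):.4%}")
```

With the defaults, a second phone number roughly doubles the chance of a successful blind guess unless "Require all PIN codes" is on, which is the trade-off between the two scenarios described above.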

Reading messages

The actual message opens with a browser using a secure connection.

  • Traffic encryption: The receiver opens the e-mail with a browser by clicking the link in the notification message. The connection is established by using standard TLS protocol (https). At server side no weak cipher is allowed so minimum strength of encryption is 128 bits (maximum 256-bit (AES)).

Example of a message that has been sent to an external user via D-Envelope (the user is reading the message in the web interface)

Functions:

  • Reply using the same secure connection

  • Reply all (setting, default: on)

  • Forward (setting, default: off)

  • Saving message (in text, html, zip, only the attachments as a ZIP, encrypted zip or S/MIME encrypted eml)

  • Printing message

  • Deleting message

  • Storing message on the server (limited time only)

  • Logout (Terminate session and possibility to set a password which will be required on the next time link opens)

  • Save as S/MIME encrypted eml (default: on): A receiver of a message sent through D-Envelope can save it in S/MIME encrypted form if he/she has an S/MIME certificate in use.

  • Preview of attachments (default: off): A receiver of a message can see a preview of the sent attachments (supported file types are pdf, jpeg, png, gif, tiff, txt, rtf and office documents). NOTE! For txt, rtf and office document support, required libreoffice packages must be installed.

  • Blocking the download of files (default: off): Storing of attachments to a computer can be prevented by blocking attachment downloads. For example, allowing the attachment preview makes it possible to view the files but not download them.

The user interface language is set according to the browser's language settings. Supported languages are Danish, Deutsch, English, Estonian, Finnish, Latvian, Lithuanian, Norwegian, Russian and Swedish.

  • Disclaimer page (default: off): Before a secure message is opened, the user can be shown a disclaimer about the confidentiality of the message whereby the reader knows that the message is opened unjustly if he/she is not the intended recipient. The disclaimer text can be customized and localized for each supported language.

  • Layout of user interface: Layout will be custom-made to fit into organization's image.

Example of a message that has been sent to an external user via D-Envelope (the user is reading the message in the web interface)

  1. Logo

  2. Colors (CSS)

  3. Buttons (CSS)

  4. Multiple options for envelope logo to choose from (including no logo), default can be seen below

  5. Help can be shown either as a link or an image and it can be customized with CSS via D-Center

The user interface supports responsive layouts. By designing one, the UI will scale depending on the device monitor size.

  • Force user interface language (default: off): Language in user interface can be forced so that only one language is in use. Normally language is set automatically according to browser settings.

  • Recipient can choose interface language (default: off): Secure message recipients can choose to change the interface's language from a dropdown box if this option has been enabled.

  • Domain based IP-restriction (default: none): Domain can be configured to only have restricted usage based on IP address (either single e-mail addresses or full domains). For example employee can be allowed to read secure messages only from organization's internal network.

  • Read only once (default: off): Message can be read only once and will be automatically deleted from the server after it is read.

  • Session expiration (default: one hour): As a message is opened a session is created for the user with which the message is accessible. Session expiration for reply and forwarded messages can also be configured. If session expires, message must be reopened and a new session starts. Users are shown a notification 5 minutes before expiration.

  • Session details: The user's IP address and the browser's user agent can be checked and attached to the session when the message is read. If one or both (default: user agent only) change, the session is invalidated and the message can no longer be read with that session.

  • Customized help document: Texts in help document in user interface can be customized (default: off). Documents can be in PDF or HTML form.

  • Custom HTML content: Custom HTML enables adding own HTML content to user interface (D-Envelope and D-Compose).

  • Check IP address from RBL lists: It can be defined how many RBL lists the message receiver's IP address is checked against, and the administrator can define which lists are used (default: dnsbl.ahbl.org and xbl.spamhaus.org). It can also be defined which IP addresses can bypass RBL lists.

  • Using client certificate to open secure messages (default: off): User may be asked to provide client certificate or a password that will be linked to their e-mail address. The client certificate or user given password must be provided each time a secure message is opened. User can register when opening a secure message for the first time (may require approval by the administrator) or the user must register before a secure message can be sent to them (registration link is sent to the user by administrator).
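For the "Check IP address from RBL lists" setting above, the following Python sketch shows how a DNS blocklist lookup works in general, including the bypass list. It is an added example, not the product's code; the function names are hypothetical, and the resolver is passed in so the logic can be exercised with constructed answers. It treats answers in 127.255.255.0/24 as errors rather than listings, which is how Spamhaus documents its return codes; counting those as hits would block legitimate readers.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

DEFAULT_ZONES = ("dnsbl.ahbl.org", "xbl.spamhaus.org")   # defaults named on the page

Resolver = Callable[[str], Optional[str]]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus error answers


def system_resolver(name: str) -> Optional[str]:
    """A-record lookup through the OS resolver; None means 'no such name'."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = reversed(str(addr).split("."))
    else:
        parts = reversed(addr.exploded.replace(":", ""))
    return ".".join(parts) + "." + zone


def is_listing(answer: Optional[str]) -> bool:
    """True only for a 127.x.y.z answer that is not an error code."""
    if answer is None:
        return False
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return addr in LOOPBACK and addr not in ERROR_CODES


def rbl_hits(
    ip: str,
    zones: Iterable[str] = DEFAULT_ZONES,
    bypass: Iterable[str] = (),
    resolver: Resolver = system_resolver,
) -> List[str]:
    """Zones that list `ip`; addresses inside a bypass network are never checked."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in bypass):
        return []
    return [zone for zone in zones if is_listing(resolver(dnsbl_name(ip, zone)))]


if __name__ == "__main__":
    # Constructed answers standing in for real DNS responses.
    fake_dns = {
        "10.2.0.192.xbl.spamhaus.org": "127.0.0.4",        # listed
        "11.2.0.192.xbl.spamhaus.org": "127.255.255.254",  # error code, not a listing
    }
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, rbl_hits(ip, resolver=fake_dns.get))
    print(rbl_hits("192.0.2.10", bypass=["192.0.2.0/24"], resolver=fake_dns.get))
```
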

A sender of the secured email can decide that strong authentication is required for the Recipient ("Handed over personally" security level). If strong authentication for the recipient is required he/she has to attempt authentication by using one of the following SSN based authentication methods (methods are configured and enabled by administrator):

  • BankID (Sweden and Norway)

  • Finnish Mobile ID

  • Finnish Trust Network (banking recognition with Signicat or Telia)

  • Generic OpenID Connect based SSN authentication

  • NemID

  • Suomi.fi

Strong authentication offers receiver's name and social security number. The connection between Secure Email and service provider is established by using standard TLS protocol (https).

  • Electronic authentication determined by sender (default: off): The receiver can be identified with a social security number added to the message. Sender adds receiver's social security number at the end of the e-mail address and then adds the '.s' identifier (for example, receiver@company.com.ddmmyyzxxxx.s). The receiver is authenticated electronically by using one of the supported SSN authentication services. Only the receiver with correct social security number can open the message.

  • Please note: If this configuration is enabled at least one of the following configurations has to be enabled:

  • BankID authentication (default: off): When message is opened user is authenticated with BankID authentication and message is locked to user. If read receipt is enabled the user's social security number or just four last digits is sent to sender as read receipt message. Customer must have an agreement with Svensk e-identitet (Sweden), or Signicat (Sweden and Norway).

  • Finnish Mobile ID authentication (default: off): When message is opened user is authenticated with Mobile ID and message is locked to user. If read receipt is enabled the user's social security number or just four last digits is sent to sender as read receipt message. Customer must have an agreement with Elisa.

  • Finnish Trust Network authentication (default: off): When message is opened user is authenticated with trust network banking recognition (Signicat or Telia OIDC authentication). Customer must have an agreement with Signicat or Telia.

  • Generic OpenID Connect based SSN authentication (default: off): Secure Email supports any authentication services which are following OpenID Connect standard and provide user's SSN.

  • Configuration of the Generic OpenID Connect Authentication requires API specification from the authentication service provider.

  • NemID authentication (default: off): When message is opened user is authenticated with NemID authentication and message is locked to user. If read receipt is enabled the user's social security number or just four last digits is sent to sender as read receipt message. Customer must have an agreement with or Signicat.

  • Suomi.fi authentication (default: off): When message is opened user is authenticated with Suomi.fi eIdentification and message is locked to user. If read receipt is enabled the user's social security number or just four last digits is sent to the original sender as read receipt message. Customer must have a contract with eSuomi. Suomi.fi e-Identification enables the citizens of Finland and the European Union to be recognized in a safe way by using various identification media such as bank-id and mobile certificates. The identification service environment is meant for the use of governmental authorities, agencies and institutions, courts of law and other judicial bodies.

Replying to messages securely

The recipient can reply to the original message by using the same secure TLS connection between browser and D-Envelope that was used to read the message. Attachments can also be added to the message and it is possible to configure automatic virus scan for the attachments. The reply message is sent from D-Envelope back to the original sender through the organization's internal network. (See picture: Example of D-Envelope usage).

  • Originator text (default: on): The originator text will be seen in the beginning of the e-mail message.

  • Allow reply to expired message (default: on): It is possible to reply to an expired message if a receiver wants to start a secure messaging with the original sender of the message. Although an expired message cannot be read, the recipient can reply to the original sender with a new secure message.

Example of a reply possibility to expired D-Envelope message

  • Prevent reply to specific address (default: off): Determine a list of e-mail addresses to which it is not possible to reply. The message is missing a reply button altogether if the sender is on this list. This can be used to prevent reply messages to automatically generated messages whenever sent from a particular address, for example.

  • Allow adding recipients in reply (default: off): If enabled, users can add additional recipients when replying to messages. The recipients can be restricted to ones with a domain local to the Secure Email server, or permitted globally to anyone. Messages destined outside of the organization's internal network are delivered securely as D-Envelope messages.

Re-opening of messages

A message can be opened again if the user logs out of the system and stores the message on the server for a limited time. Reopening requires authentication that can be based on cookies, password, PIN code or strong SSN based authentication.

If the authentication is based on cookies, a cookie is saved to the browser and while opening the message user will be automatically identified with it. Message can only be reopened from the same computer/browser. If the authentication is based only on password or PIN code, the message can also be reopened from different computer/browser. It is also possible that both cookies and password or PIN are required when reopening the message. In this case the message can only be reopened from the same computer/browser with password or PIN.

  • Password logout in "letter" level (default: on): Authentication in re-opening can be based on password or both password and cookies. User must enter own password in logout.

  • PIN code logout in "letter" level (default: off): The user can enter their mobile number and receive a SMS message with PIN code next time the message is opened.

  • Strength of password: It is possible to configure how secure the password must be (e.g. length, special characters, numbers and dictionary check for commonly used passwords).

  • Amount of password tries: Password needed to re-open a message can be entered limited amount of times (default: 5) before the message is locked and cannot be opened again.

  • Logout confirmation for closing a tab (default: on): JavaScript confirmation box pops up if user tries to close a page without using log out button.

Forwarding messages securely

The recipient can forward a message using the same secure TLS connection between browser and D-Envelope. The forwarded message is first sent to D-Envelope which creates a new unique secure message and sends a notification message.

  • Forward exact copy only (default: off): Only an exact copy of the message can be forwarded. In other words, the original secure message cannot be modified when it is forwarded in the user interface.

Secure Email Desktop Outlook plug-in

Secure Email Outlook plugin for Windows Outlook clients provides a graphical interface for selecting the appropriate security level for confidential information leaving the organization, and facilitates a more streamlined implementation of data security policies for the e-mail channel.

Secure Email Outlook plugin also provides additional granularity for applying security controls to the e-mail channel, while improving the end user experience and at the same time minimizing end user training requirements via a more intuitive user interface.

Plugin installs as a button in the ribbon and can also be configured to prompt automatically upon pressing Send button. The plugin allows users to set recipient-specific security levels for each message.

All settings can be forced to specific values and users can customize any non-forced settings.

Administrator can lock settings so that the end user cannot change the value or even decide if the setting is visible in the end user interface. Also names of security levels are customizable to match company's instructions and policies.

  • Secure Email server address: Secure Email server address is required if centralized configuration management is in use or there is a need for D-Internal.

  • Extension (default: "s"): Domain extension used to tag e-mails for encryption service.

  • STIV extension (default: "s4"): Domain extension used to tag e-mails for "ST IV" level email security. Note that this requires the creation of a separate instance into the Secure Email with a dedicated domain to process these emails.

  • Available security levels in plugin: Security level can be selected for each recipient separately. Depending on configuration, the security levels are: Letter, Registered letter, Handed over personally and ST IV.

  • Default security levels in plugin: User can choose the default security level that is automatically suggested when a message is sent. Depending on configuration, the options are: none, no encryption, Letter, Registered letter, Handed over personally, ST IV and strongest available. Necessary additional identifiers can be retrieved automatically from address book (and added information stored to contacts).

  • Utilization of address book: It is possible to save the contact's mobile number (default: on) and social security identifiers (default: off) to the Outlook address book. Also possible to create a new contact and save the information when there is no existing contact (default: on).

Plugin also features message-specific settings such as making the messages readable only once and setting how long the message can be read.

  • Show Message options button (default: on): If this option is selected the message-specific options chosen become available.

  • Read receipt in plugin (default: on): User can choose to request a read receipt when the message has been opened for the first time without going to Outlook settings.

  • Readable only once in plugin (default: on): If this option is chosen the message can only be read once and will be automatically deleted from the server after it is read.

  • Time message is readable in plugin (default: on): User can choose how long an unread or read message is stored on the server. Possible to define a maximum limit the user can set for storing unread or read messages. If user tries to enter a longer time than allowed it is reset to the maximum and the field is highlighted.

  • Disable reply and forward (default: off): Reply and/or Forward functions can be disabled in specific messages.

  • Use message-specific password in plugin (default: off): Message-specific password can be set that is needed to open the message sent in "Letter" level.

  • Attachment preview in plugin (default: off): Attachment preview can be set for specific messages that prevents the receiver from downloading attachment.

  • Prompt plugin popup: Possible to choose that popup always opens from Send button (default: off) or that popup will not be displayed when all receivers share sending e-mail addresses' domain (default: on). In addition the domains that always prompt the plugin popup can be defined.

  • Increase security level for all in plugin (default: off): Possible to increase the security level to all receivers of the message simultaneously. This function upgrades the lowest security level by one level until at the same level as the highest. Then all receivers are upgraded by one step at the time. It is also possible to simultaneously downgrade all receivers to have no encryption.

  • Enable digital signature (default: off): It is possible to integrate the Outlook plugin with secSigned solution for digital signatures. The signing process can be started directly from the user's e-mail client with Secure Email Outlook plugin.

Plugin supports using internal e-mail traffic protection (D-Internal).

  • Enable D-Internal Support (default: off): If this option is enabled the user can choose when to use internal e-mail protection (options: never, only with secure levels or always).

Secure Email Office 365 webmail plug-in (OWA)

Secure Email plugin for Office 365 webmail (OWA) provides a graphical interface for selecting the appropriate security level for confidential information leaving the organization, and facilitates a more streamlined implementation of data security policies for the e-mail channel.

The OWA plugin installs as a button in the message composing view. The OWA plugin allows users to set recipient-specific security levels for each message. If the plugin has been enabled through D-Center it can be installed organization wide in Outlook Web App administrator control panel, or per user in the users own options. The OWA plugin supports centralized configuration management just like desktop Outlook plugin does, but the configurations are separated from each other.

Following settings are available and configurable via D-Center:

  • Secure Email server address: Secure Email server address is required if centralized configuration management is in use or there is a need for D-Internal.

  • Extension (default: "s"): Domain extension used to tag e-mails for encryption service.

  • STIV extension (default: "s4"): Domain extension used to tag e-mails for "ST IV" level email security. Note that this requires the creation of a separate instance into the Secure Email with a dedicated domain to process these emails.

  • Available security levels in plugin: Security level can be selected for each recipient separately. Depending on configuration, the security levels are: Letter, Registered letter, Handed over personally and ST IV.

  • Default security levels in plugin: User can choose the default security level that is automatically suggested when a message is sent. Depending on configuration, the options are: none, Letter, Registered letter, Handed over personally and ST IV.
