Enhancing email security with s mime
1 / 31

Enhancing Email Security with S/MIME - PowerPoint PPT Presentation

  • Uploaded on

Enhancing Email Security with S/MIME. Chuck Connell, www.chc-3.com www.DominoAdministration.com , www.DominoSecurity.org. Introduction. Worked at Lotus from 90 to 95 Managed Notes C API team, architect in (short-lived) “enterprise applications” group, business partner technical liaison

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Enhancing Email Security with S/MIME' - tynice

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Enhancing email security with s mime

Enhancing Email Security with S/MIME

Chuck Connell, www.chc-3.com




  • Worked at Lotus from 90 to 95

  • Managed Notes C API team, architect in (short-lived) “enterprise applications” group, business partner technical liaison

  • Began my own business in 1995

  • Notes/Domino consulting, writing, teaching CS at Boston University

  • Security expert at www.SearchDomino.com


  • What is S/MIME?

  • Why do we care about it?

  • Secrecy, authentication, and integrity

  • Cryptography primer, including public key techniques and certificates

  • How S/MIME works

  • Where S/MIME is used in Notes/Domino

  • How to use S/MIME


  • Experienced with Notes, Domino, general email topics

  • Used some encryption/privacy tools

  • Not a security expert or mathematician (will skip gory details)

  • My goal is to explain a fairly complex topic to a generally knowledgeable computer audience

What is s mime
What is S/MIME?

  • When email was first developed, people could only send plain text messages

  • MIME was developed in early 90s to allow people to send pictures, sound, programs and general attachments -- “Multipurpose Internet Mail Extension”

  • MIME has no security features, can be read along its route or forged (easily)

  • S/MIME is a secure version of MIME

What does s mime give us
What does S/MIME give us?

  • Secrecy – Only intended recipient can read the message. (A thick envelope and trustworthy couriers.)

  • Authentication – Recipient knows the message came from the apparent sender. (An ink signature that you recognize.)

  • Integrity – Recipient knows the message was not changed en route. (Un-erasable ink in a letter.)

Cryptography primer
Cryptography primer

  • Secret key (a.k.a symmetric cipher)

  • Public key (a.k.a. asymmetric cipher)

    • Secrecy

    • Authentication

    • Secrecy and authentication

  • Hashing (a.k.a. message digest)

  • Public key certificate (X.509)

Symmetric cipher
Symmetric cipher

  • Dates back thousands of years

  • A “key” is scrambled into the message in a way that makes the message unreadable

  • Scrambling method can be pencil and paper, mechanical, or mathematical

  • Key can be numbers, letters, text from a book

  • Only way to read the message (easily) is to unscramble it with the same key

  • Sender and receiver must exchange key somehow

Public key cryptography pkc
Public key cryptography (PKC)

  • Invented in 1970s

  • There are two keys; one public for all to see, the other kept secret to one person

  • Keys are pairs of large numbers, related to prime number theory

  • Message is scrambled with one key; only unscrambled easily with the other key

  • Can be used for secrecy, authentication, or both

Pkc for secrecy only
PKC for secrecy only

  • Chuck wants to send message that only Katie can read

  • Ciphertext = PKC(plaintext, katie’s public key)

  • Plaintext = PKC(ciphertext, katie’s private key)

  • Only Katie can decrypt the message, and Chuck does not have to send her a key

Pkc for authentication only
PKC for authentication only

  • Chuck wants to send message to Katie and prove it is from him

  • Ciphertext = PKC(plaintext1, chuck’s private key)

  • Chuck sends ciphertext and plaintext1

  • Plaintext2 = PKC(ciphertext, chuck’s public key)

  • Katie compares plaintext1 (sent) with plaintext2 (decrypted)

  • If they match, only Chuck could have sent the message.

Pkc for secrecy and authentication
PKC for secrecy and authentication

  • Chuck wants to send secret message to Katie and prove it is from him

  • Cipher1 = PKC(plaintext1, chuck’s private key)

  • Cipher2 = PKC(Cipher1 and plaintext1, katie’s public key)

  • Chuck sends Cipher2

  • Cipher1 and Plaintext1 = PKC(Cipher2, katie’s private key)

  • Plaintext2 = PKC(Cipher1, chuck’s public key)

  • Katie compares plaintext1 (sent) with plaintext2 (decrypted)


  • A one-way operation that is hard to undo

  • Often results in a shorter message, which is called a message digest

  • Example: “Let’s have breakfast at Dunkin Donuts”  “h7tfd8Fr”

Public key certificate
Public key certificate

  • But, there is a problem with PKC… How does Katie know it is really Chuck sending her the message. Someone could pretend to be Chuck.

  • Public key certificates solve this problem (mostly)

  • A public key certificate contains

    • A person’s name

    • That person’s public key

    • Name of a trusted certifying authority (CA)

    • Digital signature of the CA, using their private key

  • Certificate can be verified with CA’s public key

  • X.509 is most common format

So what is s mime
So what is S/MIME?

  • S/MIME puts all these techniques together to create a practical, efficient, reasonably secure email protocol

  • Standard (symmetric) cipher – RC2 or TripleDES

  • Public key (asymmetric) cipher – RSA

  • Hashing – SHA-1 or MD5

  • (Mathematical details found in references)

S mime for secrecy only
S/MIME for secrecy only

  • Chuck’s email program creates a random key (session key) to be used in a symmetric cipher.

  • Chuck’s email program encrypts the message with the symmetric cipher and session key.

  • Chuck’s email program encrypts the session key with PKC and Katie's public key.

  • Chuck’s email program creates a package of: encrypted message, encrypted session key, his X.509 certificate, names of encryption algorithms.

S mime for secrecy continued
S/MIME for secrecy, continued

  • Chuck’s email program sends package to Katie. This is an S/MIME email message.

  • Katie’s email program receives package.

  • Katie's email program uses her private key (and named PKC method) to decrypt the session key.

  • Katie’s email program uses session key (and named symmetric cipher) to decrypt the message.

S mime for authentication only
S/MIME for authentication only

  • Chuck’s email program uses hash function to create message digest

  • Chuck’s email program encrypts message digest with PKC and his private key

  • Chuck’s email program creates a package of: original message, encrypted message digest, his X.509 certificate, names of encryption algorithms

  • Chuck’s email program sends package to Katie.

  • Katie's email program receives package

S mime for authentication continued
S/MIME for authentication, continued

  • Katie’s email program verifies Chuck’s X.509 certificate by testing signature of CA

  • Katie’s email program gets Chuck’s public key from his certificate

  • Katie's email program uses Chuck’s public key to decrypt the message digest

  • Katie's email program independently computes the message digest, using the same hash function

  • Katie's email program compares the two message digests to verify sender and message integrity

S mime for secrecy and authentication
S/MIME for secrecy and authentication

  • Message is authenticated just as shown above

  • Authenticated package is made secret, just as shown above

  • Secret package is sent to recipient

  • Receiver uses his/her private key to decrypt session key

  • Receiver uses session key to decrypt rest of secret package, yielding authenticated message

  • Receiver authenticates message, just as shown above

So s mime is used for notes mail
So S/MIME is used for Notes mail?

  • No! For pure Notes email (Notes and Domino) S/MIME is not needed. Notes has its own, similar, methods.

  • S/MIME is used whenever pure Notes email is not available

    • From Notes, through Domino, to other email

    • From Notes, through standard server, to any email

    • From other email, through Domino, to any email

Using s mime
Using S/MIME

  • Get a digital identification

  • Set up Domino server for S/MIME

  • Use S/MIME with general email clients

  • Use S/MIME with Notes

Getting a digital identification
Getting a digital identification

  • A digital ID is

    • Your name

    • Public/private key pair

    • Public key certificate for this ID

  • Most popular vendors are www.Thawte.com and www.VeriSign.com

  • Thawte is free, but VeriSign is only $15/year and simpler to use

Setting up domino for s mime
Setting up Domino for S/MIME

  • Do nothing! (other than standard Internet mail set up)

  • (If anyone is aware of special settings that are required, please let me know.)

S mime with standard email clients e g outlook express
S/MIME with standard email clients (e.g. Outlook Express)

  • If you got your digital ID on this computer, it is already installed (Can see the ID with Start / Settings / Control Panel / Internet Options / Content / Certificates)

  • For secrecy, just press Encrypt

  • For authentication, just press Sign

  • When receiving a message, you will see security symbols near the attachment paperclip

Using s mime with notes
Using S/MIME with Notes

(Assuming digital ID already on Windows computer)

  • Export digital ID from Windows

  • Import digital ID to Notes ID file

  • Make sure this certificate will be used for Internet mail from Notes

  • Use digital ID as you send and receive email


For further reading
For further reading

  • Excellent online overview of cryptography: www.rsalabs.com/faq/

  • Cryptography and Network Security by William Stallings – Good general security textbook. www.amazon.com/exec/obidos/ASIN/0138690170

  • S/MIME Internet task force: www.imc.org/ietf-smime/index.html

  • Relationship between S/MIME and PGP/MIME: www.imc.org/smime-pgpmime.html