How to secure e-mail with S/MIME


Michael Cobb
09.20.2005


MIME (Multipurpose Internet Mail Extensions) is the most common protocol used for sending non-text files such as audio, video and images via e-mail, and is an extension of the original Internet e-mail protocol, SMTP. S/MIME (Secure MIME) is a version of MIME that adds RSA-based encryption and digital signatures, and it has become the standard method for sending secure e-mail. S/MIME's strength is its ability to validate the identities of e-mail senders and recipients through digital signatures. It is supported by all the major e-mail programs, such as Outlook, Outlook Express and Netscape Messenger. This makes using S/MIME fairly straightforward, particularly as the sender and recipient don't need to use the same S/MIME-compliant e-mail program, though browser-based e-mail accounts such as Hotmail don't yet support S/MIME.

In order to send an e-mail utilizing S/MIME you need a digital certificate. Your digital certificate allows you to sign your messages so that recipients can verify that mail bearing your e-mail address really came from you. When you send a digitally signed message, your digital certificate is sent along with the message so that the recipient can use it to verify that the message is from you and has not been modified in transit. Anyone who has your digital certificate can then use the public key stored in it to encrypt a reply that only you can read, because decrypting it requires the corresponding private key installed on your machine. Likewise, if you wish to send an encrypted message to someone else, you must first obtain their digital certificate so that you can use their public key to encrypt the message; only their private key can then decrypt it.


Having to obtain someone's digital certificate in order to encrypt a message to them means that S/MIME is not really practical for a large organization wanting to send encrypted messages to thousands of clients. However, since S/MIME provides a high level of sender authentication, it is surprising that more organizations haven't installed a public key infrastructure or created an enterprise directory in order to implement S/MIME as a deterrent to today's phishing attacks. If every message leaving a corporate mail server were signed with the organization's certificate, recipients could easily identify fake messages, as those would not carry a valid digital signature.

Thawte offers free, globally recognized, personal e-mail certificates that are signed by their certification authority and are available at http://www.thawte.com/email. If your organization runs Windows Active Directory you can use the free Microsoft Certification Authority that can issue certificates for domain users. If, however, your organization wishes to sign messages going to the general public, it may be better to get a certificate from a recognized Certificate Authority such as VeriSign or Thawte. Either way, you should take advantage of the 128-bit encryption levels now supported by e-mail programs.

If you wish to send S/MIME e-mail directly from a Web site, you can use AspEncrypt available at www.aspencrypt.com. This is an Active Server component that can be used in tandem with AspEmail to send encrypted and signed mail. It also allows your ASP, ASP.NET and VB applications to issue and manage X.509 digital certificates.

It is important to remember that although S/MIME e-mail is transmitted securely, once it is decrypted and read by the recipient, it can be copied or printed without limit, so always consider the nature and sensitivity of an e-mail's contents before sending it. You must also protect the private key associated with your digital certificate, as this literally is the key to your digital identity.

About the author
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.



