Secure MIME (S/MIME) and digital certificates offer channel professionals a low-cost way to improve their customers' email security. This tip explains how to implement S/MIME and covers best practices for securing email and for using digital certificates for email encryption.
MIME (Multipurpose Internet Mail Extensions) is the most common protocol used for sending non-text files such as audio, video and images via email, and is an extension of the original Internet email protocol SMTP. S/MIME (Secure MIME) is a version of MIME that adds RSA-based encryption and digital signatures, and it has become the standard method for sending secure email. S/MIME's strength is its ability to validate the identities of email senders and recipients through digital signatures. It is supported by all the major email programs, such as Outlook, Outlook Express and Netscape Messenger. This makes using S/MIME fairly straightforward, particularly as the sender and recipient don't need to use the same S/MIME-compliant email program, though browser-based email accounts such as Hotmail don't yet support S/MIME.
How to send an email with Secure MIME
In order to send an email utilizing S/MIME, you need a digital certificate. Your digital certificate allows you to sign your messages so that recipients can verify that mail claiming to come from your email address really did come from it. When you send a digitally signed message, your digital certificate is sent along with the message so that the recipient can use it to verify that the message is from you and has not been modified in transit. Anyone who has your digital certificate can then use the public key stored in it to encrypt a reply that only you can read, because decrypting it requires the corresponding private key installed on your machine. Likewise, if you wish to send an encrypted email message to someone else, you must first obtain their digital certificate so that you can use their public key to encrypt the message; only their private key can then decrypt it.
Having to obtain someone's digital certificate before you can encrypt a message to them means that S/MIME is not really practical for a large organization wanting to send encrypted messages to thousands of clients. However, as S/MIME provides a high level of sender authentication, it is surprising that more organizations haven't installed a public key infrastructure or created an enterprise directory in order to implement S/MIME as a defence against today's attacks. If every message leaving a corporate mail server were signed with the organization's certificate, recipients could easily identify fake messages, as they wouldn't carry a valid digital signature.
Thawte offers free, globally recognized, personal email certificates that are signed by their certification authority. If your organization runs Windows Active Directory you can use the free Microsoft Certification Authority that can issue certificates for domain users. If, however, your organization wishes to sign messages going to the general public, it may be better to get a certificate from a recognized Certificate Authority such as VeriSign or Thawte. Either way, you should take advantage of the 128-bit encryption levels now supported by email programs.
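The sign, verify, encrypt and decrypt flow described above, worked through with the OpenSSL command-line tool. This is an added example and not part of the original tip: the names, addresses, message text and self-signed certificates are constructed for the demo, where a CA-issued certificate (enterprise or public, as discussed above) would stand in for the self-signed one.

```shell
#!/bin/sh
# Added demo of the S/MIME flow with the OpenSSL CLI: self-signed certs stand in for
# CA-issued ones; names, addresses and message text are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Issue a self-signed email certificate and private key for one party.
make_cert() {   # $1 = name, $2 = email address
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender signs with her private key; her certificate travels inside the message.
sign_message() {   # $1 = sender name, $2 = plaintext file, $3 = output file
    openssl smime -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -from "$1@example.com" -to "bob@example.com" -subject "signed" -out "$3"
}

# Recipient checks the signature and chains the signer's cert to a trusted anchor.
# Writes the signed body on success, returns non-zero on any failure.
verify_message() {  # $1 = signed message, $2 = trusted cert, $3 = output file
    openssl smime -verify -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# Encrypt to the public key in the recipient's certificate (AES-256 content key).
encrypt_message() { # $1 = plaintext file, $2 = recipient cert, $3 = output file
    openssl smime -encrypt -aes256 -in "$1" -out "$3" "$2"
}

# Only the matching private key can open the envelope.
decrypt_message() { # $1 = envelope, $2 = private key, $3 = cert, $4 = output file
    openssl smime -decrypt -in "$1" -inkey "$2" -recip "$3" -out "$4"
}

# Round trip: 0 only if the genuine message verifies, a tampered copy is rejected,
# and the encrypted reply decrypts back to its text.
demo() {
    make_cert alice alice@example.com
    printf 'Quarterly figures attached.\n' > "$WORK/msg.txt"
    sign_message alice "$WORK/msg.txt" "$WORK/signed.eml"
    verify_message "$WORK/signed.eml" "$WORK/alice.crt" "$WORK/verified.txt"
    sed 's/Quarterly/Monthly/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    if verify_message "$WORK/tampered.eml" "$WORK/alice.crt" /dev/null; then return 1; fi
    printf 'Received, thanks.\n' > "$WORK/reply.txt"
    encrypt_message "$WORK/reply.txt" "$WORK/alice.crt" "$WORK/reply.p7m"
    decrypt_message "$WORK/reply.p7m" "$WORK/alice.key" "$WORK/alice.crt" "$WORK/reply.out"
    # grep rather than cmp: S/MIME canonicalises the body to CRLF line endings.
    grep -q 'Quarterly figures' "$WORK/verified.txt" && grep -q 'Received, thanks' "$WORK/reply.out"
}
```

Run `demo` to execute the round trip; in a real deployment `-CAfile` points at the issuing CA's certificate rather than the sender's own.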
Sending Secure MIME from a Web site
If you wish to send S/MIME email directly from a Web site, you can use AspEncrypt. This is an Active Server component that can be used in tandem with AspEmail to send encrypted and signed mail. It also allows your ASP, ASP.NET and VB applications to issue and manage X.509 digital certificates.
It is important to remember that although S/MIME email is transmitted securely, once it is decrypted and read by the recipient, it can be copied or printed without limit, so always consider the nature and sensitivity of an email's contents before sending it. You must also protect the private key associated with your digital certificate, as this literally is the key to your digital identity.
About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in September 2005