Manage

Can the symmetric encryption algorithm for S/MIME messages be changed?

Encryption algorithm requirements ensure a base level of interoperability among all S/MIME implementations. Email clients, however, can add additional algorithms, provided they correctly identify which algorithms a particular message uses. Expert Michael Cobb explains how.

Michael Cobb

Which symmetric encryption algorithm is used to secure S/MIME messages? Is there a way to change and/or choose the algorithm?

In the 1990s, RSA Security developed S/MIME (Secure / Multipurpose Internet Mail Extensions), an encryption standard used today by most popular email clients. Whereas MIME specifies rules for how an electronic message, and its many parts, should be organized, version 3 of S/MIME describes how encryption information and a digital certificate can be included as part of the message body. Version 3 consists of several organizational notes, or requests for comments (RFCs), that cover the following cryptographic security services:

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

authentication

message integrity

non-repudiation of origin

privacy and data security

To provide these services, S/MIME uses the X.509v3 format for digital certificates, along with various encryption algorithms. Non-repudiation actions, for example, require a public-key algorithm, while privacy and data security need a fast and efficient symmetric encryption algorithm.

RFC 3370 identifies the algorithms that all S/MIME version 3 software must support. These are Secure Hash Algorithm 1 (SHA-1) and Message Digest-5 (MD5) for hashing, Digital Signature Algorithm (DSA) and RSA for signatures, and RC2 and triple Data Encryption Standard (3DES) for message encryption. The requirements ensure a base level of interoperability among all S/MIME implementations. Email clients, however, can add additional algorithms, provided they correctly identify which algorithms a particular message uses.

The United States government no longer restricts encryption strength, and the default encryption algorithm in Outlook, Outlook Web Access and most email clients is 3DES. Although it is slower than the original DES, the triple Data Encryption Standard is more secure. When Microsoft Outlook runs on a 40-bit operating system that does not have 128-bit encryption capabilities, it uses the RC2 algorithm by default.

Depending on the email client you use, it can be tricky to change this default setting. The figure below shows the security properties that you can set in Outlook Express 6, which include the encryption algorithm. In Outlook 2003's online help feature, there is no mention of how to change the algorithm. However, there is no particular reason to need to change this setting.

Figure 1: Outlook Express 6 Security Settings

More information:

Expert Joel Dubin explains PGP and S/MME's distinct approaches to email coding.

Visit our resource center for news, tips and expert advice on how to use SMIME/PGP encryption methods to secure email transmissions.

This was last published in September 2007

What are the top secure data transmission methods?

How to send secure email attachments

What are the most important email security protocols?

Efail flaws highlight risky implementations of PGP and S/MIME

Cloud computing forensics techniques for evidence acquisition

5 PaaS security best practices to safeguard the application layer

Private vs. public cloud security: Benefits and drawbacks

SolarWinds: Lessons learned for network management, monitoring

7 key SD-WAN trends to evaluate in 2021

10 network security tips in response to the SolarWinds hack

What CIOs need to know about the future of hyperautomation

3 steps to recalibrate a strategic IT roadmap

Experts predict hot enterprise architecture trends for 2021

Otter.ai helps Google Meet stay competitive

Will Windows 10 be the last Windows OS?

CES: Laptops sport designs friendly for remote workers

CS degrees vs. cloud certifications: Compare the pros and cons

Cloud infrastructure automation: When and where to use it

IBM acquisition spree targets hybrid cloud consulting market

Australia’s IT spending set to bounce back in 2021

Virtualisation, automation and network slicing increasing operators’ focus

The ransomware routine: pages from the Secret IR Insider’s diary