08/20/2021 | News release | Distributed by Public on 08/20/2021 10:37
Key Points:
As an email makes its way across the internet, it stops at various servers and routers along the way. It's possible that at any of these stops, prying eyes may pick up the message and read its contents or insert a fake response, resulting in stolen login credentials or traffic rerouted to a phishing site, for example. These man-in-the-middle (MitM) attacks are difficult to detect, but they can be thwarted using S/MIME's encryption and digital signatures.
What Is S/MIME?
S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions, is an email-signing and encryption protocol that encrypts email messages and adds a digital signature. It can also compress a message to reduce its size. S/MIME is not a new standard, but it has been steadily improved over time. The most recent version, S/MIME version 4.0, includes updates to the standard's content-encryption, signature and digest algorithms.[i]
More specifically, S/MIME's encryption scrambles email messages so they can only be accessed by their recipients using a private key to decrypt the messages. It prevents anyone else - namely, attackers - from intercepting and reading the emails as they travel from senders to receivers.
S/MIME's digital signatures also protect the security of email messages in three ways:
How Does S/MIME Work?
S/MIME uses asymmetric cryptography with a public/private key pair. The two keys are mathematically related so that a message encrypted using the public key can only be decrypted using the private key. Each sender and receiver obtains both a public and a private key. The public key is published and encrypts the email; the private key is kept secret and decrypts the email. Once a person hits 'send' on an email, S/MIME sending agent software encrypts the message using the recipient's public key, and the receiving agent decrypts the message using the recipient's private key, as shown in the diagram. Of course, this requires both sender and receiver to support S/MIME.
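The round trip described above, as an added example that is not part of this release: a message is signed and verified, then encrypted to the recipient's public key and decrypted with the matching private key, using the openssl command-line tool. The certificate is a constructed self-signed one standing in for a CA-issued certificate, and the file names and message text are made up for the demo.

```shell
#!/bin/sh
# Added example: S/MIME sign/verify and encrypt/decrypt with openssl.
# A throwaway self-signed certificate stands in for a CA-issued one so
# the script runs offline. All paths and the message body are constructed.
set -e
WORK=$(mktemp -d)

# Recipient key pair plus self-signed X.509 certificate (binds identity to public key).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Alice Example/emailAddress=alice@example.test" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null

# Constructed plaintext body.
printf 'The Q3 figures are attached.\nPlease review before Friday.\n' > "$WORK/msg.txt"

# Sign with the sender's private key; -text wraps the body as text/plain.
sign_message() {
  openssl smime -sign -text -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/msg.signed"
}

# Verify the signature; -CAfile trusts our self-signed cert as the root.
verify_message() {
  openssl smime -verify -text -in "$WORK/msg.signed" -CAfile "$WORK/alice.crt" \
    -out "$WORK/msg.verified" 2>/dev/null
}

# Encrypt to the public key in the recipient's certificate.
encrypt_message() {
  openssl smime -encrypt -aes256 -in "$WORK/msg.txt" -out "$WORK/msg.enc" "$WORK/alice.crt"
}

# Only the holder of alice.key can recover the plaintext.
decrypt_message() {
  openssl smime -decrypt -in "$WORK/msg.enc" -recip "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/msg.dec"
}

# Integrity check: alter the clear-signed body and confirm verification fails.
tampered_verify_fails() {
  sed 's/Q3/Q4/' "$WORK/msg.signed" > "$WORK/msg.tampered"
  ! openssl smime -verify -text -in "$WORK/msg.tampered" -CAfile "$WORK/alice.crt" \
      -out /dev/null 2>/dev/null
}
```

In a real deployment the certificate comes from the CA chain configured by the administrator, and the sender encrypts with the recipient's certificate rather than their own.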
S/MIME Certification
Before S/MIME can be configured, every sender and receiver needs a digital certificate that binds the person's identity to a public key. An administrator is usually responsible for configuring S/MIME and issuing digital certificates. In fact, a best practice for an administrator is to issue two certificates for each user, one for signing and one for encryption.[ii]
Certificate Authorities (CAs) issue trusted X.509 certificates, which attest that a public key belongs to the person named in the certificate. A root certificate, signed by the CA, is used to create and sign other certificates in a tree-like or chained structure. Both Microsoft and Google recommend configuring at least two levels in the chain so that the root certificate does not directly issue user certificates.
Before choosing a CA, an administrator should check the list of supported CAs for the company's email system. Choosing only one or two CAs will simplify certificate management tasks, such as monitoring certificate expiration dates and scanning for shadow certificates that users acquired using other CAs.
How to Configure S/MIME
In a business setting, an administrator is also responsible for defining policies for using S/MIME encryption and signatures in email client software. Here we look at specific directions for two email systems: Microsoft Outlook and Google Workspace.
Enabling S/MIME on Outlook: Microsoft provides step-by-step instructions for configuring S/MIME for Exchange.[iii] These cover email clients using Outlook, the Outlook Web app and Outlook on mobile devices. The process consists of five steps:
Enabling S/MIME on Gmail: Like Microsoft, Google provides step-by-step instructions for configuring hosted S/MIME on Google Workspace.[iv] This process also consists of five steps:
How to Send an S/MIME Encrypted Mail
When a user composes a message in Gmail, a lock icon appears next to each recipient who has S/MIME enabled. If the user addresses the email to multiple recipients and those recipients support different levels of encryption, Gmail will use the lowest level of encryption supported by all recipients.
When composing a single message in Outlook, users can select 'Encrypt with S/MIME' under the Options menu. To digitally sign or encrypt every email by default, users can choose signing, encryption or both from the Settings menu.
The Bottom Line
Configuring S/MIME for a business involves distributing and managing digital certificates for end users. The payoff for this effort is clear: S/MIME's email encryption and digital signatures guard against MitM attacks and email-sp
[i]'Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification,' IETF
[iii]'Configure S/MIME in Exchange Online,' Microsoft
[iv]'Set up rules to require S/MIME signature and encryption,' Google