SMIME : How it works

13 Jun, 2014 10:06 AM
 SMIME
 Security
 Cryptography

S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a mechanism for communicating securely over email, without the email being intercepted and read or modified by anyone other than its intended recipients. It is supported by all modern desktop and mobile email clients, including Apple Mail on OS X and iOS and Microsoft Outlook on both OS X and Windows. Better still, Microsoft Exchange Server supports setting up certificates in the directory so that clients can automatically discover and enable SMIME without any user intervention or hassle.

Why is SMIME not popular?

Having said that, SMIME is not popular, because emails using SMIME are not readable in web email clients. That, together with the lack of an easy way to share the recipients' public keys (required to encrypt while sending and to verify the signature at the receiving end), has made it less popular. Nevertheless, it is a standard supported by all email programs, and it requires no change on the email servers, which leaves it to an individual's choice, security requirements and willingness to go the extra mile to keep one's communication private. It's a client-side feature.

How secure is it?

SMIME, when used with a large key (> 2048 bits RSA (2)), is effectively immune to brute-force attack at present, even from large organisations with huge computing power. It is based on public key cryptography (1). The larger the key, the more secure it is. A 2048-bit RSA-based cipher is impossible to crack, while it takes only a few milliseconds to generate and encrypt a message using it. The overhead is small given the computing power available in our laptops and phones.

How does it work?

There are two parts to SMIME - encryption and signing. Either of them can be used without the other. 

* Encryption - Prevents the content from being read in transit. The logic of encryption is shown below.
[Image: SMIME - Encryption Illustration]

* Signing - Allows the recipient to know that the message came from the sender and is not modified in transit. It works as illustrated below.
[Image: SMIME - Signing Illustration]

Combining signing and encryption gives the best security for the email. It is a general practice to encrypt and then sign the email.
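The two operations can be reproduced outside a mail client with the `openssl smime` command. The script below is an added example, not part of the original post: it assumes the OpenSSL command-line tool is installed, uses constructed addresses and message text with throwaway self-signed certificates, follows the encrypt-then-sign order mentioned above, and also shows that an altered signed message fails verification.

```shell
#!/bin/sh
# Added example (not from the original post). Addresses, file names and the
# message text are constructed; certificates are throwaway self-signed ones.
WORK=$(mktemp -d)

make_identity() {   # $1 = email address, also used as the file prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1/emailAddress=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# Signing uses the SENDER's private key.
sign_msg() {        # $1 = sender, $2 = input file, $3 = output file
    openssl smime -sign -in "$2" -signer "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$3" 2>/dev/null
}
# Verifying needs only the sender's certificate (public key); a self-signed
# certificate has to be trusted explicitly, here through -CAfile.
verify_msg() {      # $1 = sender, $2 = signed file, $3 = recovered content
    openssl smime -verify -in "$2" -CAfile "$WORK/$1.crt" -out "$3" 2>/dev/null
}
# Encrypting uses the RECIPIENT's certificate: the body is encrypted with a
# random AES-256 key, which is itself encrypted to the recipient's RSA key.
encrypt_msg() {     # $1 = recipient, $2 = input file, $3 = output file
    openssl smime -encrypt -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}
# Decrypting requires the RECIPIENT's private key.
decrypt_msg() {     # $1 = recipient, $2 = encrypted file, $3 = output file
    openssl smime -decrypt -in "$2" -recip "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$3" 2>/dev/null
}
# Alice encrypts to Bob, then signs; Bob verifies, then decrypts.
round_trip() {
    make_identity alice@example.test && make_identity bob@example.test || return 1
    printf 'Pay Bob 100 EUR\n' > "$WORK/msg.txt"
    encrypt_msg bob@example.test "$WORK/msg.txt" "$WORK/enc.eml" &&
    sign_msg alice@example.test "$WORK/enc.eml" "$WORK/mail.eml" &&
    verify_msg alice@example.test "$WORK/mail.eml" "$WORK/ver.eml" &&
    decrypt_msg bob@example.test "$WORK/ver.eml" "$WORK/out.txt" &&
    tr -d '\r' < "$WORK/out.txt"    # S/MIME canonicalises line ends to CRLF
}
# A signed message whose body is altered in transit must fail verification.
tamper_detected() {
    sign_msg alice@example.test "$WORK/msg.txt" "$WORK/s.eml" &&
    verify_msg alice@example.test "$WORK/s.eml" /dev/null || return 1
    sed 's/Bob 100/Bob 900/' "$WORK/s.eml" > "$WORK/t.eml"
    ! verify_msg alice@example.test "$WORK/t.eml" /dev/null
}
round_trip && tamper_detected && echo "altered message rejected"
```

The intermediate files in `$WORK` (`enc.eml`, `mail.eml`, `s.eml`) can be opened in a text editor to see the MIME structure a mail client would send.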

How to setup SMIME?

STEP 1: Get a certificate from one of the many email certificate providers online. Comodo provides a free email certificate valid for a year. Getting a certificate from a trusted provider means the certificate will be trusted by the people who communicate with you. However, it is not necessary. One can create a self-signed certificate easily. If you are getting a certificate from a trusted provider, then skip to STEP 2.

To generate a self-signed certificate on OS X, follow the steps below.

* Open the Keychain Access app.
* Select Keychain Access -> Certificate Assistant -> Create a certificate...
* Enter a name and select the checkbox for "Let me override default" as shown below.
[Image: Keychain Access - Create Certificate - Step 1]

* Click Continue with the defaults until the screen below. Enter the email address for which SMIME is being set up.
[Image: Keychain Access - Create Certificate - Step 2]

* Click Continue again until the screen below, then select all the checkboxes for "Key usage extensions".
[Image: Keychain Access - Create Certificate - Step 3]

* Click Continue through the rest of the screens to generate the certificate.

* Now open Keychain Viewer in the Keychain Access app (Window -> Keychain Viewer) and select the certificate just created, which can be identified by the name given in the first screen above. If there are duplicates, open each of them to check the email address. Drag the certificate icon (shown below) onto the desktop. This is the public key part of the certificate, which can be distributed to others for verifying your signature and encrypting the email content. Put this file up on your website or send it to the contacts with whom you want to communicate securely.
[Image: Keychain-Cert-Icon]

* In the same screen, trust the certificate, as shown below, since it is self-signed. You will be prompted for the admin password to confirm the trust settings change.
[Image: Keychain - Trust]


STEP 2: Quit Apple Mail and re-open it so that it picks up the email certificate just installed. Now compose an email with the From address set to the email address in question, and you should see two options as shown below.
[Image: Smime - Compose]

STEP 3: The checkmark is for signing the email, so that the recipients can be sure the email is from you and has not been tampered with. The lock icon is for encrypting the content. You can only encrypt content if you have the public key for all the recipients in the To, Cc and Bcc fields. To test the encryption function, set the "TO" address to be the same as the "FROM" address and you should see the lock icon enabled. Now you can send the email, and upon receiving it you will see a message saying that the email is verified and encrypted.

References
1. http://en.wikipedia.org/wiki/Public-key_cryptography
2. http://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths

adios!