S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for encrypting and signing MIME-encapsulated e-mail using a hybrid cryptosystem.


Function

RFC 1847 (1995) defines two content types for MIME: multipart/signed for signing an e-mail and multipart/encrypted for encrypting it. An e-mail can be only signed, only encrypted, or subjected to both operations. Both S/MIME (RFC 2633) and OpenPGP (RFC 2440), which were specified later, use multipart/signed, whereas multipart/encrypted is used only by OpenPGP. For encryption, S/MIME additionally defines the new content type application/pkcs7-mime. S/MIME is supported by most modern e-mail clients. It requires X.509-based certificates to operate.

Multipart / Signed

The format consists of exactly two parts. The first contains the data, including its MIME headers, over which the digital signature was computed. The second contains the information needed to verify the signature. The mail therefore remains readable even for e-mail clients that do not support S/MIME, which is why, of the several possible S/MIME signing formats, multipart/signed is the recommended one. Since the signature covers the first part byte for byte, any mail gateway that rewrites that part (re-encoding it or appending a footer) invalidates the signature.

Application/pkcs7-mime

The content type application/pkcs7-mime has the optional parameter smime-type, which describes the kind of data without the need to decode it: enveloped-data (encryption), signed-data (signature) or certs-only (certificates). In addition, the file name in the optional but recommended Content-Disposition header indicates the type of data: smime.p7m (signed or encrypted data), smime.p7c (certificates), smime.p7s (detached signature).

An encrypted message body likewise consists of exactly two parts. The first contains the information needed for decryption; the second contains the encrypted data. The entire mail body is encrypted and can be read only by the intended recipient. As a consequence, scanning for viruses and spam is only possible on the end device. The mail headers (including the subject), however, remain unencrypted and should therefore not contain confidential information.

An encrypted message thus looks like this, for example:

    Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename=smime.p7m

    rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6
    7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H
    f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
    0GhIGfHfQbnj756YT64V

To encrypt an e-mail, the sender must know the recipient's public key. It can be taken, for example, from the certificate attached to a signed e-mail previously received from the recipient. E-mail clients simplify this by automatically saving all received certificates.
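As an added example that is not part of the original article, the following Python script classifies an incoming message by the MIME structures described above, using only the standard library: multipart/signed (checking the two-part structure and the protocol parameter), application/pkcs7-mime with its smime-type parameter, falling back to the RFC 2633 file names when the parameter is absent, and, going beyond the article's own example, multipart/encrypted as used by PGP/MIME. It also shows that the Subject header stays readable regardless of encryption. The three sample messages, their addresses and their base64 bodies are constructed placeholders for this example, not real CMS data.

```python
"""Added example (not from the original article): classify a message by its
S/MIME or OpenPGP MIME structure. Standard library only; samples are constructed."""
import email
from email import policy

# Constructed sample messages; the base64 bodies are placeholders, not real CMS data.
ENVELOPED_MSG = b"""\
From: bob@example.org
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
"""

SIGNED_MSG = b"""\
From: bob@example.org
Subject: Invoice 4711
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Please find the invoice attached.
--sig-boundary
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
--sig-boundary--
"""

# Deliberately lacks the smime-type parameter to exercise the file-name fallback.
CERTS_ONLY_MSG = b"""\
From: bob@example.org
Subject: My certificate
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; name=smime.p7c
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7c

AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
"""

SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature",
                   "application/pgp-signature"}


def smime_type_from_filename(filename):
    """Fallback when smime-type is absent: RFC 2633 file names hint at the content.
    smime.p7m is ambiguous (signed or enveloped) until the CMS object is decoded."""
    if not filename:
        return None
    suffix = filename.rsplit(".", 1)[-1].lower()
    return {"p7c": "certs-only", "p7s": "signed-data", "p7m": "signed-or-enveloped"}.get(suffix)


def classify(raw):
    """Return what kind of S/MIME (or PGP/MIME) object a raw message carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    info = {
        "content_type": ctype,
        "smime_type": None,
        "protocol": None,
        # Headers lie outside the signed/encrypted body and always stay visible.
        "subject_visible": str(msg["Subject"]),
        "readable_without_smime": True,
        "well_formed": True,
    }
    if ctype == "multipart/signed":
        # RFC 1847: exactly two parts, the second being the detached signature of
        # the type announced in the protocol parameter. The first part stays readable.
        parts = msg.get_payload()
        proto = msg.get_param("protocol")
        info["protocol"] = proto
        info["well_formed"] = (len(parts) == 2 and proto in SIGNATURE_TYPES
                               and parts[1].get_content_type() == proto)
        info["smime_type"] = "multipart/signed"
    elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # The whole body is one CMS blob; a client without S/MIME sees only an attachment.
        info["smime_type"] = (msg.get_param("smime-type")
                              or smime_type_from_filename(msg.get_filename()))
        info["readable_without_smime"] = False
    elif ctype == "multipart/encrypted":
        # Defined by RFC 1847 but used only by OpenPGP (PGP/MIME), not by S/MIME.
        info["smime_type"] = "multipart/encrypted"
        info["protocol"] = msg.get_param("protocol")
        info["readable_without_smime"] = False
    return info
```

Running classify() on the three samples reports enveloped-data, a well-formed multipart/signed message whose first part stays readable, and certs-only inferred from the smime.p7c file name; in every case the Subject is returned unchanged, which is why it must not carry anything confidential.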

Classification of certificates

Providers of certificates for secure e-mail communication usually divide them into three classes. For Class 1, the certification authority (CA) vouches only for the authenticity of the e-mail address, and only that is part of the certificate. For Class 2, the name belonging to the e-mail address is additionally included in the certificate, as is the organisation or company; this data is verified with the help of third-party databases and copies of identity documents. For Class 3 certificates, the applicant must provide proof of their identity.

Free Certificates

Some companies and non-profit organisations offer free S/MIME certificates. After registering, multiple certificates can be created, but they include the holder's name only after a certain number of identity checks. These can be carried out by members of a web of trust or by other trusted parties such as lawyers or chartered accountants.

CAcert, a non-profit, community-driven CA, provides free certificates. It is not listed as a trusted certification authority in the certificate databases of many e-mail clients and web browsers. A user who connects to a server using a CAcert certificate, or who receives an e-mail signed with a CAcert-issued S/MIME certificate, will therefore get an error message stating that the origin of the certificate could not be verified (unless CAcert was previously entered manually as trustworthy in the program).

Furthermore, free Class 1 certificates with reduced validity are offered by companies which, in contrast to CAcert, are listed as trusted in the certificate databases of popular software. Examples of these certificates, usually intended for private use, are:

  • StartSSL PKI as StartSSL Free (valid for 1 year)
  • WISeKey CertifyID as Free Secure email eID (valid for 1 year)
  • InstantSSL by Comodo as Free Secure Email Certificate (valid for 1 year)
  • Secorio S/MIME (valid for 1 year)
  • GlobalSign as Free Trial PersonalSign 1 Certificate (valid for 30 days)
  • Symantec (VeriSign) as Digital IDs for Secure Email (valid for 25 days)

It is also possible to encrypt messages with a self-signed certificate. For this purpose a self-created root certificate is needed, which represents one's own certification authority; with it, any number of certificates can be signed. However, all communication partners must first import this root certificate and trust it before encrypted communication is possible.

Security risk

Using S/MIME certificates for encryption and signing requires a key pair consisting of a public and a private key, because of the public-key method used. In contrast to the certificate, these two keys can and necessarily should be generated locally by the user. Most certification authorities handle it this way: key generation is normally started from the browser, triggered by the HTML form element <keygen> in Firefox, Opera, Chrome and Safari 6, and by an ActiveX control in Internet Explorer. In both cases only the public key is uploaded to the CA. The certificate issued as part of the certification process is then loaded back into the browser and stored in the certificate store together with the private key belonging to the public key.

Only a few certification authorities generate the key pair themselves and then hand it over to the user together with the generated certificate. In that case the private key is known to the CA, which should be avoided from a security standpoint, since the private key could thus fall into the wrong hands.
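As an added example that is not part of the original article, the following Python code walks through the two procedures described above: the self-created root certificate from the "Free Certificates" section, which signs certificates for one's own communication partners, and the local key generation of this section, where the user keeps the private key and uploads only a certificate signing request (CSR) carrying the public key. It uses the third-party `cryptography` package; the e-mail address, the CA name and all function names are assumptions made for this example.

```python
"""Added example (not from the original article): local key generation, a CSR
that carries only the public key, and a self-created root CA issuing the
S/MIME certificate. Requires the `cryptography` package; names are assumed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def generate_local_key():
    # Generated on the user's machine; the private half never leaves it.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_csr(private_key, email_address):
    # What is uploaded to the CA: subject, public key and a proof-of-possession signature.
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.EMAIL_ADDRESS, email_address)]))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email_address)]), critical=False)
        .sign(private_key, hashes.SHA256())
    )


def leaks_private_key(pem_bytes):
    # Sanity check before sending: a CSR must never carry private key material.
    return b"PRIVATE KEY" in pem_bytes


def make_root_ca(common_name, days=3650):
    # The self-created root certificate that communication partners must import and trust.
    key = generate_local_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_email_cert(ca_key, ca_cert, csr, days=365):
    # CA side: check proof of possession, then certify the public key taken from the CSR.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    now = datetime.datetime.now(datetime.timezone.utc)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(san, critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def issued_by(cert, ca_cert):
    # Recipient side: verify the certificate signature with the imported root's public key.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def enroll(email_address="alice@example.org"):
    # Full round trip: local key, CSR to the CA, certificate back, stored beside the private key.
    user_key = generate_local_key()
    csr_pem = build_csr(user_key, email_address).public_bytes(serialization.Encoding.PEM)
    ca_key, ca_cert = make_root_ca("Example Private Root CA")  # assumed CA name
    cert = issue_email_cert(ca_key, ca_cert, x509.load_pem_x509_csr(csr_pem))
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "csr_leaks_private_key": leaks_private_key(csr_pem),
        "public_key_matches": cert.public_key().public_numbers() == user_key.public_key().public_numbers(),
        "chain_valid": issued_by(cert, ca_cert),
        "email_in_cert": email_address in san.get_values_for_type(x509.RFC822Name),
    }
```

enroll() returns a small report: the PEM that would be uploaded contains no private key, the certificate the CA hands back certifies exactly the locally generated public key, and a partner who has imported the root can verify the issuer signature. The CA path shown here is the self-signed variant; with a commercial CA only build_csr() and leaks_private_key() run on the user's side.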

Alternative

As an alternative to S/MIME, OpenPGP can be employed, likewise in combination with a PKI. The two methods are not compatible, however, even though they partly use the same encryption algorithms, because they use different data formats. The usual variants here are PGP/INLINE and PGP/MIME.
