The following article is courtesy of Microsoft:
Understanding S/MIME
Before S/MIME, administrators used a widely accepted e-mail protocol, Simple Mail Transfer Protocol (SMTP), which was inherently not secure, or they used more secure but proprietary solutions. Administrators chose a solution that emphasized either security or connectivity. With S/MIME, administrators now have an e-mail option that is both more secure and widely accepted. S/MIME is as important a standard as SMTP because it brings SMTP to the next level: allowing widespread e-mail connectivity without compromising security.
To understand S/MIME, it is helpful to know about its history. The first version of S/MIME was developed in 1995 by a number of security vendors. It was one of several specifications for message security. Pretty Good Privacy (PGP) is an example of another, different specification for message security. At the time of S/MIME version 1, there was no recognized single standard for secure messages but rather several competing standards.
In 1998, the situation began to change with the introduction of S/MIME version 2. Unlike version 1, S/MIME version 2 was submitted to the Internet Engineering Task Force (IETF) for consideration as an Internet standard. With this step, S/MIME changed from being one possible standard among many to being the leading contender for a message security standard. Two IETF Requests for Comments (RFCs) make up S/MIME version 2: RFC 2311 (http://www.ietf.org/rfc/rfc2311.txt), which established the standard for messages, and RFC 2312 (http://www.ietf.org/rfc/rfc2312.txt), which established the standard for certificate handling. Together, these RFCs provided the first Internet standards-based framework that vendors could follow to deliver interoperable message security solutions. With S/MIME version 2, S/MIME emerged as the standard for message security.
In 1999, S/MIME version 3 was proposed by the IETF to enhance S/MIME capability. RFC 2632 (http://www.ietf.org/rfc/rfc2632.txt) built on the work of RFC 2311 in specifying the standards for S/MIME messages, and RFC 2633 (http://www.ietf.org/rfc/rfc2633.txt) enhanced the RFC 2312 specification of certificate handling. RFC 2634 (http://www.ietf.org/rfc/rfc2634.txt) extended overall capabilities by adding additional services to S/MIME, such as secure receipts, triple-wrapping, and security labels.
S/MIME version 3 has achieved wide acceptance as the standard for message security. S/MIME version 3 is supported in the following Microsoft products:
- Microsoft Outlook® 2000 (with SR-1 applied) and later
- Microsoft Outlook Express 5.01 and later
- Microsoft Exchange 5.5 and later
S/MIME provides two security services:
- Digital signatures
- Message encryption
These two services are the core of S/MIME-based message security. All other concepts related to message security support these two services. Although the full scope of message security may seem complex, these two services are the basis of message security. After gaining a basic understanding of digital signatures and message encryption, you can then learn how other concepts support these services.
Each service will be reviewed individually, and then information about how the two services work together will be provided.
Digital signatures are the more commonly used service of S/MIME. As the name suggests, digital signatures are the digital counterpart to the traditional, legal signature on a paper document. As with a legal signature, digital signatures provide the following security capabilities:
- Authentication: A signature serves to validate an identity. It verifies the answer to "who are you" by providing a means of differentiating that entity from all others and proving its uniqueness. Because there is no authentication in SMTP e-mail, there is no way to know who actually sent a message. Authentication in a digital signature solves this problem by allowing a recipient to know that a message was sent by the person or organization who claims to have sent the message.
- Nonrepudiation: The uniqueness of a signature prevents the owner of the signature from disowning the signature. This capability is called nonrepudiation. Thus, the authentication that a signature provides gives the means to enforce nonrepudiation. The concept of nonrepudiation is most familiar in the context of paper contracts: a signed contract is a legally binding document, and it is impossible to disown an authenticated signature. Digital signatures provide the same function and, increasingly in some areas, are recognized as legally binding, similar to a signature on paper. Because SMTP e-mail does not provide a means of authentication, it cannot provide nonrepudiation. It is easy for a sender to disavow ownership of an SMTP e-mail message.
- Data integrity: An additional security service that digital signatures provide is data integrity. Data integrity is a result of the specific operations that make digital signatures possible. With data integrity services, when the recipient of a digitally signed e-mail message validates the digital signature, the recipient is assured that the e-mail message that is received is, in fact, the same message that was signed and sent, and has not been altered while in transit. Any alteration of the message while in transit after it has been signed invalidates the signature. In this way, digital signatures are able to provide an assurance that signatures on paper cannot, because it is possible for a paper document to be altered after it has been signed.
Important: Although digital signatures provide data integrity, they do not provide confidentiality. Messages with only a digital signature are sent in cleartext, similar to SMTP messages, and can be read by others. In the case where the message is opaque-signed, a level of obfuscation is achieved because the message is base64-encoded, but it is still cleartext. To protect the contents of e-mail messages, you must use message encryption.
Authentication, nonrepudiation, and data integrity are the core functions of digital signatures. Together, they ensure recipients that the message came from the sender, and that the message received is the message that was sent.
At its simplest, a digital signature works by performing a signing operation on the text of the e-mail message when the message is sent, and a verifying operation when the message is read, as shown in the following figure.
The signing operation that is performed when the message is sent requires information that can only be supplied by the sender. (For more information about this signing operation, see "Public Key Cryptography and Digital Signatures" in Understanding Public Key Cryptography.) This information is used in a signing operation by capturing the e-mail message and performing a signing operation on the message. This operation produces the actual digital signature. This signature is then appended to the e-mail message and included with the message when it is sent. The following figure shows the sequence of signing a message.
- Message is captured.
- Information uniquely identifying the sender is retrieved.
- Signing operation is performed on the message using the sender's unique information to produce a digital signature.
- Digital signature is appended to the message.
- Message is sent.
Because this operation requires unique information from the sender, digital signatures provide authentication and nonrepudiation. This unique information can prove that the message could only come from the sender.
Note: No security mechanism is perfect. It is possible for unauthorized users to obtain the unique information that is used for digital signatures and attempt to impersonate a sender. However, the S/MIME standard can handle these situations so that unauthorized signatures are shown to be invalid. For more information, see Understanding Digital Certificates.
When the recipient opens a digitally signed e-mail message, a verification procedure is performed on the digital signature. The digital signature that is included with the message is retrieved from the message. The original message is also retrieved, and a signing operation is then performed, which produces another digital signature. The digital signature included with the message is compared to the digital signature produced by the recipient. If the signatures match, the message is verified as having come from the sender as claimed. If the signatures do not match, the message is marked as invalid. The following figure shows the sequence of verifying a message.
- Message is received.
- Digital signature is retrieved from the message.
- Message is retrieved.
- Information identifying the sender is retrieved.
- Signing operation is performed on the message.
- Digital signature included with the message is compared against the digital signature produced on receipt.
- If the digital signatures match, the message is valid.
Important: The sender's information that is used in verifying the signature is not the same information that is provided by the sender when the message is signed. The information used by the recipient is related in a way that lets the recipient verify the sender's unique information without actually knowing that information, thus protecting the sender's information. For more information about how the sender and recipient can share information, see "Public Key Cryptography and Digital Signatures" in Understanding Public Key Cryptography.
Taken together, the process of digital signing and verification of the digital signature authenticates the sender of an e-mail message and determines the integrity of the data within the signed message. Authenticating senders provides the additional capability of nonrepudiation, which prevents authenticated senders from claiming that they did not send the message. Digital signatures are a solution to impersonation and data tampering, which are possible with standard SMTP-based Internet e-mail.
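The signing and verification sequence described above, as an added example that is not part of the Microsoft article: it uses the openssl smime command, which produces and checks the PKCS#7-based S/MIME messages the RFCs cited earlier define. It assumes openssl is on the PATH; the identities alice and mallory, their e-mail addresses and the message text are constructed for the example. Beyond the page's own sequence it also shows the two failure cases a recipient's client must report: a message altered after it was signed, and a message signed by someone whose certificate the recipient does not trust.

```shell
#!/bin/sh
# Added example, not part of the Microsoft article: the S/MIME signing and
# verification sequence with openssl(1). Assumes openssl is on the PATH; the
# identities "alice" and "mallory" and the message text are constructed.
set -u

# Self-signed certificate and private key for a constructed identity. In a
# deployment the certificate would be issued by a CA the recipient trusts.
make_identity() {   # $1 = directory, $2 = name, $3 = e-mail address
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2/emailAddress=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Signing operation: the sender's private key (the information only the sender
# holds) signs the message; the signature is appended as a multipart/signed
# message, so the text itself stays readable.
smime_sign() {      # $1 = message file, $2 = signer cert, $3 = signer key, $4 = output
    openssl smime -sign -text -in "$1" -signer "$2" -inkey "$3" -out "$4" 2>/dev/null
}

# Verification: check the signature with the signer's certificate carried in
# the message, and require that certificate to chain to a trusted one.
# Prints "valid" or "invalid".
smime_verify() {    # $1 = signed message, $2 = file of trusted certificates
    if openssl smime -verify -text -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Three cases: genuine message, message altered in transit, message signed by
# an identity the recipient does not trust. Prints the three results.
signature_demo() {
    dir=$(mktemp -d)
    make_identity "$dir" alice alice@example.com
    make_identity "$dir" mallory mallory@example.com
    printf 'Please transfer 1,000 to account 42.\n' > "$dir/msg.txt"

    # 1. Signed by Alice, checked against Alice's certificate.
    smime_sign "$dir/msg.txt" "$dir/alice.crt" "$dir/alice.key" "$dir/signed.eml"
    genuine=$(smime_verify "$dir/signed.eml" "$dir/alice.crt")

    # 2. The signed text is changed after signing: the signature no longer matches.
    sed 's/1,000/9,000/' "$dir/signed.eml" > "$dir/altered.eml"
    altered=$(smime_verify "$dir/altered.eml" "$dir/alice.crt")

    # 3. Signed by Mallory, whose certificate is not in the trusted set.
    smime_sign "$dir/msg.txt" "$dir/mallory.crt" "$dir/mallory.key" "$dir/other.eml"
    other=$(smime_verify "$dir/other.eml" "$dir/alice.crt")

    rm -rf "$dir"
    echo "$genuine $altered $other"
}

signature_demo      # prints: valid invalid invalid
```

Each verification is done against the recipient's own set of trusted certificates (here only Alice's self-signed certificate); in a deployment that set is the CA certificates the organization trusts. A signature that checks mathematically but whose certificate does not chain to that set is still reported as a failure, which is how a signature made with someone else's key is shown to be invalid in practice.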
Message encryption provides a solution to information disclosure. SMTP-based Internet e-mail does not secure messages. An SMTP Internet e-mail message can be read by anyone who sees it as it travels or views it where it is stored. These problems are addressed by S/MIME through the use of encryption.
Encryption is a way to change information so that it cannot be read or understood until it is changed back into a readable and understandable form.
Although message encryption is not as widely used as digital signatures, it does address what many perceive as the most serious weakness in Internet e-mail. Message encryption provides two specific security services:
- Confidentiality: Message encryption serves to protect the contents of an e-mail message. Only the intended recipient can view the contents, and the contents remain confidential and cannot be known by anyone else who might receive or view the message. Encryption provides confidentiality while the message is in transit and in storage.
- Data integrity: As with digital signatures, message encryption provides data integrity services as a result of the specific operations that make encryption possible.
Important: Although message encryption provides confidentiality, it does not authenticate the message sender in any way. An unsigned, encrypted message is as susceptible to sender impersonation as an unencrypted message. Because nonrepudiation is a direct result of authentication, message encryption also does not provide nonrepudiation. Although encryption provides data integrity, an encrypted message can show only that the message has not been altered since it was sent. No information about who sent the message is provided. To prove the identity of the sender, the message must use a digital signature.
Confidentiality and data integrity provide the core functions of message encryption. They ensure that only the intended recipient can view a message and that the message received is the message that was sent.
Message encryption makes the text of a message unreadable by performing an encryption operation on it when it is sent. When the message is received, the text is made readable again by performing a decryption operation when the message is read, as shown in the following figure.
The encryption operation that is performed when the message is sent captures the e-mail message and encrypts it using information that is specific to the intended recipient. The encrypted message replaces the original message, and then the message is sent to the recipient. The following figure shows the sequence of encrypting an e-mail message.
- Message is captured.
- Information uniquely identifying the recipient is retrieved.
- Encryption operation is performed on the message using the recipient's information to produce an encrypted message.
- Encrypted message replaces the text in the message.
- Message is sent.
Because this operation requires unique information about the recipient, message encryption provides confidentiality. Only the intended recipient has the information to perform the decryption operation. This ensures that only the intended recipient can view the message because the recipient's unique information must be provided before viewing the unencrypted message.
Important: The recipient's information that is used in encrypting the message is not the same information that is provided by the recipient when the message is decrypted. The information used by the sender is related in a way that lets the sender use the recipient's unique information without actually knowing that information, thus protecting the recipient's information. For more information about how the sender and recipient can share information, see "Public Key Cryptography and Message Encryption" in Understanding Public Key Cryptography.
When the recipient opens an encrypted message, a decryption operation is performed on the encrypted message. The encrypted message and the recipient's unique information are both retrieved. The recipient's unique information is then used in a decryption operation performed against the encrypted message. This operation returns the unencrypted message, which is then shown to the recipient. If the message has been altered in transit, the decryption operation will fail. The following figure shows the sequence of decrypting an e-mail message.
- Message is received.
- Encrypted message is retrieved.
- Information uniquely identifying the recipient is retrieved.
- Decryption operation is performed on the encrypted message using the recipient's unique information to produce an unencrypted message.
- Unencrypted message is returned to the recipient.
Note: No security mechanism is perfect. It is possible for unauthorized users to obtain a recipient's unique information and use that information to read encrypted messages. However, the S/MIME standard can handle these situations. For more information, see Understanding Digital Certificates.
The process of encryption and decryption of messages provides for the confidentiality of e-mail messages. This process addresses a serious weakness in Internet e-mail: the fact that anyone can read any message.
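The encryption and decryption sequence described above, as an added example that is not part of the Microsoft article, again using the openssl smime command. It assumes openssl is on the PATH; the identities alice (the intended recipient) and bob and the message text are constructed for the example. It goes a little beyond the page's sequence: it also checks that the stored message does not expose the text, that a holder of a different private key cannot decrypt it, and that a message damaged in transit fails to decrypt rather than yielding a wrong text.

```shell
#!/bin/sh
# Added example, not part of the Microsoft article: the S/MIME encryption and
# decryption sequence with openssl(1). Assumes openssl is on the PATH; the
# identities "alice" (intended recipient) and "bob" and the message text are
# constructed.
set -u

# Self-signed certificate and private key for a constructed identity.
make_identity() {   # $1 = directory, $2 = name, $3 = e-mail address
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2/emailAddress=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Encryption operation: only the recipient's certificate (public information)
# is needed, so any sender can encrypt to her, and the sender proves nothing
# about themselves here. The text is encrypted with AES-256 and the AES key is
# wrapped with the public key in the certificate.
smime_encrypt() {   # $1 = message file, $2 = recipient cert, $3 = output
    openssl smime -encrypt -aes256 -text -in "$1" -out "$3" "$2" 2>/dev/null
}

# Decryption operation: needs the recipient's private key. Prints the
# recovered text, or DECRYPT-FAILED if the message cannot be decrypted.
smime_decrypt() {   # $1 = encrypted message, $2 = recipient cert, $3 = recipient key
    if out=$(openssl smime -decrypt -text -in "$1" -recip "$2" -inkey "$3" 2>/dev/null); then
        printf '%s\n' "$out" | tr -d '\r'
    else
        echo DECRYPT-FAILED
    fi
}

# Four checks: is the text visible in the stored message, can the intended
# recipient read it, can someone else, and does a damaged message decrypt.
encryption_demo() {
    dir=$(mktemp -d)
    make_identity "$dir" alice alice@example.com
    make_identity "$dir" bob bob@example.com
    printf 'Q3 salary figures attached.\n' > "$dir/msg.txt"

    smime_encrypt "$dir/msg.txt" "$dir/alice.crt" "$dir/enc.eml"

    # 1. Confidentiality in transit and in storage: the file does not contain
    #    the text.
    if grep -q 'salary' "$dir/enc.eml"; then wire=visible; else wire=hidden; fi

    # 2. Alice holds the matching private key and recovers the text.
    alice=$(smime_decrypt "$dir/enc.eml" "$dir/alice.crt" "$dir/alice.key")

    # 3. Bob's certificate matches no recipient entry in the message.
    bob=$(smime_decrypt "$dir/enc.eml" "$dir/bob.crt" "$dir/bob.key")

    # 4. Damage in transit (here the last three lines are dropped, which
    #    truncates the encoded message): the decryption operation fails.
    sed '$d' "$dir/enc.eml" | sed '$d' | sed '$d' > "$dir/damaged.eml"
    damaged=$(smime_decrypt "$dir/damaged.eml" "$dir/alice.crt" "$dir/alice.key")

    rm -rf "$dir"
    echo "$wire|$alice|$bob|$damaged"
}

encryption_demo     # prints: hidden|Q3 salary figures attached.|DECRYPT-FAILED|DECRYPT-FAILED
```

Note that nothing in this exchange identifies who produced the encrypted message: the sender never used a key of their own, which is the point of the Important note above. A recipient who needs to know the sender must also require a digital signature.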
Digital signatures and message encryption are not mutually exclusive services. Each service addresses specific security issues. Digital signatures address authentication and repudiation issues, and message encryption addresses confidentiality issues. Because each addresses different issues, a message security strategy requires both, often at the same time. These two services are designed to be used in conjunction with one another, because each separately addresses one side of the sender-recipient relationship. Digital signatures address security issues related to senders, and encryption addresses security issues primarily related to recipients.
When digital signatures and message encryption are used together, users benefit from both services. Employing both services in messages does not change the handling or processing of either service: each works as discussed in earlier sections in this document. To show how digital signatures and message encryption are handled together, the following figure shows the sequence of signing and encrypting an e-mail message.
- Message is captured.
- Information uniquely identifying the sender is retrieved.
- Information uniquely identifying the recipient is retrieved.
- Signing operation is performed on a message using the sender's unique information to produce a digital signature.
- Digital signature is appended to the message.
- Encryption operation is performed on the message using the recipient's information to produce an encrypted message.
- Original message is replaced by encrypted message.
- Message is sent.
The following figure shows the sequence of decrypting and verifying the digital signature.
- Message is received.
- Encrypted message is retrieved.
- Information uniquely identifying the recipient is retrieved.
- Decryption operation is performed on the encrypted message using the recipient's unique information to produce an unencrypted message.
- Unencrypted message is returned.
- Unencrypted message is returned to the recipient.
- Digital signature is retrieved from the unencrypted message.
- Information identifying the sender is retrieved.
- Signing operation is performed on the unencrypted message using the sender's information to produce a digital signature.
- Digital signature included with the message is compared against the digital signature produced on receipt.
- If the digital signatures match, the message is valid.
One of the enhancements of S/MIME version 3 worth noting is "triple-wrapping." A triple-wrapped S/MIME message is one that is signed, encrypted, and then signed again. This extra layer provides additional security. When users sign and encrypt messages with Outlook Web Access with the S/MIME control, the message is automatically triple-wrapped. Outlook and Outlook Express do not triple-wrap messages, but they can read them.
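The sign-and-encrypt sequence and the triple-wrapping just described, as an added example that is not part of the Microsoft article, built with the openssl smime command. It assumes openssl is on the PATH; the sender alice, the recipient bob and the message text are constructed for the example. The sender side builds the three layers in order (sign, encrypt, sign again) and the recipient side takes them apart in reverse; the example also reports, for each stored layer, whether the message text is still readable, which ties back to the earlier Important note that a signature alone leaves the text in cleartext.

```shell
#!/bin/sh
# Added example, not part of the Microsoft article: the sign-and-encrypt sequence
# and S/MIME version 3 triple-wrapping (sign, encrypt, sign again) with openssl(1).
# Assumes openssl is on the PATH; the sender "alice", the recipient "bob" and the
# message text are constructed.
set -u

# Self-signed certificate and private key for a constructed identity.
make_identity() {   # $1 = directory, $2 = name, $3 = e-mail address
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2/emailAddress=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Sender side. Layer 1: the sender's private key signs the text (clear-signed,
# so the text is still readable). Layer 2: the signed message is encrypted to
# the recipient's certificate. Layer 3: the encrypted message is signed again.
triple_wrap() {     # $1 = directory holding alice.*, bob.* and msg.txt
    openssl smime -sign -text -in "$1/msg.txt" -signer "$1/alice.crt" \
        -inkey "$1/alice.key" -out "$1/layer1-signed.eml" 2>/dev/null &&
    openssl smime -encrypt -aes256 -in "$1/layer1-signed.eml" \
        -out "$1/layer2-encrypted.eml" "$1/bob.crt" 2>/dev/null &&
    openssl smime -sign -in "$1/layer2-encrypted.eml" -signer "$1/alice.crt" \
        -inkey "$1/alice.key" -out "$1/layer3-triple.eml" 2>/dev/null
}

# Recipient side, in reverse order: verify the outer signature, decrypt with
# the recipient's private key, verify the inner signature. Prints
# "<outer result> <inner result> <recovered text>".
triple_unwrap() {   # $1 = directory
    if openssl smime -verify -in "$1/layer3-triple.eml" -CAfile "$1/alice.crt" \
            -out "$1/rx-encrypted.eml" >/dev/null 2>&1; then outer=valid; else outer=invalid; fi
    openssl smime -decrypt -in "$1/rx-encrypted.eml" -recip "$1/bob.crt" \
        -inkey "$1/bob.key" -out "$1/rx-signed.eml" 2>/dev/null || true
    if openssl smime -verify -text -in "$1/rx-signed.eml" -CAfile "$1/alice.crt" \
            -out "$1/rx-plain.txt" >/dev/null 2>&1; then inner=valid; else inner=invalid; fi
    text=$(cat "$1/rx-plain.txt" 2>/dev/null | tr -d '\r')
    echo "$outer $inner $text"
}

# Builds the three layers, reports whether the message text is readable in each
# stored layer, then unwraps. Prints: visible hidden hidden valid valid <text>
combined_demo() {
    dir=$(mktemp -d)
    make_identity "$dir" alice alice@example.com   # sender
    make_identity "$dir" bob bob@example.com       # recipient
    printf 'Board minutes attached.\n' > "$dir/msg.txt"
    triple_wrap "$dir"
    seen=""
    for layer in layer1-signed layer2-encrypted layer3-triple; do
        if grep -q 'Board minutes' "$dir/$layer.eml"; then
            seen="$seen visible"
        else
            seen="$seen hidden"
        fi
    done
    result=$(triple_unwrap "$dir")
    rm -rf "$dir"
    echo "${seen# } $result"
}

combined_demo       # prints: visible hidden hidden valid valid Board minutes attached.
```

The inner signature is what authenticates the text and supports nonrepudiation; the encryption layer keeps it confidential to Bob; the outer signature lets a receiving gateway check who submitted the encrypted message without being able to decrypt it, which is why a client that cannot produce triple-wrapped messages must still be able to unwrap them, as the paragraph above notes for Outlook and Outlook Express.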
Digital signatures and message encryption complement one another and provide a comprehensive solution to the security issues that affect SMTP-based Internet e-mail.
Digital signatures and message encryption are the core functionality of S/MIME. The most important supporting concept for message security is public key cryptography. Public key cryptography makes digital signatures and message encryption within S/MIME viable. In Understanding Public Key Cryptography, public key cryptography and how it relates to S/MIME are explained.