S/MIME

S/MIME

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME.

History

S/MIME was originally developed by RSA Data Security Inc. The original specification used the recently developed IETF MIME specification with the de facto industry standard PKCS #7 secure message format.

Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax, an IETF specification that is identical in most respects with PKCS #7.

Function

S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption). S/MIME specifies the application/pkcs7-mime (smime-type "enveloped-data") type for data enveloping (encrypting): the whole (prepared) MIME entity to be enveloped is encrypted and packed into an object which subsequently is inserted into an application/pkcs7-mime MIME entity.

S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them.

/MIME Certificates

Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA such as one of those listed below. Best practice is to use separate private keys (and associated certificates) for Signature and for Encryption, as this permits escrow of the encryption key without compromise to the non-repudiation property of the signature key. Encryption requires having the destination party's certificate on store (which is typically automatic upon receiving a message from the party with a valid signing certificate). While it is technically possible to send a message encrypted (using the destination party certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you install your own certificate before they allow encrypting to others.

A typical basic personal certificate verifies the owner's identity "only" in terms of binding them to an email address and does not verify the person's name or business. The latter, if needed (e.g. for signing contracts), can be obtained through CAs that offer further verification (digital notary) services or managed PKI service. For more detail on authentication, see Digital Signature.

Depending on the policy of the CA, your certificate and all its contents may be posted publicly for reference and verification. This makes your name and email address available for all to see and possibly search for. Other CAs only post serial numbers and revocation status, which does not include any of the personal information. The latter, at a minimum, is mandatory to uphold the integrity of the public key infrastructure.

Obstacles to deploying S/MIME in practice

* Not all e-mail software handles S/MIME, resulting in an attachment called smime.p7m that often confuses people.
* S/MIME is sometimes considered not properly suited for use via webmail clients. Though support can be hacked into a browser, some security practices require the private key to be kept accessible to the user but inaccessible from the webmail server, complicating the key webmail advantage of providing ubiquitous accessibility. This issue is not specific to S/MIME - any secure method of signing webmail requires a browser to execute code to produce the signature.
** Some organizations consider it acceptable for webmail servers to be "in on the secrets"; others don't. Some of the considerations are mentioned below regarding malware. Another argument is that servers often contain data that is confidential to the organization anyway, so what difference does it make if additional data, such a private keys used for decryption, are also stored and used on such servers?
** Many make a distinction between private keys used for decryption and those used for digital signatures. They are far more likely to accept sharing of the former than the latter. This is especially true if the non-repudiation aspect of digital signatures is a concern (it may not be). There is fairly universal consensus that non-repudiation requires that a private key be under sole control of its owner during its entire lifecycle. Therefore, it's more likely to accept decryption done with webmail servers than digital signatures.
* S/MIME is tailored for end to end security. Encryption will not only encrypt your messages, but also malware. Thus if your mail is scanned for malware anywhere but at the end points, such as your company's gateway, encryption will defeat the detector and successfully deliver the malware. Solutions:
** Perform malware scanning on end user stations "after" decryption.
** Store private keys on the gateway server so decryption can occur prior to the gateway malware scan. (Though this in some ways defeats the purpose of encryption, as it allows anyone with access to the gateway server to read another user's mail.)
** Use message content scanners specifically designed to check the content of encrypted messages in transit whilst preserving end-to-end signatures and encryption. Such solutions must contain built-in protection for both the private key used to decrypt the message, and for the temporarily decrypted contents.

Caveats

When a message is encrypted using S/MIME (or PKCS#7), the public key of each intended recipient is extracted from their certificates and those certificates are identified in the message by issuer and serial number. One of the consequences of this is that if a certificate is renewed (i.e. new certificate, same keypair) and the old certificate is deleted thinking it won't be needed any more, S/MIME clients will no longer be able to locate the decryption key to decrypt messages sent before the renewal, even though the key hasn't changed. In other words, deletion of expired certificates can have surprising consequences.

Even more generally, any messages that an S/MIME client stores in their encrypted form will not be decryptable if the certificate used for encryption has been deleted or otherwise not available, whether that certificate has expired or not.

S/MIME signatures are usually done with what's called "detached signatures". The signature information is separate from the text being signed. The MIME type for this is multipart/signed with the second part having a MIME subtype of application/(x-)pkcs7-signature. Mailing list software is notorious for changing the textual part and thereby invalidating the signature.

Free access

Thawte (a subsidiary of VeriSign), CAcert and other companies offer free e-mail certificates for exclusive S/MIME usage on their Web site. Getting a certificate is as simple as visiting their Web site and signing up for an account. However, this does not automatically allow usage of one's name in the certificate. For that, one has to prove their identity in person to at least two Thawte notaries that are part of their Web of Trust.

See also

* MIME Multipurpose Internet Mail Extensions
* TLS Transport Layer Security, formerly SSL
* E-mail authentication
* E-mail encryption
* Pretty Good Privacy (PGP)
* GnuPG

External links

* [http://www.ietf.org/html.charters/smime-charter.html S/MIME working group charter] — has links to S/MIME related RFCs and internet drafts.
* [http://weblog.infoworld.com/udell/2004/03/23.html#a952 How to forge an S/MIME signature] — critique on some S/MIME implementations.
* [http://www.imc.org/ietf-smime/index.html S/MIME IETF Working Group]
* [http://www.imc.org/smime-pgpmime.html S/MIME and OpenPGP]
* [http://www.eldos.com/sbb/desc-mime.php MIMEBlackbox] - components for Windows and .NET software developers with S/MIME and PGP/MIME support
* [http://www.ripe.net/db/support/security/mail_client_tests.html E-mail Client Testing for S/MIME Compliance]
* VeriSign's Public Directory (ld

* [http://kb.mozillazine.org/Getting_an_SMIME_certificate MozillaZine Knowledge Base: Getting an SMIME certificate]
* [http://www.smime.org SMIME.org provides help and references to products and standards of email encryption.]

*

de:S/MIME
es:S/MIME
fi:S/MIME
it:S/MIME
ja:S/MIME
ru:S/MIME


Wikimedia Foundation. 2010.

Игры ⚽ Нужен реферат?

Look at other dictionaries:

  • mime — [ mim ] n. • 1520; lat. mimus, gr. mimos I ♦ N. m. 1 ♦ Antiq. Courte comédie burlesque et satirique, comprenant texte, chant et expression corporelle. 2 ♦ Genre de spectacle fondé sur le geste et l expression corporelle. ⇒ mimique (II, 1o),… …   Encyclopédie Universelle

  • Mime artist — Mime redirects here. For Multipurpose Internet Mail Extensions, see MIME. For other uses, see Mime (disambiguation). Mimes Mimes Jean and Bri …   Wikipedia

  • MIME — (произн. «майм», англ. Multipurpose Internet Mail Extensions  многоцелевые расширения интернет почты)  стандарт, описывающий передачу различных типов данных по электронной почте, а также, шире, спецификация для кодирования… …   Википедия

  • Mime to Five — is episode 7.3 of the Happy Tree Friends TV series.Characterstarring Roles* MimeFeaturing Roles* Pop and Cub * Russell * Sniffles * Giggles * Disco Bear * Lumpy * Cro Marmot * Flaky * Toothy * Cuddles * The MoleCameo Roles* Petunia * NuttyPlotThe …   Wikipedia

  • Mime Jr. — Mime Jr. Saltar a navegación, búsqueda Mime Jr. Pokédex Nacional Bonsly Mime Jr. (#439) Happiny Pokédex Sinnoh Sudowoodo Mime Jr. (#094) Mr. Mime N. japonés Manene …   Wikipedia Español

  • MIME ET PANTOMIME — La pantomime, la mime sont des formes d’expression par gestes sans recours à la parole; par extension, au théâtre, la pantomime elle même constitue l’argument interprété par l’acteur – le pantomime ou, par contraction, le mime –, en fonction… …   Encyclopédie Universelle

  • Mime Movie — is an animated film directed by Doug TenNapel. The movie will air in Cartoon Network at 2008. It is unknown if it will have its own series.PlotA city girl gets trapped in a tent with two silent mimes and a Mexican man so she can wait for the big… …   Wikipedia

  • Mime the Gap — is a physical comedy company founded by Richard Knight who specialises in mime and physical humour. Richard, who is heavily mime based in his performances, has taught and performed all over the world. Having trained with Jacques Lecoq and Antonio …   Wikipedia

  • Mime (Schmied) — Mime, auch Mimir, ist ein Schmied aus der Heldensage mit mythischen Zügen. In den deutschen Heldenliedern des Mittelalters wird der Schmied durchgängig Mime genannt. In einer nordischen Übertragung, der Thidrekssaga, heißt er jedoch Mimir, so wie …   Deutsch Wikipedia

  • MIME tipas — statusas T sritis informatika apibrėžtis ↑Elektroninio laiško arba kurios nors jo dalies duomenų tipas, apibrėžtas ir tos dalies antraštėje aprašytas pagal ↑MIME protokolo taisykles. Yra apibrėžti tokie tipai: teksto, grafikos, garso, vaizdo,… …   Enciklopedinis kompiuterijos žodynas

  • MIME type — MIME tipas statusas T sritis informatika apibrėžtis ↑Elektroninio laiško arba kurios nors jo dalies duomenų tipas, apibrėžtas ir tos dalies antraštėje aprašytas pagal ↑MIME protokolo taisykles. Yra apibrėžti tokie tipai: teksto, grafikos, garso,… …   Enciklopedinis kompiuterijos žodynas

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”