diff options
Diffstat (limited to 'smime.adoci')
-rw-r--r-- | smime.adoci | 112 |
1 files changed, 0 insertions, 112 deletions
diff --git a/smime.adoci b/smime.adoci deleted file mode 100644 index 1ecf8e4..0000000 --- a/smime.adoci +++ /dev/null @@ -1,112 +0,0 @@ -== S/MIME Practical, Week 11 == - -As for PGP, the purpose of this practical is to show us how to use S/MIME to -encrypt, decrypt and digitally sign our emails. - -At the end of this practical, we should be able to send and receive emails with -assurance of the identity of the senders. We will also be able not to worry -whether someone else was able to read their content. - -=== Problem 1: Configuring S/MIME with mutt === - -Though the support of S/MIME is present in 'mutt', it appears that it is very -cumbersome to use. 'mutt' is expecting 'pkcs12' files (that we can produce with -'openssl pkcs12'). Nevertheless, for some reason, it complains about our -'pkcs12' files being not completely bagged. - -There is very few information about this issue on the web and most of the -results are quite irrelevant. - -==== Resolution ==== - -We will not use the builtin support of 'S/MIME' in 'mutt'. Instead, the manual -pages 'openssl (1)' and 'smime (1)' describe us how to generate our emails -using 'openssl smime'. - -The following command will create our email and encrypt it using -ojgg2@kent.ac.uk's public key. - - $ openssl smime -encrypt -out mail.p7m -from olivier.gayot@sigexec.com -to ojgg2@kent.ac.uk -subject "Encrypted message" -des3 certif.crt - This content is encrypted, can you read it? - -We can check that our email file is encrypted: - - $ cat mail.p7m - > To: ojgg2@kent.ac.uk - > From: olivier.gayot@sigexec.com - > Subject: Encrypted message - > MIME-Version: 1.0 - > Content-Disposition: attachment; filename="smime.p7m" - > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" - > Content-Transfer-Encoding: base64 - > - > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG - > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj - > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s - > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl - > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgLOKi60Rw/B0ZJDk78/x - > T0lmSSYhzaIfRJp5SMiH0zFodQFYVW7qBXFI1mXveD0e2k+jLl3phlQb/MXz47AH - > 6pj4OeE4Q0N+0NHmmoFKbN5s8xwH/0hBaLkEAes+ZCG1YjaEoIkPcc5VrGIMceJm - > Vh9GZRSQWo77J8q4EGzpTkZtMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQICCUR - > p0WUvGeAMMTU8q/foeWR6W+w9Wu0jBxHnEOEkjbTqDHasMbL6e0j1sGtKVY3eqtG - > uRoDPyq44Q== - -Using 'mutt', we can now send this email. We will then use 'openssl smime' -again on our recipient's machine to decrypt it using his private key. - - $ openssl smime -inkey private.key -decrypt -in mail.p7m - > This content is encrypted, can you read it? - - -=== Problem 2: Combining encryption and signature === - -What we want now is to encrypt the content of our message and sign it so that -the receiver can read the email and be sure as well that it comes from us. - -==== Resolution ==== - -We will start by encrypting our message the same way we did before. But then, -we will use 'openssl' again to sign it before actually sending it. For this -purpose, we could also use 'mutt'. However, we will use 'openssl smime' in this -example. - -Still having 'mail.p7m' be our encrypted message, the following command will -digitally sign it using the sender's private key: - - $ openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m - -On the receiver's machine, we can now authenticate the sender using its public -certificate as a Certificate Authority: - - $ openssl smime -CAfile certif.pem -verify -in mail.p7m - > To: ojgg2@kent.ac.uk - > From: olivier.gayot@sigexec.com - > Subject: Encrypted message - > MIME-Version: 1.0 - > Content-Disposition: attachment; filename="smime.p7m" - > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" - > Content-Transfer-Encoding: base64 - > - > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG - > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj - > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s - > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl - > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgHRgbsuN8NugJAzynX+9 - > tC300W0aqATHMsqXEzFJS4yA3PQDmgPpAL86iH/C5vAk9XQ1Fmnv0soIYaBTwqSH - > BraNZNKA90KvZPOAymGMVttCC7giWuBxzNOiruaPTnj9md0n9ps7/issftcj7VH6 - > DZ1ic+9pjn8bgThqFoxmsGkMMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIHxER - > UbQa6bqAMEOXZgXTurgcRt74OMS4xeSf1j2Z5abj1PSWBg60ldsbyhVuR2+8wllN - > wNi5FtbKFg== - > - > Verification successful - -By reusing the same command as before to decrypt the file using 'openssl -smime', we can extract its content: - - > This content is encrypted, can you read it? - -Using this technique, we can be certain that the message comes from the people -we think and that no one was able to read the content unless they have our -private key. - - |