summaryrefslogtreecommitdiff
path: root/smime.adoci
diff options
context:
space:
mode:
Diffstat (limited to 'smime.adoci')
-rw-r--r--smime.adoci112
1 files changed, 0 insertions, 112 deletions
diff --git a/smime.adoci b/smime.adoci
deleted file mode 100644
index 1ecf8e4..0000000
--- a/smime.adoci
+++ /dev/null
@@ -1,112 +0,0 @@
-== S/MIME Practical, Week 11 ==
-
-As for PGP, the purpose of this practical is to show us how to use S/MIME to
-encrypt, decrypt and digitally sign our emails.
-
-At the end of this practical, we should be able to send and receive emails with
-assurance of the identity of the senders. We will also be able not to worry
-whether someone else was able to read their content.
-
-=== Problem 1: Configuring S/MIME with mutt ===
-
-Though the support of S/MIME is present in 'mutt', it appears that it is very
-cumbersome to use. 'mutt' is expecting 'pkcs12' files (that we can produce with
-'openssl pkcs12'). Nevertheless, for some reason, it complains about our
-'pkcs12' files being not completely bagged.
-
-There is very few information about this issue on the web and most of the
-results are quite irrelevant.
-
-==== Resolution ====
-
-We will not use the builtin support of 'S/MIME' in 'mutt'. Instead, the manual
-pages 'openssl (1)' and 'smime (1)' describe us how to generate our emails
-using 'openssl smime'.
-
-The following command will create our email and encrypt it using
-ojgg2@kent.ac.uk's public key.
-
- $ openssl smime -encrypt -out mail.p7m -from olivier.gayot@sigexec.com -to ojgg2@kent.ac.uk -subject "Encrypted message" -des3 certif.crt
- This content is encrypted, can you read it?
-
-We can check that our email file is encrypted:
-
- $ cat mail.p7m
- > To: ojgg2@kent.ac.uk
- > From: olivier.gayot@sigexec.com
- > Subject: Encrypted message
- > MIME-Version: 1.0
- > Content-Disposition: attachment; filename="smime.p7m"
- > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
- > Content-Transfer-Encoding: base64
- >
- > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
- > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
- > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
- > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
- > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgLOKi60Rw/B0ZJDk78/x
- > T0lmSSYhzaIfRJp5SMiH0zFodQFYVW7qBXFI1mXveD0e2k+jLl3phlQb/MXz47AH
- > 6pj4OeE4Q0N+0NHmmoFKbN5s8xwH/0hBaLkEAes+ZCG1YjaEoIkPcc5VrGIMceJm
- > Vh9GZRSQWo77J8q4EGzpTkZtMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQICCUR
- > p0WUvGeAMMTU8q/foeWR6W+w9Wu0jBxHnEOEkjbTqDHasMbL6e0j1sGtKVY3eqtG
- > uRoDPyq44Q==
-
-Using 'mutt', we can now send this email. We will then use 'openssl smime'
-again on our recipient's machine to decrypt it using his private key.
-
- $ openssl smime -inkey private.key -decrypt -in mail.p7m
- > This content is encrypted, can you read it?
-
-
-=== Problem 2: Combining encryption and signature ===
-
-What we want now is to encrypt the content of our message and sign it so that
-the receiver can read the email and be sure as well that it comes from us.
-
-==== Resolution ====
-
-We will start by encrypting our message the same way we did before. But then,
-we will use 'openssl' again to sign it before actually sending it. For this
-purpose, we could also use 'mutt'. However, we will use 'openssl smime' in this
-example.
-
-Still having 'mail.p7m' be our encrypted message, the following command will
-digitally sign it using the sender's private key:
-
- $ openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m
-
-On the receiver's machine, we can now authenticate the sender using its public
-certificate as a Certificate Authority:
-
- $ openssl smime -CAfile certif.pem -verify -in mail.p7m
- > To: ojgg2@kent.ac.uk
- > From: olivier.gayot@sigexec.com
- > Subject: Encrypted message
- > MIME-Version: 1.0
- > Content-Disposition: attachment; filename="smime.p7m"
- > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
- > Content-Transfer-Encoding: base64
- >
- > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
- > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
- > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
- > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
- > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgHRgbsuN8NugJAzynX+9
- > tC300W0aqATHMsqXEzFJS4yA3PQDmgPpAL86iH/C5vAk9XQ1Fmnv0soIYaBTwqSH
- > BraNZNKA90KvZPOAymGMVttCC7giWuBxzNOiruaPTnj9md0n9ps7/issftcj7VH6
- > DZ1ic+9pjn8bgThqFoxmsGkMMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIHxER
- > UbQa6bqAMEOXZgXTurgcRt74OMS4xeSf1j2Z5abj1PSWBg60ldsbyhVuR2+8wllN
- > wNi5FtbKFg==
- >
- > Verification successful
-
-By reusing the same command as before to decrypt the file using 'openssl
-smime', we can extract its content:
-
- > This content is encrypted, can you read it?
-
-Using this technique, we can be certain that the message comes from the people
-we think and that no one was able to read the content unless they have our
-private key.
-
-