summaryrefslogtreecommitdiff
path: root/smime.asciidoci
diff options
context:
space:
mode:
Diffstat (limited to 'smime.asciidoci')
-rw-r--r--smime.asciidoci112
1 files changed, 112 insertions, 0 deletions
diff --git a/smime.asciidoci b/smime.asciidoci
new file mode 100644
index 0000000..1ecf8e4
--- /dev/null
+++ b/smime.asciidoci
@@ -0,0 +1,112 @@
+== S/MIME Practical, Week 11 ==
+
+As for PGP, the purpose of this practical is to show us how to use S/MIME to
+encrypt, decrypt and digitally sign our emails.
+
+At the end of this practical, we should be able to send and receive emails with
+assurance of the identity of the senders. We will also be able not to worry
+whether someone else was able to read their content.
+
+=== Problem 1: Configuring S/MIME with mutt ===
+
+Though the support of S/MIME is present in 'mutt', it appears that it is very
+cumbersome to use. 'mutt' is expecting 'pkcs12' files (that we can produce with
+'openssl pkcs12'). Nevertheless, for some reason, it complains about our
+'pkcs12' files being not completely bagged.
+
+There is very few information about this issue on the web and most of the
+results are quite irrelevant.
+
+==== Resolution ====
+
+We will not use the builtin support of 'S/MIME' in 'mutt'. Instead, the manual
+pages 'openssl (1)' and 'smime (1)' describe us how to generate our emails
+using 'openssl smime'.
+
+The following command will create our email and encrypt it using
+ojgg2@kent.ac.uk's public key.
+
+ $ openssl smime -encrypt -out mail.p7m -from olivier.gayot@sigexec.com -to ojgg2@kent.ac.uk -subject "Encrypted message" -des3 certif.crt
+ This content is encrypted, can you read it?
+
+We can check that our email file is encrypted:
+
+ $ cat mail.p7m
+ > To: ojgg2@kent.ac.uk
+ > From: olivier.gayot@sigexec.com
+ > Subject: Encrypted message
+ > MIME-Version: 1.0
+ > Content-Disposition: attachment; filename="smime.p7m"
+ > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
+ > Content-Transfer-Encoding: base64
+ >
+ > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
+ > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
+ > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
+ > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
+ > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgLOKi60Rw/B0ZJDk78/x
+ > T0lmSSYhzaIfRJp5SMiH0zFodQFYVW7qBXFI1mXveD0e2k+jLl3phlQb/MXz47AH
+ > 6pj4OeE4Q0N+0NHmmoFKbN5s8xwH/0hBaLkEAes+ZCG1YjaEoIkPcc5VrGIMceJm
+ > Vh9GZRSQWo77J8q4EGzpTkZtMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQICCUR
+ > p0WUvGeAMMTU8q/foeWR6W+w9Wu0jBxHnEOEkjbTqDHasMbL6e0j1sGtKVY3eqtG
+ > uRoDPyq44Q==
+
+Using 'mutt', we can now send this email. We will then use 'openssl smime'
+again on our recipient's machine to decrypt it using his private key.
+
+ $ openssl smime -inkey private.key -decrypt -in mail.p7m
+ > This content is encrypted, can you read it?
+
+
+=== Problem 2: Combining encryption and signature ===
+
+What we want now is to encrypt the content of our message and sign it so that
+the receiver can read the email and be sure as well that it comes from us.
+
+==== Resolution ====
+
+We will start by encrypting our message the same way we did before. But then,
+we will use 'openssl' again to sign it before actually sending it. For this
+purpose, we could also use 'mutt'. However, we will use 'openssl smime' in this
+example.
+
+Still having 'mail.p7m' be our encrypted message, the following command will
+digitally sign it using the sender's private key:
+
+ $ openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m
+
+On the receiver's machine, we can now authenticate the sender using its public
+certificate as a Certificate Authority:
+
+ $ openssl smime -CAfile certif.pem -verify -in mail.p7m
+ > To: ojgg2@kent.ac.uk
+ > From: olivier.gayot@sigexec.com
+ > Subject: Encrypted message
+ > MIME-Version: 1.0
+ > Content-Disposition: attachment; filename="smime.p7m"
+ > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
+ > Content-Transfer-Encoding: base64
+ >
+ > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
+ > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
+ > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
+ > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
+ > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgHRgbsuN8NugJAzynX+9
+ > tC300W0aqATHMsqXEzFJS4yA3PQDmgPpAL86iH/C5vAk9XQ1Fmnv0soIYaBTwqSH
+ > BraNZNKA90KvZPOAymGMVttCC7giWuBxzNOiruaPTnj9md0n9ps7/issftcj7VH6
+ > DZ1ic+9pjn8bgThqFoxmsGkMMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIHxER
+ > UbQa6bqAMEOXZgXTurgcRt74OMS4xeSf1j2Z5abj1PSWBg60ldsbyhVuR2+8wllN
+ > wNi5FtbKFg==
+ >
+ > Verification successful
+
+By reusing the same command as before to decrypt the file using 'openssl
+smime', we can extract its content:
+
+ > This content is encrypted, can you read it?
+
+Using this technique, we can be certain that the message comes from the people
+we think and that no one was able to read the content unless they have our
+private key.
+
+