From 0d0e3b3c05b5e3004f526bf0ace02885c36ce2d5 Mon Sep 17 00:00:00 2001 From: Olivier Gayot Date: Sun, 10 May 2015 20:36:08 +0100 Subject: use *.asciidoc(i) extension instead of *.adoc(i) Signed-off-by: Olivier Gayot --- smime.asciidoci | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 smime.asciidoci (limited to 'smime.asciidoci') diff --git a/smime.asciidoci b/smime.asciidoci new file mode 100644 index 0000000..1ecf8e4 --- /dev/null +++ b/smime.asciidoci @@ -0,0 +1,112 @@ +== S/MIME Practical, Week 11 == + +As for PGP, the purpose of this practical is to show us how to use S/MIME to +encrypt, decrypt and digitally sign our emails. + +At the end of this practical, we should be able to send and receive emails with +assurance of the identity of the senders. We will also be able not to worry +whether someone else was able to read their content. + +=== Problem 1: Configuring S/MIME with mutt === + +Though the support of S/MIME is present in 'mutt', it appears that it is very +cumbersome to use. 'mutt' is expecting 'pkcs12' files (that we can produce with +'openssl pkcs12'). Nevertheless, for some reason, it complains about our +'pkcs12' files being not completely bagged. + +There is very few information about this issue on the web and most of the +results are quite irrelevant. + +==== Resolution ==== + +We will not use the builtin support of 'S/MIME' in 'mutt'. Instead, the manual +pages 'openssl (1)' and 'smime (1)' describe us how to generate our emails +using 'openssl smime'. + +The following command will create our email and encrypt it using +ojgg2@kent.ac.uk's public key. + + $ openssl smime -encrypt -out mail.p7m -from olivier.gayot@sigexec.com -to ojgg2@kent.ac.uk -subject "Encrypted message" -des3 certif.crt + This content is encrypted, can you read it? + +We can check that our email file is encrypted: + + $ cat mail.p7m + > To: ojgg2@kent.ac.uk + 
> From: olivier.gayot@sigexec.com + > Subject: Encrypted message + > MIME-Version: 1.0 + > Content-Disposition: attachment; filename="smime.p7m" + > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" + > Content-Transfer-Encoding: base64 + > + > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG + > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj + > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s + > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl + > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgLOKi60Rw/B0ZJDk78/x + > T0lmSSYhzaIfRJp5SMiH0zFodQFYVW7qBXFI1mXveD0e2k+jLl3phlQb/MXz47AH + > 6pj4OeE4Q0N+0NHmmoFKbN5s8xwH/0hBaLkEAes+ZCG1YjaEoIkPcc5VrGIMceJm + > Vh9GZRSQWo77J8q4EGzpTkZtMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQICCUR + > p0WUvGeAMMTU8q/foeWR6W+w9Wu0jBxHnEOEkjbTqDHasMbL6e0j1sGtKVY3eqtG + > uRoDPyq44Q== + +Using 'mutt', we can now send this email. We will then use 'openssl smime' +again on our recipient's machine to decrypt it using his private key. + + $ openssl smime -inkey private.key -decrypt -in mail.p7m + > This content is encrypted, can you read it? + + +=== Problem 2: Combining encryption and signature === + +What we want now is to encrypt the content of our message and sign it so that +the receiver can read the email and be sure as well that it comes from us. + +==== Resolution ==== + +We will start by encrypting our message the same way we did before. But then, +we will use 'openssl' again to sign it before actually sending it. For this +purpose, we could also use 'mutt'. However, we will use 'openssl smime' in this +example. 
+ +Still having 'mail.p7m' be our encrypted message, the following command will +digitally sign it using the sender's private key: + + $ openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m + +On the receiver's machine, we can now authenticate the sender using its public +certificate as a Certificate Authority: + + $ openssl smime -CAfile certif.pem -verify -in mail.p7m + > To: ojgg2@kent.ac.uk + > From: olivier.gayot@sigexec.com + > Subject: Encrypted message + > MIME-Version: 1.0 + > Content-Disposition: attachment; filename="smime.p7m" + > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" + > Content-Transfer-Encoding: base64 + > + > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG + > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj + > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s + > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl + > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgHRgbsuN8NugJAzynX+9 + > tC300W0aqATHMsqXEzFJS4yA3PQDmgPpAL86iH/C5vAk9XQ1Fmnv0soIYaBTwqSH + > BraNZNKA90KvZPOAymGMVttCC7giWuBxzNOiruaPTnj9md0n9ps7/issftcj7VH6 + > DZ1ic+9pjn8bgThqFoxmsGkMMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIHxER + > UbQa6bqAMEOXZgXTurgcRt74OMS4xeSf1j2Z5abj1PSWBg60ldsbyhVuR2+8wllN + > wNi5FtbKFg== + > + > Verification successful + +By reusing the same command as before to decrypt the file using 'openssl +smime', we can extract its content: + + > This content is encrypted, can you read it? + +Using this technique, we can be certain that the message comes from the people +we think and that no one was able to read the content unless they have our +private key. + + -- cgit v1.2.3
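Review bot: the verification step in Problem 2 reads the wrong file: the sign command writes `signed_mail.p7m` (`openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m`), but the verify command is `openssl smime -CAfile certif.pem -verify -in mail.p7m`, which is the unsigned enveloped message and would not yield "Verification successful"; change it to `-verify -in signed_mail.p7m`. The same section then says the content is recovered "by reusing the same command as before" without showing the command; since `-verify` writes the recovered inner message to stdout, either add `-out verified.p7m` followed by `openssl smime -decrypt -inkey private.key -in verified.p7m`, or pipe the verify output straight into `openssl smime -decrypt -inkey private.key`, so the two-step recovery is reproducible. Two smaller points: the sender's certificate is `certif.crt` in the encrypt command but `certif.pem` in the sign and verify commands, so state whether these are the same file; and `-des3` is a legacy cipher (112-bit effective strength), whereas `openssl smime -encrypt` also accepts `-aes256`, which is the better default for a tutorial. Finally, the closing sentence says nobody can read the content "unless they have our private key"; the message is enveloped to the recipient's public key, so confidentiality rests on the recipient's private key, and because the signature is applied to the already-encrypted file it binds the signer to the ciphertext rather than to the plaintext, which is worth saying explicitly.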