== S/MIME Practical, Week 11 == As for PGP, the purpose of this practical is to show us how to use S/MIME to encrypt, decrypt and digitally sign our emails. At the end of this practical, we should be able to send and receive emails with assurance of the identity of the senders. We will also be able not to worry whether someone else was able to read their content. === Problem 1: Configuring S/MIME with mutt === Though the support of S/MIME is present in 'mutt', it appears that it is very cumbersome to use. 'mutt' is expecting 'pkcs12' files (that we can produce with 'openssl pkcs12'). Nevertheless, for some reason, it complains about our 'pkcs12' files being not completely bagged. There is very few information about this issue on the web and most of the results are quite irrelevant. ==== Resolution ==== We will not use the builtin support of 'S/MIME' in 'mutt'. Instead, the manual pages 'openssl (1)' and 'smime (1)' describe us how to generate our emails using 'openssl smime'. The following command will create our email and encrypt it using ojgg2@kent.ac.uk's public key. $ openssl smime -encrypt -out mail.p7m -from olivier.gayot@sigexec.com -to ojgg2@kent.ac.uk -subject "Encrypted message" -des3 certif.crt This content is encrypted, can you read it? We can check that our email file is encrypted: $ cat mail.p7m > To: ojgg2@kent.ac.uk > From: olivier.gayot@sigexec.com > Subject: Encrypted message > MIME-Version: 1.0 > Content-Disposition: attachment; filename="smime.p7m" > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" > Content-Transfer-Encoding: base64 > > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgLOKi60Rw/B0ZJDk78/x > T0lmSSYhzaIfRJp5SMiH0zFodQFYVW7qBXFI1mXveD0e2k+jLl3phlQb/MXz47AH > 6pj4OeE4Q0N+0NHmmoFKbN5s8xwH/0hBaLkEAes+ZCG1YjaEoIkPcc5VrGIMceJm > Vh9GZRSQWo77J8q4EGzpTkZtMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQICCUR > p0WUvGeAMMTU8q/foeWR6W+w9Wu0jBxHnEOEkjbTqDHasMbL6e0j1sGtKVY3eqtG > uRoDPyq44Q== Using 'mutt', we can now send this email. We will then use 'openssl smime' again on our recipient's machine to decrypt it using his private key. $ openssl smime -inkey private.key -decrypt -in mail.p7m > This content is encrypted, can you read it? === Problem 2: Combining encryption and signature === What we want now is to encrypt the content of our message and sign it so that the receiver can read the email and be sure as well that it comes from us. ==== Resolution ==== We will start by encrypting our message the same way we did before. But then, we will use 'openssl' again to sign it before actually sending it. For this purpose, we could also use 'mutt'. However, we will use 'openssl smime' in this example. Still having 'mail.p7m' be our encrypted message, the following command will digitally sign it using the sender's private key: $ openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m On the receiver's machine, we can now authenticate the sender using its public certificate as a Certificate Authority: $ openssl smime -CAfile certif.pem -verify -in mail.p7m > To: ojgg2@kent.ac.uk > From: olivier.gayot@sigexec.com > Subject: Encrypted message > MIME-Version: 1.0 > Content-Disposition: attachment; filename="smime.p7m" > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m" > Content-Transfer-Encoding: base64 > > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgHRgbsuN8NugJAzynX+9 > tC300W0aqATHMsqXEzFJS4yA3PQDmgPpAL86iH/C5vAk9XQ1Fmnv0soIYaBTwqSH > BraNZNKA90KvZPOAymGMVttCC7giWuBxzNOiruaPTnj9md0n9ps7/issftcj7VH6 > DZ1ic+9pjn8bgThqFoxmsGkMMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIHxER > UbQa6bqAMEOXZgXTurgcRt74OMS4xeSf1j2Z5abj1PSWBg60ldsbyhVuR2+8wllN > wNi5FtbKFg== > > Verification successful By reusing the same command as before to decrypt the file using 'openssl smime', we can extract its content: > This content is encrypted, can you read it? Using this technique, we can be certain that the message comes from the people we think and that no one was able to read the content unless they have our private key.