1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
== S/MIME Practical, Week 11 ==
As for PGP, the purpose of this practical is to show us how to use S/MIME to
encrypt, decrypt and digitally sign our emails.
At the end of this practical, we should be able to send and receive emails with
assurance of the identity of the senders. We will also be able not to worry
whether someone else was able to read their content.
=== Problem 1: Configuring S/MIME with mutt ===
Though the support of S/MIME is present in 'mutt', it appears that it is very
cumbersome to use. 'mutt' is expecting 'pkcs12' files (that we can produce with
'openssl pkcs12'). Nevertheless, for some reason, it complains about our
'pkcs12' files being not completely bagged.
There is very few information about this issue on the web and most of the
results are quite irrelevant.
==== Resolution ====
We will not use the builtin support of 'S/MIME' in 'mutt'. Instead, the manual
pages 'openssl (1)' and 'smime (1)' describe us how to generate our emails
using 'openssl smime'.
The following command will create our email and encrypt it using
ojgg2@kent.ac.uk's public key.
$ openssl smime -encrypt -out mail.p7m -from olivier.gayot@sigexec.com -to ojgg2@kent.ac.uk -subject "Encrypted message" -des3 certif.crt
This content is encrypted, can you read it?
We can check that our email file is encrypted:
$ cat mail.p7m
> To: ojgg2@kent.ac.uk
> From: olivier.gayot@sigexec.com
> Subject: Encrypted message
> MIME-Version: 1.0
> Content-Disposition: attachment; filename="smime.p7m"
> Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
> Content-Transfer-Encoding: base64
>
> MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
> A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
> MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
> aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
> Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgLOKi60Rw/B0ZJDk78/x
> T0lmSSYhzaIfRJp5SMiH0zFodQFYVW7qBXFI1mXveD0e2k+jLl3phlQb/MXz47AH
> 6pj4OeE4Q0N+0NHmmoFKbN5s8xwH/0hBaLkEAes+ZCG1YjaEoIkPcc5VrGIMceJm
> Vh9GZRSQWo77J8q4EGzpTkZtMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQICCUR
> p0WUvGeAMMTU8q/foeWR6W+w9Wu0jBxHnEOEkjbTqDHasMbL6e0j1sGtKVY3eqtG
> uRoDPyq44Q==
Using 'mutt', we can now send this email. We will then use 'openssl smime'
again on our recipient's machine to decrypt it using his private key.
$ openssl smime -inkey private.key -decrypt -in mail.p7m
> This content is encrypted, can you read it?
=== Problem 2: Combining encryption and signature ===
What we want now is to encrypt the content of our message and sign it so that
the receiver can read the email and be sure as well that it comes from us.
==== Resolution ====
We will start by encrypting our message the same way we did before. But then,
we will use 'openssl' again to sign it before actually sending it. For this
purpose, we could also use 'mutt'. However, we will use 'openssl smime' in this
example.
Still having 'mail.p7m' be our encrypted message, the following command will
digitally sign it using the sender's private key:
$ openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m
On the receiver's machine, we can now authenticate the sender using its public
certificate as a Certificate Authority:
$ openssl smime -CAfile certif.pem -verify -in mail.p7m
> To: ojgg2@kent.ac.uk
> From: olivier.gayot@sigexec.com
> Subject: Encrypted message
> MIME-Version: 1.0
> Content-Disposition: attachment; filename="smime.p7m"
> Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
> Content-Transfer-Encoding: base64
>
> MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
> A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
> MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
> aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
> Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgHRgbsuN8NugJAzynX+9
> tC300W0aqATHMsqXEzFJS4yA3PQDmgPpAL86iH/C5vAk9XQ1Fmnv0soIYaBTwqSH
> BraNZNKA90KvZPOAymGMVttCC7giWuBxzNOiruaPTnj9md0n9ps7/issftcj7VH6
> DZ1ic+9pjn8bgThqFoxmsGkMMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIHxER
> UbQa6bqAMEOXZgXTurgcRt74OMS4xeSf1j2Z5abj1PSWBg60ldsbyhVuR2+8wllN
> wNi5FtbKFg==
>
> Verification successful
By reusing the same command as before to decrypt the file using 'openssl
smime', we can extract its content:
> This content is encrypted, can you read it?
Using this technique, we can be certain that the message comes from the people
we think and that no one was able to read the content unless they have our
private key.
|