S/MIME

10.03.2024

Email offers convenience and efficiency that has made this digital communication method indispensable in everyday life.

However, alongside its many benefits, email carries risk: it is increasingly used as an attack vector against people and organizations, for example by an attacker who forges the sender address to extract sensitive information.

Fortunately, email security solutions based on digital signatures and encryption can protect the privacy of messages and keep sensitive information from falling into the wrong hands.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard that provides confidentiality and sender authentication for email messages, both when they are sent and when they are received.

S/MIME builds on the MIME standard, which lets email carry non-ASCII content and attachments. S/MIME therefore secures text messages together with their attachments.

As a standard for MIME-encapsulated email messages, S/MIME offers two basic security features, digital signature and encryption, and provides the following services for electronic messaging applications:

  • Authentication, integrity, and non-repudiation (using digital signature)
  • Data privacy and security (using encryption)

An S/MIME email message can be readily identified as signed and/or encrypted by the receiving client.

It should be noted that a key/certificate must be obtained and installed to digitally authenticate the people with whom messages are exchanged prior to using S/MIME in any email app.

Generally, S/MIME only works properly with apps designed specifically for handling email, since web-based services may not display signed messages correctly, simply showing an empty email with an attachment containing the actual message instead.

History of S/MIME

Email is carried by SMTP, a protocol that predates S/MIME and is still in universal use, but SMTP itself is not secure. The S/MIME standard builds on top of SMTP, keeping email universally deliverable without compromising security.

The first S/MIME version was developed back in 1995 by several vendors as a set of message security specifications. At the time, there was no single recognized secure messaging standard, but rather several competing ones.

The situation began to change in 1998 when S/MIME Version 2 was introduced. Unlike the first version, it emerged as the leading contender for a security standard, establishing the basic framework for handling messages and digital certificates.

In 1999, S/MIME Version 3 was proposed to improve its performance, updating message and certificate handling standards with enhanced specifications and expanding its general capabilities to include additional services such as secure receipts, triple wrapping, and security labels.

S/MIME Version 3 has become a widely accepted message security standard. 

Certificates and Digital Signature for Email

A certificate is needed to digitally sign and encrypt an email message. It can be described as a document issued by a trusted third party (certificate authority) used to validate and verify the identities of both the message sender and recipient.

The verifying party known as a Certificate Authority (CA) needs to validate certain information before issuing digital certificates. A certificate is unique to each entity/person and is used, among other things, to sign emails, thereby authenticating the information.

When an email is digitally signed, a cryptographic operation binds the signer’s digital certificate to the message content to form a unique fingerprint.

The two unique components of the signature (the signer’s certificate and the email content) offer the following security benefits:

  • Authenticity: when the signer’s certificate (validated by a CA) is used to sign an email, the recipient can be sure of the identity of the person who signed the document.
  • Integrity: when the signature is verified, it confirms that the email content at the time of verification is the same as it was at the time of signing, since even the slightest change to the original document will cause the verification to fail.
  • Non-repudiation: the digital signature prevents its owner from denying that the message really originated from them, since it is impossible to dispute an authenticated signature.

Although digital signatures provide data integrity, they cannot ensure confidentiality. Digitally signed messages are sent as plain text, so message encryption must be used to protect the content.

In its simplest form, a digital signature works by signing the email message when it is sent and verifying the signature when it is read.

The sender’s information used to verify the signature is not the same as that used by the sender to sign the message: the signature is created with the sender’s private key, and the recipient checks it with the public key carried in the sender’s certificate. The recipient can thus validate the sender’s unique information without ever knowing it.

The operations of signing and verifying the digital signature together can authenticate the email sender and confirm the integrity of the content of the signed message.

Sender authentication has the additional benefit of non-repudiation, meaning that the authenticated sender cannot deny having sent the message. Digital signatures address the issues of spoofing and data manipulation against which SMTP offers no protection.

Email Encryption

SMTP-based email messages are not protected. An email can be read by anyone who accesses it while it is being transmitted or stored on a server. S/MIME remedies the situation using encryption.

Encryption is a way of transforming information so that it cannot be read or understood until it is changed back into a readable and understandable format. Thus, it provides two specific security features:

  • Confidentiality: Encryption protects the email message content by making it accessible only to the intended recipient, while anyone else who may receive or see the message will not be able to read it, so it remains confidential. With encryption, a message can be transmitted and stored securely.
  • Integrity: As with digital signatures, message encryption provides data integrity through the operations that the encryption process itself performs.

It is important to clarify that, although encryption provides privacy, it does not authenticate the sender of the message in any way. An unsigned encrypted message is just as susceptible to spoofing as an unencrypted one.

While encryption provides data integrity, it can only show that the message has not been modified after being sent, not who sent it. To verify the sender’s identity, a message must be digitally signed.

S/MIME applies asymmetric cryptography to encrypt emails, where a pair of keys (public and private) is used to send messages.

Each message recipient has a pair of linked keys: one public (known to the sender) and one private (used only by the recipient).

When sending a message, the sender encrypts it with the recipient’s public key. When the recipient gets the message, they decrypt it with their private key.

This cryptographic method also guarantees that each key pair is generated only once, so two people cannot accidentally end up with the same key pair.

The encryption operation performed when a message is sent encrypts the electronic message using information specific to the recipient. The original content is replaced with the encrypted one before being sent to the recipient.

The recipient information used to encrypt the message is not the same as that provided by the recipient when it is decrypted. The sender uses the recipient’s unique information without actually knowing it.

As the recipient opens an encrypted message, a decryption operation is performed to retrieve the encrypted message and the recipient’s unique information. The recipient’s unique information is used to decrypt the encrypted message. This operation returns an unencrypted message which the recipient sees. If the message has been modified in transit, the decryption operation will fail.

Triple-Wrapped Messages

One of the most notable improvements in S/MIME Version 3 is triple-wrapping, meaning that a message is signed, encrypted, and then signed again. This feature provides an additional layer of security.
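The following script is an added example and not Protelion’s code: it runs the operations this post describes (signing and verifying, encrypting and decrypting, and the Version 3 triple wrap) with the `openssl smime` command, and it shows how a client tells a signed message from an encrypted one by looking at the outermost Content-Type header. It assumes `openssl` 1.1.1 or later is on the PATH. The certificates for `alice@example.com` and `bob@example.com` are self-signed stand-ins for CA-issued ones, and the message text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Protelion's code): S/MIME sign/verify, encrypt/decrypt and
# triple wrap with the openssl smime tool. Assumes openssl 1.1.1+ on PATH.
# alice/bob certificates are self-signed stand-ins; the message is constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Key pair plus self-signed certificate for one mailbox. In production the
# certificate is issued by a CA after it has validated the mailbox owner.
mkcert() { # $1 = file prefix, $2 = email address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=email:$2" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Signer side: clear-signed (multipart/signed) message from a text body,
# using Alice's private key.
sign_msg() { # $1 = plaintext in, $2 = signed message out
  openssl smime -sign -text -in "$1" -signer alice.crt -inkey alice.key -out "$2"
}

# Recipient side: check the signature against Alice's trusted certificate and
# extract the content. Exit status is non-zero if the content was altered.
verify_msg() { # $1 = signed message, $2 = recovered content out
  openssl smime -verify -in "$1" -CAfile alice.crt -out "$2" 2>/dev/null
}

# Sender side: encrypt to Bob using only his public certificate.
encrypt_msg() { # $1 = content in, $2 = enveloped message out
  openssl smime -encrypt -aes256 -in "$1" -out "$2" bob.crt
}

# Recipient side: decrypt with Bob's private key.
decrypt_msg() { # $1 = enveloped message, $2 = content out
  openssl smime -decrypt -in "$1" -inkey bob.key -recip bob.crt -out "$2"
}

# What a client sees in the outermost Content-Type header (RFC 8551 labels;
# openssl emits the older x-pkcs7 names, which the patterns also match).
smime_kind() { # $1 = message file
  ct=$(awk '/^$/ { exit } tolower($0) ~ /^content-type:/ { print tolower($0); exit }' "$1")
  case "$ct" in
    *multipart/signed*)                     echo signed ;;
    *pkcs7-mime*smime-type=signed-data*)    echo signed ;;
    *pkcs7-mime*smime-type=enveloped-data*) echo encrypted ;;
    *)                                      echo plain ;;
  esac
}

mkcert alice alice@example.com   # signer
mkcert bob   bob@example.com     # recipient
printf 'Hello Bob,\ntransfer 100 EUR to account 42.\n' > msg.txt   # constructed body

# 1. Signature: verifies as written, fails after a one-character change.
sign_msg msg.txt msg.signed
verify_msg msg.signed verified.txt
sed 's/100 EUR/900 EUR/' msg.signed > tampered.signed
if verify_msg tampered.signed /dev/null; then
  echo 'tampering was not detected'; exit 1
fi

# 2. Encryption: anyone can encrypt to Bob, only Bob's key recovers the body.
encrypt_msg msg.txt msg.enc
decrypt_msg msg.enc decrypted.txt

# 3. Triple wrap (S/MIME v3): sign, encrypt, sign again; unwrap in reverse.
encrypt_msg msg.signed triple.enc
openssl smime -sign -in triple.enc -signer alice.crt -inkey alice.key -out triple.msg
verify_msg triple.msg layer2.enc      # outer signature
decrypt_msg layer2.enc layer1.signed  # envelope
verify_msg layer1.signed inner.txt    # inner signature

echo "outer layer of msg.signed: $(smime_kind msg.signed)"
echo "outer layer of msg.enc:    $(smime_kind msg.enc)"
echo "outer layer of triple.msg: $(smime_kind triple.msg)"
```

Note that the triple-wrapped message classifies as "signed" from the outside: the envelope is only visible after the outer signature has been verified, and the inner signature only after Bob has decrypted, which is exactly the layering the post describes. Also note that `openssl smime -sign` writes the signed content with CRLF line endings, as S/MIME requires, so the recovered text differs from the original file only in line terminators.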

Digital signatures and message encryption are complementary methods providing a comprehensive solution against security threats associated with SMTP-based email.

Digital signatures and message encryption are not mutually exclusive, as each service addresses specific security issues. Digital signatures deal with authentication and non-repudiation, while encryption ensures privacy.

In S/MIME, these two services are designed to be used together, each handling one aspect of the sender-receiver relationship. Digital signatures address security issues that lie with the sender, encryption addresses those primarily related to the recipient.

By combining digital signatures and message encryption, users can benefit from both features. S/MIME provides a security standard for sending and receiving email messages. The core functionality of S/MIME is support for public key cryptography.

When it comes to email security, companies need a solution that not only protects them from the growing threats such as phishing, data loss or breach, but is also accepted by end users. S/MIME strikes the balance between security and usability as it addresses the main threats and can be implemented and managed without extensive user training or resources.
