S/MIME Compatibility
Assessing the compatibility and best practices of using S/MIME encryption

GLOBALSIGN WHITE PAPER
Ben Lightowler, Security Analyst
GMO GlobalSign Ltd
www.globalsign.com
Contents

Introduction .......................................................... 3
Why S/MIME Certificates? .............................................. 3
S/MIME Compatibility .................................................. 3
Best Practices ........................................................ 4
    Encryption Strength vs. Compatibility ............................. 4
    Setting Algorithms and Recommendations ............................ 4
    Troubleshooting ................................................... 5
Backing Up ............................................................ 7
Fig 1: S/MIME Email Client Compatibility Table ........................ 8
INQUIRE ABOUT SECURE EMAIL SOLUTIONS .................................. 9
ABOUT GLOBALSIGN ...................................................... 9
www.globalsign.com Page 2
INTRODUCTION

Many organizations, both large and small, face difficult choices when considering secure data transfer between stakeholder groups. Virtual teams made up of internal colleagues, outside partners and even potential clients need to collaborate effectively and securely, which calls for cost-effective ways to verify the integrity of the data they receive while also keeping it confidential. This is especially true now that e-mail is relayed over the open Internet and "cloud" storage for collaboration (Google Docs, Dropbox etc.) is so freely available. Now more than ever, data protection is one of the biggest concerns for CISOs and heads of security, who need solutions that cover encryption of data both at rest and in transit to other parties. This white paper highlights S/MIME certificates as one such solution: a way to maintain confidentiality while also proving the integrity and origin of e-mails and their authors.

Although nobody wants sensitive information to be exposed, many organizations risk exposure by transmitting data over insecure channels. Password-protecting a ZIP file still requires the password itself to be transferred securely, and there is the ever-present risk of simply forgetting to protect the ZIP file before sending it. In recent years the need to encrypt sensitive information, including the text of the e-mail itself, has grown in prominence. As data storage and communications move to the "cloud" and assets become available remotely, extra dimensions are added to the threat model. This added convenience need not, however, require a compromise in security. Provided that encryption and signing have been implemented to the correct standard, intercepted data cannot be read, and any modification of it is detected by the recipient.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is the industry standard for public-key encryption and signing of MIME-based data. It provides message integrity, authentication and non-repudiation via digital signatures, and privacy via data encryption. S/MIME is a standard tracked by the IETF; at the time of writing it is defined by RFCs 3851, 3850, 3370 and 3369. (RFC 3851 and RFC 3850, the message and certificate-handling specifications, have since been superseded by RFC 5751 and RFC 5750, and RFC 3369, the Cryptographic Message Syntax, by RFC 5652.) When encrypting, S/MIME wraps the MIME entity to be protected in a CMS EnvelopedData structure, which is then carried as a PKCS#7 MIME entity (Content-Type application/pkcs7-mime).

WHY S/MIME CERTIFICATES?

- Detect tampering with e-mail content
- Prove message origin
- Prevent exposure of e-mail content
- Flexible and secure communication

S/MIME COMPATIBILITY

The S/MIME protocol occupies an ever-evolving space in the communications spectrum. Over time it has proven robust enough to cope with an array of different environments, preferences and requirements. For that reason browser-based web clients, as well as desktop and server implementations, must be able to interoperate with each other, and this is where the system can develop a few pitfalls: it is not always possible to meet future needs and past expectations with the same settings.

Because of the timeframes involved in product development and the mismatched release cycles of different vendors, there is in practice no single configuration that every client supports. Current best practice keeps moving the goal posts, with increased security sometimes achieved at the expense of maximum compatibility. The hash algorithms used for digital signatures have moved forward in recent years (from MD5 to SHA-1 and now onwards towards adoption of the SHA-2 family). In much the same way, the RSA key length considered necessary for signing has moved from 1024 to 2048 bits, and content encryption has moved away from Triple DES (3DES) to the various key sizes of AES (the Advanced Encryption Standard). With unmodified e-mail clients of different ages this causes real frustration when authors and recipients find themselves unable to decrypt each other's messages.

A comprehensive summary of these issues can be seen in Fig 1 at the end of this paper, with conclusions offering a choice.

One concern is that the value of e-mail encryption seems to have been greatly underestimated, especially given the many recent high-profile attacks against e-mail service providers. Personal users with concerns over privacy and
corporate users with concerns over confidentiality need to realise that using the Internet as the transport mechanism for e-mail is equivalent to sending a postcard by snail mail. In the case of the postcard, anyone involved in the delivery chain is able to intercept and read the content, at the sorting office and right up to the letterbox itself. Given that it is obviously unwise to send a postcard with confidential details in plain text, why should an e-mail be any different? Malicious users can monitor e-mails quite freely and the authors are none the wiser.

Best Practices

Research into the strengths and weaknesses of S/MIME-compatible e-mail clients has yielded the following recommendations for best practice when using particular applications.

Encryption Strength vs. Compatibility

For almost all mail clients, users have the option to set both the signing (hash) algorithm and the encryption algorithm. When selecting a signing algorithm it can be tempting to use the strongest available at the time; in the case of Outlook 2010 this would be SHA-256 up to SHA-512. Whilst this might be reassuring, the negative implications for compatibility can greatly outweigh the benefit of the stronger hash, as highlighted in Fig 1. Whilst the choice of algorithms is more limited in legacy versions, this does not mean they are insecure. At the time of writing, the SHA-1 signing algorithm (recommended below) strikes the best balance between ubiquitous compatibility and hash algorithm strength. That balance reflects the client landscape captured in Fig 1 and shifts as clients are updated: SHA-1 has since been shown to be vulnerable to practical collision attacks and is deprecated for new signatures, and 3DES has been deprecated in turn, so where every client in a user population supports SHA-256 and AES there is no longer a compatibility reason to choose the older pair.

The other option available to most mail client users is the encryption algorithm. Here it is the recommendation of this author to use the strongest available wherever possible. During the research that produced Fig 1 the strongest encryption possible was almost always used: 3DES in the case of legacy clients and AES-256 for more modern mail clients. This is not to say that the encryption algorithms available to older mail clients are sub-standard. Users should not feel paranoid or insecure when 3DES is their strongest encryption option; it remains just as viable in situations where compatibility with such clients is called for.

In simple terms, the choice comes down to the user's specific needs. If the requirement is maximum security over a long period of time, selecting the strongest and most robust algorithm available is the sensible choice. If the user's requirement is short term and the primary concern is clear authentication of the sender, then the older and more proven algorithms would be more suitable.

Setting Algorithms and Recommendations

For optimal compatibility, Outlook 2011 for Mac OS X users should set their e-mail security settings to the SHA-1 signing algorithm and the 3DES encryption algorithm, or to AES-256 for greater security. These settings can be found through Outlook -> Preferences -> Accounts -> Advanced -> Security tab.

Outlook 2007 users can find their e-mail security settings through Tools -> Trust Center -> E-mail Security tab -> Settings. As with Outlook for Mac, the recommended settings are the SHA-1 signing algorithm and the 3DES encryption algorithm, as shown below.
Thunderbird users will find that their e-mail security settings are limited to the point where the option to change the signing and encryption algorithms is not available.

Mulberry Mail users can find the e-mail security settings through File -> Preferences -> Advanced radio button -> Security tab. For the highest level of compatibility, make sure that 'Use MIME Multipart Security with PGP' is ticked, and for ease of use make sure that the options to automatically verify and decrypt messages when opened are ticked.

The next section is aimed at Outlook 2010 users. To check your hashing and encryption algorithms, locate the security settings in Outlook via File -> Options -> Trust Center Settings -> Email Security tab -> Settings. Ideally the hash algorithm should be set to SHA-1 and the encryption algorithm to AES (256-bit).

The following are a couple of points that help avoid common issues. The first is to avoid an encryption flagging error: ensure that the 'Send clear text signed message when sending signed messages' option is ticked. With it ticked, Outlook sends signed mail as multipart/signed, so the body stays readable in clients that cannot verify the signature; unticked, the signed body is wrapped in an opaque application/pkcs7-mime part that such clients cannot display. This option can be found in Outlook via File -> Options -> Trust Center Settings -> Email Security tab, as shown below.

Troubleshooting

Outlook 2010 users might find that the recipients of their encrypted e-mails are unable to decrypt them. The following is a fix that Microsoft has released to address this problem.

1. Start Registry Editor: Start -> Search -> regedit
2. Locate and then click to select the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
3. Note: create the Security registry subkey if it does not exist.
4. Right click -> New -> DWORD (32-bit) Value
5. Add the following registry data to this key: Value name: UseIssuerSerialNumber; Value data: 1 (0x00000001)
6. Close regedit and restart Outlook.

This quick fix changes how the recipient of an encrypted message is identified, not the encryption itself. Rather than using the newer Subject Key Identifier (SKI) method, Outlook reverts to identifying the recipient's certificate by its issuer name and serial number (S/N). SKI has the advantage that multiple re-issued certificates for the same key pair share the same SKI (the SKI is normally a SHA-1 hash of the public key) rather than each being tied to a unique serial number, but it is not yet widely supported by other e-mail clients and operating systems. Both forms are defined by the Cryptographic Message Syntax (CMS), RFC 5652, as the RecipientIdentifier choice in KeyTransRecipientInfo: version 0 of that structure carries an issuer and serial number, version 2 a SubjectKeyIdentifier, and a client that only understands version 0 cannot locate its private key for a message that uses version 2.

For more information please see Microsoft Knowledge Base article http://support.microsoft.com/kb/2142236.
Another issue potentially affecting Outlook 2010 users is an attachment error. Mac OS X users (even those using Outlook for Mac) may receive winmail.dat attachments, as shown below. This is caused by the sender (an Outlook 2010 user) using the e-mail format known as 'Rich Text', which packs the message's formatting and attachments into a winmail.dat (TNEF) part that non-Outlook clients cannot unpack. To change this option temporarily on a message-by-message basis, the option is available under the Format Text tab when composing a new message.
To change this option permanently, it can be found through File -> Options -> Mail -> Compose Messages heading -> Compose messages in this format. It is recommended to set this option to either Plain Text or HTML.

Backing Up

It is highly recommended that whenever you use a digital certificate and its key pair, you make a backup of your certificate and private key. Windows users may create a backup in the form of a password-protected PKCS#12 (.pfx) file. To do this, open Internet Explorer in administrator mode (this provides the necessary permissions for exporting the private key). For all versions prior to IE 9, locate the certificate store through Tools -> Internet Options -> Content -> Certificates. In IE 9, again in administrator mode, locate the certificate store through the cog icon in the top right-hand corner of the browser, then Internet Options -> Content -> Certificates. Next select your certificate from the Personal tab and click the 'Export' option. Select the radio button to export the private key (the wizard only offers this if the key was marked exportable when it was installed) and follow the export wizard. Once you have backed up the certificate together with the issuing certificate and have the PKCS#12 file available, place it on removable media of your choice and store it in a secure location, with the file's password kept separately from the media.
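The same backup performed with OpenSSL instead of the Internet Explorer wizard, as an added example that is not part of the original paper. The issuing CA, the end-entity certificate, the names and the password are all constructed for the demo; openssl is assumed to be on the PATH. It also shows the two checks worth running on any such backup: that the issuing certificate really is inside the file, and that the private key it holds matches the certificate.

```sh
#!/bin/sh
# Added example, not from the GlobalSign paper: the backup the paper walks
# through in Internet Explorer, done with OpenSSL so the result can be checked.
# A PKCS#12 (.pfx) file bundles the private key, the certificate and the
# issuing CA certificate under one password.  Assumes openssl in PATH; the
# two-level CA, the names and the password are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=demo-backup-passphrase   # constructed; a real backup needs a strong one

# A throw-away issuing CA and the end-entity certificate it signs, standing
# in for the CA-issued S/MIME certificate a user would be backing up.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/CN=Demo Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=alice/emailAddress=alice@example.invalid" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$WORK/alice.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/alice.pem" 2>/dev/null
}

# Export private key + certificate + issuer into a password-protected .pfx.
export_backup() {
    openssl pkcs12 -export -inkey "$WORK/alice.key" -in "$WORK/alice.pem" \
        -certfile "$WORK/ca.pem" -name "alice S/MIME" \
        -passout "pass:$PASS" -out "$1"
}

# Number of certificates the backup holds (leaf + issuer = 2).
backup_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Restore check: the private key in the backup must match the certificate's
# public key, otherwise the backup cannot decrypt old mail.  Prints "match"
# or "mismatch".
backup_key_matches_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout > "$WORK/from_key.pub"
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -pubkey -noout > "$WORK/from_cert.pub"
    if cmp -s "$WORK/from_key.pub" "$WORK/from_cert.pub"; then echo match; else echo mismatch; fi
}

make_chain
export_backup "$WORK/alice-backup.pfx"
echo "certificates in backup: $(backup_cert_count "$WORK/alice-backup.pfx")"
echo "private key and certificate: $(backup_key_matches_cert "$WORK/alice-backup.pfx")"
```

One compatibility point in the spirit of the paper: OpenSSL 3 writes PKCS#12 files with AES-256-CBC, PBKDF2 and a SHA-256 MAC by default, and some older importers only understand the legacy RC2/3DES encoding; OpenSSL 3 provides the -legacy option to openssl pkcs12 -export for those.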
Fig 1: S/MIME Email Client Compatibility Table (the table is an image in the original paper and is not reproduced here)
INQUIRE ABOUT SECURE EMAIL SOLUTIONS
To learn more about GlobalSign S/MIME solutions, please visit
http://www.globalsign.com/authentication‐secure‐email/ or contact us for further information.
We would be happy to discuss your specific requirements.
ABOUT GLOBALSIGN
GlobalSign was one of the first Certification Authorities and has been providing digital
credentialing services since 1996. It operates multi-lingual sales and technical support offices in
London, Brussels, Boston, Tokyo and Shanghai.
GlobalSign has a rich history of investors, including ING Bank and Vodafone. It is now part of the GMO
Internet Inc group, a public company quoted on the Tokyo Stock Exchange (TSE: 9449) whose
shareholders include Yahoo! Japan, Morgan Stanley and Credit Suisse First Boston.
As a leader in public trust services, GlobalSign Certificates include SSL, Code Signing, Adobe CDS
Digital IDs, Email & Authentication, Enterprise Digital Solutions, internal PKI & Microsoft
Certificate Service root signing. Its trusted root CA Certificates are recognized by all operating
systems, all major web browsers, web servers, email clients and Internet applications; as well as
all mobile devices.
Accredited to the highest standards
As a WebTrust accredited public Certificate Authority, our core solutions allow our thousands of
enterprise customers to conduct secure online transactions and data submission, and provide
tamper‐proof distributable code as well as being able to bind identities to Digital Certificates for
S/MIME email encryption and remote two factor authentication, such as SSL VPNs.
GlobalSign US & Canada: Tel: 1-877-775-4562, www.globalsign.com, sales-us@globalsign.com
GlobalSign EU: Tel: +32 16 891900, www.globalsign.eu, sales@globalsign.com
GlobalSign UK: Tel: +44 1622 766766, www.globalsign.co.uk, sales@globalsign.com
GlobalSign FR: Tel: +33 1 82 88 01 24, www.globalsign.fr, ventes@globalsign.com
GlobalSign DE: Tel: +49 30 8878 9310, www.globalsign.de, verkauf@globalsign.com
GlobalSign NL: Tel: +31 20 8908021, www.globalsign.nl, verkoop@globalsign.com