Secure Email via S/MIME

While two-factor authentication schemes face various snags, S/MIME is ready to help secure e-mail today

By Simson Garfinkel

February 01, 2006 — CSO — Phishing poses a significant threat to the future of commercial e-mail, online banking and online commerce.

And it's increasingly clear that the techniques employed by phishers can be used equally well to compromise the security of corporate and government computer systems. Indeed, if someone were to send out thousands of e-mails to your users saying that the URL for the corporate intranet had changed and the users needed to log in to the new site, that person would almost certainly score dozens of valid user names and passwords.

There are many proposals for fighting the phishing problem. Some schemes call for the deployment of new technology such as two-factor authentication. Others call for improving e-mail security with better antispam systems and new cryptographic protocols such as Yahoo's DomainKeys. But there is a simple, straightforward and easy-to-use technique that many businesses could start using today. That technique is called S/MIME—the Secure Multipurpose Internet Mail Extension—and it's already built into the Windows, Macintosh and Linux operating systems.

The S/MIME system for sending secure e-mail was developed by RSA Security in the 1990s and adopted as an Internet standard by the Internet Engineering Task Force in 1998. Today, support for S/MIME is built into a wide variety of e-mail systems, including Microsoft Outlook, Outlook Express, Lotus Notes, Apple Mail, Eudora 7 and even the Linux Evolution mail client.

S/MIME defines a standard way for signing e-mail messages with a digital signature, for sealing them with encryption, or for both signing and sealing. A signed message allows the recipient to verify that the message came from a specific sender and that it has not been modified between the time that it was sent and the time that it was viewed by the recipient. Sealed messages are encrypted so that they can't be deciphered by anyone who doesn't have the appropriate cryptographic key.

S/MIME Certificates Made Simple

Like the secure sockets layer that's used to secure Web commerce and banking, S/MIME is based on the X.509 public-key infrastructure. This means that S/MIME's ability to authenticate the sender of a message depends upon the sender obtaining an S/MIME certificate from a certificate authority (CA) such as Thawte. S/MIME users also have to obtain certificates before they can receive messages that are sealed with encryption. In practice, this certificate requirement is the reason that banks and other companies don't use S/MIME to send secure mail to their customers: The vast majority of consumers have never obtained digital certificates. Even though these people have S/MIME support built into their e-mail clients, there is no way to send them an encrypted message.

• Print