S/MIME Encryption: Secure/Multipurpose Internet Mail Extensions
S/MIME (Secure/Multipurpose Internet Mail Extensions) encryption enhances the integrity and confidentiality of your organization's email messages. For S/MIME to work, each sender and recipient of an email message must have it enabled.

Introduction
Email is perhaps the most widely used network application, and businesses cannot function smoothly without it. Business email therefore needs to be encrypted so that it is delivered securely and is not intercepted by hackers or by someone trying to steal information. S/MIME provides a higher level of encryption that can be used to send and receive digitally signed and encrypted messages. More specifically, it uses asymmetric cryptography, hash functions (the SHA algorithms), and digital signatures to protect mail from being read by a third party.
We need this type of encryption for sending sensitive data, to prevent phishing threats, to block entry points for attackers, and also to provide a specific identity.
How does S/MIME work?
It works the same way as a passport. An individual passport holds identifying information about you: your name, date of birth, address, and so on. In the same way, an S/MIME certificate is a type of identity document that carries information about its holder.
To apply for a passport, you submit documents as proof of your identity and address, such as a birth certificate, electricity bill, driving license, PAN information, or Aadhaar. After verifying the submitted documents, the Issuing Authority issues an individual passport.
Similarly, to get an S/MIME certificate, the organization first submits a request with all the supporting documents. Once it is verified, the Issuing Authority provides the certificate and the public key to access it.
So, just like the passport, the S/MIME certificate is unique to the user, gives the user an identity, and contains a public key.
Whenever the user sends an email, the receiver knows that it has come from the actual sender (a verified user) and is not a phishing email from someone using a fake identity. The recipient can be sure that the email has come from a genuine user.
For example, say you are sending someone financial data containing confidential information. It might be intercepted by hackers, and the data might be changed by the time the recipient receives it. Using a higher level of encryption like S/MIME can prevent such data theft because it uses cryptographic encryption with a public key. When the message is sent, it is sealed in a black box (i.e. the email), and only the intended recipient has the key to unlock the box.
Importance of S/MIME for an Organisation
In theory, it is fine to send an email without S/MIME. However, S/MIME offers certain advantages that give your organization the level of security required when sending confidential or highly sensitive data that you never want to fall into the hands of people with bad intentions.
- Provides Genuine Identification:
S/MIME confirms your identity by adding an extra layer of identification: the certificate carries the name of the Authority that verified the user and validates you as a genuine sender. If someone is pretending to be you, the recipient can tell from the S/MIME information and treat the email as fake or fraudulent.
- Prevent MITM Attacks:
If you are not using an encrypted protocol, the mail may fall victim to data theft through man-in-the-middle (MITM) attacks. Any sensitive details in the mail can be leaked or intercepted easily if it is not encrypted. With S/MIME, attackers have to decrypt the message before they can use the stolen information. This reduces risk by providing time to discover the interception and take measures against fraud or this type of man-in-the-middle hijacking.
- Ensuring Message Integrity:
S/MIME prevents tampering with the contents because the content of the whole email is checked and matched before it is decrypted, so any small change triggers a warning. Therefore, the sender cannot deny the contents of the message, which ensures transparency and accountability.
Set-up and Procedure
Enabling the S/MIME feature may differ depending on your web browser and mail application. Covering every possible combination would not be practical, so here we use Gmail as an example.
To use S/MIME encryption in Gmail, you need Google Workspace Enterprise, Google Workspace for Education, or Google Workspace Enterprise for Education. S/MIME control isn’t available for Gmail without one of these products.
Prerequisite:
- You have an Email Platform that supports S/MIME encryption.
- Apply for the Certificate: Google accepts certificates from a wide range of Issuing Authorities; you can select any one from the list “CA Certificates Trusted by Gmail for S/MIME”.
- Enable hosted S/MIME for Message Encryption.
Set up Procedure:
The basic steps for a hosted S/MIME Email encryption solution for Google Platform are:
1. Log in to an Administrator Account. Log in to your Admin console using your admin ID and password. Non-admin accounts cannot open the Admin console needed to set up a hosted S/MIME encryption solution.
2. Go to User Settings.
From the Admin console’s Home page, select Apps > Google Workspace > Gmail > User Settings.
3. Select the Domain or Organization to Configure. This will be found on the left-hand side of the screen, under Organizations.
4. Select the “Enable S/MIME” Box. There should be a box with the setting that you can enable with a click.
5. Allow Users to Upload Certificates (Optional). You can let users upload their own S/MIME certificates as an option.
6. Set up Root Certificate Management (Optional). To manage the root certificates used for S/MIME email encryption:
   1. Click Add next to Accept these additional Root Certificates for specific domains.
   2. Click Upload Root Certificate.
   3. Browse to find the certificate file and choose Open. A verification message should appear; otherwise, an error message may appear.
   4. Under Encryption level, choose the encryption level to use with the chosen certificate.
   5. Under Address list, enter at least one domain that will use the uploaded root certificate.
   6. Click Save.
   7. Repeat these steps for every additional certificate chain.
7. Does Your Domain/Organization Need to Enable Secure Hash Algorithm 1 (SHA-1)? If so, check the Allow SHA-1 globally box. Otherwise, leave it unchecked; Google does not recommend enabling it.
8. Click Save.
9. Reload Gmail. Users need to reload their Gmail client to see the change.
Adding Personal S/MIME certificate by Individual from Gmail User Settings
10. Upload S/MIME Certificates.
   1. Go to Settings.
   2. Click on the Accounts tab.
   3. Click Edit Info on the right side of the Send mail as option.
   4. A small pop-up window should appear with the “enhanced encryption” option, if this was enabled in Step 5 listed above. Click the option Upload a personal certificate.
   5. Select the certificate from your computer and click Open. You will be asked to enter the password/key for your certificate, which you get from the Issuing Authority.
   6. Enter the password and click the option Add certificate.
11. Use this Certificate for S/MIME: You will get the option to use the added certificate for S/MIME enhanced encryption.
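Before uploading a certificate, it helps to confirm who issued it, when it expires and whether it is SHA-1 signed, since that is the case the Allow SHA-1 globally setting in step 7 exists for. The following is an added example, not part of the original article; it assumes the certificate is available as a PEM file, and the demo certificate and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-upload check of an S/MIME certificate with the openssl CLI.
# The demo certificate is constructed; point check_cert at a real PEM file in practice.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Algorithm the issuer used to sign the certificate, as printed by openssl.
sig_alg() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# SHA-1 signatures are the case the "Allow SHA-1 globally" setting exists for.
classify_alg() {  # $1 = algorithm name
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*) echo sha1 ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Print who the certificate identifies, who issued it and when it expires.
# Status 0 only if it is unexpired and signed with a SHA-2 algorithm.
check_cert() {  # $1 = PEM certificate
    alg=$(sig_alg "$1")
    openssl x509 -in "$1" -noout -subject -issuer -enddate
    echo "signature algorithm: $alg ($(classify_alg "$alg"))"
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
    [ "$(classify_alg "$alg")" = ok ] || { echo "review before upload"; return 1; }
}

# Constructed self-signed demo certificate (SHA-256, valid for 30 days).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo User/emailAddress=demo@example.test" \
    -keyout "$W/demo.key" -out "$W/demo.crt" 2>/dev/null

check_cert "$W/demo.crt" && echo "result: passes these checks"
```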
How to send a S/MIME Encrypted Email Message
Gmail automatically displays the level of encryption available for every recipient you add. To see the level of encryption:
● Start composing a message.
● Add the recipient’s ID to the “To” field. You should see a color-coded lock icon that indicates what level of encryption the email is using.
● Check the icon to the right of each recipient’s name in the compose box. A color-coded lock icon shows the level of encryption supported by that recipient. If you are sending to multiple recipients who support different levels of encryption, the lowest common encryption status is shown.
   - The green lock icon indicates strong encryption suitable for sensitive data (here we are using S/MIME).
   - The gray lock icon indicates encryption suitable for the common messages we normally send by email (such as Transport Layer Security [TLS]).
   - The red lock icon indicates a lack of encryption.
● Click on the lock icon and select View details to see or change your S/MIME settings.
● Once you send a message using S/MIME encryption, you can check the encryption level status of the message by opening the dropdown under Show details.
● Finally, if you click on the sender info, you will get the sender verification details, which show the Issuing Authority of the certificate. This proves the authentication and also shows the validity of the certificate, confirming that the identity of the user is authenticated.
This shows you the sender’s digital signature, confirming that the message is S/MIME encrypted and digitally signed.