Sending Secure Email with S/MIME

S/MIME certificates from SSL.com are a great way for you and/or your business to send and receive authenticated and encrypted email, with trust baked-in at the operating-system level. This article gives a brief overview of what S/MIME is and how it works, and describes the various email and client authentication certificates currently offered by SSL.com.

What is S/MIME?

S/MIME (Secure/Multipurpose Internet Mail Extensions) uses public key infrastructure (PKI) and asymmetric encryption to provide authentication and encryption of email messages. By signing your email with an S/MIME certificate from SSL.com, you can assure receivers that the messages you send are really from you, and they can prove that you really sent them. Furthermore, you can use S/MIME to encrypt your email communications securely, shielding them from prying eyes while in transit. When S/MIME email is deployed throughout a business or other organization, employees can be certain that messages from their colleagues are genuine, and clients and customers can trust email sent from within the organization. In an Internet overrun with phishing attacks and spam, securing your personal and business email is an important step you can and should take to avoid fraud and increase trust.

Asymmetric Encryption

Much like the SSL/TLS protocol, S/MIME employs public key cryptography for encryption and decryption of message data and digital signatures. The private key is kept secure, while the public key can be distributed widely. A special mathematical relationship between the two keys exists such that data encrypted with one key can only be decrypted by the other. If a message is encrypted with your public key, only your private key can decrypt it, and if a message is signed with your private key, someone with your public key can verify that fact. (You can safely share your public key because, given a large enough key size, it is practically impossible to use it to derive its corresponding private key.)

Digital Signatures

When you sign an email message with your S/MIME certificate, your email client software generates a hash, or fixed-length digest, of the message, then encrypts it with your private key to create a digital signature that is included with the email. When a recipient receives the message, their email software uses your public key (also included in the message) to verify that the email was actually sent by you and that its content has not been altered in transit. If someone, somehow, manages to intercept the message and change the text, the hash computed by the receiver will not match the hash in the signature. Furthermore, because the signature itself can only be generated with your private key, it is practically impossible for someone who does not possess the key to create a new, valid signature to match the altered content or otherwise succeed in sending messages purporting to be from you.

Non-Repudiation

Because the authenticity and integrity of digitally-signed email are assured, recipients can prove that a specific person (or at least a person in possession of their private key) sent a particular message. Conversely, it is difficult for the sender to plausibly deny that they sent that same message. This property of digitally-signed email is known as non-repudiation, and is similar in concept to a letter or legal document bearing a person’s physical signature in ink.

Chain of Trust

When you request an S/MIME certificate from SSL.com, we verify your control of a specific email address and possibly (depending on the specific type of certificate requested) additional identifying information before signing it and delivering it to you. Your signed certificate is then part of a chain of trust leading back to SSL.com’s root certificate, which is included in all current major operating system and web browser root certificate stores. After installing the certificate and using it to sign email messages, your recipients’ software can verify that your certificate has been signed by a certificate authority (CA) that it implicitly trusts to provide valid identifying information.

Encrypted Email

To send someone an email message that only they can read, one need only encrypt it with their public key, which is included in any signed email that they may have sent you or can be sent separately. If you have digitally signed the email, they can be sure that it is from you. Note that it is also possible to send signed, unencrypted email, which may be necessary if your addressee does not have a public key, or you do not possess it.

S/MIME Certificates from SSL.com

Email and Client Authentication Certificates

SSL.com currently offers three types of S/MIME client certificates that employ different levels of user authentication:

All of these products from SSL.com allow digitally signed and encrypted emails to be exchanged between any number of recipients, including in group threads. Plus, both can also be used in mutual SSL/TLS as client authentication certificates. For example, a certificate could be used as a credential for gaining access to a restricted network service, such as an internal company website, as well as to secure email.

Enterprise Management Tools

For the convenience and benefit of businesses and other organizations, SSL.com offers advanced enterprise management of email and client authentication certificates. An administrator tasked with issuing 1,000 or more S/MIME certificates to employees probably would not appreciate having to send them out one-by-one, and we can provide the tools to avoid that regrettable situation. With an Enterprise PKI (EPKI) agreement from SSL.com and our management tools, you can centrally manage and distribute high volumes of certificates scoped to your organization, while assuming responsibility for user validation. For detailed information about our EPKI program, please write to us at support@ssl.com.

Installing S/MIME Certificates

For information on installing S/MIME certificates for use in your email software, please watch for our upcoming How-Tos for Thunderbird, Outlook for Windows and Apple Mail. And, always, thank you for choosing SSL.com, where we believe a safer Internet is a better Internet!