S/MIME (Secure/Multipurpose Internet Mail Extensions) uses public key infrastructure (PKI) and asymmetric encryption to provide authentication and encryption of email messages. By signing your email with an S/MIME certificate from SSL.com, you can assure receivers that the messages you send are really from you, and they can prove that you really sent them. Furthermore, you can use S/MIME to encrypt your email communications securely, shielding them from prying eyes while in transit. When S/MIME email is deployed throughout a business or other organization, employees can be certain that messages from their colleagues are genuine, and clients and customers can trust email sent from within the organization. In an Internet overrun with phishing attacks and spam, securing your personal and business email is an important step you can and should take to avoid fraud and increase trust.
Much like the SSL/TLS protocol, S/MIME employs public key cryptography for encryption and decryption of message data and digital signatures. The private key is kept secure, while the public key can be distributed widely. A special mathematical relationship between the two keys exists such that data encrypted with one key can only be decrypted by the other. If a message is encrypted with your public key, only your private key can decrypt it, and if a message is signed with your private key, someone with your public key can verify that fact. (You can safely share your public key because, given a large enough key size, it is practically impossible to use it to derive its corresponding private key.)
When you sign an email message with your S/MIME certificate, your email client software generates a hash, or fixed-length digest, of the message, then encrypts it with your private key to create a digital signature that is included with the email. When a recipient receives the message, their email software uses your public key (also included in the message) to verify that the email was actually sent by you and that its content has not been altered in transit. If someone, somehow, manages to intercept the message and change the text, the hash computed by the receiver will not match the hash in the signature. Furthermore, because the signature itself can only be generated with your private key, it is practically impossible for someone who does not possess the key to create a new, valid signature to match the altered content or otherwise succeed in sending messages purporting to be from you.
Because the authenticity and integrity of digitally-signed email are assured, recipients can prove that a specific person (or at least a person in possession of their private key) sent a particular message. Conversely, it is difficult for the sender to plausibly deny that they sent that same message. This property of digitally-signed email is known as non-repudiation, and is similar in concept to a letter or legal document bearing a person’s physical signature in ink.
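The hash-sign-verify cycle described above, as an added example in Go using only its standard library (this is illustration code, not code from SSL.com or from any mail client): the sender hashes the message with SHA-256 and signs the digest with the private key; the recipient recomputes the digest and checks it against the signature with nothing but the sender's public key. The key pair and the message are generated and constructed for the demonstration, and the choice of RSASSA-PKCS1-v1_5 with a 2048-bit key is an assumption, picked because it is a common S/MIME signature configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample standing in for the body of an email message.
const sampleMessage = "Subject: Q3 invoice\r\n\r\nPlease find the invoice attached."

// generateSenderKey creates the sender's RSA key pair. With a real S/MIME
// certificate the private key stays on the sender's machine and the public
// key travels inside the certificate; here a fresh pair is made for the demo.
func generateSenderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signMessage hashes the message with SHA-256 and signs the digest with the
// private key (RSASSA-PKCS1-v1_5, a scheme S/MIME clients commonly use).
func signMessage(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage is the recipient's side: recompute the digest of the message
// as received and check it against the signature with the sender's public
// key. It returns true only if the content is unaltered and the signature was
// produced by the matching private key.
func verifyMessage(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	priv, err := generateSenderKey()
	if err != nil {
		panic(err)
	}
	sig, err := signMessage(priv, []byte(sampleMessage))
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", verifyMessage(&priv.PublicKey, []byte(sampleMessage), sig))

	// Text changed in transit: the recipient's recomputed digest no longer
	// matches the one inside the signature, so verification fails.
	tampered := []byte("Subject: Q3 invoice\r\n\r\nPlease find the corrected invoice attached.")
	fmt.Println("tampered verifies:", verifyMessage(&priv.PublicKey, tampered, sig))

	// A different key pair cannot produce a signature that the recipient's
	// copy of the genuine sender's public key will accept.
	other, _ := generateSenderKey()
	forged, _ := signMessage(other, []byte(sampleMessage))
	fmt.Println("forged verifies:", verifyMessage(&priv.PublicKey, []byte(sampleMessage), forged))
}
```

Running it prints `true`, `false`, `false`: the only signature that verifies is the one made by the genuine private key over the unmodified text, which is exactly the non-repudiation property the paragraph above describes.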
Chain of Trust
When you request an S/MIME certificate from SSL.com, we verify your control of a specific email address and possibly (depending on the specific type of certificate requested) additional identifying information before signing it and delivering it to you. Your signed certificate is then part of a chain of trust leading back to SSL.com’s root certificate, which is included in all current major operating system and web browser root certificate stores. After installing the certificate and using it to sign email messages, your recipients’ software can verify that your certificate has been signed by a certificate authority (CA) that it implicitly trusts to provide valid identifying information.
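The chain-of-trust check a recipient's software performs, as an added Go example built on the standard library's x509 package (illustration code, not SSL.com's or any mail client's). A self-signed root stands in for a CA certificate found in the operating system trust store; an email certificate is issued under it with the sender's address in the Subject Alternative Name and the email-protection extended key usage; verification then succeeds for that chain and fails both for a certificate from a CA the recipient does not trust and for an address the certificate does not cover. The CA names, addresses, validity periods and key usages are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs template with the signer's key; parent == template yields a
// self-signed certificate, which is how a root CA certificate is made.
func issueCert(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRootCA builds a self-signed CA certificate standing in for a root that
// ships in operating system and browser trust stores (constructed for the demo).
func newRootCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issueCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newEmailCert issues an end-entity S/MIME certificate for one address under
// the given CA: the address goes in the Subject Alternative Name and the
// certificate is limited to the email-protection purpose.
func newEmailCert(email string, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	cert, err := issueCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// verifyEmailCert is the recipient-side check: the certificate must chain to
// a trusted root, be valid for email protection, and name the sender's address.
func verifyEmailCert(cert, trustedRoot *x509.Certificate, senderEmail string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	for _, e := range cert.EmailAddresses {
		if e == senderEmail {
			return nil
		}
	}
	return fmt.Errorf("certificate does not cover %s", senderEmail)
}

func main() {
	root, rootKey, err := newRootCA("Example Trusted Root CA")
	if err != nil {
		panic(err)
	}
	leaf, _, err := newEmailCert("alice@example.com", root, rootKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted chain:", verifyEmailCert(leaf, root, "alice@example.com"))
	// Same address, well-formed certificate, but issued by a CA absent from the trust store.
	rogue, rogueKey, _ := newRootCA("Unknown CA")
	rogueLeaf, _, _ := newEmailCert("alice@example.com", rogue, rogueKey)
	fmt.Println("untrusted chain:", verifyEmailCert(rogueLeaf, root, "alice@example.com"))
	fmt.Println("address mismatch:", verifyEmailCert(leaf, root, "bob@example.com"))
}
```

The first check prints `<nil>`; the second fails with an unknown-authority error, and the third with the address mismatch. Note that `Verify` alone does not compare the address: a mail client has to make that comparison itself against the `From:` header, which is why the function does it explicitly.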
To send someone an email message that only they can read, one need only encrypt it with their public key, which is included in any signed email that they may have sent you or can be sent separately. If you have digitally signed the email, they can be sure that it is from you. Note that it is also possible to send signed, unencrypted email, which may be necessary if your addressee does not have a public key, or you do not possess it.
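The encryption step, as an added Go example (standard library only; illustration code, not SSL.com's). It goes a little beyond the one-sentence description above: S/MIME's enveloped-data format does not RSA-encrypt the message body directly. It encrypts the body once under a random symmetric content key and then wraps that key with each recipient's public key, which is what lets one encrypted message be read by any number of recipients while anyone without one of those private keys gets nothing. Here AES-256-GCM is the content cipher and RSA-OAEP the key wrap; the `Envelope` struct is a simplified stand-in for the real CMS structure, and the key pairs and message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is a simplified stand-in for a CMS EnvelopedData structure: one
// AES-GCM ciphertext plus a copy of the content key wrapped for each recipient.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys [][]byte // one entry per recipient, in the order given
}

// newRecipientKey generates a key pair for the demo; in practice each
// recipient's public key comes from the certificate on a signed email.
func newRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptForRecipients encrypts the message once under a random content key,
// then wraps that key with RSA-OAEP for every recipient public key.
func encryptForRecipients(message []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	contentKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, message, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// decryptAsRecipient tries each wrapped key with one private key and, on
// success, decrypts the body. A key that was not among the recipients fails
// at the unwrap step and never reaches the plaintext.
func decryptAsRecipient(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range env.WrappedKeys {
		contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
		if err != nil {
			continue // this copy was wrapped for a different recipient
		}
		block, err := aes.NewCipher(contentKey)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped content key for this recipient")
}

func main() {
	alice, _ := newRecipientKey()
	bob, _ := newRecipientKey()
	outsider, _ := newRecipientKey() // holds a key, but was not addressed
	msg := []byte("Constructed sample: the meeting moved to 3 pm.")
	env, err := encryptForRecipients(msg, []*rsa.PublicKey{&alice.PublicKey, &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	for name, key := range map[string]*rsa.PrivateKey{"alice": alice, "bob": bob, "outsider": outsider} {
		plain, err := decryptAsRecipient(env, key)
		fmt.Printf("%s: %q (err=%v)\n", name, plain, err)
	}
}
```

Both addressed recipients recover the same plaintext from one ciphertext; the outsider, who has a perfectly good key pair of their own, gets only an error. The same structure is also why adding a recipient costs one extra RSA operation rather than re-encrypting the whole message.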
SSL.com currently offers three types of S/MIME client certificates that employ different levels of user authentication:
- Personal Basic Email and ClientAuth Certificates protect a single email address with no additional identifying information.
- Personal Pro Email and ClientAuth Certificates include the sender’s first and last names, validated via government-issued photo ID, for improved identification.
- Business Email and ClientAuth Certificates include all of the above, plus organization name.
All of these products from SSL.com allow digitally signed and encrypted emails to be exchanged among any number of recipients, including in group threads. Plus, all three can also be used in mutual SSL/TLS as client authentication certificates. For example, a certificate could be used as a credential for gaining access to a restricted network service, such as an internal company website, as well as to secure email.
For the convenience and benefit of businesses and other organizations, SSL.com offers advanced enterprise management of email and client authentication certificates. An administrator tasked with issuing 1,000 or more S/MIME certificates to employees probably would not appreciate having to send them out one-by-one, and we can provide the tools to avoid that regrettable situation. With an Enterprise PKI (EPKI) agreement from SSL.com and our management tools, you can centrally manage and distribute high volumes of certificates scoped to your organization, while assuming responsibility for user validation. For detailed information about our EPKI program, please write to us at firstname.lastname@example.org.
For information on installing S/MIME certificates for use in your email software, please see our How-Tos for Mozilla Thunderbird, Outlook for Windows, and Apple Mail. And, as always, thank you for choosing SSL.com, where we believe a safer Internet is a better Internet!