Secure / Multipurpose Internet Mail Extension (S/MIME ) is a security enhancement to the MIME e-mail format standard.
RFC 822 defines a format for text messages that are sent using e-mail. The format adds to the text message an envelope of meta-data, namely the header. The header is separated from the body of the email by a blank line. Each line in the header consists of a keyword such as From, To, Subject, Date. Mime addresses shortcomings in the 822 scheme or the Simple Mail Transfer protocol. For instance
MIME introduces five new headers.
The most interesting content-type is the multipart type. The content-type header then contains a parameter, called boundary, that defines the delimiter between body parts. Each boundary starts on a new line and consists of two hyphens followed by the boundary value. The final boundary also has a suffix of two hyphens. Here is an example
From: Nathaniel Borenstein <firstname.lastname@example.org>
To: Ned Freed <email@example.com>
Date: Sun, 21 Mar 1993 23:56:48 -0800 (PST)
Subject: Sample message
Content-type: multipart/mixed; boundary="simple boundary"
This is the preamble. It is to be ignored, though it
is a handy place for composition agents to include an
explanatory note to non-MIME conformant readers.
This is implicitly typed plain US-ASCII text.
It does NOT end with a linebreak.
Content-type: text/plain; charset=us-ascii
This is explicitly typed plain US-ASCII text.
It DOES end with a linebreak.
This is the epilogue. It is also to be ignored.
MIME has a number of transfer encodings, including 7bit (7b ASCII characters), 8bit (uses the full ASCII character set), binary, quoted-printable (the data is encoded as mostly ASCII text and remains readable by humans), and base64 (encodes 6-bit blocks of input to 8-bit blocks of output, all of which are printable ASCII characters). The base64 mode allows us to encode arbitrary binary data so that intermediate mail agents do not mingle them up.
S/MIME has the same functionality as PGP, that is, it offers the ability to sign and to encrypt messages. In more detail, S/MIM provides:
S/MIME incorporates three public-key algorithms, DSS for digital sigantures, Diffie-Hellman for encyrpting session keys, or RSA. It uses SHA1 or MD5 for calculating digests, and three-key triple DES for message encryption. In an ideal situation, a S/MIME sender has a list of preferred decrypting capabilities from an intended recipient, in which case it chooses the best encryption. Otherwise, if the sender has received any previous mail from the intended recipient, it then chooses the same encryption mechanism.
To secure a MIME entity (e.g. the entire message with exception of the RFC 822 header), S/MIME produces a PKCS object. The PKCS object is then treated as the message object and encoded with MIME. Since the result of encryption is typically in binary, it needs to be transferred in a more secure way, such as in base64 mode.
To make an EnvelopedData MIME entity we:
To recover the encrypted message, the recipient first reconverts the base64 encoding and uses his private key to recover the session key. He uses this key to decrypt the message.
To make an SignedData MIME entity we:
Clear signing uses the multipart content type in MIME to transmit body and signature separately. The body needs to be encoded in some way so that it is not altered during transit. The second object, the signature, is sent in base64. Thus, only S/MIME enabled mail readers can use the signature.
The crux of any secure email system is the distribution of public / private key pairs and certification. S/MIME is very liberal about certification. There are public certifiers, such as Verisign and Thawte that distribute certificates at various levels of security. There are mail products that include certification authorities to be used within an organization. These products can be configured to accept these certificates. Finally, S/MIME is most frequently used without a directory for storing certificates and without a need for trusted certifiers. If Alice wants to sent an encrypted message to Bob, he first has to send her a signed message. The signed message contains his certificate that she accepts into her address book.
|©2003 Thomas Schwarz, S.J., COEN, SCU||SCU||COEN||COEN350||T. Schwarz|