S/MIME & Certificates
S/MIME
S/MIME (Secure / Multipurpose Internet Mail Extensions) is a protocol that adds digital signatures and encryption to MIME, the standard format used to send email and attachments. It lets you encrypt emails on the fly, and it also lets you "sign" messages electronically.
Encryption means you can make sure that nobody except the intended recipient can read a message and that it cannot be tampered with unnoticed during transit. Digital signatures attached to email prove two things:
- That the mail has been sent by the email address that claims to have sent it.
- That the mail has not been tampered with while it was in transit.
A digital signature doesn't necessarily prove that an email comes from you as a person, only that it came from a given email address. A third party (commonly called a Certification Authority, or CA) is required to assert and "guarantee" your identity.
X.509 Certificates
In order to digitally sign and encrypt messages with S/MIME, you must have a certificate that associates your email address with your identity. Digital certificates act as unique fingerprints that help prove a sender's authenticity and let you sign your email messages digitally. You transmit your digital certificate — which carries your public key, a series of seemingly random letters and numbers — along with your email messages, and you receive others' certificates along with theirs.
Digital certificates are issued by organizations that guarantee their certificates' trustworthiness, and that the Internet community considers reliable. Valid certificates prove that senders actually own their email addresses, but not necessarily that they are who they say they are. (For example, just because I own a certificate for the email address stevejobs@hotmail.com, that doesn't prove that I'm Steve Jobs.) With proper certification — such as a notary validating the person's identity — signatures may be able to prove that a mail is sent by a specific person, but initially, the CA only has limited means to check that you are who you claim to be.
Obtaining A Free Certificate
I recommend getting a free personal email certificate from TrustCenter, based in Hamburg, Germany. Detailed instructions are given below:
- Go to http://www.trustcenter.de/en/products/tc_internet_id.htm
- Click on "Request Certificate" (orange button in the right sidebar).
- Provide first and last name, email address, and country. (Careful, the default is likely Germany!) Click "Next".
- Choose the highest grade key size available — 2048-bit is the default. Click "Generate key pair".
- Select your title of choice and provide a revocation password. Click "Next".
- An email (which also contains your order number) should arrive shortly. Send an email to ecn@trustcenter.de with the subject and body text specified therein.
- The next email will have a link for you to download your certificate. Click the link in the email, then "Install certificate" on the web page. A file ending with ".p7s" will be downloaded — open the file, or let Safari auto-open it for you. Keychain Access will recognize this file and will automatically load the certificate and corresponding private key into your keychain.
Be sure to back up your private key — it only ever exists on your computer, so you can't download it from the CA. If you lose it, you'll have to revoke it and request a new certificate, which is a pain and not wholly reliable because not everyone abides by certificate revocation lists. (In short, it's easier to cancel a credit card than completely revoke a certificate.) In Keychain Access, click on "My Certificates" in the left sidebar. Select your certificate from the list and choose "Export Items..." from the File menu. You want to export a ".p12" file, which requires you to provide a password to secure the file. (If you forget the password, you won't be able to open the file.) You can store this exported file as a backup, or even transfer it to another machine so you can use your same certificate — remember, you need the private key to sign or decrypt email.
Signing Mail
After retrieving your certificate and verifying that it's in your keychain, it's time to relaunch Mail. (While it is possible to use S/MIME in most other Mac email clients, I haven't yet found any easy setup instructions. That's not to say none exist; I just haven't found any.) Now that you have a certificate, Mail automatically allows you to send digitally signed emails. At the very right of Mail's New Message window header, you'll see a star icon. Click on it to toggle the signature off and on.

Mail automatically sends your certificate information along with any messages you digitally sign and/or encrypt. Send a digitally signed message to another user who has Mail (in Mac OS X 10.3 or later), and your certificate is added automatically to that user's Keychain. If your friend uses another email client that supports such certificates (most modern email programs do), it will most likely manage the certificate in a similar manner. If your friend uses a Web-based email service, he or she will see this certificate as an attachment and won't be able to use it within the Web interface.
Receiving signed messages is also transparent in Mail, unless the message encounters a glitch along the way. Each message will contain a Security header that says whether it is signed or encrypted.

If you receive a message that has been altered after it was sent, Mail displays a conspicuous message saying that it is unable to verify the message signature. That means either someone has fiddled with your message in transit or the message got corrupted. Your best bet is to contact the original sender to make sure that they sent the message, and verify that you have an up-to-date copy of their certificate.
Encrypting Mail
Encryption scrambles a message and any attachments so that they are unreadable to anyone who doesn't hold the corresponding digital certificate and its private key. Senders use recipients' certificates to encrypt email; recipients use the private key belonging to their own certificate to decrypt the messages. You can use Mail to send an encrypted email to another person whose certificate is in your keychain. (Encrypting is only possible if you already have the recipient's certificate. Keychain Access automatically picks up the certificates of people who send you S/MIME-signed emails.)
To encrypt, open a new message in Mail, address it to the person, and then click on the Encryption icon (a lock) at the right of the message window's header. Your entire email and any attachments will be encrypted. When the recipient opens the message, they will be able to read its contents and save any files you sent without doing anything special.

(If anyone else intercepts the message, that person will see gibberish.) If the message gets corrupted or changed in transit, or if there's a problem with the recipient's certificate, they will see the message "Unable to decrypt message", in which case the recipient may need to check that they have an up-to-date copy of your certificate.
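The signing, signature verification, tamper detection and encryption behaviour described above for Mail, reproduced with the openssl command-line tool. This is an added example, not part of the original article: the names, addresses and message content are constructed, and a self-signed certificate stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example (not from the original article): the S/MIME behaviour the
# article describes in Mail, driven with the openssl CLI in a scratch dir.
# Names, addresses and content are constructed; a self-signed certificate
# stands in for the CA-issued one, and the private key never leaves disk.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# $1 = file prefix, $2 = e-mail address. The .crt holds the public key and
# address (what travels with signed mail); the .key stays private.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1/emailAddress=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Clear-sign with Alice's private key; the output embeds her certificate,
# so Bob's verifier needs nothing but trust in that certificate.
sign_and_verify() {
  openssl smime -sign -text -in msg.txt -signer alice.crt -inkey alice.key \
    -from alice@example.invalid -to bob@example.invalid -out signed.eml
  openssl smime -verify -in signed.eml -CAfile alice.crt -out /dev/null 2>&1
}

# Change one body line after signing: verification must fail, which is what
# Mail reports as being unable to verify the message signature.
tamper_and_verify() {
  sed 's/^Amount: 100 EUR/Amount: 900 EUR/' signed.eml > tampered.eml
  if openssl smime -verify -in tampered.eml -CAfile alice.crt \
       -out /dev/null 2>/dev/null; then return 1; fi
}

# Encrypt to Bob's certificate (-binary keeps bytes exact for the compare).
# Only Bob's private key opens it; Alice's fails, Mail's "Unable to decrypt".
encrypt_decrypt() {
  openssl smime -encrypt -binary -aes256 -in msg.txt -out encrypted.eml bob.crt
  openssl smime -decrypt -in encrypted.eml -recip bob.crt -inkey bob.key \
    -out decrypted.txt
  if openssl smime -decrypt -in encrypted.eml -recip alice.crt \
       -inkey alice.key -out /dev/null 2>/dev/null; then return 1; fi
  cmp -s msg.txt decrypted.txt
}

printf 'Amount: 100 EUR\nPlease pay the attached invoice.\n' > msg.txt
make_identity alice alice@example.invalid
make_identity bob bob@example.invalid
sign_and_verify
tamper_and_verify
encrypt_decrypt
echo "sign/verify, tamper detection and encrypt/decrypt all behaved as expected"
```

Inspect signed.eml to see the multipart/signed layout Mail hides behind its Security header: the readable body first, then the certificate and signature as a base64 smime.p7s part.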