digplanet beta 1: Athena
Share digplanet:


Applied sciences






















S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFCs 3369, 3370, 3850 and 3851. S/MIME was originally developed by RSA Data Security Inc. The original specification used the IETF MIME specification[1] with the de facto industry standard PKCS#7 secure message format. Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax, an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them.


S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity, non-repudiation of origin (using digital signatures), privacy and data security (using encryption). S/MIME specifies the MIME type application/pkcs7-mime (smime-type "enveloped-data") for data enveloping (encrypting) where the whole (prepared) MIME entity to be enveloped is encrypted and packed into an object which subsequently is inserted into an application/pkcs7-mime MIME entity.

S/MIME certificates[edit]

Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA. The accepted best practice is to use separate private keys (and associated certificates) for signature and for encryption, as this permits escrow of the encryption key without compromise to the non-repudiation property of the signature key. Encryption requires having the destination party's certificate on store (which is typically automatic upon receiving a message from the party with a valid signing certificate). While it is technically possible to send a message encrypted (using the destination party certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you to install your own certificate before they allow encrypting to others.

A typical basic ("class 1") personal certificate verifies the owner's "identity" only insofar as it declares that the sender is the owner of the "From:" email address in the sense that the sender can receive email sent to that address, and so merely proves that an email received really did come from the "From:" address given. It does not verify the person's name or business name. If a sender wishes to enable email recipients to verify the sender's identity in the sense that a received certificate name carries the sender's name or an organization's name, the sender needs to obtain a certificate ("class 2") from a CA who carries out a more in-depth identity verification process, and this involves making inquiries about the would-be certificate holder. For more detail on authentication, see digital signature.

Depending on the policy of the CA, the certificate and all its contents may be posted publicly for reference and verification. This makes the name and email address available for all to see and possibly search for. Other CAs only post serial numbers and revocation status, which does not include any of the personal information. The latter, at a minimum, is mandatory to uphold the integrity of the public key infrastructure.

Obstacles to deploying S/MIME in practice[edit]

  • Not all email software handles S/MIME signatures, resulting in an attachment called smime.p7s that may confuse some people.
  • S/MIME is sometimes considered not properly suited for use via webmail clients. Though support can be hacked into a browser, some security practices require the private key to be kept accessible to the user but inaccessible from the webmail server, complicating the key advantage of webmail: providing ubiquitous accessibility. This issue is not fully specific to S/MIME: other secure methods of signing webmail may also require a browser to execute code to produce the signature; exceptions are PGP Desktop and versions of GnuPG, which will grab the data out of the webmail, sign it by means of a clipboard, and put the signed data back into the webmail page. Seen from the view of security this is the more secure solution.
    • Some organizations[who?] consider it acceptable for webmail servers to be "in on the secrets"; others[who?] do not. Some of the considerations are mentioned below regarding malware. Another argument is that servers often contain data that is confidential to the organization anyway, so what difference does it make if additional data, such as private keys used for decryption, are also stored and used on such servers?
    • Many make a distinction between private keys used for decryption and those used for digital signatures. They are far more likely to accept sharing of the former than the latter. This is especially true if the non-repudiation aspect of digital signatures is a concern (it may not be). There is fairly universal consensus that non-repudiation requires that a private key be under sole control of its owner during its entire lifecycle.[citation needed] Therefore, decryption done with webmail servers is more likely to be acceptable than digital signatures.
  • S/MIME is tailored for end-to-end security. Logically it is not possible to have a third party inspecting email for malware and also have secure end-to-end communications. Encryption will not only encrypt the messages, but also the malware. Thus if mail is scanned for malware anywhere but at the end points, such as a company's gateway, encryption will defeat the detector and successfully deliver the malware. The only solution to this is to perform malware scanning on end user stations after decryption. Other solutions do not provide end-to-end trust as they require keys to be shared by a third party for the purpose of detecting malware. Examples of this type of compromise are:
    • Solutions which store private keys on the gateway server so decryption can occur prior to the gateway malware scan. These unencrypted messages are then delivered to end users.
    • Solutions which store private keys on malware scanners so that it can inspect messages content, the encrypted message is then relayed to its destination.
  • Due to the requirement of a certificate for implementation, not all users can take advantage of S/MIME, as some may wish to encrypt a message, with a public/private key pair for example, without the involvement or administrative overhead of certificates.

Even more generally, any message that an S/MIME email client stores encrypted cannot be decrypted if the applicable key pair's private key is unavailable or otherwise unusable (e.g., the certificate has been deleted or lost or the private key's password has been forgotten). Note, however, that an expired, revoked, or untrusted certificate will remain usable for cryptographic purposes. In addition, indexing of encrypted messages' clear text may not be possible with all email clients. Regardless, neither of these potential dilemmas is specific to S/MIME but rather cipher text in general and do not apply to S/MIME messages that are only signed and not encrypted.

S/MIME signatures are usually "detached signatures": the signature information is separate from the text being signed. The MIME type for this is multipart/signed with the second part having a MIME subtype of application/(x-)pkcs7-signature. Mailing list software is notorious for changing the textual part of a message and thereby invalidating the signature; however, this problem is not specific to S/MIME, and a digital signature only reveals that the signed content has been changed.

See also[edit]


  1. ^ RFC 2045: Multipurpose Internet Mail Extensions (MIME). Part One was published in November 1996.

External links[edit]

Free Secure Email Certificate providers

  • Comodo Group (one year certificate).
  • StartCom (one year certificate)
  • Actalis (one year certificate)
  • CAcert (six month or two year certificate - untrusted by most software)

Original courtesy of Wikipedia: http://en.wikipedia.org/wiki/S/MIME — Please support Wikipedia.
This page uses Creative Commons Licensed content from Wikipedia. A portion of the proceeds from advertising on Digplanet goes to supporting Wikipedia.
529186 videos foundNext > 

S-MIME email encryption: The Concept

Quick into about the basics of public key email encryption, including the why and how, before I get into the "How to set it up" screencasts next.

Computer and Network Security - S/MIME

Computer and Network Security - S/MIME.

Intoduction To S/MIME

Email Security: Part 2 - S/MIME

S-MIME is discussed. Domainkeys identified mail is analyzed.

Mail Verschlüssulung mit S/MIME - Grundlagen

Video Anleitung zu Mail Verschlüssulung mit S/MIME. Was ist S/MIME, Voraussetzungen, Vergleich S/MIME - PGP und wie Funktioniert Asymmetrische ...

S MIME Part 1

Setup Outlook 2007 with S-MIME

This video shows how to setup Outlook 2007 to use S-MIME.

S/MIME Einrichtung auf dem Mac und iOS Geräten (iPhone / iPad)

Diese kurze Anleitung zeigt die Einrichtung eines S/MIME Systems zum Signieren und Verschlüsseln von E-Mails unter Mac OS X Lion und iOS 5.

Mail Verschlüsselung mit S/MIME - StartSSL Zertifikat

Video Anleitung zu Mail Verschlüssulung mit S/MIME. Erstellung eines Zertifikates am Beispiel von StartSSL. Exportieren des Zertifikates aus dem Firefox, ...

Setup OWA to use S-MIME

This video shows how to setup OWA to use S-MIME.

529186 videos foundNext > 

2799 news items

Financial Market News
Thu, 11 Feb 2016 19:56:15 -0800

Mimecast logo Mimecast Ltd (NASDAQ:MIME)'s stock had its “buy” rating reaffirmed by research analysts at Oppenheimer in a research note issued on Tuesday, Marketbeat reports. A number of institutional investors have modified their holdings of the ...

Ars Technica

Ars Technica
Wed, 20 Jan 2016 12:03:45 -0800

There's only one halfway-decent S/MIME client on Android today. We're looking to innovate there in the very near future." Then there's that feature FBI Director James Comey wishes all encryption had: a "policy" key for unlocking anything encrypted ...


Yahoo Finance UK
Tue, 26 Jan 2016 06:03:45 -0800

... one of the leading collaboration and secure email apps, adding more capabilities with the secure integration of Box, S/MIME for end-to-end email encryption to the desktop, convenient PDF conversion and support for reading Voltage encrypted messages.
Intercooler Financial
Tue, 09 Feb 2016 13:56:15 -0800

Mimecast logo Mimecast Ltd (NASDAQ:MIME)'s stock had its “buy” rating restated by equities researchers at Oppenheimer in a research report issued on Tuesday, Marketbeat reports. A number of hedge funds recently made changes to their positions in the ...
Mon, 25 Jan 2016 15:19:16 -0800

Security is another key focus for MailDroid with support for password protection, PGP and S/MIME. Flipdog offers a free Crypto plugin (available here) for enhanced security and there's an optional spam filter to keep out unwanted emails that is ...

Windows IT Pro

Windows IT Pro
Thu, 12 Mar 2015 06:18:45 -0700

S/MIME is “client to client” encryption. S/MIME is the only client-side option available in Exchange Online to allow Outlook or OWA clients to encrypt messages from creation to delivery. That's not to say that email normally leaves your PC in plain text.
Daily Political
Sun, 07 Feb 2016 08:52:30 -0800

Mimecast logo Mimecast Ltd (NASDAQ:MIME) – Investment analysts at Oppenheimer lowered their Q4 2015 EPS estimates for shares of Mimecast in a research note issued on Tuesday, according to Zacks Investment Research. Oppenheimer analyst S. Eyal ...

Windows IT Pro (blog)

Windows IT Pro (blog)
Thu, 27 Nov 2014 06:48:45 -0800

New features are all very exciting, which is nice, until they don't work, which isn't so nice. My experience of sending an S/MIME-signed message from Outlook Web App proved problematic and deserved some investigation. The root cause turned out to be a ...

Oops, we seem to be having trouble contacting Twitter

Support Wikipedia

A portion of the proceeds from advertising on Digplanet goes to supporting Wikipedia. Please add your support for Wikipedia!

Searchlight Group

Digplanet also receives support from Searchlight Group. Visit Searchlight