Using SMIME for Email Security


Email security is an important facet of data protection, both for enterprises and individuals.  Email security can be implemented to perform email authentication and/or email encryption.  Both authentication and encryption are provided by Secure/Multipurpose Internet Mail Extensions (S/MIME) using public key cryptography and a public key infrastructure (PKI).  The basic requirements for PKI are a certificate authority (CA), a private key, and a public key.  An example is shown later that explains how to set up PKI for email using Comodo as the CA and Mozilla Thunderbird as the email client.

With authentication, the sender signs the message with the sender’s private key.  The receiver then verifies the signature using the sender’s public key.  If the verification fails, the receiver knows that the message was spoofed.

The encryption works a little differently.  The sender encrypts the message using the receiver’s public key.  That way, only the receiver can decrypt the message, using the receiver’s private key.  If anyone else were to receive the message, they would not be able to open it because they do not have the private key needed to decrypt it.

From an enterprise standpoint, normally a local enterprise CA is used as the certificate authority.  A user accesses the server, via HTTP or HTTPS, and generates a public/private key pair.  The CA then creates a certificate based on the user’s public key and other identifying information.  The certificate establishes that the public key should be trusted.  The next logical question is, “Why would an external organization trust the enterprise CA?”  The answer is that the enterprise CA has its own certificate signed by a trusted certificate authority (CA), such as Verisign or Comodo.  This trusted authority should be one of the well-known CAs.  These trusted CA certificates are preloaded into web browsers, such as Mozilla Firefox and Microsoft Internet Explorer.

Personal users can also provide authentication and encryption for their email messages.  They can go directly to a well-known CA to register their public key and receive a CA-signed certificate that they can then use to authenticate and encrypt emails.  Below is an example using the free Comodo email certificate, offered under the InstantSSL name, and the Thunderbird email client.  I could have just as easily used another email certificate CA.  Also, I could have used another email client, such as Microsoft Outlook.

Example of Setting up S/MIME Email Security

The first step is to create the public/private key pair and have it signed by the InstantSSL certificate authority (CA).  This is actually all done through the InstantSSL website.   It is important to note that the public/private key pair and certificate are local to the web browser and computer that it is loaded on.  You must use the same computer and browser to complete the remaining steps.

1. Access the website and click on “GET IT FREE NOW”.

2. Fill out the registration form and click “Agree & Continue”.

3. Another webpage appears with a “success” message and instructions to check your email for further steps.

4. In your email, you should have a message as shown below.  Click “Click & Install Comodo Email Certificate” to automatically download the public/private key pair and associated email certificate signed by the Comodo CA.

5. Successful installation of the certificate into the local computer should look like the picture shown below.

At this point, the email certificate should be entered into the certificate store on your computer.  When using Firefox, the certificate gets stored in the Firefox certificate store, but not the Thunderbird certificate store.  This is confirmed in the Mozilla reference link provided at the end of this document.  The public/private keys must be loaded into Thunderbird in order to authenticate and encrypt emails.  The steps below export the certificate from the Firefox certificate store and place it into the Thunderbird certificate store.  It should be noted that the backup file created here contains the private key and must be safely protected.

1. Check the certificate store, within Firefox, by accessing “Tools > Options > Advanced > Encryption > View Certificate”.  Navigate to the “Your Certificate” tab, highlight your certificate, and click on “Backup”.

2. Choose a directory to store the backup file and save the file.  The file is saved with a .p12 extension.  As part of the save process, you are asked to protect the file with a password.  This password will be used again when importing the file into the Thunderbird certificate store.

The next step is to import this certificate, with the public and private key, into Thunderbird.

1. Within Thunderbird, click on “Tools > Account Settings…”.

2. For the appropriate email account, click on the “Security” option.  This should be the email account that is associated with the email address used to create the certificate.

3. Click on the “View Certificate” button on the bottom of the GUI.

4. In the next window, click “Import”.

5. Highlight the certificate you just backed up from Firefox, and click “Open”.  When prompted, enter the password that was created when the certificate was backed up.

6. Go back to the “Security” portion for the email account and click “Select…” in the Digital Signing section.

7. Select the certificate that was just uploaded and answer yes when prompted to use the same certificate for encryption.

Everything is now set up to authenticate emails.  Authentication is possible at this point because it only requires that the email be signed using your own private key.  What about encrypting emails?  That requires the public key of the person you are sending the email to.  The next question that arises is, “How do I get the public key of the person I want to send an encrypted email to?”  The answer is that the person you want to send an encrypted email to must first send you an email signed with their private key.  This email also carries their public key, which is automatically placed into your certificate store after you verify the signature.  Let’s play the scenario out using Alice and Bob.  Alice wants to send Bob an encrypted email, but she doesn’t have his public key.  Here are the steps to make it happen.

  1. Bob sends Alice an email that is signed with his private key.  Bob’s certificate with his public key is appended to the message.  If Bob is using a private enterprise CA, that is also included, since it is not one of the public CAs already on his computer.  If the private CA is included, Alice will be asked if she wants to accept the CA certificate.  The appended certificates make it easier to share the required information for authentication and encryption.  See RFC 3850 for more details.
  2. Alice receives the email with three security attributes.  First, the email is signed with Bob’s private key.  Second, the certificate with Bob’s public key is appended to the message.  Third, the certificate for the CA that signed Bob’s certificate is provided if it is a private CA.  If a private CA is used, Alice is asked if she will trust the CA.  If Alice says “no”, the message cannot be opened.  Let’s assume that Alice decides to trust the CA.  At this point, Bob’s public key is automatically loaded into Alice’s key store.  This allows Alice to verify the email signature that was signed with Bob’s private key.  Additionally, Alice can now encrypt emails to Bob using Bob’s public key.
  3. Alice now replies to Bob’s message.  She signs the message using her private key and encrypts the message using Bob’s public key.
  4. Bob receives the email.  Using the same procedure as step 2, he automatically adds Alice’s public key to his key store and verifies the email signature using Alice’s public key.  He also decrypts the message using his private key.
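The Alice and Bob exchange above, together with the Firefox “Backup” step from earlier (the .p12 file that carries the private key), reproduced with the openssl command line.  This is an added example, not code from the original article or from Comodo, Mozilla or Thunderbird: the certificate authority, both users, their example.test addresses and the backup password are all constructed here for the demonstration, so the script runs offline and never contacts a real CA or mailbox.

```shell
#!/bin/sh
# Added example (not from the original article): sign, verify, extract the
# sender's certificate, encrypt, decrypt, plus the PKCS#12 backup step, using
# openssl. Every key, certificate, address and password below is constructed
# for this demonstration; nothing touches a real CA or mail account.
set -e

# Issue an S/MIME certificate for one user from the throwaway CA: key pair,
# certificate request, then a CA-signed certificate marked for email
# protection (extendedKeyUsage) and bound to the mailbox (subjectAltName).
issue_cert() {
    name=$1; email=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name/emailAddress=$email" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\n' "$email" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Runs the whole exchange in a fresh temporary directory (a subshell, so the
# caller's working directory is untouched) and prints what Bob finally reads.
smime_round_trip() (
    set -e
    cd "$(mktemp -d)"

    # A throwaway "enterprise CA" standing in for Comodo/InstantSSL (constructed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    issue_cert alice alice@example.test
    issue_cert bob   bob@example.test

    # Step 1: Bob signs with his private key. openssl attaches his certificate
    # to the signed message, which is what lets Alice obtain his public key.
    printf 'Hi Alice, here is my public key.\n' > bob_plain.txt
    openssl smime -sign -text -in bob_plain.txt -signer bob.crt -inkey bob.key -out bob_signed.eml

    # Step 2: Alice verifies using only the CA certificate as her trust anchor,
    # then pulls Bob's certificate out of the message for later encryption.
    openssl smime -verify -text -in bob_signed.eml -CAfile ca.crt -out /dev/null 2>/dev/null
    openssl smime -pk7out -in bob_signed.eml | openssl pkcs7 -print_certs -out bob_from_mail.crt

    # Two failure modes worth seeing: a CA Alice does not trust (alice.crt is
    # not Bob's issuer) and a message altered after signing both fail -verify.
    if openssl smime -verify -in bob_signed.eml -CAfile alice.crt -out /dev/null 2>/dev/null; then
        echo 'unexpected: signature accepted without a trusted CA' >&2; exit 1
    fi
    sed 's/public key/PUBLIC KEY/' bob_signed.eml > bob_tampered.eml
    if openssl smime -verify -in bob_tampered.eml -CAfile ca.crt -out /dev/null 2>/dev/null; then
        echo 'unexpected: tampered message verified' >&2; exit 1
    fi

    # Step 3: Alice signs her reply with her private key and encrypts it to the
    # public key taken from Bob's message.
    printf 'Hi Bob, this is confidential.\n' > alice_plain.txt
    openssl smime -sign -text -in alice_plain.txt -signer alice.crt -inkey alice.key \
        | openssl smime -encrypt -aes256 -out reply.eml bob_from_mail.crt
    # The encrypted message must not contain the readable body.
    if grep -q confidential reply.eml; then echo 'unexpected: plaintext leaked' >&2; exit 1; fi

    # Step 4: Bob decrypts with his private key, then verifies Alice's signature.
    openssl smime -decrypt -in reply.eml -recip bob.crt -inkey bob.key -out reply_signed.eml
    openssl smime -verify -text -in reply_signed.eml -CAfile ca.crt -out reply_plain.txt 2>/dev/null
    echo "bob reads: $(cat reply_plain.txt)"

    # The Firefox "Backup" step: a PKCS#12 file bundles the certificate AND the
    # private key, guarded only by the chosen password (constructed here), which
    # is why the article says the backup file must be protected.
    openssl pkcs12 -export -in bob.crt -inkey bob.key -passout pass:backup-pw -out bob.p12
    if openssl pkcs12 -in bob.p12 -passin pass:backup-pw -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'; then
        echo 'backup p12 contains the private key: yes'
    fi
)

smime_round_trip
```

The script uses the `openssl smime` subcommand because it produces and reads the same multipart/signed and application/pkcs7-mime messages that Thunderbird exchanges; `openssl cms` accepts the same options and is the newer interface.  Note that verification succeeds only when the signer’s issuing CA is in the trust store passed with -CAfile, which is the command-line equivalent of Alice choosing to trust the private CA in step 2.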

One final note:  The email certificate registration process shows that anyone can receive an email certificate.  There is no verification process in place to ensure that the person requesting the certificate is a trusted user.  With this in mind, it is important to coordinate with people when adding their public key to your certificate store.  One method would be to call the person and tell them you are sending them a signed email.  They can then accept the public key, appended to the email, with more confidence.

References

RFC 3850, S/MIME Version 3.1 Certificate Handling

RFC 3851, S/MIME Version 3.1 Message Specification

Mozilla, Getting an S/MIME Certificate

Mozilla, Installing an S/MIME Certificate
