What is S/MIME?

Author: HOSTTEST Editorial | 3 Oct 2022

Protecting privacy and sensitive data is becoming increasingly important in digital environments. Any unencrypted data transmission could be intercepted and read by unauthorized third parties. S/MIME is a standard for encrypting emails and can help secure the exchanged data and information from unauthorized access. In the following article, we will show how to apply the standard and discuss its advantages and disadvantages.

Basics of S/MIME

S/MIME stands for Secure / Multipurpose Internet Mail Extensions. This technology allows emails to be encrypted and signed. Both operations can also be applied to a single email, securing electronic correspondence from unauthorized access.

S/MIME was specified in RFC 2633, which is an extension of RFC 1847 from 1995. S/MIME uses the Content Types application/pkcs7-mime for encryption and multipart/signed for signing emails. As the standard has been established for many years, it is supported by most email clients.

To encrypt or sign emails, S/MIME uses an asymmetric encryption method. This requires a key pair consisting of a public key and a private key. The public key is visible to everyone, while the private key must only be known to the sender. Messages encrypted with the private key can only be decrypted with the public key, and vice versa.

Generating Keys through Certificates

To generate the necessary keys, users need a certificate. X.509 certificates, which also play a role in encrypted data transmission through TLS or SSL, are used for this purpose. Applicants receive the certificate from an official Certification Authority (CA) after submitting a Certificate Signing Request (CSR). This CSR must include the following information, which will be entered into the certificate after verification by the CA:

  • public key
  • owner's name
  • owner's email address
  • certificate issuer's signature

There are both free and paid certificates. These are divided into 4 classes:

  • Class 1: The email address is verified by the CA.
  • Class 2: In addition to Class 1, the name and organisation are verified by the CA.
  • Class 3: In addition to Class 2, the commercial register extract and ID card are verified by the CA.
  • Class 4: The applicant has verified their identity in person at the Certification Authority with the original documents.

Free certificates typically correspond to Class 1 and are valid for no longer than one year.

Application of S/MIME

The two application areas, encryption and signing, differ fundamentally from each other. However, both enhance security and data protection in email correspondence.

Signing Emails

By signing, the sender verifies their identity. They add a signature, created with the private key, to their messages. If the recipient knows the corresponding public key, they can verify that the message indeed comes from the stated sender. The email itself, however, remains unencrypted and can be freely viewed.

The signing of emails is an effective tool against phishing attempts. In phishing, criminals pretend to be trustworthy senders and try to steal the recipient's data, information, or even money.

Email Encryption

When a message is encrypted with a Public Key, it can only be decrypted and made readable again by using the corresponding Private Key. Therefore, the sender should provide the recipient with the private key. This can be done, for example, through a signed email. Alternatively, a more secure method would be to send it separately, for example, via fax or post.

If a message is encrypted with S/MIME, it cannot be read by unauthorized persons. Additionally, scanning for viruses or spam is not possible in the encrypted state. Only on the recipient's device can the email be made readable again after decryption. However, the header of an email, consisting of the sender and subject line, remains unencrypted and still readable.
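The content types named in the basics section, and the points above about readable signed bodies, unscannable encrypted bodies and unencrypted headers, can be checked on a raw message. The following is an added example, not part of the original article, using Python's standard `email` module on two constructed messages; the function name `triage`, the sample addresses and the `AAAA` placeholder data are assumptions.

```python
import email
from email import policy

# Constructed sample messages; "AAAA" stands in for the base64 CMS data.
SIGNED = """\
From: alice@example.test
To: bob@example.test
Subject: Invoice 17
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please pay by Friday.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
ENCRYPTED = """\
From: alice@example.test
To: bob@example.test
Subject: Invoice 17
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""

def triage(raw):
    """Return (kind, cleartext_headers, scannable_text) for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    headers = {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h]}
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # multipart/signed is a generic container; "protocol" names the signature type.
        proto = str(msg.get_param("protocol", "")).lower()
        kind = "smime-signed" if proto.endswith("pkcs7-signature") else "signed-other"
        text = "".join(p.get_content() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
        return kind, headers, text.strip()  # body stays readable and scannable
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        stype = str(msg.get_param("smime-type", "unknown")).lower()
        kind = {"enveloped-data": "smime-encrypted",
                "signed-data": "smime-signed-opaque"}.get(stype, "pkcs7-mime:" + stype)
        return kind, headers, None  # body is a CMS blob, not scannable as text
    return "not-smime", headers, None  # other messages are out of scope here
```

For both sample messages the returned headers still contain the sender, recipient and subject, which is why a subject line should never carry confidential content even when the body is encrypted.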

Advantages and Disadvantages of Using S/MIME

The S/MIME standard is an effective solution to protect communication via email from unauthorized access. This way, senders can strengthen their trustworthiness with their recipients.

Tip: Having your own mail domain additionally supports this trust.

However, the encryption standard is relatively rarely used in practice, as the technology also has some disadvantages that make its handling cumbersome.

Advantages of S/MIME

  • effective and secure for encrypting and signing emails
  • widely adopted standard supported by common mail clients of popular operating systems
  • protection against phishing attacks

Disadvantages of S/MIME

  • limited validity of certificates
  • senders and recipients must exchange keys securely at regular intervals (after the certificate expires)

Our article is based on our own experiences and research, as well as information from external sources.
