What Is S/MIME and How Does It Work?
Secure Your Email And Protect Your Organization From Man-In-The-Middle Attacks By Using The S/MIME Email-Signing And Encryption Protocol.
- S/MIME enhances email security by encrypting email messages and adding a digital signature.
- S/MIME encryption provides confidentiality and reduces the risk of man-in-the middle attacks.
- S/MIME digital signatures safeguard against email spoofing by verifying the sender’s identity, ensuring the message contents have not been changed and confirming the sender actually sent the message.
As an email makes its way across the internet, it stops at various servers and routers along the way. It’s possible that at any of these stops, prying eyes may pick up the message and read its contents or insert a fake response, resulting in stolen login credentials or traffic rerouted to a phishing site, for example. These man-in-the-middle (MitM) attacks are difficult to detect, but they can be thwarted using S/MIME’s encryption and digital signatures.
What Is S/MIME?
S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions, is an email-signing and encryption protocol that encrypts email messages and adds a digital signature. It can also compress a message to reduce its size. S/MIME is not a new standard, but it has been steadily improved over time. The most recent version, S/MIME version 4.0, includes updates to the standard's content-encryption, signature and digest algorithms.[i]
More specifically, S/MIME’s encryption scrambles email messages so they can only be accessed by their recipients using a private key to decrypt the messages. It prevents anyone else — namely, attackers — from intercepting and reading the emails as they travel from senders to receivers.
S/MIME’s digital signatures also protect the security of email messages in three ways:
- Authentication: Verifies the sender’s identity so the recipient can be confident the message came from the identified sender. This helps prevent email spoofing often seen in phishing attacks.
- Message integrity: Detects any changes made to the message after being sent.
- Nonrepudiation: Prevents the sender from denying they sent the message. This can be important for product orders, legal documents or criminal cases.
How Does S/MIME Work?
S/MIME uses asymmetric cryptography with a public/private key pair. The two keys are mathematically related so that a message encrypted using the public key can only be decrypted using the private key. Each sender and receiver obtain both a public and private key. The public key is published and encrypts the email; the private key is kept secret and decrypts the email. Once a person hits “send” on an email, S/MIME sending agent software encrypts the message using the recipient’s public key, and the receiving agent decrypts the message using the recipient’s private key, as shown in the diagram. Of course, this requires both sender and receiver to support S/MIME.
Before S/MIME can be configured, every sender and receiver needs a digital certificate that binds the person’s identity to a public key. An administrator is usually responsible for configuring S/MIME and issuing digital certificates. In fact, a best practice for an administrator is to issue two certificates for each user, one for signing and one for encryption.[ii]
Certificate Authorities (CAs) issue X.509 trusted certificates, which verify a public key belongs to the person using it. A root certificate, signed by the CA, is used to create and sign other certificates in a tree-like or chained structure. Both Microsoft and Google recommend configuring at least two levels to the chain so that the root certificate does not directly issue user certificates.
Before choosing a CA, an administrator should check the list of supported CAs for the company’s email system. Choosing only one or two CAs will simplify certificate management tasks, such as monitoring certificate expiration dates and scanning for shadow certificates that users acquired using other CAs.
How to Configure S/MIME
In a business setting, an administrator is also responsible for defining policies for using S/MIME encryption and signatures in email client software. Here we look at specific directions for two email systems: Microsoft Outlook and Google Workspace.
Enabling S/MIME on Outlook: Microsoft provides step-by-step instructions for configuring S/MIME for Exchange.[iii] This supports email clients using Outlook, Outlook Web app and Outlook on mobile devices. The process consists of five steps:
- Set up and publish S/MIME certificates. The administrator installs a third-party CA for Windows and sets up the chain for issuing certificates. Although Exchange supports privately issued certificates, Microsoft recommends using third-party CAs because recipients automatically trust certificates from them. Some clients and devices don’t support privately issued certificates.
- Set up a virtual certificate collection in Exchange Online for validating the S/MIME certificates. To do this, the administrator exports the root and intermediate certificates into a serialized certificate store (SST) file in Windows PowerShell, and then imports the certificates from that SST file into Exchange.
- Sync user certificates for S/MIME into Microsoft 365. The administrator issues user certificates and publishes them in Active Directory. User data is then synchronized to Windows 365 using Azure Active Directory Connect synchronization services.
- If users are using Outlook for the Web, the administrator configures policies in Chrome and Edge web browsers to install S/MIME extensions.
- Configure email clients to use S/MIME. For this step, users need access to their certificates. The administrator can distribute users’ certificates to their devices automatically using Endpoint Manager, or users can manually export their certificates to their mobile devices. Then users can set up S/MIME encryption through the Trust Center Settings in the Options menu.
Enabling S/MIME on Gmail: Like Microsoft, Google provides step-by-step instructions for configuring hosted S/MIME on Google Workspace.[iv] This process also consists of five steps:
- Enable S/MIME. After setting up a root certificate and at least one intermediate certificate, the administrator enables S/MIME as a setting in the Workspace Admin console. By default, organizational units inherit the settings of the top-level organization, but this can be overridden to customize the S/MIME settings for one or more organizational units.
- Upload certificates to Gmail users. Optionally, the administrator can allow users to upload their own certificates. Google recommends uploading certificates programmatically using the Gmail S/MIME API, or users can upload their own certificates using Gmail settings if the administrator has enabled that feature.
- Define encryption rules. The administrator then defines rules that either force encryption and signing of all outgoing Gmail messages or only those messages that meet the rules’ criteria.
- Reload Gmail. Users will need to reload Gmail after waiting 24 hours before attempting to encrypt messages.
- Users exchange public keys. To publish the public key, a user sends another user a signed S/MIME message. The signature will include the sender’s public key.
How to Send an S/MIME Encrypted Mail
When a user composes a message in Gmail, a lock icon appears next to each recipient who has S/MIME enabled. If the user addresses the email to multiple recipients and those recipients support different levels of encryption, Gmail will use the lowest level of encryption supported by all recipients.
When composing a single message in Outlook, users can select “Encrypt with S/MIME” under the Options menu. To digitally sign or encrypt every email by default, users can choose either encryption, sign or both from the Settings menu.
The Bottom Line
Configuring S/MIME for a business involves distributing and managing digital certificates for end users. The payoff for this effort is clear: S/MIME’s email encryption and digital signatures guard against MitM attacks and email-spoofing schemes.
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!