S/MIME V3 White Paper
S/MIME (Secure/Multipurpose Internet Mail Extensions) extends MIME with security functions: a MIME entity can be encapsulated, together with digital signatures and encryption information, into a secure object. RFC 2634 defines Enhanced Security Services such as signed receipts, which let the sender ensure that the recipient cannot deny having received the message.
Email and Security

With the growth of the Internet and other computer networks, email has become ubiquitous and is increasingly a mission-critical facility for businesses and government users. Email has emerged as the ideal tool for both the business community and individual users to communicate effectively, efficiently and quickly. Email is not only easy to use for the end user, but also extremely cost-effective and efficient for the organisation, providing a truly global communication infrastructure.

The Challenge

Common Internet-based email systems provide an appropriate solution when used for sending information of low value or when strong proof of the identity of the sender or recipient is not required. However, if email is to be used for confidential information exchange and high-value transactions, then extra security services are required. Incidents of email hacking and compromise of data are becoming frequent and widespread within the business community. The need for secure email has become critical. In today's privacy- and security-sensitive environments, email security can no longer be viewed as merely a luxury for organisations, but rather as a prerequisite to implementing business processes and the transfer of corporate and personal data.
A secure email facility:
• Leverages email, the most commonly deployed Internet application, to transmit sensitive, confidential and verifiable information
• Prevents compromise of business information and loss of intellectual property
• Protects against corporate espionage or cyber terrorism
• Forms the basis for e-business applications
• Gives access to new markets
• Leads to greater efficiencies and an attractive ROI
• Can deliver competitive advantage

Standards

As a result of the need for email security, a number of standards have emerged over recent years, including:
• Privacy Enhanced Mail (PEM)
• Pretty Good Privacy (PGP)
• Secure/Multipurpose Internet Mail Extensions (S/MIME)

These standards all attempted to solve the basic security issues associated with sending messages via email, and thus enable email messaging to be leveraged for business benefit. However, in the case of email, one standard has emerged as the de facto industry standard, namely S/MIME.

Why PEM and PGP are not the solution

PEM was the first credible attempt, in the late 1980s, to make Internet mail secure. PEM includes encryption, authentication and key management, and allows the use of both public-key and secret-key cryptosystems. Although many aspects of the PEM design could not be faulted, it never achieved significant market success, as it was incompatible with MIME, the standard Internet mail format.

PGP was another standard used to encrypt and decrypt email over the Internet. It provides message encryption, digital signatures, data compression and email compatibility. Developed by Philip R. Zimmermann in 1991, PGP has won considerable acceptance amongst private individuals. However, it has never achieved sufficient market acceptance amongst corporations, due to its inability to scale adequately for large deployments, and therefore has not been adopted by major software vendors such as Microsoft, Lotus and Netscape.
S/MIME - The industry standard

Unlike PGP and PEM, S/MIME was designed from the ground up to scale well for large deployments and has now emerged as the de facto industry standard for secure email. S/MIME became a standard in the late 1990s and has since gained global market acceptance. In fact, S/MIME has penetrated the market to such an extent that it now figures in both the Netscape and Microsoft portfolios. So why has S/MIME become the de facto standard for secure email?

S/MIME is a protocol designed to work within a Public Key Infrastructure (PKI), which secures communication between two or more parties. The S/MIME standard was developed by the Internet Engineering Task Force (IETF) and is based on the PKCS #7 (Public-Key Cryptography Standard #7) format for messages and the X.509v3 standard for certificates. It extends MIME, the Internet mail standard, so that a message can be given a digital signature and encrypted.

S/MIME is supported by a number of industry-leading vendors including SSE, Microsoft, Netscape, Lotus, ConnectSoft, Frontier, FTP Software, Qualcomm, Wollongong, Banyan, NCD, SecureWare, VeriSign and Novell. Areas of application for S/MIME are diverse, ranging from secure email to Electronic Data Interchange (EDI), military and financial applications. With such extensive market acceptance, S/MIME has become a fundamental part of the Internet messaging infrastructure.

S/MIME v3 ESS

The latest version of S/MIME, S/MIME v3, also defines a number of Enhanced Security Services (ESS).
These are:
• Secure mailing lists - allows just one digital certificate to be used when sending a secure message to all members of a mailing list
• Signed certificates - binds the signer's certificate to the signature itself, ensuring the correct certificate is used in the verification process
• Signed receipts - provides proof of delivery of the message and proof that the message was successfully verified
• Security labels - a set of security information regarding the sensitivity of the content

eB2Bcom Page 2 Feb02

TrustedMIME

TrustedMIME is a client-based secure email solution developed by SSE (now part of Guardeonic Solutions) according to the industry-standard S/MIME protocol. TrustedMIME products are marketed, implemented and supported in Australia by eB2Bcom. TrustedMIME plugs into email clients, providing the user with strong (128-bit) encryption and (up to 2048-bit) digital signatures for a complete secure messaging solution. TrustedMIME provides support for both Microsoft (Outlook, Exchange, Messaging) and Lotus Notes platforms.

TrustedMIME Overview

TrustedMIME offers the following features:
• Focused on usability and maintainability, ease of use and low cost of ownership, leading to a positive ROI
• Easy to deploy, easy to use, easy to administer
• Leading-edge technology
• Corporate branding option enabling a strong and consistent corporate identity to be maintained

TrustedMIME is based on a modular design enabling it to work with the organisation's chosen Public Key Infrastructure (PKI). In the absence of an existing PKI, TrustedMIME users can generate their own self-signed Public Key Certificates. For existing PKIs, TrustedMIME can work with external, Commercial Certificate Authorities (CCAs) and also provides a range of options for working with internal, local CAs, including SSE's scalable PKI solution, TrustedCA.
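As an added example (not code from this white paper or from TrustedMIME), the following Python uses only the standard email module to report which of the S/MIME structures described above a message carries: a clear signature (multipart/signed with an application/pkcs7-signature part), an opaque signature, or an encrypted envelope, each wrapping a PKCS #7 object. The sample messages are constructed, with placeholder bodies in place of real PKCS #7 data, and nothing here verifies a signature or decrypts anything; it is the structural check a client or gateway performs before any cryptographic verification.

```python
# Added example: report which S/MIME protections (RFC 2633 MIME structure) a
# message carries. Structure only: no signature verification or decryption.
from email import message_from_string
from email.message import Message

PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")

def smime_layers(msg: Message) -> list:
    """Protection layers from the outside in, e.g. ['signed'] for a clear-signed
    message. Stops at enveloped-data: its contents are only visible after decryption."""
    layers = []
    while True:
        ctype = msg.get_content_type()
        if ctype == "multipart/signed":
            proto = (msg.get_param("protocol") or "").lower()
            parts = msg.get_payload()
            if (proto not in PKCS7_SIG or not msg.is_multipart() or len(parts) != 2
                    or parts[1].get_content_type() not in PKCS7_SIG):
                layers.append("malformed-signed")  # never counted as signed
                return layers
            layers.append("signed")
            msg = parts[0]  # descend into the body the signature covers
        elif ctype in PKCS7_MIME:
            kind = (msg.get_param("smime-type") or "").lower()
            if kind == "signed-data":        # opaque signature
                layers.append("signed")
            elif kind == "enveloped-data":   # encrypted to the recipients
                layers.append("enveloped")
            else:
                layers.append("pkcs7:" + (kind or "unspecified"))
            return layers
        else:
            return layers

def classify(raw: str) -> dict:
    """Summarise a raw message as far as its MIME structure shows."""
    layers = smime_layers(message_from_string(raw))
    return {"layers": layers, "signed": "signed" in layers,
            "confidential": "enveloped" in layers}

# Constructed samples; "AAAA" stands in for a real PKCS #7 object.
CLEAR_SIGNED = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary=b1\n\n'
    "--b1\nContent-Type: text/plain\n\nQuarterly figures attached.\n"
    "--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
ENVELOPED = ("Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
             "Content-Transfer-Encoding: base64\n\nAAAA\n")
```

A "signed" result only means the structure claims a signature; checking that signature against the signer's certificate is the separate, PKI-dependent step.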
TrustedMIME is designed to:
• Secure client-side email communication via strong cryptography
• Provide strong security with minimal impact on the end user
• Provide an interoperable solution based on industry-wide standards
• Provide a corporate component for enterprise-wide security policy enforcement
• Provide support for the latest S/MIME standards
• Provide industry-leading integration and interoperability with Public Key Infrastructures

TrustedMIME/Corporate

TrustedMIME/Corporate is an add-on tool to the core solution which enables organisations to implement enterprise-wide email security. TrustedMIME/Corporate allows organisations to customise TrustedMIME settings and parameters across the complete install base, ensuring that all end users conform to the overall corporate security policy. TrustedMIME/Corporate enables administrators to pre-configure the TrustedMIME client configuration and to determine which security settings end users have access to. TrustedMIME/Corporate also allows a strong and consistent corporate identity to be maintained through branding of the TrustedMIME client.

Deployment Scenarios

A number of deployment scenarios for secure messaging systems are presented below. The first scenario presents the most straightforward deployment option. Subsequent scenarios detail enhancements to this basic model, leading to increased security and a more robust trust model.

At the most basic level, S/MIME requires that users be able to distribute copies of their public keys to one another if they wish to exchange signed and encrypted messages. This is usually done through the distribution of digital certificates containing the public keys. Equally important is the ability of users to protect their private keys. The deployment scenarios outline mechanisms for distributing public keys and protecting private keys within an S/MIME environment.
• Using self-signed certificates
• Using certificates managed by a Certificate Authority
• Storing private keys off-line
• Performing all cryptographic operations off-line

When deciding on the most appropriate deployment model, the following questions should be considered:
• What is the value of the information that is being protected?
• What level of security is required to provide acceptable protection against compromise of that information?
• What is the cost of implementing and maintaining the security solution?
• What is the complexity of the solution, and what impact will this have on rollout and end-user training?
• How scalable is the solution, and will it meet future security requirements?

The questions above address the key areas of Return on Investment and Total Cost of Ownership. As a general rule, the higher the level of security, the greater the cost and complexity of deployment. Therefore, in order to provide real business benefit, the level of security should ultimately be determined by the value of the information being protected.

Vendors

Microsoft and Lotus have made significant headway in making their messaging clients S/MIME- and PKI-enabled. However, interoperability between the two is a major issue and, indeed, interoperability with other mail clients is an even greater issue. The use of additional plug-ins is still necessary in many cases, and certainly to facilitate the use of S/MIME v3.

Disclaimer

The above comments and descriptions are the opinions and views of eB2Bcom and its staff, or its suppliers. These comments are not intended to be represented as a complete or comprehensive description of the topic, and readers are encouraged to seek additional sources.

Contact Details

Further information is available from eB2Bcom. eB2Bcom markets, implements and supports these products in Australia, New Zealand and Asia.
Tel: +61 (0) 3 9851 8600
Email: email@example.com
Web: www.eb2b.com.au