Easy Certificate encryption for Email

Posted: May 26, 2016 in Security

Class-1 – SSL/TLS – S/MIME (Secure/Multipurpose Internet Mail Extensions)
Standard Email encryption for dummies.


WHAT ?

There are several ways to encrypt your emails, but most have the drawback of being an add-on, plugin or specific program that both parties must install and configure.
Most bolt-on solutions are based on the open-source PGP encryption, and are fiddly to configure.
Proprietary software tends to be aimed at making you a premium customer, and you often do not control the key.

Since we started using Digital Certificates to authenticate and encrypt web sites, we have had the same ability for email, but because it was aimed at business users it has always been overlooked for free personal use.
Even crusty old Outlook Express supported “Digital Signatures”, and all complete email clients still support it.
It is a standard called S/MIME (Secure/Multipurpose Internet Mail Extensions):
https://wikipedia.org/wiki/S/MIME

WHERE ?

There are not many options for free certificates, but depending on your needs there is some choice.
StartSSL provides all users with the same management console, so you can create certs for all your accounts under one user and OpenID. Use StartSSL if you also want to prove who you are.
Comodo does not give free users a profile, and certificates are only linked to the email address. If you want something more anonymous, use this (export a backup when you install it).
CAcert is a “community-driven Certificate Authority”. I have not tested CAcert, but it reminds me of the PGP community. Certificates generated here will be for authentication as much as encryption (you will need to install their Root Certificate).
Actalis: Italian security provider and certificate authority (not tested).
WoSign: Chinese certificate authority (not tested).

NOTE: Free keys are always short-term, and last for 1 year. If you use your certificate to access the online management, you must remember to make a new one before it expires, or you will not be able to log into your account.

HOW ?

When you make your certificate, you must add a password to it. This is used when you install it, export it or revoke it (keep it safe).
The OS knows what to do with certs when you double-click, so installing is easy.
It is a limited certificate (Class-1 only) so no other options are needed.
Once it is imported to the OS, it should be available in the email account security settings.
Email certs show in the standard OS Certificate manager, where you can export and delete them.

To exchange “Public Keys”, you first send each other signed emails. These will not be encrypted.
If the receiving client is too basic, the email will still be readable, but the signature will show up as an unknown attachment, “smime.p7s”.
Solution: advise upgrading to any better email client that supports security!

As soon as you have someone’s Public Key from a signed email, you can enable encryption in a reply.
You can set most email programs to always sign by default, so you prepare the way without having to warn people, or even think about it.
Because people who open your ordinary signed emails already have your key, they should be easier to convince to switch to encryption.
You can use the certificate to digitally sign all your email for proof of origin, and even if hackers gain access to your email account, they will not have your Private Key, so they cannot read any encrypted emails.
It even works in newsgroups, so users with standard software can also make use of it without plugins.
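The sign-then-encrypt exchange described above, run end to end with the openssl command line. This is an added example, not part of the original post: two self-signed certificates for hypothetical users alice and bob at example.test stand in for CA-issued Class-1 certificates, so the chain check is skipped with -noverify where a real setup would rely on the CA root in the OS store.

```shell
#!/bin/sh
# Added example (not from the post). Needs only the openssl CLI. Self-signed
# alice/bob certs (hypothetical) stand in for CA-issued Class-1 certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EMAIL: self-signed cert bound only to the e-mail address,
# the way a free Class-1 S/MIME certificate is.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1/emailAddress=$2" \
    -addext "subjectAltName=email:$2" \
    -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}

run_exchange() {
  make_cert alice alice@example.test
  make_cert bob bob@example.test
  printf 'Hi Bob, my certificate rides along with this signature.\n' >"$WORK/msg.txt"
  # 1. Alice clear-signs: the body stays readable in any client, while the
  #    signature (and her certificate) travel as the smime.p7s part.
  openssl smime -sign -in "$WORK/msg.txt" -out "$WORK/signed.eml" \
    -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" \
    -from alice@example.test -to bob@example.test -subject "Signed hello"
  # 2. Bob verifies and keeps the embedded certificate = Alice's public key.
  #    -noverify only skips the chain check (demo certs are self-signed);
  #    the signature itself is still checked against the embedded cert.
  openssl smime -verify -noverify -in "$WORK/signed.eml" \
    -signer "$WORK/alice_from_mail.crt" -out "$WORK/verified.txt"
  # 3. Bob encrypts his reply to the certificate he just received.
  printf 'Secret reply.\n' >"$WORK/reply.txt"
  openssl smime -encrypt -aes256 -in "$WORK/reply.txt" -out "$WORK/reply.eml" \
    -from bob@example.test -to alice@example.test -subject "Encrypted reply" \
    "$WORK/alice_from_mail.crt"
  # 4. Only Alice's private key opens it.
  openssl smime -decrypt -in "$WORK/reply.eml" -recip "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/reply_plain.txt"
}

signed_has_p7s()    { grep -q 'smime.p7s' "$WORK/signed.eml"; }
signed_body_clear() { grep -q 'Hi Bob' "$WORK/signed.eml"; }
reply_decrypted()   { grep -q 'Secret reply' "$WORK/reply_plain.txt"; }
# Someone holding Alice's mailbox but not her private key (Bob's key is
# used here as the stand-in) cannot read the reply.
wrong_key_rejected() {
  ! openssl smime -decrypt -in "$WORK/reply.eml" -recip "$WORK/bob.crt" \
      -inkey "$WORK/bob.key" >/dev/null 2>&1
}
```

Call run_exchange and then the four check functions; each exits non-zero if the corresponding property does not hold.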

NOTES

When I originally used Comodo I had a choice of key size and algorithm, but I am not sure what they offer at the moment. Their choice of “Medium” and “High” is probably now 2048- and 4096-bit keys.
My current StartSSL public keys are 4096-bit RSA with a SHA-256 fingerprint.
Don’t expect much choice (if any) for a free 1-year certificate.

Certificates can also be used to log into web sites and services, instead of creating a dedicated account with a user name and password, which have value to hackers.
If a site/service you use is hacked, the attackers only have your Public Key, so they cannot use it to impersonate you.

Examples in use:
The open-source VoIP software “Mumble” uses email certificates for authentication.
StartSSL users are presented with a window asking which certificate to log in with.
Setting up your own site to use it is documented by Christian Weiske:
https://cweiske.de/tagebuch/ssl-client-certificates.htm

Certificates can be easily imported into mobile devices, so care should be taken not to leave them unlocked or out of your control.
Never install your certificates in a shared or borrowed device. Removing certificates from mobile devices requires special software, and ROOT privilege, so your only option may be to revoke them.
Guardian Project – CACertMan
https://f-droid.org/repository/browse/?fdfilter=cacertman&fdid=info.guardianproject.cacert
https://play.google.com/store/apps/details?id=info.guardianproject.cacert
Trust Manager by Bluebox
https://play.google.com/store/apps/details?id=com.bluebox.labs.trustmanager

Handy Tools

Blaser CertWatch: automated system certificate store checking for Windows
http://www.blaser.us/software/certwatch/
Sysinternals Sigcheck: certificate signature checker
https://technet.microsoft.com/sysinternals/bb897441
Sigcheck GUI
http://skwire.dcmembers.com/fp/?page=sigcheckgui

Security Certificate Revocation Awareness by Steve Gibson
https://www.grc.com/revocation/implementations.htm
