Email Security - S/MIME Tidbit

So it has definitely been a minute since I produced a tidbit. Lately I have been investing personal time into email security. The topics that I have covered thus far are in no particular order, but anyways in this tidbit I want to cover S/MIME.


"The What?" - It's main goal is to protect emails from unwanted access. It also allows you to digitally sign your emails from unwanted access. S/MIME intends to protect you against phishing attacks.


"The Why?" - The technology is based off of asymmetric encryption, a keypair containing a public & private key. S/MIME allows for email encryption and digitally signing emails.


Summarizing the benefits of S/MIME, they include:

  • Ensuring organizational compliance

  • Prevent data leaks

  • Protect organizational reputation

  • Message integrity

  • Non-repudiation

"The How?" - Emails are encrypted with the recipient's public key, & then the same emails are then decrypted with the corresponding private key. Digital signing emails essentially allows you to prove your identity. This is done via your (sender) private key. Once the receiving side obtains the email that the sender has signed, it uses the sender's public key to verify the signature. Digitally signing emails allows you to authenticate your identity, which ultimately aides in deterring identity spoofed emails.


For the last part of this tidbit, I want to cover a brief overview of setting up an S/MIME sending profile & how S/MIME encryption & signing occurs on the Cisco ESA.


Messages can be sent with one of four modes:

1. Sign

2. Encrypt

3. Sign/Encrypt (sign and then encrypt)

4. Triple (Sign, Encrypt, and then sign again)


The following represents how S/Mime signing & encryption is performed on the ESA:


S/MIME Signing Workflow:

-Applies a has algorithm to the message to create a message digest

-Encrypts the message digest using private key of the appliance S/MIME cert

-Creates PKCS7 signature with the encrypted message digest & public key of the appliance's S/MIME certificate

-Signs the message by attaching the PKCS7 signature to the message

-Sends the signed message to recipient


S/MIME Encryption Workflow:

-Create pseudo-random session key

-Encrypt the message body using the session key

-Encrypt the session key using the public key of the recipient's S/MIME certificate

-Attach the encrypted session key to message

-Send encrypted message to recipient


Alright, that wraps up this tidbit. Check out more via the <esa> tag. Cheers!

0 comments

Recent Posts

See All

In this tidbit I want to cover some high level notes on general trustsec items as well as some good-to-knows. A brief overview of what trustsec is: TrustSec provides scalable access controls by uniqu

In this tidbit I will cover some ESA nice-to-know CLI commands & their purposes: > status = view counters/gauges; counters are a total of various events in the system; gauges show current utilization