Institute of Technology, Dundigal, Hyderabad 500 043

Department of Computer Science Engineering

Lab: C&IS LAB Rollno:16R21A0559

Program/Exp.no: 11 Date: 30/10/2019

CASE STUDY 11: Configure a mail agent to support Digital Certificates, send a
mail and verify the correctness of this system using the configured parameters

Email has long been described as the “killer app” that attracted masses to the Internet starting
in the mid-90’s. By one estimate, as of May 2009 some 247 billion emails are sent per day. Despite
its massive and widespread use, the vast majority of these emails are relatively insecure.

A conventional email message is vulnerable to several kinds of compromise. For example, because
message senders can be easily forged, you cannot be sure that the sender is who they claim to be; or
that the message text has not been tampered with. Plus, email text itself is not generally encrypted,
meaning that if someone hacks access to your inbox, they can view your messages.

Security baked right in

In fact, it is possible to secure email against both of these vulnerabilities. There are several
technologies available, but the one we’re going to look at today is called S/MIME and support for it
is already built into most desktop email clients, including Outlook, Apple Mail, and Thunderbird.

The S/MIME standard is based on public-key cryptography. In this specification, an individual user
owns a digital certificate which contains a public key and a private key. The private key is held only
by its owner; the public key is shared with contacts. With the keys in place, you can use your email
client to attach a digital signature to outgoing emails, or to encrypt the content of an email, or both.

When a user receives an email with a digital signature, a mail client that supports S/MIME will
display an icon showing that the message has been signed. Often you can click this icon for more
information, which usually boils down to verification that the message has not been altered. In truth,
the digital signature ensures that the message was sent by someone with that sender’s digital
certificate installed. Presumably this is the person you think it is, although technically it could be
someone who had access to that sender’s computer, or stole his or her digital certificate.

Step 1: Get your digital certificate

The first thing you need is a digital certificate that contains your keys. The easiest and most preferred
method for obtaining a certificate is through a CA, or Certification Authority. You can get one
for free from several vendors, although they will come with varying lengths of expiration periods.
Typically, you can buy from same vendors a longer lasting certificate for a modest fee.
For this example, we will obtain a free digital certificate from Comodo, which is good for one year.
To do so, visit the Comodo Free E-mail Certificate site. Once there, click through on the free
 Institute of Technology, Dundigal, Hyderabad 500 043
Department of Computer Science Engineering

Lab: C&IS LAB Rollno:16R21A0559

Program/Exp.no: 11 Date: 30/10/2019

certificate. You will be asked to fill out a form with a few basic details, such as your email address
and name. Be sure to enter the same email address that you will be using in your email client!
Comodo will send you an email containing a link to your certificate. When you open this link, your
browser will automatically install the certificate. Precisely where the certificate winds up installed
depends on your software:
Firefox: The digital certificate will be installed in Firefox’s own key cache. You can access this
cache via Tools/Options/Advanced/View Certificates/Your Certificates.
Internet Explorer: The certificates can be accessed through the Windows Control Panel/Internet
Options/Content/Certificates/Personal.
Safari on OS X: Certificates can be access through the Keychain Access application/My
Certificates.
When using Outlook or Apple Mail, these clients should see your digital certificate in the OS-
installed location. If you are using a third-party mail app, such as Thunderbird, you’ll need to import
your digital certificate. To do this, you’ll first need to export (sometimes called “backup”) your
certificate into a so-called P12 file:
Using Firefox, you can export your certificate by navigating to the certificate cache as described
above, selecting your certificate, and then clicking “Backup.”
Internet Explorer users navigate to the certificate as described above, then select the certificate
and click “Export.” In the Certificate Export Wizard, select “Yes export the primary key” and then
choose the PKCS 12 format.
Apple Keychain users can simply select the certificate and choose File/Export to output the
certificate in P12 format.
To import your digital certificate into Thunderbird, open Thunderbird and click to
Tools/Options/Advanced/Certificates/View Certificates/Your Certificates/Import.
 Institute of Technology, Dundigal, Hyderabad 500 043
Department of Computer Science Engineering

Lab: C&IS LAB Rollno:16R21A0559

Program/Exp.no: 11 Date: 30/10/2019

The Thunderbird 3 compose new message window includes a Security menu for S/MIME signing and
encryption.

Step 2: Sending a signed email

Now that your email client can access your digital certificate, you can send an email with a digital
signature. We’ve already talked about one reason to do so—to certify that you are the message
sender. But there’s another reason, too—to provide your certificate to a recipient.
Below, we will look at sending encrypted mail. You can only send encrypted mail to a recipient
whose digital certificate you already have; but you can send a digitally signed message to anyone.
Therefore, when you send a digitally signed message to a recipient, that recipient receives your
public key. After that, they can send you encrypted email. Likewise, when someone else sends you a
digitally signed message, you will receive his or her public key, and can send them encrypted
messages.
When your email client detects your digital certificate is installed, the window for composing a new
message will typically include a menu item or icon for applying your digital signature. See the
included screenshots (above and below) for examples from the three major email clients.

Step 3: Sending an encrypted email

In fact, sending an email with content encrypted is no more difficult than sending an email with a
digital signature. Any email client that supports S/MIME will provide both signing and encryption as
simple checkbox or icons you can toggle on or off as seen in the example screenshots.
Remember that, unlike a digital signature alone, you can only send an encrypted email to a recipient
whose public key you already have received. Otherwise your email client will display a warning that
the message cannot be encrypted. You can receive the recipient’s public key by asking them to first
send you an email that they have digitally signed.
 Institute of Technology, Dundigal, Hyderabad 500 043
Department of Computer Science Engineering

Lab: C&IS LAB Rollno:16R21A0559

Program/Exp.no: 11 Date: 30/10/2019

S/MIME encryption and signing buttons in the Options menu of Outlook 2010.

Limitations of S/MIME

Using S/MIME encryption is not without its drawbacks. For one, the major webmail clients,
including Gmail and Hotmail do not have built-in support for sending or receiving messages with
S/MIME security features. One workaround is to use a browser add-on, such as Gmail S/MIME for
Firefox. Another is to configure your webmail service, such as Gmail, to deliver mail by POP or
IMAP and use a desktop client with S/MIME support. (Not all webmail services offer this option.)