2024/2025:
Segurança da Informação (Information Security) - 1º MCI
5.Nov.2024
Practical work 6
Using digital certificates for securing email (S/MIME standard)
- In a previous Practical Work, "The almighty Digital
Certificate", you should have seen that nowadays almost all reputable
websites have an (SSL) digital certificate that is automatically
downloaded by the browser. From it, the browser extracts the website's
public key and engages in an authentication protocol that, if successful,
assures the user that the website is genuine, usually by showing a closed
padlock.
- In a similar way, if a person wants to securely exchange email messages
with a partner, each must first get (perhaps, buy) an (S/MIME) digital
certificate from a Certificate Authority. *1
Of course, both types of certificates*2
contain the public key of the entity they are related to (website or
person).
- For a few years now, any member of U.Porto (e.g. a student) has been allowed
to get a free, personal digital certificate for email protection from the Certificate
Authority Sectigo through U.Porto's IT Services: Client
Digital Certificate.*3
Get your own S/MIME digital certificate by following the instructions
pointed to by items in "Obtaining a Client Digital Certificate". During the
process:
- pay attention to the information you are asked to give and to the
steps required for having your digital certificate issued;
- after the whole procedure is done, you should have downloaded a file with
extension P12 (or PFX) containing your fresh pair
of cryptographic keys. That file should probably be protected by a
password or passphrase of your choosing and is not a
digital certificate, but contains one (see "export" below)!
- Now, install the P12 file on your email client application:
I suggest that you use Mozilla's Thunderbird email client
so that the whole following procedure is common to all students. (Other email
clients can be used and the already mentioned Client Digital Certificate page has items that point to installation instructions for some common email clients.)
Using Mozilla Thunderbird's Certificate Manager,*4 follow these steps:
- "import" the cryptographic information in the P12 file (that is, your
public and private keys);
- configure Thunderbird for the
"export" (or create a "backup copy") of your cryptographic
public key to a file - that is really your personal
email digital certificate!
- At this point you should be able to start exchanging protected email
messages.
- Try to send to a nearby
colleague a digitally signed email message.*5
Your colleague should notice the information (text, icons, colors...)
shown in his/her email client's interface when your message is
received: if the digital signature is valid, your colleague will know
the message came from you!*6
- Have your colleague answer you
in a similar way. If everything works, exchange digitally
signed messages with other colleagues.
- Try also to send a
ciphered email message to someone (whose public key your email
client has already imported, of course). See if everything works
fine.
- Consider what you have learned about digital signing and enciphering of
email messages and pinpoint the details you have not quite grasped, so that
they can be discussed in a later class.
*1 You will see later in the course,
that there is a different way to protect the email exchanged, with no need of
S/MIME certificates and Certificate Authorities...
*2 Both of those digital
certificates are also called X.509 certificates.
*3 Also, any person, even outside
U.Porto, should be able to get a free email digital certificate from Actalis,
one of the very few (or only?...) Certificate Authorities that nowadays offer
that community service!
*4 To find it, try: Account
Settings > End-to-End Encryption > S/MIME
*5 Note: make sure the message is
configured to use the S/MIME standard!
*6 Of course, to validate the
sender's signature, the email client must already have the sender's public key!
In the S/MIME standard, that will happen naturally, as the public key of the
sender (packed in a digital certificate!) is usually automatically appended to the message's signature.
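An added illustration, not part of the original handout: it uses the OpenSSL command line (assumed to be installed) and a constructed self-signed identity to show two points made above, that a P12 file carries a private key while the exported certificate does not, and that a signed S/MIME message normally carries the sender's certificate. The name, address, passphrase and file names are invented for the demo.

```shell
#!/bin/sh
# Constructed demo: name, address and passphrase are invented placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS='demo-passphrase'

# Self-signed stand-in for a CA-issued S/MIME certificate, bundled as a P12.
make_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Demo Student/emailAddress=student@example.org' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout "pass:$PASS" -out "$WORK/id.p12"
}
# Dump the whole P12, then only its certificate (what "export" should yield).
split_p12() {
  openssl pkcs12 -in "$WORK/id.p12" -passin "pass:$PASS" -nodes \
    -out "$WORK/p12_all.pem" 2>/dev/null
  openssl pkcs12 -in "$WORK/id.p12" -passin "pass:$PASS" -nokeys \
    -out "$WORK/cert_only.pem" 2>/dev/null
}
# Number of PEM private-key blocks in a file; 0 means it is safe to share.
count_private_keys() { grep -c 'BEGIN.*PRIVATE KEY' "$1" || true; }

# sign_msg OUT [FLAG]: sign a constructed message, e.g. with -nocerts.
sign_msg() {
  printf 'Hello from the lab\n' > "$WORK/msg.txt"
  openssl smime -sign -text -in "$WORK/msg.txt" ${2:-} \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" -out "$1"
}
# Number of certificates carried inside the message's signature.
embedded_certs() {
  openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout \
    | grep -c '^subject' || true
}
# verify_msg MSG [CERT]: check the signature; CERT supplies a missing signer
# certificate. -noverify skips the CA chain check (the demo is self-signed).
verify_msg() {
  openssl smime -verify -noverify -in "$1" ${2:+-certfile $2} \
    -out /dev/null 2>/dev/null && echo valid || echo invalid
}

make_p12; split_p12
echo "private keys in P12:       $(count_private_keys "$WORK/p12_all.pem")"
echo "private keys in export:    $(count_private_keys "$WORK/cert_only.pem")"
sign_msg "$WORK/signed.eml"; sign_msg "$WORK/bare.eml" -nocerts
for m in signed bare; do
  echo "$m.eml: $(embedded_certs "$WORK/$m.eml") cert(s), $(verify_msg "$WORK/$m.eml")"
done
echo "bare.eml + cert file: $(verify_msg "$WORK/bare.eml" "$WORK/cert.pem")"
```

The message signed with `-nocerts` only verifies once the certificate file is supplied separately, which is the situation a recipient is in when the sender's certificate has not been attached.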
(To be made after class and by oneself!)
Assessment 6
Assessment of Practical classes - securing email (S/MIME standard)
Using what you observed and learned in the previous practical class on
Using digital certificates for securing email (S/MIME standard), do the
following.
- As you know, the P12 file you got from the
Certificate Authority contains both your public key and private key. Think
about that fact and send your comment to the teacher of Information
Security, course unit of MCI, in an unciphered, but cryptographically
signed, email message.
- Also, manually append the digital certificate file that contains your public key.
(Pretend you do not know that in the S/MIME standard, any digitally
signed message automatically also transports the digital certificate of
the sender.)
- In the days afterwards you will receive an enciphered message
asking you a specific question.
Prove that you were able to read the message, by returning your answer to
the sender. Do it in a confidential message as well, so that
nobody but the recipient is able to know what you wrote.