Taking Advantage of S/MIME

This tip gives a short introduction to S/MIME and why it might be useful to you for email security. I cover some background about the purpose of S/MIME and public key cryptography, then show how these ideas apply to Domino and Notes.


S/MIME is a security protocol for email that accomplishes two goals -- privacy and authentication. Privacy means that you can send an email message to someone and know that only the intended recipient can read it. Authentication means that you can receive an email from someone and be certain that the message actually came from that sender. You can also combine these two techniques and send an email that is both private and authenticated; you know that no one else will read it, and the receiver knows that you really sent it.

Now, you might say, "What's the big deal about that? Notes mail has been doing that for a long time." This is correct. S/MIME is not needed when you are using native Notes mail with a Domino server. Notes mail contains built-in options for privacy (a.k.a. encryption) and authentication (a.k.a. signing). S/MIME becomes important when two people are not using native Notes mail. One example is a company that has a Domino mail server but whose users have Outlook Express email clients. Another is users who are connected to a non-Domino email server and use the Notes client as their email software. In both of these cases, native Notes email security does not work, so S/MIME becomes important.


The basis for S/MIME is public key cryptography. Public key methods use a two-part encryption key -- one that you keep private to yourself, and one that is available to everyone. The trick is that a message encrypted by one of the keys can only be decrypted by the other key. So, suppose you want to authenticate a message you are sending to someone. You encrypt the message with your private key. When the message arrives at the recipient, he or she attempts to decrypt the message with your public key. If the recipient can decrypt the message, then the message must have come from you, because only you have your private key. Privacy works in the opposite way. When you want to send someone a private message, you encrypt the message with the recipient's public key. No one will be able to read that message en route, because only the recipient can decrypt it, with his private key.


Using S/MIME is actually easier than understanding what goes on under the hood. Popular email client software packages (including Notes and Outlook Express) contain support for S/MIME. All you have to do is obtain a public/private key pair, known as an X.509 certificate. You can buy one from VeriSign for $15 per year, as well as from other vendors.

Once the X.509 certificate is installed, using it is simple. Within Outlook Express, you just press the Encrypt or Sign buttons (or both) that appear when you are composing a mail message. When you receive a message that is encrypted or signed, Outlook Express will display appropriate dialog boxes telling you about the security options that the message contains. Using S/MIME from a Notes client is similar, but you must take the additional step of importing the X.509 certificate into your Notes ID file (File / Tools / User ID / Import Internet Certificate).
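What the Sign and Encrypt buttons do underneath can be reproduced with the OpenSSL command-line tool. This is an added example, not part of the original tip: the names alice and bob, the message, and the self-signed certificates (standing in for purchased ones) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Names and the message are constructed; the self-signed
# certificates stand in for ones issued by a commercial CA.
smime_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        for who in alice bob; do   # one key pair and X.509 certificate each
            openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
                -subj "/CN=$who" -keyout "$who.key" -out "$who.crt" \
                2>/dev/null || exit 1
        done
        printf 'Wire 1200 USD to account 42.\n' > msg.txt

        # Authentication: Alice signs with her private key.
        openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
            -out signed.eml 2>/dev/null || exit 1
        # Privacy: the signed message is encrypted to Bob's certificate.
        openssl smime -encrypt -aes256 -in signed.eml -out sealed.eml bob.crt \
            2>/dev/null || exit 1

        # Bob decrypts with his private key, then checks Alice's signature.
        openssl smime -decrypt -in sealed.eml -recip bob.crt -inkey bob.key \
            -out opened.eml 2>/dev/null || exit 1
        verified=no
        if openssl smime -verify -in opened.eml -CAfile alice.crt \
               -out plain.txt 2>/dev/null &&
           [ "$(tr -d '\r' < plain.txt)" = "$(cat msg.txt)" ]; then
            verified=yes
        fi
        # A message altered after signing must fail verification.
        sed 's/1200/9200/' signed.eml > tampered.eml
        tamper_rejected=yes
        openssl smime -verify -in tampered.eml -CAfile alice.crt \
            -out /dev/null 2>/dev/null && tamper_rejected=no
        # Without Bob's private key the sealed message cannot be opened.
        outsider_blocked=yes
        openssl smime -decrypt -in sealed.eml -recip alice.crt \
            -inkey alice.key -out /dev/null 2>/dev/null && outsider_blocked=no
        echo "verified=$verified tamper_rejected=$tamper_rejected outsider_blocked=$outsider_blocked"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

smime_demo
```

In the signing step OpenSSL signs a digest of the message rather than the whole text, and in the encryption step it encrypts a one-time AES key to Bob's public key.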

NOTE: This description of S/MIME is adapted from a longer article on the same topic that I am writing for the Iris Today webzine.


Security for Web-Based Email: A top-notch article by Frederic Dahm from the February 2001 edition of Iris Today. Lots of background information, good diagrams, and gory details where needed.

Lotus Notes and Domino R5 Security Infrastructure Revealed: The primary IBM redbook about Domino R5 security. It covers a lot of material, including S/MIME.

Also see the Domino R5 Administration Help (which comes with the Domino product). Click on the Index view, then type "s/mime". You can also read this book online, but be aware that it is a BIG book so it might take a while to open the link.

Chuck Connell is president of CHC-3 Consulting, a consultancy that helps organizations with all aspects of Domino and Notes, especially security.

This was last published in October 2001

