S/MIME
Email encryption and signing with S/MIME
Todo4teams lets you exchange strongly encrypted and signed emails with your customers according to the S/MIME standard.
S/MIME is the most common standard for email encryption and is widely supported by email programs such as Microsoft Outlook and Mozilla Thunderbird.
Explanation of terms
With S/MIME, emails can be signed and/or encrypted: an email can be signed only, encrypted only, or both signed and encrypted. The terms and procedures are briefly explained below.
In both cases so-called "asymmetric key pairs" are used. These are two digital keys, one of which can be distributed publicly, while the second is kept strictly secret. They form a pair in that messages encrypted with the public key can only be decrypted with the secret (private) key. A third party who reads the message in transit and does not know the private key cannot decrypt its contents.
Signing
When signing an email, the sender uses the private key to attach a digital signature computed over the contents of the message. The recipient can use the signature and the sender's public key to check whether the message was changed in transit. However, the content of the message remains readable by third parties during transmission! A valid signature does guarantee to the recipient that the message actually originates from the sender and has not been changed in transit.
Encrypting
When an email is encrypted, its complete content is encoded with the recipient's public key so that it can only be decoded with the matching private key. To do this, the sender must first obtain the recipient's public key, e.g. by receiving a signed email from the recipient.
The recipient can now be sure that no third party can decrypt the content in transit. However, the recipient cannot be sure of the identity of the sender. For that, the sender would have to both encrypt and sign the content.
Signing and encrypting
When the two are combined, both the sender's identity and strong encryption are ensured during the transmission of the email.
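The three modes described above can be reproduced with the openssl command line tool, which implements S/MIME. The following script is an added example and not part of todo4teams or its documentation. It assumes an installed openssl CLI (1.1.1 or newer); the two self-signed identities, the file names and the message text are constructed for the demonstration. It shows that a signed-only message stays readable in transit but any alteration is detected, that an encrypted-only message is unreadable without the recipient's private key (the sender's own key cannot open it either), and that signing before encrypting gives both properties.

```shell
#!/bin/sh
# Added example, not part of the todo4teams documentation: the three S/MIME modes
# (sign only, encrypt only, sign and encrypt) exercised with the openssl CLI.
# The two self-signed identities, the file names and the message are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl CLI not found, skipping' >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
MSG='Please pay invoice 4711 by Friday.'

# One key pair and self-signed certificate per party (CN values are placeholders).
make_identity() {            # $1 = party name used for file names, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -addext 'keyUsage=digitalSignature,keyEncipherment' \
        -keyout "$WORK/$1.key.pem" -out "$WORK/$1.crt.pem" 2>/dev/null
}

# Signing uses the sender's PRIVATE key; the output is multipart/signed, so the
# text travels in the clear next to the signature.
smime_sign() {               # $1 = sender, $2 = input file, $3 = output file
    openssl smime -sign -in "$2" -out "$3" \
        -signer "$WORK/$1.crt.pem" -inkey "$WORK/$1.key.pem"
}

# Verification needs only the sender's certificate (PUBLIC key). -nointern/-certfile
# pin the signer to that certificate; -noverify skips the CA chain check, which a
# self-signed test certificate could not pass. Exit status is non-zero on any change.
smime_verify() {             # $1 = sender, $2 = signed message
    openssl smime -verify -in "$2" -noverify -nointern \
        -certfile "$WORK/$1.crt.pem" -out /dev/null 2>/dev/null
}

# Encryption uses the RECIPIENT's certificate; only the matching private key opens it.
smime_encrypt() {            # $1 = recipient, $2 = input file, $3 = output file
    openssl smime -encrypt -aes256 -in "$2" -out "$3" "$WORK/$1.crt.pem"
}

smime_decrypt() {            # $1 = party trying to decrypt, $2 = input, $3 = output
    openssl smime -decrypt -in "$2" -out "$3" \
        -recip "$WORK/$1.crt.pem" -inkey "$WORK/$1.key.pem" 2>/dev/null
}

setup() {
    make_identity sender    'sender.example'
    make_identity recipient 'recipient.example'
    printf '%s\n' "$MSG" > "$WORK/msg.txt"
}

# Sign only: content readable in transit, any modification breaks the signature.
demo_sign_only() {
    smime_sign sender "$WORK/msg.txt" "$WORK/signed.eml"
    grep -qF "$MSG" "$WORK/signed.eml"                || return 1  # still plain text
    smime_verify sender "$WORK/signed.eml"            || return 1  # untouched: valid
    sed 's/4711/9999/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    if smime_verify sender "$WORK/tampered.eml"; then return 1; fi # altered: invalid
}

# Encrypt only: content hidden in transit and the sender's own key cannot open it,
# but nothing in the message proves who sent it.
demo_encrypt_only() {
    smime_encrypt recipient "$WORK/msg.txt" "$WORK/enc.eml"
    if grep -qF 'invoice' "$WORK/enc.eml"; then return 1; fi      # nothing readable
    if smime_decrypt sender "$WORK/enc.eml" "$WORK/wrong.txt"; then return 1; fi
    smime_decrypt recipient "$WORK/enc.eml" "$WORK/dec.txt"      || return 1
    grep -qF "$MSG" "$WORK/dec.txt"
}

# Sign, then encrypt: hidden in transit and, after decryption, provably from the sender.
demo_sign_and_encrypt() {
    smime_sign sender "$WORK/msg.txt" "$WORK/inner.eml"
    smime_encrypt recipient "$WORK/inner.eml" "$WORK/both.eml"
    if grep -qF 'invoice' "$WORK/both.eml"; then return 1; fi
    smime_decrypt recipient "$WORK/both.eml" "$WORK/opened.eml" || return 1
    smime_verify sender "$WORK/opened.eml"
}

setup
for demo in demo_sign_only demo_encrypt_only demo_sign_and_encrypt; do
    if "$demo"; then echo "$demo: ok"; else echo "$demo: FAILED"; fi
done
```

Each demo function exits with status 0 only if every property it claims actually holds, so the script doubles as a quick self-check of an openssl installation. Note the -noverify flag: in real use the signer certificate must chain to a trusted CA, and that check is exactly what a mail client performs before it shows a signature as valid.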
Application in todo4teams
Todo4teams can receive and send encrypted and/or signed emails.
To receive encrypted messages and to send signed messages, the S/MIME certificate and the corresponding private key must be stored in the configuration of the email mailbox (see the example on the right). Both must be in PEM format and must be entered together with the markers shown in the picture:
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
and, for the private key,
-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
If your S/MIME certificate is in P12 (PKCS#12) or another format, use the openssl command to extract the certificate and the private key into PEM format.
Copy the data into the "Certificate" text box and save the settings. Make sure that only trustworthy administrators have access to these settings! The private key must never fall into the wrong hands.
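The following script is an added example, not part of todo4teams or its documentation, of the openssl conversion mentioned above. It takes a PKCS#12 file, writes the certificate and the private key as two PEM files, and then checks three things before the text is pasted into the mailbox configuration: that each file begins and ends with exactly the markers listed above (a key exported as "BEGIN RSA PRIVATE KEY" would not match, so it is re-wrapped as PKCS#8), that the key really belongs to the certificate, and that the key is at least 2048 bits. The sample .p12, its passphrase and all file names are constructed placeholders; an installed openssl CLI (1.1.1 or newer) is assumed.

```shell
#!/bin/sh
# Added example, not part of the todo4teams documentation: converts a PKCS#12
# (.p12/.pfx) file into the two PEM blocks the mailbox configuration expects and
# checks them before they are pasted in. The sample .p12, its passphrase and all
# file names are constructed placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl CLI not found, skipping' >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12_PASS='placeholder-passphrase'   # real exports are protected by a passphrase

# Constructed input: a throw-away self-signed S/MIME certificate bundled as PKCS#12.
make_sample_p12() {          # $1 = output .p12 path
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=helpdesk.example' \
        -addext 'keyUsage=digitalSignature,keyEncipherment' \
        -keyout "$WORK/src.key" -out "$WORK/src.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/src.crt" -inkey "$WORK/src.key" \
        -out "$1" -passout "pass:$P12_PASS"
}

# Step 1: certificate only. -clcerts drops CA certificates that may be in the
# bundle; piping through "openssl x509" strips the "Bag Attributes" preamble, so
# the file begins directly with -----BEGIN CERTIFICATE-----.
extract_cert() {             # $1 = .p12 file, $2 = output cert.pem
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$2"
}

# Step 2: private key, unencrypted (-nodes) and re-wrapped as PKCS#8 so that the
# markers read -----BEGIN PRIVATE KEY----- rather than BEGIN RSA PRIVATE KEY.
extract_key() {              # $1 = .p12 file, $2 = output key.pem
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkcs8 -topk8 -nocrypt -out "$2"
}

# Check 1: the file starts and ends with exactly the markers todo4teams looks for.
has_markers() {              # $1 = file, $2 = CERTIFICATE or "PRIVATE KEY"
    head -n 1 "$1" | grep -qx -- "-----BEGIN $2-----" &&
    tail -n 1 "$1" | grep -qx -- "-----END $2-----"
}

# Check 2: the private key belongs to this certificate (same public key).
key_matches_cert() {         # $1 = cert.pem, $2 = key.pem
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 3: RSA modulus size in bits, to compare against the 2048/4096 recommendation.
key_bits() {                 # $1 = key.pem
    openssl pkey -in "$1" -noout -text | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Runs the conversion and all checks; exit status 0 only if every check passes.
convert_and_check() {        # $1 = .p12 file
    extract_cert "$1" "$WORK/cert.pem"
    extract_key  "$1" "$WORK/key.pem"
    has_markers "$WORK/cert.pem" 'CERTIFICATE'        || return 1
    has_markers "$WORK/key.pem"  'PRIVATE KEY'        || return 1
    key_matches_cert "$WORK/cert.pem" "$WORK/key.pem" || return 1
    [ "$(key_bits "$WORK/key.pem")" -ge 2048 ]
}

make_sample_p12 "$WORK/mailbox.p12"
if convert_and_check "$WORK/mailbox.p12"; then
    echo "cert.pem and key.pem are ready to paste into the mailbox configuration"
else
    echo "conversion or checks failed" >&2
fi
```

For a real export, replace make_sample_p12 with your own .p12 file and its passphrase. The unencrypted key.pem is only needed for the copy into the configuration; delete it from disk afterwards, since it is as sensitive as the settings page itself.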
Manage your customers' certificates
As a helpdesk tool, todo4teams does not keep an address book in which certificates and keys are stored. To answer an encrypted email, the sender (your customer) must sign their email to todo4teams; todo4teams can then use the certificate taken from that signed email to encrypt the reply.
The same applies in the reverse direction: for a customer to send you an encrypted email, they need a signed email from you, which automatically contains your public key.
Receiving messages
When you receive messages in S/MIME format, you do not need to do anything special: todo4teams converts the email into a ticket as usual and displays the attached files. Only a short note in the ticket header indicates that the message is signed and that the signature is valid.
Sending messages
In the "finish" dialog of ticket processing, more precisely in the email tab, you will see two checkboxes that control signing and encryption of the reply. These options may be disabled: if the incoming message did not carry a signature certificate, the reply cannot be encrypted; if the mailbox has no certificate, the reply cannot be signed.
If you choose both options for the reply, the customer's email program will show markers like these, indicating that the email was signed and encrypted.
Security and key length
When creating your S/MIME certificate, use key lengths of 2048 or 4096 bits. With such keys, S/MIME is currently considered secure, that is, as long as your private keys are kept secure, the encrypted messages can be decoded neither by hackers nor by state institutions.