Decryption Error

Discussion in 'iOS 8' started by detlefs, Oct 20, 2014.

  1. detlefs macrumors newbie

    Sep 27, 2014
    I created a self-signed S/MIME for encrypted emails in OSX Keychain Access. I am using this S/MIME on my iPad (iOS 8.1) and on my iMac (OS X 10.10). With this S/MIME I have no problems on the iPad decrypting emails which were sent from devices running iOS or OSX.

    But when receiving encrypted emails from a Windows PC I get the following error message:
    "Decryption Error. This message is encrypted. Install a profile containing your encryption identity to decrypt this message"

    The iMac, using the same S/MIME, has no trouble decrypting the same email sent from the Windows PC.

    Does anybody have the same issue? Does anybody have a solution for this problem?
  2. detlefs thread starter macrumors newbie

    Sep 27, 2014
    I solved this issue!

    The problem is, when OS X or iOS sends a signed email there seems to be no indicator included which tells the receiving mail program what type of encryption method to use. This doesn't matter if the receiving mail program is OS X Mail or iOS Mail. But MS Outlook and Windows Live Mail, for that reason, fall back to a 40-bit RC2 encryption method. The 40-bit RC2 encryption method is an old standard that can still be decrypted by OS X but not by iOS. See here and here for details.

    To overcome this problem Windows Live Mail needs to be told to send emails in 3DES. To achieve that I did the following.
    1. I added my Mac email account to Windows Live Mail
    2. I imported my Mac email S/MIME (.p12 file) into the Windows Certificate Manager
    (one copy needs to be in "Personal" and another copy in "Trusted Root Certification Authorities")
    3. I added the S/MIME as signing and encrypting keys under Security in the Mail Account Properties. And set Algorithm to: 3DES
    4. I sent a signed email in Windows Live Mail from my Mac email account to my Outlook email account.
    This adds the S/MIME certificate in the Certificate Manager to "Other People"
    5. Copy the certificate in the Certificate Manager to "Trusted People" and "Intermediate Certification Authorities" if it is not already there.
    6. Delete the S/MIME in "Personal" and in "Trusted Root Certification Authorities". This will delete the private key.
    7. Delete the Mac email account in Windows Live Mail.

    When you are done with these 7 steps Windows Live Mail will only have the Mac S/MIME certificate/public key and knows that it is supposed to send emails encrypted in 3DES.
    And voila, decrypting emails in iOS sent from Windows Live Mail is working!
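
The RC2 fallback described in the post above can be confirmed on a received message by reading the content-encryption algorithm out of its CMS EnvelopedData. The sketch below is an added example, not part of the thread: it assumes the base64-decoded `smime.p7m` bytes in DER definite-length form, and the function names and the two sample messages are constructed for illustration.

```python
# Added example: name the cipher a CMS EnvelopedData blob was encrypted with.
PKCS = "2a864886f70d"                                   # 1.2.840.113549
ENVELOPED, DATA = bytes.fromhex(PKCS + "010703"), bytes.fromhex(PKCS + "010701")
RC2, DES3 = bytes.fromhex(PKCS + "0302"), bytes.fromhex(PKCS + "0307")
NAMES = {RC2: "RC2-CBC", DES3: "3DES-CBC",
         bytes.fromhex("608648016503040102"): "AES-128-CBC",
         bytes.fromhex("60864801650304012a"): "AES-256-CBC"}
RC2_BITS = {160: 40, 120: 64, 58: 128}   # rc2ParameterVersion -> key bits (RFC 2268)

def tlv(buf, pos=0):                     # one DER element: (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                     # members of a constructed value
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def content_cipher(p7m):
    ctype, wrapped = children(tlv(p7m)[1])[:2]          # ContentInfo
    if ctype[1] != ENVELOPED:
        raise ValueError("not CMS EnvelopedData")
    env = children(tlv(wrapped[1])[1])                  # EnvelopedData members
    eci = [v for t, v in env if t == 0x30][0]           # EncryptedContentInfo
    alg = children(children(eci)[1][1])                 # AlgorithmIdentifier
    name = NAMES.get(alg[0][1], "OID " + alg[0][1].hex())
    if alg[0][1] == RC2:                                # key size is in the parameters
        version = int.from_bytes(children(alg[1][1])[0][1], "big")
        name += f" {RC2_BITS.get(version, version)}-bit"
    return name

def der(tag, *parts):                                   # builder for the samples only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(alg_oid, params):   # constructed message: no recipients, 8 zero bytes
    eci = der(0x30, der(0x06, DATA), der(0x30, der(0x06, alg_oid), params),
              der(0x80, bytes(8)))
    env = der(0x30, der(0x02, b"\x00"), der(0x31), eci)
    return der(0x30, der(0x06, ENVELOPED), der(0xA0, env))

RC2_40 = sample(RC2, der(0x30, der(0x02, b"\x00\xa0"), der(0x04, bytes(8))))
TRIPLE_DES = sample(DES3, der(0x04, bytes(8)))
print(content_cipher(RC2_40), "|", content_cipher(TRIPLE_DES))
```

A result of `RC2-CBC 40-bit` on mail from a Windows sender points to the fallback; `3DES-CBC` or an AES name means the sender picked up a stronger algorithm.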
  3. detlefs thread starter macrumors newbie

    Sep 27, 2014
    My explanation above is a bit complicated. Here is a more condensed version in less technical words.

    Sending a signed email from an OS X or iOS device to a Windows PC will not enable the Windows PC to send emails that can be decrypted by an iPad or an iPhone. That is true for self-signed certificates and for official certificates e.g. from Comodo. To overcome this problem send the signed email from a Windows PC instead.

    Since I have many friends with PCs I was looking for a convenient way to send my certificate. For myself I found Parallels Desktop to be most convenient for this purpose. On my iMac I run Windows 8.1 and Windows Live Mail in Parallels. In Windows Live Mail I set up my Apple email account and installed the certificate. So, whenever I want to add another PC friend to my encrypted email network I send this person a signed email from my Apple email account in Windows Live Mail.
  4. nexus4life macrumors regular

    Jul 19, 2014
    I don't really know exactly what you are talking about, but I appreciate you for your efforts. :)
  5. detlefs thread starter macrumors newbie

    Sep 27, 2014
    I guess only somebody who has faced the same problem I did can really understand what I was talking about.

    Try setting up exchanging encrypted emails between your iOS device and a Windows PC. When you run into troubles then read my post again. Perhaps then it will make sense to you.
